
in VB6 malware \Device\PhysicalMemory?


evaluator
January 24th, 2009, 17:04
Extracted from the dlf_loader VB6 program, where I see the string
"\Device\PhysicalMemory".

The program is P-Code; I can't understand much of it.
Can a VB program go so far??

EDIT Kayaker: zip file password: malware

evilcry
January 25th, 2009, 02:29
VB is gigantic, and it is really strange how such an engineered kind of executable
has such a long life in the form of malware.

I've not seen this particular application, but surely it is going to infect the MBR; all you need is the ability to open/read/write a file.

Regards,
Giuseppe 'Bonfa' Evilcry

evaluator
January 25th, 2009, 04:31
I'm not asking about the MBR, but about PhysicalMemory;

now I disassembled it in P32Dasm and see here, in the p-code, the /ZwOpenSection/MapViewOfFile
code..

rzr
January 25th, 2009, 09:15
No MBR stuff at all.

It is most likely trying to access the Windows kernel without using a driver. It's a common technique, often used by malware to reset SSDT hooks (but you can do everything you want).

Yes, VB can do that; every programming language that is able to use Windows APIs can do that.

evaluator
January 26th, 2009, 04:03
I know only this about VB: it should not run on my PC : )

OK, I know now that it can manipulate APIs, but then there also needs to be precise code to deal with PhysicalMemory.
Can such work be done in P-Code only? (for example "reset SSDT hooks", as you said)

rzr
January 26th, 2009, 05:06
You can even do your own NTFS parser in VB.

Kayaker
January 26th, 2009, 23:59
Hi

This is a message for anyone who wants to attach malware to this forum.

As per the Malware Forum RULES (http://www.woodmann.com/forum/showthread.php?t=9907) sticky thread at the top of the forum, PLEASE password protect your zip or rar files to protect anyone from inadvertently becoming infected.

Ideally it would also be nice to rename *.exe file extensions to something like *.ex_ or *.vxe or whatever, so no one will accidentally double click on them (all it takes is a faulty left mouse button). This isn't *entirely* necessary if the zip files are at least password protected, but it doesn't hurt.


I have reuploaded the unprotected zip file above with the password malware.


However, if I or any of the other moderators find any unprotected files in the future, they will simply be deleted in order to protect the innocent. (No need to upset the McAfee Site Advisor either.)

Thanks all,
Kayaker