Undetected home work


OHPen
February 6th, 2009, 09:58
Hey guys,

I found this piece of what is probably malware or spamware. It is packed with a custom wrapper. Interestingly, the Jotti online scan didn't detect anything. Maybe it's of interest to someone here.

regards,
OHPen

malware password: "malware"

esther
February 6th, 2009, 12:30
Hi,
The custom wrapper seems just like RxcNnmtP, which Cthulhu posted in another thread, and yeah, my AV doesn't detect it either.

Kayaker
February 6th, 2009, 12:39
Yeah, same shit, different name.

Take a look at this week's installment of Dancho Danchev's continuing series on the names of Fake Security Software. "systemguard2009" is one of the many aliases.


A Diverse Portfolio of Fake Security Software - Part Fifteen

http://ddanchev.blogspot.com/2009/02/diverse-portfolio-of-fake-security.html

OHPen
February 6th, 2009, 12:58
Hehe, didn't know that packer. Seems that this packer is interesting if AVs are so far not able to detect it.

Thx for that link, btw.

regards,
OHPen

OHPen
February 6th, 2009, 13:01
Ah, that's cool. I just read the articles from your link, and it's posted that the malware is from the RBN. It's the first time that I am confronted with the "work" of the RBN people.
That fact alone makes it interesting to take a deeper look.

evaluator
February 6th, 2009, 15:45
>>if avs are so far not able to detect it

Inverse!
This packer is used with TDSS group malware, easily detectable-unpackable.
It is not detected as a virus, because it is not! It is actually an installer-downloader.

evaluator
February 6th, 2009, 16:04
Uploaded for you guys, just verify: is your GetSystemDefaultUILanguage lucky!?
@40c290 19 UILangs