
View Full Version : Trojan type infection perhaps?


Woodmann
June 16th, 2009, 22:12
Howdy,

A preface before I begin.

I don't play around with mals or virs or troj's.
When I get them I delete them and run multiple AV's to make sure they are gone.

The story:

Since I have been seeing so many of them on the boxes I am now maintaining, I am trying to make an effort to save them so that all of you can take a look and perhaps find something interesting.

Remember, I will need some "learnin". I have no idea if the files I have saved are in fact the real thing or something an AV has cleaned up.
If you can lend me a hand in doing this I can promise you I will have a never ending supply of this "shit".

Woodmann

As always, beware of the contents.

marcovaldo
June 17th, 2009, 17:16
If your perhaps becomes infected by a trojan then the trojan might indeed
phone home to the undead indeed :-O







Sorry for that but the title triggered a playing with words and as words
are also just another kind of endangered species - you have to play with
them while they still exist... :-)

Woodmann
June 17th, 2009, 19:20
marco,

I can appreciate how you play with words.

When I read the first line I laughed to myself. Now if only I could describe how I see that play on words.........

I put a dirty trojan on my perhaps and now it is infected.

Woodmann

evaluator
June 18th, 2009, 07:14
mostly repacked TDSS group malware.

btw, downloaded some GIFs, which have little image, but big file-size.
GIF uses lossless compression on 24bit images, so can keep any data.
how-to decompress them directly?

esther
June 18th, 2009, 08:09
An image viewer?

evaluator
June 19th, 2009, 15:22
uff.. ingenious help.

seems data is attached at GIF without packing. and then decrypted as exe-files.

new exe-files are generated automatically, packed with UPX, crypted with custom tr-cryptor, attached to GIFs. this all is automated process!
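
Added example, not part of any post in this thread: one way to check a GIF for data attached after the image, as described above. It walks the GIF block structure to the trailer byte (0x3B) instead of searching for that byte, then reports the size and entropy of whatever follows; the function names and the sample bytes are constructed for illustration.

```python
import math
import struct
from collections import Counter

def _skip_sub_blocks(data, pos):
    """Skip length-prefixed sub-blocks; return the offset past the 0x00 terminator."""
    while data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1

def _color_table_len(packed):
    """Colour table size in bytes: present if bit 7 is set, 3 * 2^(N+1) bytes."""
    return 3 * (2 << (packed & 0x07)) if packed & 0x80 else 0

def gif_logical_end(data):
    """Walk the GIF blocks and return the offset just past the trailer (0x3B)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    try:
        pos = 13 + _color_table_len(data[10])  # header + logical screen descriptor
        while True:
            tag = data[pos]
            if tag == 0x3B:                    # trailer: the image ends here
                return pos + 1
            if tag == 0x21:                    # extension: tag, label, sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
            elif tag == 0x2C:                  # image: tag + 9-byte descriptor
                pos += 10
                pos += _color_table_len(data[pos - 1]) + 1  # local table, LZW code size
                pos = _skip_sub_blocks(data, pos)
            else:
                raise ValueError(f"unexpected block 0x{tag:02x} at offset {pos}")
    except IndexError:
        raise ValueError("truncated GIF") from None

def inspect_gif(data):
    """Report how many bytes follow the trailer and their Shannon entropy (bits/byte)."""
    end = gif_logical_end(data)
    tail = data[end:]
    n = len(tail)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(tail).values()) if n else 0.0
    return {"image_bytes": end, "appended_bytes": n, "entropy": entropy}

# Constructed sample: a 1x1 GIF whose data sub-block deliberately contains a 0x3B byte.
SAMPLE_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
              + b"\x00\x00\x00\xff\xff\xff"
              + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
              + b"\x02" + b"\x02\x3b\x01" + b"\x00" + b"\x3b")

if __name__ == "__main__":
    print(inspect_gif(SAMPLE_GIF))                          # clean image
    print(inspect_gif(SAMPLE_GIF + bytes(range(256)) * 4))  # constructed appended blob
```

A small image followed by a large, high-entropy tail matches the "little image, but big file-size" pattern; encrypted or packed payloads typically score close to 8 bits per byte.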

Woodmann
June 21st, 2009, 20:00
Virus attached to images.............

Now I know.

Thanks, Don Wooma

evaluator
June 22nd, 2009, 09:30
you can attack these servers =)

http://superimagesart.com/item/.../609/titem.gif
http://thenewpic.com/item/..
http://stockshopimages.com/perce/../90b/qwerce.gif
http://imagesoffline.com/perce/..
http://theimagesphoto.com/werber/803/217.gif

Woodmann
June 22nd, 2009, 18:30
Well.........

Those are not real places according to my browser.

You want another rar 'o mals ?

Woodmann

evaluator
June 23rd, 2009, 09:20
you can start downloader 4a657d55.exe. you just need to prevent new process creation from this downloader.

"image"-server addresses are changing, but main redirector server is
http://reportsystem32.com/senm.php?data=[YOUR PC DATA ENCODED]==

so this should be attacked.

do you see in your browser these servers:
studioofimages.com
pixphotos.com
imgesinstudioonline.com
imagesplusonline.com

***
upload more qualified malware

Woodmann
June 23rd, 2009, 20:07
Why yes those sites do seem to be real.
They all returned a "forbidden".

Why would they deny me the mal's I so richly deserve?

As for more qualified mal's, I only rar them, I don't play with them.

I will get some more uploaded tonight or tomorrow.

Woodmann

Lula8r
August 24th, 2009, 06:02
Quote:
[Originally Posted by Woodmann;81157]Howdy,

A preface before I begin.

I don't play around with mals or virs or troj's.
When I get them I delete them and run multiple AV's to make sure they are gone.

The story:

Since I have been seeing so many of them on the boxes I am now maintaining, I am trying to make an effort to save them so that all of you can take a look and perhaps find something interesting.

Remember, I will need some "learnin". I have no idea if the files I have saved are in fact the real thing or something an AV has cleaned up.
If you can lend me a hand in doing this I can promise you I will have a never ending supply of this "shit".

Woodmann

As always, beware of the contents.


I deleted KAV and all other (antivirus) programs because they use too many resources of a PC ... and they are always scanning something