Howdy,

A preface before I begin.

I dont play around with mals or virs or troj's.
When I get them I delete them and run multiple AV's to make sure they are gone.

The story:

Since I have been seeing so many of them on the boxes I am now maintaining, I am trying to make an effort to save them so that all of you can take a look at perhaps find something interesting.

Remember, I will need some "learnin". I have no idea if the files I have saved are in fact the real thing or something an AV has cleaned up.
If you can lend me a hand in doing this I can promise you I will have a never ending supply of this "shit".

Woodmann

As always, beware of the contents.

If your perhaps becomes infected by a trojan then the trojan might indeed
phone home to the undead indeed :-O







Sorry for that but the title triggered a playing with words and as words
are also just another kind of endangered species - you have to play with
them while they still exist... :-)

marco,

I can appreciate how you play with words .

When I read the first line I laughed to myself. Now if only I could describe how I see that play on words.........

I put a dirty trojan on my perhaps and now it is infected .

Woodmann

mostly repacked TDSS group malware.

btw, downloaded some GIFs, which have little image, but big file-size.
GIF uses lossless compression on 24bit images, so can keep any data.
how-to decompress them directly?

An image viewer?

uff.. ingeniuos help.

seems data is attached at GIF without packing. and then decrypted as exe-files.

new exe-files are generated automatically, packed with UPX, crypted with castom tr-cryptor, attached to GIFs. this all is automated process!

Virus attached to images.............

Now I know .

Thanks, Don Wooma

you can attack this servers =)

http://superimagesart.com/item/.../609/titem.gif
http://thenewpic.com/item/..
http://stockshopimages.com/perce/../90b/qwerce.gif
http://imagesoffline.com/perce/..
http://theimagesphoto.com/werber/803/217.gif

Well.........

Those are not real places according to my browser .

You want another rar 'o mals ?

Woodmann

you can start downloader 4a657d55.exe. just you need prevent new process creation from this downloader.

"image"-server addresses are changing, but main redirector server is
http://reportsystem32.com/senm.php?data=[YOUR PC DATA ENCODED]==

so this should attacked.

do you see in your browser these servers:
studioofimages.com
pixphotos.com
imgesinstudioonline.com
imagesplusonline.com

***
upload more qualified malware

Why yes those sites do seem to be real.
They all returned a "forbidden" .

Why would they deny me the mal's I so richly deserve?

As for more qualified mal's, I only rar them, I dont play with them .

I will get some more uploaded tonight or tomorrow.

Woodmann

I deleted KAV and all other (antivirus) programs because they use too much resources of a pc ... and they always scanning something