bboitano
December 18th, 2009, 05:18
POSSIBLE MALWARE/BIOHAZARD
Link here : http://www.megaupload.com/?d=FGJXVWUL
Password : p@ssw0rd
I have submitted it to VirusTotal but it came back clean.
I was getting random redirects when searching in Firefox. I'd click on a link and end up at a random ebay shop or something. Adaware and Malwarebytes' Anti-Malware both reported my machine as clean.
Found this file in use by lots of applications on the system, tried to delete it and everything went haywire.
Now I have removed it from my registry run keys and renamed it, the problems have gone away.
The file itself is not packed, but does seem to be using some kind of flow obfuscation with lots of random jumps all over the place. Haven't had much time to investigate further, and am rapidly running out of talent to do so, so I thought I would see if anyone else fancied investigating it.
Or at least confirm/deny my suspicions it is the culprit. So far I see that it installs a hook. There are a lot of registry/file imports but very few strings indicating that they may be encrypted and decrypted at runtime. Only two exports.
I hope someone finds it interesting. A great way to test out any new disassemblers you may have found recently.
At least my new disassembler, an interactive one, handles the jumping flow obfuscation very nicely.
If it does turn out to be suspicious, as per the sticky from Kayaker "If you find an unknown malware and would like assistance in reversing it, or learn how to reverse it safely, then we can consider making it a communal Mini-Project in which all can participate." - I would be more than happy for it to become a Mini-Project - I know I would love to learn a little more about reversing these things safely.
If it is something less malign, well you can just point and laugh at my inexperience.
Kindest regards
bb
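The "random jumps all over the place" the post describes is the classic jump-to-jump pattern: real instructions are split up and stitched back together with chains of unconditional `jmp`s, so a linear read of the bytes is meaningless until each chain is collapsed to where it finally lands. The following is an added example, not code from the poster or from the sample on the linked archive: a small pure-Python helper that decodes only the two unconditional x86 jump encodings (`EB rel8` and `E9 rel32`), follows a chain from a given offset to the first non-jump instruction, detects self-loops and out-of-range targets, and counts how many jump sites land on another jump (a quick indicator of this kind of obfuscation). The byte sample is constructed for the demonstration; the linear scan in `find_jump_sites` is a heuristic that does not decode other instructions, so on real code it can also match `EB`/`E9` bytes inside operands or data.

```python
"""Collapse chains of unconditional x86 jumps (jump-to-jump obfuscation).

Only jmp rel8 (EB xx) and jmp rel32 (E9 xx xx xx xx) are decoded; everything
else is treated as "a real instruction, stop here". Constructed example, not
taken from any particular sample.
"""
import struct

JMP_REL8 = 0xEB
JMP_REL32 = 0xE9


def decode_jmp(code, off):
    """Return (target_offset, instruction_length) if code[off] starts an
    unconditional jmp, else None. Targets are relative to the end of the jmp."""
    if off < 0 or off >= len(code):
        return None
    op = code[off]
    if op == JMP_REL8 and off + 2 <= len(code):
        rel = struct.unpack_from("<b", code, off + 1)[0]  # signed 8-bit
        return off + 2 + rel, 2
    if op == JMP_REL32 and off + 5 <= len(code):
        rel = struct.unpack_from("<i", code, off + 1)[0]  # signed 32-bit
        return off + 5 + rel, 5
    return None


def resolve_jump_chain(code, start, max_hops=64):
    """Follow jmp -> jmp -> ... from `start`.

    Returns (status, final_offset, hops) where hops lists every jmp site
    visited. status is "ok" (landed on a non-jmp), "cycle" (a jmp leads back
    to a site already seen, e.g. EB FE jumping to itself), "out_of_range"
    (target outside the buffer) or "too_long" (more than max_hops jumps)."""
    seen = set()
    hops = []
    off = start
    while True:
        if not 0 <= off < len(code):
            return "out_of_range", off, hops
        if off in seen:
            return "cycle", off, hops
        j = decode_jmp(code, off)
        if j is None:
            return "ok", off, hops
        seen.add(off)
        hops.append(off)
        if len(hops) > max_hops:
            return "too_long", off, hops
        off = j[0]


def find_jump_sites(code):
    """Heuristic linear scan: every offset whose byte decodes as an
    unconditional jmp. Does not disassemble, so it may also hit operand bytes."""
    return [off for off in range(len(code)) if decode_jmp(code, off) is not None]


def chained_jump_sites(code):
    """Jump sites whose target is itself a jmp: the jump-to-jump signature."""
    out = []
    for off in find_jump_sites(code):
        target = decode_jmp(code, off)[0]
        if decode_jmp(code, target) is not None:
            out.append(off)
    return out


# Constructed sample (offsets in comments):
SAMPLE = bytes([
    0xEB, 0x04,                    # 0: jmp +4            -> 6
    0x90, 0x90, 0x90, 0x90,        # 2..5: nop padding (never executed)
    0xE9, 0x02, 0x00, 0x00, 0x00,  # 6: jmp rel32 +2      -> 13
    0x90, 0x90,                    # 11..12: padding
    0x31, 0xC0,                    # 13: xor eax, eax      (real code)
    0xC3,                          # 15: ret
    0xEB, 0xFE,                    # 16: jmp -2            -> 16 (self-loop)
])


def summarize(code):
    """Counts a reviewer would glance at before deciding the code is spaghetti."""
    sites = find_jump_sites(code)
    chained = chained_jump_sites(code)
    return {"jump_sites": len(sites), "jump_to_jump": len(chained)}


if __name__ == "__main__":
    print("entry 0 resolves to:", resolve_jump_chain(SAMPLE, 0))
    print("entry 16 resolves to:", resolve_jump_chain(SAMPLE, 16))
    print(summarize(SAMPLE))
```

Running it on the constructed bytes shows entry 0 collapsing through two jumps to the `xor eax, eax` at offset 13, and offset 16 being flagged as a cycle rather than looping forever; on a real binary you would feed it the bytes of a code section and resolve chains from the entry point, the exports and any addresses an installed hook points at.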