
Virtob.si yet ready to infect you..


evaluator
September 5th, 2010, 15:37
damn, today I browsed some old (Jan 2010) downloaded samples..

789981e352460461755325a3c109ee95a7c81c51 *Virtob.si

c'mon, they are ready to infect you at a high level..
so there is no normal anti-malware control over the net..

http://ad.ghura.pl/rus.php
http://kdert.com/kb2.txt
http://kdert.com/wmp/dmq4.txt

pass: MALWARE

evaluator
September 6th, 2010, 11:45
also there is

http://kdert.com/wmp/adq1.txt
(Preloader)
its loader is funny; it uses WrProcMemory to overwrite its own execution.

it then starts an svchost process & injects the Loader module there,
which downloads the file "ndis.sys"=OuterDrv (in the first pack)

this "OuterDrv.sys" contains sp2-ndis.sys & another "InnerDrv.sys", which again has a slightly changed Loader module.