my USB another infection..


evaluator
January 17th, 2014, 14:12
file "~$WX.FAT" is DLL;
it will be executed via shortcut by "rundll32.exe";
its exported function "crys" will load file "desktop.ini",
which is program code for download/decrypt/execute file from:
"http://suckmycocklameavindustry.in/"

crypted file is "Thumbs.db";
decrypted is "TrustedInstaller.exe", which is "Nullsoft.NSIS.exehead";
it will unpack in "TEMP" folder these files:

"vesececune.ric",
"hewefuxasa.exe","Fewuxusahif.dll","vinoliwulab.dll","Hunoqoriqop.dll","Zayimahizo.dll"

and then will execute "hewefuxasa.exe" with its 4 linked DLLs.

"hewefuxasa.exe"s job is "vesececune.ric" management..;

ahm, tired..
continued, with second attachment

"hewefuxasa.exe"s job is "vesececune.ric" management:
decrypt "vesececune.ric" (see "vesececune.ric_decoded.bin",
start new process and inject there executable code (see "in_vesececune.ric.EXE".

"in_vesececune.ric.EXE" is last wrapper.
it has removal code for temporary files "hewefuxasa.exe" & its DLLs (see "for_deletion.bin");
and finally it has in resource true body (see "compressed_true_NSIS.bin" & "true_NSIS.bin");

here we arrived to updated version of malware:
http://www.woodmann.com/forum/showthread.php?15082-just-today-infected-USB-flash

it also has "msiexec.exe", but now as NSIS executable..

PS
password for zip: malware
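As an added example (not code from the thread or from any of its posters), a small triage script that checks the root of a USB stick and a TEMP folder for the indicators evaluator lists above: the "~$WX.FAT" DLL, a shortcut that launches it through rundll32.exe with the "crys" export, the "desktop.ini"/"Thumbs.db" stage files, the C2 host and the NSIS drop names. Two content checks are my own assumptions rather than claims from the thread (a Thumbs.db that lacks the OLE compound-file header, a desktop.ini that holds non-text bytes); the sample files it builds are constructed inert stand-ins, and nothing is executed or decrypted.

```python
"""Triage check for the USB infection chain described in the thread.

Example code, not the thread author's: it only looks for file names and
byte patterns, it never runs or decodes anything it finds.
"""
import string
import tempfile
from pathlib import Path

# Indicators quoted from the thread
LOADER_DLL = "~$WX.FAT"                  # DLL launched through rundll32.exe
LOADER_EXPORT = "crys"                   # exported function named in the thread
C2_HOST = "suckmycocklameavindustry.in"  # download host named in desktop.ini
DROPPED_NAMES = {"vesececune.ric", "hewefuxasa.exe", "Fewuxusahif.dll",
                 "vinoliwulab.dll", "Hunoqoriqop.dll", "Zayimahizo.dll"}

# Assumption-based heuristics: a genuine Thumbs.db is an OLE2 compound file,
# a genuine desktop.ini is plain text.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
TEXT_BYTES = set(bytes(string.printable, "ascii"))


def _has(data, needle):
    """Shortcut argument strings are stored as UTF-16LE; check both forms."""
    return needle.encode("ascii") in data or needle.encode("utf-16-le") in data


def scan_shortcut(path):
    """Return indicator strings for a .lnk that launches the loader DLL."""
    data = Path(path).read_bytes()
    hits = []
    if _has(data, "rundll32") and _has(data, LOADER_DLL):
        hits.append("shortcut runs %s via rundll32.exe" % LOADER_DLL)
        if _has(data, LOADER_EXPORT):
            hits.append("shortcut names export '%s'" % LOADER_EXPORT)
    return hits


def scan_usb_root(root):
    """Check the root of a removable drive for the indicators in the thread."""
    root = Path(root)
    findings = []
    for lnk in root.glob("*.lnk"):
        findings += ["%s: %s" % (lnk.name, h) for h in scan_shortcut(lnk)]
    dll = root / LOADER_DLL
    if dll.is_file():
        pe = dll.read_bytes()[:2] == b"MZ"
        findings.append("%s present%s" % (LOADER_DLL, " (PE header)" if pe else ""))
    thumbs = root / "Thumbs.db"
    if thumbs.is_file() and not thumbs.read_bytes().startswith(OLE_MAGIC):
        findings.append("Thumbs.db is not an OLE file (heuristic: encrypted payload)")
    ini = root / "desktop.ini"
    if ini.is_file():
        data = ini.read_bytes()
        if any(b not in TEXT_BYTES for b in data):
            findings.append("desktop.ini contains non-text bytes (heuristic: loader code)")
        if _has(data, C2_HOST):
            findings.append("desktop.ini references %s" % C2_HOST)
    return findings


def scan_temp(temp_dir):
    """Names from the NSIS drop list that are present in a TEMP folder."""
    present = {p.name for p in Path(temp_dir).iterdir() if p.is_file()}
    return sorted(present & DROPPED_NAMES)


def build_sample(root):
    """Constructed sample, not real malware: inert files with the thread's names."""
    root = Path(root)
    args = "rundll32.exe ~$WX.FAT,crys".encode("utf-16-le")
    (root / "USB.lnk").write_bytes(b"L\x00\x00\x00" + b"\x00" * 16 + args)
    (root / LOADER_DLL).write_bytes(b"MZ" + b"\x00" * 62)       # PE stub only
    (root / "Thumbs.db").write_bytes(bytes(range(256)))         # not an OLE file
    (root / "desktop.ini").write_bytes(b"\x90\x90" + C2_HOST.encode("ascii"))
    return root


def demo():
    """Build the constructed sample in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        usb_findings = scan_usb_root(d)
        temp = Path(d) / "TEMP"
        temp.mkdir()
        for name in ("hewefuxasa.exe", "vesececune.ric", "unrelated.txt"):
            (temp / name).write_bytes(b"")
        return usb_findings, scan_temp(temp)


if __name__ == "__main__":
    usb, dropped = demo()
    print("\n".join(usb))
    print("dropped in TEMP:", dropped)
```

Run against a real stick as `scan_usb_root("E:\\")`; a hit on the shortcut or on the loader DLL is the strongest signal, while the two heuristics only tell you that the stage files are not what their names claim and are worth pulling for a look.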

Kayaker
January 17th, 2014, 19:06
You sure get infected a lot eval. I'd love to see your browser history

lia
January 21st, 2014, 07:27
Quote:
[Originally Posted by evaluator;96048]file "~$WX.FAT" is DLL;
it will be executed via shortcut by "rundll32.exe";
its exported function "crys" will load file "desktop.ini",
which is program code for download/decrypt/execute file from:
"http://suckmycocklameavindustry.in/"

crypted file is "Thumbs.db";
decrypted is "TrustedInstaller.exe", which is "Nullsoft.NSIS.exehead";
it will unpack in "TEMP" folder these files:

"vesececune.ric",
"hewefuxasa.exe","Fewuxusahif.dll","vinoliwulab.dll","Hunoqoriqop.dll","Zayimahizo.dll"

and then will execute "hewefuxasa.exe" with its 4 linked DLLs.

"hewefuxasa.exe"s job is "vesececune.ric" management..;

ahm, tired..

PS
password for zip: malware


Hi, you have been infected by Gamarue aka Andromeda botnet. Try running malware cleaner tools.

OHPen
January 21st, 2014, 08:11
@evaluator: yeah you are infected with a botnet! be careful. if you need further help, just ask lia, maybe you get help there ;DDDD

Good luck!

PS: It's always you eval, you have to be more careful when browsing the internet, it's a dangerous place!

evaluator
January 21st, 2014, 10:54
I updated 1st thread with new info & attachment.

Kayaker wrote:
You sure get infected a lot eval. I'd love to see your browser history
well, if you take precise look &r logic:
1. my USB-stick catches malware.
2. from other's PC; (such a low thoughts about my PC or me-infecting-my-USB-stick came from..)

lia, you got infected by Kayaker.
OHPen, may lia forgive you :~)

Woodmann
January 21st, 2014, 22:08
Sounds like my life. I stick my USB in to fix another computer and, VOILA, insta-infected.

I remember the old days when I would use a CD with my weapons for cleaning on it.
When I was done, I threw the CD away.

Woodmann