Reversing this Trojan: http://216.115.95.98//38ble.chm
bergheim
04-15-2004, 06:35 AM
Hi everyone!
I just found the trojan mentioned in the subject residing on my hard drive. Decompiling it resulted in a file called "wincfgid.exe", which I tried to disassemble.
Unfortunately the file seems to be scrambled or packed with some tool I don't know.
I would appreciate any help in finding out how to deal with this!
TIA,
Bergheim
Hello,
I checked it out; it appears to be packed with UPX. It is not unpackable through upx (command-line switch -d), however, because a scrambler has been used. So we will need to manually unpack this. For UPX this is quite a simple process, just get ProcDump and HIEW.. (google it ;))
For the general process, I'd say look for a tutorial on manually unpacking it. First one I found was
http://66.102.9.104/search?q=cache:9oxGVjB...&hl=en&ie=UTF-8 (http://66.102.9.104/search?q=cache:9oxGVjBnG44J:ddcrack.myetang.com/crackit/crackme/FriC7_Sol_Code_Inside.txt+manually+unpacking+upx+crackme+7&hl=en&ie=UTF-8)
But there might well be better ones out there.. Have a look for yourself.. Manually unpacking is done a lot, and UPX is a common packer, so it shouldn't be hard to find a good essay about it ;)
Make sure you don't mess things up and accidentally run the trojan.exe... Like I did. *cough*
laters,
KW
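A triage check for the situation KW describes (UPX layout, but `upx -d` refuses because a scrambler touched the header), added here as an example and not code from this thread. It parses the PE section table by hand and reports two stock-UPX traits (UPX-named sections and a first section that is empty on disk but large in memory) together with the "UPX!" header marker that scramblers typically wipe; the sample PE skeletons are constructed inline for demonstration.

```python
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}

def parse_sections(data):
    """Walk the PE section table; returns (name, virtual_size, raw_size) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    out = []
    for i in range(nsec):
        name, vsize, _vaddr, rawsize = struct.unpack_from("<8sIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0"), vsize, rawsize))
    return out

def triage_upx(data):
    """Classify a PE as stock UPX ('stock'), UPX-like but scrambled, or not UPX ('none')."""
    secs = parse_sections(data)
    upx_names = any(s[0] in UPX_SECTION_NAMES for s in secs)
    # Stock UPX leaves the first section empty on disk (raw size 0) but large in
    # memory: that is where the stub writes the decompressed original image.
    empty_first = bool(secs) and secs[0][2] == 0 and secs[0][1] > 0
    marker = b"UPX!" in data  # header magic the upx tool needs for 'upx -d'
    if marker and (upx_names or empty_first):
        verdict = "stock"        # try upx -d first
    elif upx_names or empty_first:
        verdict = "scrambled"    # UPX layout, marker gone: manual unpack
    else:
        verdict = "none"
    return {"sections": [s[0] for s in secs], "marker": marker, "verdict": verdict}

def build_sample_pe(sections, marker):
    """Constructed minimal PE skeleton (no optional header), for demonstration only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b""
    for idx, (name, vsize, rawsize) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000 * (idx + 1),
                             rawsize, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos + coff + table + (b"UPX!" if marker else b"")

if __name__ == "__main__":
    sample = build_sample_pe([(b"UPX0", 0x10000, 0), (b"UPX1", 0x8000, 0x7000)], True)
    print(triage_upx(sample))
```

The verdict is a heuristic: a "scrambled" result means the layout still looks like UPX but the marker the tool relies on is gone, which is exactly when the manual ProcDump/HIEW route becomes necessary.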
bergheim
04-17-2004, 07:15 AM
Ooops :-)
Thanks for your reply and the link to the tutorial!
What happened when you accidentally ran the trojan?
Thanks again,
Bergheim
Only minor problems, nothing I couldn't fix (as far as I know of course ;))
But still, it gave me quite a scare ;-)
What happened, by the way, was that I placed an infinite loop (EBFE) at the wrong location, one that never got executed. So execution proceeded as normal..
http://its.mine.nu/misc_crap/not_good.png shows what I saw then ;)
Afterwards I did some cleaning etc, so I should be ok now anyway
KW
bergheim
04-17-2004, 10:47 AM
I'm glad nothing serious happened to your machine :-)
I worked through the unpacking tutorial you talked about and found an OEP of 1040, the 61E9, but I'm still struggling with the EBFE trick (even though I understand what it does). Furthermore, SoftIce won't run under my XP Pro, for whatever reason...
But there's a whole Sunday to come ;-)
Thanks for your help!
Bergheim
nrindah0
10-12-2004, 02:45 AM
Poor kw, wounded in the line of duty.
Aren't these the best moderators?
:)
nrindah0
10-17-2004, 04:44 AM
The link appears to be broken.
I'd actually like to have a look at it myself and wouldn't mind if you could aid me in obtaining a copy.
Thanks.
I no longer have the file, maybe the original poster does?
-kw