Archive for March, 2007

More malware from ircer.pl

Saturday, March 31st, 2007

The guys running the Virut botnet are dealing out new malware again. The new file being downloaded is about 30k in size, and it’s packed with UPX. There is some kind of obscuring layer on top of UPX, but it’s pretty trivial to bypass. (more…)

Who is reading your clipboard?

Wednesday, March 28th, 2007

Ever thought about what kind of stuff you keep on your clipboard when you browse the network?

Maybe you keep your account numbers/usernames/passwords in separate files, and copy/paste them to webpages when you need to. But do you clear the clipboard after that?

(more…)

Microsoft Change Analyzer

Wednesday, March 28th, 2007

Excerpt:

The Change Analysis Diagnostic simplifies the identification of recent
changes to computers running Windows XP. The diagnostic checks for
recent changes to the following:

• Operating system components, such as patches, that are installed as
hotfixes or downloads from Windows Update.
• Installed application entries listed in the Add or Remove Programs
control panel.
• All kernel mode device and file system drivers.
• Browser helper objects loaded by Internet Explorer.
• ActiveX controls loaded by Internet Explorer.
• Programs loaded automatically during Windows XP startup.
• Programs and Dynamic Link Libraries (DLLs) loaded when an application
starts.

For the complete article see:
Microsoft downloads
http://support.microsoft.com/kb/924732

More malware by the Virut-gang

Monday, March 26th, 2007

The gang behind the file infecting virus tagged as Virut are commanding more malware to be downloaded:

(more…)

Unpacking NsPack

Sunday, March 25th, 2007

NsPack is a commercial packer sold by North Star Software. NsPack is quite a common packer used in malware, with the packing usually done with cracked and pirated versions of the software. (more…)

Unpacking PE-PACK

Sunday, March 25th, 2007

PE-PACK is a remnant from the old days. Released in 1998 by ANAKiN, it isn’t uncommon to stumble onto a variant packed with it even today. I received a spam message today that carried malware packed with PE-PACK. The malware itself went largely unrecognized by AVs. It’s a mass-mailing worm detected either as W32.Huegone or W32/Walla, and it targets Arabic or Persian computers only. It contains some cscript and whatnot, but enough on the malware itself, let’s get back to the packer. (more…)

Analyzing code injectors

Friday, March 23rd, 2007

Increasing numbers of malware are injecting code into other processes, either to stay better hidden or to hook some vital functionality. When debugging these for analysis, things get tricky because you may have to debug two different processes at once. On top of that, if you’ve ever debugged something that injects into lsass.exe or another critical process, and the code is so bad that it bluescreens your whole computer, you feel the sting of losing valuable time to a reboot and redebugging. (more…)

Blast from the past

Thursday, March 22nd, 2007

And no, I’m not talking about W32/Blaster either. I was digging through some scrap that my sensor caught when I found something that was detected as HwBot. It’s been detected since August 2005. (more…)

Allaple Removal Tool

Tuesday, March 20th, 2007

I wrote a tool to remove the Allaple worm from an infected system. It should catch all variants. The tool is available from here. For more information on W32/Allaple read this, this and this.

Enjoy :) All feedback should be sent to either /dev/null or toni(_at_)teamfurry.com

Tools of the trade

Saturday, March 17th, 2007

People ask me (and I ask them) from time to time what tools I use when analyzing malicious files. I thought I’d compile a list here, and if you guys (and gals) have other tools that are useful, send me a mail and I’ll update the post.

(more…)
