Hello World!, with a twist.

I was digging through my stash for something interesting when I spotted a small file, only 2048 bytes in size. Looking at the strings, besides a few imports like LoadLibraryA, it contained only two strings:

Hello World!
HI THERE

There were also some garbage strings that looked like they had been encrypted with XOR.

A quick look in IDA showed various strings being decrypted and then resolved into API pointers:

[Figure: HW Entrypoint]

Now, why would a Hello World! program have encrypted strings? Debugging it a bit showed it was decrypting API names like OpenProcess, WriteProcessMemory, CreateRemoteThread etc.
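The decryption the post describes is a simple single-byte XOR, so an analyst does not need to step through it in a debugger to see what the sample resolves at runtime. The script below is an added example, not code from the original post: it brute-forces every single-byte XOR key against a blob and picks the key that reveals the most known API names (the ones named in this post), then splits the result into NUL-terminated strings. The sample blob is constructed here (the real file's bytes are not on the page) and the API list is an assumption you would extend for other samples.

```python
import string

# API names this post says the sample resolves; a candidate key is scored
# by how many of these it reveals (longer names weigh more).
KNOWN_APIS = [
    b"OpenProcess", b"WriteProcessMemory", b"CreateRemoteThread",
    b"VirtualAllocEx", b"FindWindowA", b"LoadLibraryA",
]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same single-byte key."""
    return bytes(b ^ key for b in data)


def split_cstrings(data: bytes, min_len: int = 4) -> list[str]:
    """Split on NUL and keep runs of printable ASCII at least min_len long."""
    out = []
    for chunk in data.split(b"\x00"):
        if len(chunk) >= min_len and all(32 <= b < 127 for b in chunk):
            out.append(chunk.decode("ascii"))
    return out


def score_key(plain: bytes) -> int:
    """Sum of the lengths of known API names present in the candidate plaintext."""
    return sum(len(api) for api in KNOWN_APIS if api in plain)


def recover_xor_strings(blob: bytes) -> tuple[int, list[str]]:
    """Try keys 1..255 (0 would be no encryption) and return the best key
    together with the strings it reveals."""
    best_key, best_score = 0, -1
    for key in range(1, 256):
        s = score_key(xor_bytes(blob, key))
        if s > best_score:
            best_key, best_score = key, s
    return best_key, split_cstrings(xor_bytes(blob, best_key))


# Constructed sample: the API names XORed with key 0x5A, standing in for the
# encrypted blob seen in the file (the post does not reproduce its bytes).
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(
    b"OpenProcess\x00WriteProcessMemory\x00CreateRemoteThread\x00", SAMPLE_KEY
)

if __name__ == "__main__":
    key, strings = recover_xor_strings(SAMPLE_BLOB)
    print(f"key=0x{key:02x} strings={strings}")
```

If a sample uses a key that reveals none of the listed names, the score stays zero for every key and the result is meaningless; add a printable-ratio fallback or more API names before trusting the output. Note also that XOR turns the NUL separators into the key byte, which is why the "garbage" in the file had a repeated byte between the runs.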

After decrypting the strings, it calls FindWindowA with "shell_traywnd" as an argument, so basically it is looking for the explorer.exe process. Let's fire up the good ol' decoy.exe and redirect the program there:

[Figure: HW Redirected To Decoy.exe]

The ProcessId 7438h belongs to our decoy. After it opens a handle to the target process it reserves 2048 (800h) bytes of memory:

[Figure: HW Allocating Memory]

Then, stuff is written into our decoy.exe:

[Figure: HW Writing Into Decoy]

It creates a remote thread in decoy.exe and then terminates itself. The remote thread in question displays a message box containing the Hello World! string and exits. It seems the program is some kind of tutorial in process injection. It got tagged as malware for using the same techniques malware commonly does: encrypted strings and injecting code into another process.
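The sequence the post walks through (open a handle to another process, allocate in it, write into it, start a remote thread) is exactly what a detection rule over an API trace looks for, and it is the same whether the author is writing a tutorial or real malware. The script below is an added example, not code from the original post: it parses constructed API-monitor lines in a hypothetical `pid=... api=... args=... ret=...` format (the real sample's trace is not on the page), tracks each process handle returned by OpenProcess, and reports a finding only when VirtualAllocEx, WriteProcessMemory and CreateRemoteThread all hit the same handle. A process that merely opens a handle, as diagnostics tools routinely do, is not flagged.

```python
import re
from dataclasses import dataclass

# Hypothetical trace format; adapt LINE_RE to whatever your API monitor emits.
LINE_RE = re.compile(r"pid=(\d+)\s+api=(\w+)\s+args=(\S*)\s+ret=(\S*)")


@dataclass
class HandleState:
    """What has been done so far through one OpenProcess handle."""
    target_pid: int
    allocated: bool = False
    bytes_written: int = 0


@dataclass
class Finding:
    source_pid: int
    target_pid: int
    handle: str
    bytes_written: int


def parse_line(line: str):
    m = LINE_RE.search(line)
    if not m:
        return None
    pid, api, args, ret = m.groups()
    return int(pid), api, (args.split(",") if args else []), ret


def detect_remote_thread_injection(lines) -> list[Finding]:
    """Flag a pid when it allocates, writes and starts a thread via the same
    handle it obtained with OpenProcess. Handles are keyed per pid since handle
    values are only meaningful inside one process."""
    handles: dict[tuple[int, str], HandleState] = {}
    findings: list[Finding] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, api, args, ret = parsed
        if api == "OpenProcess" and args and ret not in ("", "0", "0x0"):
            handles[(pid, ret)] = HandleState(target_pid=int(args[0], 16))
        elif api == "VirtualAllocEx" and args:
            st = handles.get((pid, args[0]))
            if st:
                st.allocated = True
        elif api == "WriteProcessMemory" and len(args) >= 3:
            st = handles.get((pid, args[0]))
            if st and st.allocated:
                st.bytes_written += int(args[2], 16)
        elif api == "CreateRemoteThread" and args:
            st = handles.get((pid, args[0]))
            if st and st.bytes_written > 0:
                findings.append(Finding(pid, st.target_pid, args[0], st.bytes_written))
    return findings


# Constructed trace: the sample (pid 2208) targeting the decoy at 7438h with a
# 0x800-byte buffer, plus a benign process that only opens and reads.
SAMPLE_LOG = [
    "pid=2208 api=FindWindowA args=Shell_TrayWnd ret=0x00050a1c",
    "pid=2208 api=GetWindowThreadProcessId args=0x00050a1c ret=0x7438",
    "pid=2208 api=OpenProcess args=0x7438 ret=0x1f4",
    "pid=2208 api=VirtualAllocEx args=0x1f4,0x800,PAGE_EXECUTE_READWRITE ret=0x00d00000",
    "pid=2208 api=WriteProcessMemory args=0x1f4,0x00d00000,0x800 ret=1",
    "pid=2208 api=CreateRemoteThread args=0x1f4,0x00d00000 ret=0x1f8",
    "pid=2208 api=ExitProcess args=0 ret=",
    "pid=1000 api=OpenProcess args=0x7438 ret=0x2a0",
    "pid=1000 api=ReadProcessMemory args=0x2a0,0x00400000,0x100 ret=1",
]

if __name__ == "__main__":
    for f in detect_remote_thread_injection(SAMPLE_LOG):
        print(f"pid {f.source_pid} injected {f.bytes_written} bytes into pid "
              f"{f.target_pid:x}h via handle {f.handle} and started a thread")
```

Keying state on the (pid, handle) pair matters: handle values repeat across processes, and a rule that only counts API names per process would also fire on legitimate tools that allocate in one process and create a thread in another.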


If you want to comment on this article please send e-mail
to authors(_at_)teamfurry.com or go to the forums.
