Tuesday, May 5, 2009

W01f Labs @ work

I have just finished the behaviour analysis of a malware sample (collected). Below is the summary of my findings -

Filename: ~.exe
MD5: 3A03A20BFEFE3FDD01659D47D2ED76C8
Virus Found: W32/Sality (McAfee)

On the VirusTotal website, 36 out of 40 AV engines detected it - Link

The registry value -
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Owner\Desktop\~.exe: "C:\Documents and Settings\Owner\Desktop\~.exe:*:Enabled:ipsec" was added, which adds the malware path to the Windows Firewall authorized-applications list (so its traffic is allowed) and names the entry "ipsec" to look like a legitimate Windows component.

The malware also tries to connect to "peskostruikaz.com" and "shopatforgetmenot.com" to download further malicious payloads.

For more details of my findings, visit W01f Labs.

Do feel free to submit any malware or suspicious file to me. I will share the findings on my blog.

To submit a malware sample,
1> Please put the file in a password-protected zip with the password "werew01f"
2> Email me at "hack.werew01f[at]gmail[dot]com" with the subject "Malware Sample"
