telefisk.org / virusCollection.lzx / VirusResearch / amitomb / analysis.txt
Text File | 2012-12-13 | 5KB | 115 lines
Analysis 1:
Check out the grabs below from the GRAPHICS libraries I resourced.
Since I didn't find any encoded code I just did a hex read. Well,
I hope you all agree that when you encounter the stuff below in
GRAPHICS libraries it makes you think twice, now doesn't it? So,
from the outer look alone I could say that there is indeed
something wrong with these libs.
Analysis 2:
EXACTLY the same code as in graphics.library was ALSO found in
controls.xls, which means that my suspicion is growing bigger.
Also, display.xls is the same size as controls.xls and
graphics.library and contains EXACTLY the same code inside.
All referring to AmiTCP.
Analysis 3:
The tombraider.library is encoded. Not heavily, but enough to
become suspicious, since the decoding of the code seems a bit
more complicated than it looks at first. Or in other words:
it is suspiciously difficult, too difficult to just be a way
to protect the code. I haven't decoded it yet since I haven't
had the time to build a decoder, but I guess there would appear
something pretty weird after decoding... maybe even very
dangerous.
Graphics.xls
000008C0: 610023E6 4E5D4CDF 5C004E75 00000041 a.#æN]Lß\.Nu...A
000008D0: 4D617271 75656520 53657276 65722054 Marquee Server T
000008E0: 43502048 616E646C 65720041 4D617271 CP Handler.AMarq
000008F0: 75656520 486F7374 20544350 2048616E uee Host TCP Han
00000900: 646C6572 00414D61 72717565 6520436C dler.AMarquee Cl
00000910: 69656E74 20544350 2048616E 646C6572 ient TCP Handler
00000920: 00000000 48E70032 26482449 9DCE200A ....Hç.2&H$I.Î .
00002940: 0010202F 0014222F 00187000 265F4E75 .. /.."/..p.&_Nu
00002950: 62736473 6F636B65 742E6C69 62726172 bsdsocket.librar
00002960: 79006273 64736F63 6B65742E 6C696272 y.bsdsocket.libr
00002970: 61727900 62736473 6F636B65 742E6C69 ary.bsdsocket.li
00002980: 62726172 7900256C 69206279 74657320 brary.%li bytes
00002990: 6C65616B 65642E00 206F0004 226F0008 leaked.. o.."o..
000029A0: 202F000C 2F09B3C8 67666300 007AD1C0 /../..Ègfc..zÑÀ
000029B0: D3C03208 E289655E 3209E289 6558B0BC ÓÀ2.â.e^2.â.eX..
Graphics.library
00000030: 00040000 001E802E 09000000 001E0000 ................
00000040: 002C0000 004C6978 6E65742E 6C696272 .,...Lixnet.libr
00000050: 61727900 69786E65 74203436 2E31205B ary.ixnet 46.1 [
00000060: 36383030 305D2028 33302E33 2E393729 68000] (30.3.97)
00000AB0: FF22241F 2C5F4E75 2F416D69 5443502F ÿ"$.,_Nu/AmiTCP/
00000AC0: 64622F6E 6574776F 726B7300 48E73002 db/networks.Hç0.
00000D10: 00084EAE FF04241F 2C5F4E75 2F416D69 ..N.ÿ.$.,_Nu/Ami
00000D20: 5443502F 64622F70 726F746F 636F6C73 TCP/db/protocols
00001480: 20414EAE FF10241F 2C5F4E75 2F416D69 AN.ÿ.$.,_Nu/Ami
00001490: 5443502F 64622F73 65727669 63657300 TCP/db/services.
000014A0: 48E73002 242F0010 20790000 00202068 Hç0.$/.. y... h
000017C0: 00002768 4CDF4C04 4E754E6F 20616464 ..'hLßL.NuNo add
000017D0: 72657373 20617373 6F636961 74656420 ress associated
000017E0: 77697468 206E616D 6500556E 6B6E6F77 with name.Unknow
000017F0: 6E207365 72766572 20657272 6F720048 n server error.H
00001800: 6F737420 6E616D65 206C6F6F 6B757020 ost name lookup
00001810: 6661696C 75726500 556E6B6E 6F776E20 failure.Unknown
00001820: 686F7374 00457272 6F722030 003A2000 host.Error 0.: .
00001830: 556E6B6E 6F776E20 6572726F 72000A00 Unknown error...
00001D70: 2E0A426F 7468206C 69627261 72696573 ..Both libraries
00001D80: 2073686F 756C6420 68617665 20746865 should have the
00001D90: 2073616D 65207665 7273696F 6E2C2074 same version, t
00001DA0: 68657265 666F7265 2069786E 65742E6C herefore ixnet.l
00001DB0: 69627261 72790A77 6F6E2774 20626520 ibrary.won't be
00001DC0: 75736564 2E006273 64736F63 6B65742E used..bsdsocket.
00001DD0: 6C696272 61727900 416D6954 43503A6C library.AmiTCP:l
00001DE0: 6962732F 75736572 67726F75 702E6C69 ibs/usergroup.li
00001DF0: 62726172 7900736F 636B6574 2E6C6962 brary.socket.lib
00001E00: 72617279 0000DEFC FFA448E7 383A2C79 rary..Þüÿ.Hç8:,y
Conclusion:
At first glance I would say that this is at least very suspicious,
especially since some data libraries are exactly the same while
their names suggest they contain something completely different,
i.e. graphics instead of tcp stuff, or joystick and keyboard code
instead of... tcp stack usage...
After decoding of the tombraider library there will probably be
more to say about this archive, but I think it is just a fat nasty
trojan.
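As an added illustration (not part of the original analysis), here is a small Python triage script that mechanises the three checks this note makes by hand: grouping byte-identical files that sit under different names, pulling the library's own embedded name out of the binary, and flagging AmiTCP/bsdsocket references in files whose names claim to be graphics data. The sample file bytes are constructed for the example; only the indicator strings come from the dumps above.

```python
import hashlib
import re

# Strings the hex dumps above expose: an AmiTCP stack, not graphics code.
NET_INDICATORS = (b"bsdsocket.library", b"AmiTCP", b"ixnet.library", b"TCP Handler")
# Amiga libraries/drivers embed their own name as a NUL-terminated string
# (at 0x4C of Graphics.library above: "ixnet.library\0ixnet 46.1 ...").
DECLARED_NAME = re.compile(rb"([A-Za-z0-9_]+\.(?:library|device|class|svdriver))\x00")

# Constructed sample files (hypothetical bytes); three are byte-identical.
_FAKE_IXNET = (b"\x00\x00\x03\xf3" + b"\x00" * 12
               + b"ixnet.library\x00ixnet 46.1 [68000] (30.3.97)\x00"
               + b"/AmiTCP/db/networks\x00bsdsocket.library\x00")
SAMPLE_FILES = {
    "graphic.library": _FAKE_IXNET,
    "controls.xls": _FAKE_IXNET,
    "display.xls": _FAKE_IXNET,
    "AGA.driver": b"\x00\x00\x03\xf3ECS.svdriver\x00blitter setup\x00",
}

def declared_name(data):
    """First embedded library/driver name in the file, or None."""
    m = DECLARED_NAME.search(data)
    return m.group(1).decode("ascii") if m else None

def net_indicators(data):
    """Network-stack strings present in the file."""
    return [s.decode("ascii") for s in NET_INDICATORS if s in data]

def find_duplicates(files):
    """Group byte-identical files by SHA-256, keeping groups of two or more."""
    groups = {}
    for name, data in files.items():
        groups.setdefault(hashlib.sha256(data).hexdigest(), []).append(name)
    return {h: sorted(n) for h, n in groups.items() if len(n) > 1}

def triage(files):
    """Flag files whose embedded name or contents disagree with the file name."""
    report = {}
    for name, data in files.items():
        declared, net = declared_name(data), net_indicators(data)
        mismatch = declared is not None and declared.lower() != name.lower()
        report[name] = {"declared": declared, "net": net,
                        "suspicious": mismatch or bool(net)}
    return report

if __name__ == "__main__":
    for name, r in triage(SAMPLE_FILES).items():
        print(f"{name:16} declared={r['declared']} net={r['net']} flag={r['suspicious']}")
    for digest, names in find_duplicates(SAMPLE_FILES).items():
        print("byte-identical:", ", ".join(names), digest[:16])
```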
3rd analysis:
Well, after trying to find how I could get a decent recog for
this monster thing, I could not find anything that would activate
the tcp libraries, so I can't really say that the amitombraider
program is the real trojan; the tombraider.library is in fact a
renamed bullet.library. Here is what I found after I thought I
should check the rest (file name, size, date, time, protection
bits, and the library it actually is):
graphic.library 17.152 13-Aug-97 7:38:42p ----rwed ixnet.library
display.xls 17.152 13-Aug-97 7:38:42p ----rwed ixnet.library
controls.xls 17.152 13-Aug-97 7:38:42p ----rwed ixnet.library
cyber.driver 6.324 15-Nov-97 2:23:02a ----rwed ECS.svdriver
AGA.driver 6.324 15-Nov-97 2:23:00a ----rwed ECS.svdriver
colorfix.xls 18.964 12-Jan-96 3:34:34p ----rwed destracker.library
TombRaider.library 28.960 02-Sep-92 11:51:32a ----rwed bullet.library
sound.xls 6.476 25-Aug-97 6:58:26p ----rwed arexx.class
Graphic.xls 15.268 11-Aug-97 11:46:16p ----rwed amarquee.library
The "virus" programmer must be one hell of a stupid ass...