#1
Hi everyone!

I just found the trojan mentioned in the subject residing on my hard drive. Decompiling it resulted in a file called "wincfgid.exe", which I tried to disassemble. Unfortunately the file seems to be scrambled or packed with some tool I don't know. I would appreciate any help in finding out how to deal with this!

TIA, Bergheim
#2
Hello,

I checked it out; it appears to be packed with UPX. It is not unpackable through upx (command-line switch -d), however, because a scrambler has been used. So we will need to manually unpack this. For UPX this is quite a simple process, just get ProcDump and HIEW (google it).

For the general process, I'd say look for a tutorial on manually unpacking it. First one I found was http://66.102.9.104/search?q=cache:9oxGVjB...&hl=en&ie=UTF-8 but there might well be better ones out there. Have a look for yourself. Manually unpacking is done a lot, and UPX is a common packer, so it shouldn't be hard to find a good essay about it.

Make sure you don't mess things up and accidentally run the trojan.exe... Like I did. *cough*

laters, KW
__________________
"It's people like this that make you realize how little you've accomplished. It is a sobering thought, for instance, that when Mozart was my age, he had been dead for two years." - Tom Lehrer
#3
Ooops :-)

Thanks for your reply and the link to the tutorial! What happened when you accidentally ran the trojan?

Thanks again, Bergheim
#4
Only minor problems, nothing I couldn't fix (as far as I know, of course).

But still, it gave me quite a scare ;-) What happened, by the way, was that I placed an infinite loop (EBFE) at the wrong location, one that never got executed. So execution proceeded as normal.. http://its.mine.nu/misc_crap/not_good.png shows what I saw then. Afterwards I did some cleaning etc, so I should be ok now anyway.

KW
#5
I'm glad nothing serious happened to your machine :-)

I worked through the unpacking tutorial you talked about and found an OEP of 1040, the 61E9, but I'm still struggling with the EBFE trick (even though I understand what it does). Furthermore, SoftIce won't run under my XP Pro, for whatever reason... But there's a whole Sunday to come ;-)

Thanks for your help! Bergheim
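The three technical points raised so far (post #2: packed with UPX but a scrambler defeats `upx -d`; post #4: an EBFE written at the wrong place is simply never executed; post #5: the OEP is found but the EBFE trick still does not bite) share one root cause that a static look at the PE layout makes visible. The script below is an added example, not code from this thread, from UPX or from any tool named here. It builds a constructed PE32 skeleton laid out like a UPX-packed file (section names, a virtual-only first section, entry point in the stub section, and a `UPX!` marker that the "scrambled" variant overwrites) and then shows two checks: layout-based UPX indicators that still fire when the marker is gone, and an RVA-to-file-offset mapping that returns `None` for the OEP, because UPX0 has no bytes on disk and is only filled by the decompression stub at run time. That is why an `EB FE` patched into the file at the OEP never reaches memory and has to be applied in the live process instead. Section characteristic constants are the documented PE values; the sample addresses (OEP 0x1040, stub entry 0x7E00) are constructed and not taken from the thread's file.

```python
"""Static triage of a UPX-style PE32 layout: section names, the 'UPX!' marker a
scrambler removes, and whether a given RVA (the OEP, say) exists on disk at all.
Added example with a constructed sample image: not the thread's file, not UPX's code."""
import struct

IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000020, 0x00000080
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(pe: bytes) -> dict:
    """Minimal PE32 reader: entry-point RVA and the section table (no pefile needed)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt = coff + 20
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HDR, pe, opt + opt_size + i * 40)
        sections.append({"name": f[0].rstrip(b"\0").decode("latin-1"), "vsize": f[1],
                         "va": f[2], "raw_size": f[3], "raw_ptr": f[4], "chars": f[9]})
    return {"entry_rva": entry_rva, "sections": sections}


def section_for_rva(sections: list, rva: int):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None


def rva_to_file_offset(sections: list, rva: int):
    """File offset of an RVA, or None when those bytes do not exist on disk. UPX0,
    where the OEP lands, is virtual-only and filled by the stub at run time, so an
    EB FE written into the file at the OEP never reaches memory."""
    s = section_for_rva(sections, rva)
    if s is None or rva - s["va"] >= s["raw_size"]:
        return None
    return s["raw_ptr"] + (rva - s["va"])


def upx_indicators(pe: bytes) -> dict:
    """Layout-based UPX indicators; all but the marker survive a scrambled header."""
    info = parse_pe(pe)
    secs, names = info["sections"], [s["name"] for s in info["sections"]]
    exec_secs = [s for s in secs if s["chars"] & IMAGE_SCN_MEM_EXECUTE]
    entry_sec = section_for_rva(secs, info["entry_rva"])
    return {
        "upx_section_names": "UPX0" in names and "UPX1" in names,
        "upx_marker": b"UPX!" in pe,
        "first_section_virtual_only": bool(secs) and secs[0]["raw_size"] == 0 < secs[0]["vsize"],
        "entry_in_last_exec_section": bool(entry_sec and exec_secs and entry_sec["va"] == exec_secs[-1]["va"]),
    }


def eb_fe_patch_plan(pe: bytes, rva: int) -> dict:
    """Can an EB FE (jmp $) for this RVA be written into the file, or only into the
    live process after the stub has unpacked the section?"""
    info = parse_pe(pe)
    sec = section_for_rva(info["sections"], rva)
    off = rva_to_file_offset(info["sections"], rva)
    return {"section": sec["name"] if sec else None,
            "executable": bool(sec and sec["chars"] & IMAGE_SCN_MEM_EXECUTE),
            "in_file": off is not None, "file_offset": off}


def build_sample(scrambled: bool = False) -> bytes:
    """Constructed PE32 skeleton laid out like a UPX-packed file (headers only, no code)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew
    sections = [  # name, vsize, va, raw_size, raw_ptr, characteristics
        (b"UPX0", 0x5000, 0x1000, 0x0000, 0x400, IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
        (b"UPX1", 0x2000, 0x6000, 0x2000, 0x400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
        (b".rsrc", 0x1000, 0x8000, 0x0200, 0x2400, 0x40000040),
    ]
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x7E00)    # entry point: the decompression stub, inside UPX1
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    for name, vsize, va, raw_size, raw_ptr, chars in sections:
        hdr += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
    hdr += b"XXXX" if scrambled else b"UPX!"  # the marker a scrambler typically overwrites
    hdr += bytes(0x400 - len(hdr))
    return hdr + bytes(0x2000) + bytes(0x200)  # UPX1 raw data at 0x400, .rsrc at 0x2400


if __name__ == "__main__":
    for label, image in (("pristine", build_sample()), ("scrambled", build_sample(True))):
        print(label, upx_indicators(image))
    print("EB FE at OEP 0x1040:", eb_fe_patch_plan(build_sample(), 0x1040))
```

Run as a script it prints the indicator dictionaries for both variants and the patch plan for the constructed OEP; the scrambled variant loses only the `upx_marker` flag, which is the same blind spot `upx -d` has, while the patch plan reports `in_file: False` for the OEP. The practical consequence for the thread's procedure is to set the loop at the stub's final jump into UPX0 (which does exist on disk) or at the OEP in memory under a debugger, and then dump the process.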
#6
Poor kw, wounded in the line of duty.

Aren't these the best moderators?
#7
The link appears to be broken.

I'd actually like to have a look at it myself and wouldn't mind if you could aid me in obtaining a copy. Thanks.
#8
I no longer have the file, maybe the original poster does?

-kw