MSBasic Virus Blog

Writtin’ ASM

Fiend — Tue, 23 Sep 2008 00:20:54 +0000

I’m showin’ you an example of ASM Text, I recomend you to download MASM32 before, MASM is a compiler for ASM and it works completly nice, Download it here. Heres, the example you’re waiting:

[--- Cut Here ---]
%OUT————————————————————————-
%OUT- Written by MSBasic         -
%OUT————————————————————————-
; To compile:   TASM examp1.asm                                             -
;               TLINK examp1.obj                                            -
;—————————————————————————-
.model small
.stack
.data
message   db “Hello world, I’m learning Assembly !!!”, “$”

.code

main   proc
   mov   ax,seg message
   mov   ds,ax

   mov   ah,09
   lea   dx,message
   int   21h

   mov   ax,4c00h
   int   21h
main   endp
end main
[--- Cut Here ---]

If you want to download the full compiled file, click here.

-MSBasicx-

Aircrack is… win32????

Fiend — Mon, 22 Sep 2008 02:05:15 +0000

Today I’ve seen the most rare thing… Well I was just downloading Aircrack for windows (Aircrack is made for Ubuntu but I just wanted to Hex it), and well… I just scanned it with my AV and see what happened!:

I don’t use to see win32 processor files in Ubuntu Applications… And I found some WIN32 scripting in other applications in the 41 file, take a look:

[--- Cut Here ---]
MESSAGE “wzcook – Win32 Release” (based on “Win32 (x86) Console Application”)
!MESSAGE “wzcook – Win32 Debug” (based on “Win32 (x86) Console Application”)
!MESSAGE

# Begin Project
# PROP AllowPerConfigDependencies 0
# PROP Scc_ProjName “”
# PROP Scc_LocalPath “”
CPP=cl.exe
RSC=rc.exe

!IF “$(CFG)” == “wzcook – Win32 Release”

# PROP BASE Use_MFC 0
# PROP BASE Use_Debug_Libraries 0
# PROP BASE Output_Dir “Release”
# PROP BASE Intermediate_Dir “Release”
# PROP BASE Target_Dir “”
# PROP Use_MFC 0
# PROP Use_Debug_Libraries 0
# PROP Output_Dir “Release”
# PROP Intermediate_Dir “Release”
# PROP Target_Dir “”
# ADD BASE CPP /nologo /W3 /GX /O2 /D “WIN32″ /D “NDEBUG” /D “_CONSOLE” /D “_MBCS” /YX /FD /c
# ADD CPP /nologo /W3 /GX /O2 /D “WIN32″ /D “NDEBUG” /D “_CONSOLE” /D “_MBCS” /YX /FD /c
# ADD BASE RSC /l 0x40c /d “NDEBUG”
# ADD RSC /l 0x40c /d “NDEBUG”
BSC32=bscmake.exe
# ADD BASE BSC32 /nologo
# ADD BSC32 /nologo
LINK32=link.exe
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386

!ELSEIF “$(CFG)” == “wzcook – Win32 Debug”

# PROP BASE Use_MFC 0
# PROP BASE Use_Debug_Libraries 1
# PROP BASE Output_Dir “Debug”
# PROP BASE Intermediate_Dir “Debug”
# PROP BASE Target_Dir “”
# PROP Use_MFC 0
# PROP Use_Debug_Libraries 1
# PROP Output_Dir “Debug”
# PROP Intermediate_Dir “Debug”
# PROP Target_Dir “”
# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D “WIN32″ /D “_DEBUG” /D “_CONSOLE” /D “_MBCS” /YX /FD /GZ /c
# ADD CPP /nologo /W3 /Gm /GX /ZI /Od /D “WIN32″ /D “_DEBUG” /D “_CONSOLE” /D “_MBCS” /YX /FD /GZ /c
# ADD BASE RSC /l 0x40c /d “_DEBUG”
# ADD RSC /l 0x40c /d “_DEBUG”
BSC32=bscmake.exe
# ADD BASE BSC32 /nologo
# ADD BSC32 /nologo
LINK32=link.exe
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept

!ENDIF

[--- Cut Here ---]
And This
[--- Cut Here ---]
Microsoft Developer Studio Workspace File, Format Version 6.00
# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

###############################################################################

Project: “wzcook”=”.\wzcook.dsp” – Package Owner=<4>

Package=<5>
{{{
}}}

Package=<4>
{{{
}}}

###############################################################################

Global:

Package=<5>
{{{
}}}

Package=<3>
{{{
}}}

###############################################################################

aircrack-2.41/win32/wzcook/wzcook.ico 0000644 0000000 0000000 00000001376 10335345460 017455 0 ustar root root 0000000 0000000 è ( @ € € € €€ € € € €€ ÀÀÀ €€€ ÿ ÿ ÿÿ ÿ ÿ ÿ ÿÿ ÿÿÿ ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿð ÿÿÿÿÿÿÿÿÿÿÿÿÿð ÿÿÿÿÿÿÿÿÿÿÿÿÿð ÿÿÿÿÿÿÿÿÿÿÿÿÿð ÿÿÿÿÿÿÿÿÿÿÿ÷ˆ ÿÿÿÿÿÿÿÿø ð x ÿÿÿÿÿÿÿ ÿð ÿp ÿÿÿÿÿð ÿð ÿÿ ÿÿÿÿÿ€ ÿÿð ÿÿp ÿÿÿÿ÷ ÿÿð ÿÿð ÿÿÿð ÿÿð ÿÿø ÿÿÿp ÿÿð ÿÿ÷ ÿÿÿ€ ÿÿð ÿÿÿ ÿÿÿ ÿÿÿð ÿÿÿ ÿÿÿ ÿÿÿð ÿÿÿ ÿÿÿ ÿÿÿð ÿÿÿ ÿÿÿ ÿÿÿð ÿÿ÷ ÿÿÿ ÿÿÿð ÿÿ÷ ÿÿÿ€ ÿÿð ÿÿø ÿÿÿp ÿÿð ÿÿð ÿÿÿð ÿÿð ÿÿ€ ÿÿÿø ÿÿð ÿ÷ ÿÿÿÿ ÿÿø ÿ€ ÿÿÿÿÿð ÿ÷ ÿÿÿÿÿÿ€ÿÿ€ ÿÿÿÿÿÿÿ÷€ÿ÷€ ˆÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ aircrack-2.41/win32/wzcook/wzcook.rc 0000644 0000000 0000000 00000003254 10335345460 017304 0 ustar root root 0000000 0000000 //Microsoft Developer Studio generated resource script.
//
#include “resource.h”

#define APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 2 resource.
//
#include “afxres.h”

/////////////////////////////////////////////////////////////////////////////
#undef APSTUDIO_READONLY_SYMBOLS

/////////////////////////////////////////////////////////////////////////////
// French (France) resources

#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_FRA)
#ifdef _WIN32
LANGUAGE LANG_FRENCH, SUBLANG_FRENCH
#pragma code_page(1252)
#endif //_WIN32

/////////////////////////////////////////////////////////////////////////////
//
// Icon
//

// Icon with lowest ID value placed first to ensure application icon
// remains consistent on all systems.
IDI_APP_ICON ICON DISCARDABLE “wzcook.ico”

#ifdef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// TEXTINCLUDE
//

1 TEXTINCLUDE DISCARDABLE
BEGIN
“resource.h”
END

2 TEXTINCLUDE DISCARDABLE
BEGIN
“#include “”afxres.h”"\r\n”
“”
END

3 TEXTINCLUDE DISCARDABLE
BEGIN
“\r\n”
“”
END

#endif // APSTUDIO_INVOKED

#endif // French (France) resources
/////////////////////////////////////////////////////////////////////////////

#ifndef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 3 resource.
//
/////////////////////////////////////////////////////////////////////////////
#endif // not APSTUDIO_INVOKED
[--- Cut Here ---]
I also found some html in the code, sorry for cutting links, It’s just that the AV companies are getting angry with me

Bored

Fiend — Sat, 20 Sep 2008 20:36:30 +0000

Well I created Error binary batch files to test on your computer… Try them and tell me whatsup with ‘em =D.

Download them here:
http://rapidshare.com/files/146940662/ISO_Libs.rar.html
Or use Mediafire (Don’t take risks with it):
http://www.mediafire.com/?44ycjqylgcq
http://www.mediafire.com/?44ycjqylgcr
ISO Dumpers:
http://www.iso-dumps.co.cc/

ISO Dumpers were fucking Mediafire links….

Video Demostration:
http://amsterdam1.plunder.com/x/162366/clip0003.avi
——————————————–

Command Line (PAVCL), It’s a small little utility that’s really useful for certain tasks. From the main window you can configure the scan, update the signature database, select what you want to scan and launch the scan. The results window shows both the progress output as well as the detection output, by either selcting Logs->All or Logs->Detections. The “View Message” option will open a resizeable and more readable window showing the output. It’s the replacer for Panda AV Command line CMD to GUI!!!

From the configuration window you can select all the options which are available through command-line switches. Also you can define where to write the report to.

Finally a short disclaimer. This freeware utility is not developed nor supported by Panda Security. Its author can be reached by email at pavclgui[at]gmail.com for suggestions and kudos.

Click on the following link to download the PAVCL GUI installer. The installer will create a directory on your desktop and copy both the PAVCL and PAVCL-GUI files. Simply run “pavcl gui.exe” from this directory.

The installer does not include a signature file (pav.sig) for size reasons. However within the PAVCL GUI utility you can enter your registered Panda CustomerID to download updated signatures on-demand.

Rogue Adware

Fiend — Fri, 19 Sep 2008 20:55:57 +0000

As you probably know, in the last months the amount of new fake / rogue antivirus applications has grown a lot. Right now I’m getting a lot of rougue anti spyware infections, and while playing with statistics I’ve found out that the Adware detected has grown from about a 22,03% in Q2 to an amazing 37,49%, and it is due to this annoying programs.

I don’t know if the current financial crisis has something to do with this, and the bad guys are realizing that banks are not quite healthy right now. Perhaps that’s why they are targetting the users in a more straight way, anyway what it’s true is that those attacks are growing exponentially.

This is one of the latest ones that has showed up in the lab:

Videos, Anyone?

Fiend — Thu, 11 Sep 2008 21:05:50 +0000

Keeping the texts short and malicious, the spam our filters caught this time use catchy headlines so absurd they could actually pique their readers’ curiosity.

Below are screenshots of spammed email messages:

The address bars and Subject fields carry sensational headlines whose details supposedly are in the attached video. The said attachment is a compressed file, which when opened contains not a video but a malicious executable file named Exclusive.Cut.avi.exe. The file uses the double extension technique commonly used by malware authors to trick users into executing a malware. Trend Micro detects the malicious file as TROJ_FAKEALER.FR.

Youtube fake site Generator

Fiend — Thu, 11 Sep 2008 01:17:00 +0000

Theese days I’ve been searching for new malware for the blacklist, I’ve been also helping AV companies to search some malware in award of some paypal accounts with $, and Wow I’m a little tired of searching and searching and… searching… I also gave McAffee some malware!, however I managed to get my own use of that software . I saw one of the most useful fake tools, “Youtube fake creator”, it creates you a youtube page real good designed! Here are some pictures, the hack tool is in spanish btw:

-MSBasicx

September MS Bulletins

Fiend — Wed, 10 Sep 2008 23:43:28 +0000

As every second Tuesday of the month, Microsoft has already published the September security bulletins.

Below you can see the description of the 4 bulletins rated as critical, as well as the links:

More info: Microsoft Security Bulletin MS08-054

More info: Microsoft Security Bulletin MS08-052

More info: Microsoft Security Bulletin MS08-053

More Info: Microsoft Security Bulletin MS08-055

Spam mail with attachments of more spam!!

Fiend — Sun, 07 Sep 2008 14:06:47 +0000

Apparently, invoice spam has recently gained popularity among spammers.

We’ve seen invoice spam runs related to UPS, FedEx, and of course, German-language Rechnung spam receipts. Now, this new invoice spam claims to come from Western Union, informing recipients that their credit card-issuing bank has halted the transaction by the demand of the “Federal Criminal Investigation Service”.

Below is a screenshot of the spam:

Recipients are instructed to contact Western Union and bring their ID card, Credit Card and invoice file. The sender (whose name is also bogus) then instructs the recipient that the invoice file is in the attached compressed file, and should be printed out.

Unfortunately, the compressed attachment does not contain an invoice, but rather a malicious executable file named MTCN08662112.EXE.

MTCN08662112.exe is detected by Trend Micro as TSPY_ZBOT.WC.

Spam emails related to this attack are now blocked by all Antiviruses.

Check what I’ve got!

Fiend — Sat, 06 Sep 2008 23:10:40 +0000

Today I was using Winsock controls and had to think in another function for the trojan… What about a Downloading File… It would download the updated file of the server by a ftp or http, the problem is that it is very hard to find a simple example of downloading file without internet window… Well here is 2 examples: One by VB6 Protocols and other functions and the Winsock: http://www.vbforums.com/showthread.php?s=&threadid=310235. If you downloaded both files and said OMG!! I understand =D. Well I’ve been reading and Googling a lot more so I found this: http://vbnet.mvps.org/code/internet/urldownloadtofilenocache.htm. Simple Protocol Url to File Download, you will understand most of code, the most code is for the GUI but the hidden downlod file code is there =D. Okay, Okay, Okay… I’m a little bad with you, heres the “Hidden” Code:

Variables & Externals

Private Declare Function URLDownloadToFile Lib "urlmon" _
   Alias "URLDownloadToFileA" _
  (ByVal pCaller As Long, _
   ByVal szURL As String, _
   ByVal szFileName As String, _
   ByVal dwReserved As Long, _
   ByVal lpfnCB As Long) As Long
Private Const ERROR_SUCCESS As Long = 0
Private Const BINDF_GETNEWESTVERSION As Long = &H10
Private Const INTERNET_FLAG_RELOAD As Long = &H80000000

Functions & Internals

Private Function DownloadFile(sSourceUrl As String, _
sLocalFile As String) As Boolean

DownloadFile = URLDownloadToFile(0&, _
                                    sSourceUrl, _
                                    sLocalFile, _
                                    BINDF_GETNEWESTVERSION, _
                                    0&) = ERROR_SUCCESS

End Function

That’s it. You’ve got the idea but Google again because this is not full info code.

-MSBasicx

A little Message…

Fiend — Sat, 06 Sep 2008 01:29:30 +0000

Well as most people heard, the new Google Chrome is on downloads, it is the BETA version and it’s time to do some fun searching for errors of it xD! Just like type “www.letscrashit.com“, the search it, then add some slashes to it, the most you can if it’s possible… then Bookmark it and go to the new tab window and click it… Oooops it seems Google crashed! Try it out, maybe the repaired ir because other AV Companies just like Mcafee tried it and off course they advised. Click Here to check the stats of Google Chrome… It’s going well for Google theese days =D! Whatever, getting out of the topic, let’s talk about the proyect of trojan, well it’s going not so well for me because I have a lot of homework and I’m getting fucked… Also I’m doing my own trojan, it’s going to be BETA so if errors come, just advise or chill for me to detect xD! Heres an image of me working on it, it’s not already done but it’s gonna be a hit on myself =D:

It’s called The Employee, I’ll tell you it’s functions from the left: Connect Client, Remote, Information, File Manager, Spying MSN, Interact with User (Send him a message in a MSN conversation, messagebox…), Keylogger, Edit Server. It’s maybe gonna make the server or maybe already made server and client modify it but it’s gonna work properly =). Oh! and I’m just gonna give you a vb6 Tutorial of how to interact with MSN:

First of all make an Standard EXE with a command button and a Textbox… Heres Code:

Private Sub command1_click()

msn.OptionsPages 0, MOPT_GENERAL_PAGE
Pause 0.5
SendKeys Text1.Text
SendKeys “{ENTER}”
End Sub

I created it myself, nottesting it now but it should work, if you try it, maybe works or not but I don’t have time to do it…

-MSBasicx