Die Schatzjäger wrote:

Many thanks for the binary!

The binary itself seems to be packed with UPX, but simply unpacking it does not seem to work; maybe it checks for an attached debugger?

But I created a Procmon log, and with it I could verify that the virus replaces 'C:\windows\explorer.exe' and 'C:\windows\system32\dllcache\explorer.exe' with itself. The computer can be booted in Safe Mode with Command Prompt (plain Windows Safe Mode loads explorer.exe and therefore fails), and you can start c:\windows\system32\restore\rstrui.exe to recover explorer.exe.

Looking a little closer at the Procmon file reveals that the virus saves explorer.exe.
It is simply copied to 'C:\windows\twexx32.dll'.
After creating twexx32.dll, its timestamp is changed to '14.04.2008 13:00:00'.

I think it's all clear from the attached screenshot.
The second file is the Procmon log.

I haven't analyzed the log file to the end, if someone wants to do so ...
It also seems that the virus is known as 'Trojan:Win32/Ransom.FL', see here:

Thomas


Nice Share Friends...
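As an added defensive example (not code from the poster or this forum), here is a Python triage script that checks the three indicators Thomas reported: a UPX-packed explorer.exe, the dllcache copy, and a twexx32.dll backdated to 14.04.2008 13:00:00. It builds constructed sample directory layouts instead of touching a real system; the UPX section-name heuristic and the stand-in file bytes are assumptions.

```python
import hashlib
import os
import tempfile
from datetime import datetime
from pathlib import Path

# Timestamp the poster saw stamped on the saved copy (14.04.2008 13:00:00, local time).
TWEXX_STAMP = datetime(2008, 4, 14, 13, 0, 0)

def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def looks_upx_packed(path: Path) -> bool:
    """Assumed heuristic: a PE whose header region carries UPX section names."""
    head = path.read_bytes()[:4096]
    return head.startswith(b"MZ") and (b"UPX0" in head or b"UPX1" in head)

def triage(windir: Path) -> dict:
    """Check the indicators from the Procmon findings under a Windows directory."""
    explorer = windir / "explorer.exe"
    cached = windir / "system32" / "dllcache" / "explorer.exe"
    saved = windir / "twexx32.dll"
    f = {"explorer_upx": False, "dllcache_mismatch": False,
         "twexx32_present": saved.exists(), "twexx32_stamp_matches": False}
    if explorer.exists():
        f["explorer_upx"] = looks_upx_packed(explorer)
        if cached.exists():  # the post says this copy is overwritten too, so a match proves nothing
            f["dllcache_mismatch"] = sha256(explorer) != sha256(cached)
    if saved.exists():
        f["twexx32_stamp_matches"] = datetime.fromtimestamp(saved.stat().st_mtime) == TWEXX_STAMP
    f["suspicious"] = f["explorer_upx"] or f["twexx32_present"]
    return f

def build_sample(root: Path, infected: bool) -> Path:
    """Constructed sample layout (stand-in bytes, not real binaries) so the check runs offline."""
    windir = root / "windows"
    (windir / "system32" / "dllcache").mkdir(parents=True)
    clean = b"MZ" + b"\x00" * 100 + b"PE\x00\x00.text"      # stand-in for the original explorer.exe
    packed = b"MZ" + b"\x00" * 100 + b"PE\x00\x00UPX0UPX1"   # stand-in for the UPX-packed dropper
    (windir / "system32" / "dllcache" / "explorer.exe").write_bytes(packed if infected else clean)
    (windir / "explorer.exe").write_bytes(packed if infected else clean)
    if infected:
        saved = windir / "twexx32.dll"
        saved.write_bytes(clean)                              # the virus parks the original here...
        os.utime(saved, (TWEXX_STAMP.timestamp(),) * 2)       # ...and backdates it
    return windir

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return {"clean": triage(build_sample(Path(tmp) / "c", False)),
                "infected": triage(build_sample(Path(tmp) / "i", True))}
```

Because both explorer.exe copies are overwritten, the dllcache comparison comes back clean on an infected layout; the packed explorer.exe and the backdated twexx32.dll are the indicators that actually fire.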

orly149 wrote:

I have a question (I searched the forum for an answer before, but I haven't found it). Does this collection contain all the viruses collected in the forum plus those from vx.netlux.org, or "only" the viruses on vx.netlux.org (the primary site)?

Thanks.


Well I guess...All...

qqq wrote:

It would be nice if the original names or extensions of the files were kept.
For example -> Trojan.Win32.KillWin.tdj_Sys32.dll


Very well said...Quite reasonable...

4

(9 replies, posted in Virus talks)

kaspian.orion wrote:

hey NExTliFE...,

Thanks for the reply...

#1. I'd like to study it. I want to learn from the best.
#2. I'm not a cop big_smile (I'm not even a USA guy, I'm from Sri Lanka).
#3. I'd prefer either client or server (server most likely).

Same reason for me... Kindly provide it to me as well...

5

(9 replies, posted in Virus talks)

I also need the file, but I don't understand karma. Please help.

I am uploading BSA + Sandboxie. I need help with this as well. I am a new researcher, and I am learning things every day.

6

(16 replies, posted in Virus eXchange)

contact me at saumya.shetty.2010@gmail.com