This trojan blocker prevents all software execution. The fake warning message pretends that your computer has been blocked because you broke German law. Victims are asked to pay a 250 euro fine to unlock the machine.

I named this variant 'BRD-Trojaner' because no BKA (Federal Criminal Police Office) or Bundespolizei (German Federal Police) logo is used.

Screenshot: [Register or log in to view the URL]


Download:
[Register or log in to view the URL]
PW: evild3ad.com

2

(3 replies, posted in Virus eXchange)

I found an older memory sample (exemplar14):
[Register or log in to view the URL]

...and actual samples:
[Register or log in to view the URL]

3

(3 replies, posted in Virus eXchange)

I'm looking for an actual 'Sinowal' memory sample. Thx in advance!

4

(2 replies, posted in Virus eXchange)

My Mediafire Pro account had expired... try again!

#0zapftis
#Staatstrojaner
#Bundestrojaner
#German State Backdoor

[Register or log in to view the URL]
PW: evild3ad.com

6

(0 replies, posted in Tools and downloads)

evtlogs.py: plugin to parse Evt logs from XP/2K3
registryapi.py: plugin for routine registry actions
getservicesids.py: plugin to collect and calculate service SIDs (used with the new getsids and evtlogs)
timeliner.py: the timeline creating script that pulls everything together


[Register or log in to view the URL]

7

(2 replies, posted in Virus eXchange)

Here's a memory sample of SpyEye for analyzing in Volatility. Have fun!

[Register or log in to view the URL]
PW: infected

[228.5 MB]

'Patcher' is a trojan that steals passwords and other sensitive information. The trojan can send the information to a remote machine. The trojan contains a backdoor. It can be controlled remotely.

[Register or log in to view the URL]
PW: infected


In order to be executed on every system start, the trojan sets the following Registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Userinit" = "%existingstring%,%path%\appconf32.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"Userinit" = "%path%\appconf32.exe"

I've found this version of the "Fake Federal German Police trojan" on an infected computer in April 2011. Check it out!

[Register or log in to view the URL]
PW: infected
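A defender-side check for the two persistence entries quoted above (the Winlogon "Userinit" value and the "Userinit" value under the HKCU Run key), added here as an example that is not part of the original posts. It runs over a constructed registry snapshot (a plain dict) rather than a live host; the rule that a legitimate Userinit entry ends in \system32\userinit.exe and the benign OneDrive entry are my assumptions.

```python
# Added example, not from the forum posts: audit the two persistence locations the
# post describes. Input is a constructed snapshot (dict of key -> {value: data}).
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Assumption: the only legitimate Userinit entry is the system32 userinit.exe binary.
LEGIT_USERINIT_SUFFIX = r"\system32\userinit.exe"

# Constructed snapshot modelled on the entries quoted in the post; %path% is the
# malware's install directory placeholder exactly as the post writes it. The
# OneDrive Run entry is a constructed benign value to show what is NOT flagged.
SNAPSHOT = {
    WINLOGON: {
        "Userinit": r"C:\Windows\system32\userinit.exe,%path%\appconf32.exe",
    },
    RUN: {
        "Userinit": r"%path%\appconf32.exe",
        "OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    },
}


def split_userinit(value):
    """Split the comma-separated Userinit data into normalised, non-empty entries.

    Windows itself writes a trailing comma ("...userinit.exe,"), so empty
    fragments are dropped rather than treated as findings."""
    return [e.strip().strip('"').lower() for e in value.split(",") if e.strip()]


def check_winlogon_userinit(snapshot):
    """Return every Winlogon Userinit entry that is not the legitimate userinit.exe."""
    value = snapshot.get(WINLOGON, {}).get("Userinit", "")
    return [e for e in split_userinit(value) if not e.endswith(LEGIT_USERINIT_SUFFIX)]


def check_run_key(snapshot):
    """Return (name, command) Run entries that mimic the Winlogon 'Userinit' name
    or launch appconf32.exe, the file name the post reports."""
    findings = []
    for name, cmd in snapshot.get(RUN, {}).items():
        if name.lower() == "userinit" or "appconf32.exe" in cmd.lower():
            findings.append((name, cmd))
    return findings


def audit(snapshot):
    """Combine both checks into one list of human-readable findings."""
    out = [f"Winlogon Userinit has extra entry: {e}" for e in check_winlogon_userinit(snapshot)]
    out += [f"HKCU Run entry {n!r} -> {c}" for n, c in check_run_key(snapshot)]
    return out


if __name__ == "__main__":
    for line in audit(SNAPSHOT):
        print(line)
```

On a real host the same functions can be fed the output of `reg query` or `winreg` reads; only the snapshot construction changes.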