FUD Malware!!

[SYP Battlecommander]

I had some years ago a very good friend, who was into coding programms. First we made useful tools together. Then we had one year no contact to each other. Now I've asked some friends of me about him, they said they stopped their relationship and their contact to him because he started to code malware and he doesn't want to stop this. I know his email and I want report you about his FUD malware. One of his malware I have in attachement. Because it is new, no scanner can analyze it as malware, please scan this file deeper!

I knew his email but I don't know who I shall report it, the police?? ^^

 

ATTENTION: I RECOMMEND YOU NOT TO DOWNLOAD OR TO RUN THIS FILE, BECAUSE THIS IS MALWARE AND CAN CAUSE SERIOUS PROBLEMS TO YOUR COMPUTER, ALSO DON'T VISIT THE WEBSITE, I RECOMMEND YOU TO BLOCK THE WEBSITE USING YOUR HOST FILE!!

 

I have analyzed his malware a bit further and found out that is a Stealer ... moreover the program loads malware from his FTP server:

ftp://ftp.w4rknight.kilu.de

Network.zip

[zoro]

VirusTotal Report

 

The Network.zip file report from VirusTotal:

http://www.virustotal.com/analisis/de56dea5b5912245c31c75969be1f5c46232293d6344a1a47c75d8ba06403478-1248118764

[SYP Battlecommander]

The Network.zip file report from VirusTotal:

http://www.virustotal.com/analisis/d...478-1248118764

 

It is new malware, no scanner can actually identify the file as malware, because it's unknown malware (FUD Malware).

[enoskype]

Hosts file

 

Another one to be added to Hosts file then. :-P

 

127.0.0.1 ftp.w4rknight.kilu.de

 

Cheers.

[Tesk]

It is a steal stealer:

00004434h: 4B 3A 5C 53 48 43 2D 54 6F 6F 6C 73 20 57 4E 20 ; K:\SHC-Tools WN

00004444h: 32 30 30 39 5C 53 74 65 61 6D 20 53 74 65 61 6C ; 2009\Steam Steal

00004454h: 65 72 5C 53 74 65 61 6D 20 53 74 65 61 6C 65 72 ; er\Steam Stealer

00004464h: 20 56 42 5C 4E 65 74 77 6F 72 6B 5C 4E 65 74 77 ; VB\Network\Netw

00004474h: 6F 72 6B 31 5C 6F 62 6A 5C 44 65 62 75 67 5C 4E ; ork1\obj\Debug\N

00004484h: 65 74 77 6F 72 6B 31 2E 70 64 62 00 ; etwork1.pdb.

 

Who is SHC? Maybe a Google search should be done ;)

[Tesk]

And the full password for his server is:

Username: w4rknight@1

Password: lolman12

 

Just if anyone needs to now. But the server is empty, looks like we were out to late.

[SYP Battlecommander]

I have reported yesterday the file also to Avira Labs.

Here the result:

 

http://analysis.avira.com/samples/details.php?uniqueid=KbYUGTzJMvvIdbC9VJWvUCsp3SVYRjLQ&incidentid=342302

 

its in German, they analyzed the file and added it to their database as "TR/Agent.dic".

 

Thanks Tesk for showing your analyze.

 

But the server is empty, looks like we were out to late.

 

I think he wanted to delete his tracks as far he knew I got one of his malware programs and deleted every file in his server. I heard this is one of his old stealers and he has better one's on his computer, if I get the new one's I'll report them too.

 

// Update: I know why the server is empty. I told he Kilu people yesterday to delete his kilu account as far as possible and today I got the message they have done so, but yesterday morning there were files on his webspace.

[Tesk]

Allright, good that they have deleted his account then, I wrote to another guys which also closes these German dump sites if he was able to close it, but he havn't responded yet.

[SYP Battlecommander]

What German websites you wanna to close?

 

I've nearly passed me when I searched in Google for FUD Malware ... I found this forum: "http://www.hackforums.net/" .... sry but ***! They are teaching people to hack and it seems to be legal!!

[Tesk]

That is not the only one, I can name alot of these where people distributes keyloggers, Backdoors and so from. I just can't go through them all everyday.