[Dshield] Guru Help Please.

Chris Ream chrisr at stopthemcold.com
Sun Aug 24 18:10:50 GMT 2003


Hi All,

I'm not quite sure what to do with something I'm working on so I thought
I would put it out to the group to see if you bright folks can help me. 

Using Filemon I discovered that an application calling itself BEFC.EXE
is running out of my startup folder. It seems to be a keystroke logger
because it's writing temp files when I do things like send email, write
to Notepad, etc.

I am proficient in assembly and wish to disassemble it and see exactly
what it's doing; however, it's packed with UPX. I tried decompressing it
with the latest version of UPX but it gives me a checksum error and won't
decompress the file. The weird thing is that it obviously decompresses
itself when it runs.

I am thinking that the virus writer intentionally modified the checksum
so it would be harder to un-UPX and disassemble. This thing is scary:
it's making calls to winsock.

Has anyone dealt with this type of situation before? If so, help me out
here.

Thanks 

Chris.
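An added example, not part of Chris's post and not code from the UPX project: the static triage I would run on a sample like this before reaching for a debugger. It parses the PE32 section table, scores each section's entropy, finds which section holds the entry point, and scans for the markers that "upx -d" depends on. The point it illustrates is the one raised in the post: the decompression stub inside the file never reads UPX's own pack header, so wiping or altering that header (the "UPX!" magic and the checksummed fields behind it) breaks "upx -d" without changing how the program runs. The sample PE it analyses is constructed in build_sample_pe() and is not BEFC.EXE; placing the "UPX!" magic at 0x1E8 in the header slack is an assumption made for the sample, which is why the script scans the whole file for it rather than reading a fixed offset.

```python
import math
import random
import re
import struct
import sys
from collections import Counter

# Added example: static triage of a suspected UPX-packed PE32 (not code from the
# original post or from UPX). Offsets follow the public PE/COFF layout; the sample
# built by build_sample_pe() is constructed here and is not BEFC.EXE.

UPX_MARKERS = (b"UPX!", b"$Info: This file is packed with the UPX")
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ~7.8 or more means compressed/encrypted."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def analyze_pe(data: bytes) -> dict:
    """Parse a PE32 file and report what matters for a packed sample."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    (nsections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                        # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)    # AddressOfEntryPoint

    sections = []
    for i in range(nsections):                             # 40-byte IMAGE_SECTION_HEADER each
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "entropy": round(entropy(data[rawptr:rawptr + rawsize]), 2),
                         "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE)})
    entry_section = next((s["name"] for s in sections
                          if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    markers = {m.decode(): [h.start() for h in re.finditer(re.escape(m), data)] for m in UPX_MARKERS}
    # UPX layout: an empty first section that only reserves the unpacking target,
    # then a high-entropy section holding the compressed image plus the stub, which
    # is where the entry point lands. Section names are a weaker signal (trivially renamed).
    upx_layout = (len(sections) >= 2 and sections[0]["rawsize"] == 0
                  and sections[1]["entropy"] > 7.0 and entry_section == sections[1]["name"])
    return {"entry_rva": entry_rva, "entry_section": entry_section, "sections": sections,
            "markers": markers,
            "looks_upx_packed": upx_layout or any(s["name"].startswith("UPX") for s in sections),
            # "upx -d" needs the "UPX!" pack header; the in-file stub does not, so the
            # program keeps running after that header is wiped or its checksum altered.
            "magic_intact": bool(markers["UPX!"])}


def _section_header(name, vsize, vaddr, rawsize, rawptr, flags):
    return struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                       rawsize, rawptr, 0, 0, 0, 0, flags)


def build_sample_pe(strip_magic: bool = False) -> bytes:
    """Constructed, non-runnable PE32 laid out like a UPX-packed file (test input)."""
    rng = random.Random(2003)
    packed = bytes(rng.getrandbits(8) for _ in range(0x400))       # stands in for UPX1
    rsrc = (b"\0" * 0x1F0 + b"BEFC").ljust(0x200, b"\0")           # low-entropy .rsrc
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)
    opt = (struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x113F0)).ljust(0xE0, b"\0")
    sect = (_section_header(b"UPX0", 0x10000, 0x1000, 0, 0, 0xE0000080)
            + _section_header(b"UPX1", 0x4000, 0x11000, len(packed), 0x200, 0xE0000040)
            + _section_header(b".rsrc", 0x1000, 0x15000, len(rsrc), 0x600, 0xC0000040))
    header = (dos + coff + opt + sect).ljust(0x200, b"\0")
    if not strip_magic:
        # Real UPX keeps its pack header in the header slack; putting just the
        # "UPX!" magic at 0x1E8 is an assumption made for this sample.
        header = header[:0x1E8] + b"UPX!" + header[0x1EC:]
    return header + packed + rsrc


if __name__ == "__main__":
    # Pass a path to triage a real file; with no argument the constructed sample is used.
    report = analyze_pe(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe())
    for s in report["sections"]:
        print(f"{s['name']:8} rva={s['vaddr']:#08x} raw={s['rawsize']:#07x} entropy={s['entropy']}")
    print({k: v for k, v in report.items() if k != "sections"})
```

Run it with a file path to triage a real sample. If the "UPX!" magic is found but upx still reports a checksum error, the pack header bytes after the magic have been altered; the report then at least tells you which section the stub jumps into, which is where to set a breakpoint and dump the process from once it has unpacked itself in memory.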




