[Dshield] Guru Help Please.

R Shady RShady at stny.rr.com
Sun Aug 24 18:40:27 GMT 2003


What OS? Specifically what are you asking?  You want to continue
debugging befc?  Or do you want to annihilate it?  I can't help
you with the debugging aspect.

Chris Ream wrote:

> Hi All,
> 
> I'm not quite sure what to do with something I'm working on, so I thought
> I would put it out to the group to see if you bright folks can help me.
> 
> Using filemon I discovered that an application calling itself BEFC.EXE
> is running out of my startup folder. It seems to be a keystroke logger
> because it's writing temp files when I do things like send email, write
> to notepad etc...
> 
> I am proficient in assembly and wish to disassemble it and see exactly
> what it's doing; however, it's packed with UPX. I tried decompressing it
> with the latest version of UPX, but it gives me a checksum error and won't
> decompress the file. The weird thing is that it obviously decompresses
> itself when it runs.
> 
> I am thinking the virus writer intentionally modified the checksum
> so it would be harder to un-UPX and disassemble. This thing is scary;
> it's making calls to winsock.
> 
> Has anyone dealt with this type of situation before? If so, help me out
> here.
> 
> Thanks
> 
> Chris.
> 
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
> 
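The "checksum error" Chris describes is what you get when the stored UPX pack header no longer matches its contents, which is a cheap and common way to keep `upx -d` from unpacking a sample while leaving the in-memory self-decompression intact. The script below, written as an added example for this thread (it is neither UPX code nor anything posted here), locates UPX's trailing PackHeader in a file, recomputes its one-byte header checksum, and can rewrite that byte so that `upx -d` can be retried. It assumes the 32-byte generic PackHeader layout and the checksum rule (sum of the bytes after the `UPX!` magic, modulo 251) as I recall them from UPX's packhead.cpp, and the format code 9 (Win32 PE) and method code 2 used in the constructed sample are likewise assumptions; the sample file is constructed inline, not a real binary. If the failing check is instead the Adler-32 over the compressed data, or the magic itself was changed, this will not help, and the usual route is to let the program unpack itself, break on the jump to the original entry point, and dump the process from memory.

```python
"""Locate a UPX PackHeader, verify its header checksum, and optionally repair it.

Added example for this thread; not UPX's own code.  Assumed layout of the
generic 32-byte PackHeader (UPX version byte >= 10, used for Win32 PE):

  0  'UPX!'            16  u_len        (LE32)
  4  version           20  c_len        (LE32)
  5  format            24  u_file_size  (LE32)
  6  method            28  filter
  7  level             29  filter_cto
  8  u_adler (LE32)    30  n_mru
 12  c_adler (LE32)    31  header checksum = sum(bytes[4:31]) % 251
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

MAGIC = b"UPX!"
HDR_LEN = 32                      # DOS COM/EXE headers are shorter; not handled here
HDR_FMT = "<4sBBBBIIIIIBBBB"      # magic, 4 bytes, 5 LE32 words, 4 bytes = 32 bytes
UPX_F_WIN32_PE = 9                # assumed format code (UPX conf.h, from memory)
M_NRV2B_LE32 = 2                  # assumed method code (UPX conf.h, from memory)


def packheader_checksum(hdr: bytes) -> int:
    """UPX's header checksum: bytes after the magic, excluding the checksum byte, mod 251."""
    return sum(hdr[4:HDR_LEN - 1]) % 251


@dataclass
class PackHeader:
    offset: int
    version: int
    format: int
    method: int
    level: int
    u_adler: int
    c_adler: int
    u_len: int
    c_len: int
    u_file_size: int
    stored_checksum: int
    computed_checksum: int

    @property
    def ok(self) -> bool:
        return self.stored_checksum == self.computed_checksum


def parse_pack_header(data: bytes, offset: int) -> Optional[PackHeader]:
    """Parse a candidate header at `offset`; None if it cannot be a v10+ PackHeader."""
    hdr = data[offset:offset + HDR_LEN]
    if len(hdr) < HDR_LEN or hdr[:4] != MAGIC:
        return None
    (_, version, fmt, method, level, u_adler, c_adler, u_len, c_len,
     u_file_size, _filter, _cto, _n_mru, stored) = struct.unpack(HDR_FMT, hdr)
    if version < 10:              # older layouts have no trailing checksum byte
        return None
    return PackHeader(offset, version, fmt, method, level, u_adler, c_adler,
                      u_len, c_len, u_file_size, stored, packheader_checksum(hdr))


def find_pack_headers(data: bytes) -> List[PackHeader]:
    """Every 'UPX!' occurrence that parses as a PackHeader (the l_info magic near the
    start of the packed section is usually rejected by the version/checksum test)."""
    found, pos = [], data.find(MAGIC)
    while pos != -1:
        ph = parse_pack_header(data, pos)
        if ph is not None:
            found.append(ph)
        pos = data.find(MAGIC, pos + 1)
    return found


def repair_pack_header(data: bytes, offset: int) -> bytes:
    """Return a copy of `data` with the header checksum byte at `offset` recomputed."""
    hdr = bytearray(data[offset:offset + HDR_LEN])
    hdr[HDR_LEN - 1] = packheader_checksum(bytes(hdr))
    return data[:offset] + bytes(hdr) + data[offset + HDR_LEN:]


def make_sample(corrupt: bool) -> bytes:
    """Constructed stand-in for a packed PE: junk, a PackHeader, junk.  Not a real binary."""
    hdr = bytearray(struct.pack(HDR_FMT, MAGIC, 13, UPX_F_WIN32_PE, M_NRV2B_LE32, 8,
                                0x11223344, 0x55667788, 0x9000, 0x4A00, 0xA000,
                                0x26, 0x00, 0x00, 0))
    hdr[-1] = packheader_checksum(bytes(hdr))
    if corrupt:
        hdr[-1] ^= 0xFF           # what a packer-tampering author does to break upx -d
    return b"MZ" + b"\x00" * 62 + b"\x90" * 100 + bytes(hdr) + b"\x00" * 16


if __name__ == "__main__":
    sample = make_sample(corrupt=True)
    for ph in find_pack_headers(sample):
        print(f"PackHeader @ {ph.offset:#x}: version={ph.version} format={ph.format} "
              f"method={ph.method} u_len={ph.u_len:#x} c_len={ph.c_len:#x} "
              f"checksum stored={ph.stored_checksum} computed={ph.computed_checksum} "
              f"{'OK' if ph.ok else 'MISMATCH'}")
        if not ph.ok:
            fixed = repair_pack_header(sample, ph.offset)
            print("repaired:", find_pack_headers(fixed)[0].ok)
```

On a real file, write the repaired bytes out under a new name and run `upx -d` on the copy; if it still refuses, the damage is elsewhere (data checksums or the loader stub) and the memory-dump approach is the one to take.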