Monday 31 October 2011

Win32/Dorkbot.gen!A "Xylitol is powerful"

I was surprised today when i've see these strings on a malware.

Strings come from the crypter used, a basic one.. and basic enought for mislead most of AV products (4/40) according to VirusTotal ~

The crypter just map in memory the decrypted PE, no extra stuff when the stub has finish to work it just close without killing the child process

get the dynamic adress where is stored the decrypted copy:

Launch NgrBot:


ngrBot selling:

The NgrBot sample was downloaded from

Happy halloween (:

Image ©2011 by Reit taken from Deviantart

No comments:

Post a Comment