Government Security
Network Security Resources

Win 32 Death

11 replies to this topic

#1 xCaLL Me Joshx

xCaLL Me Joshx

    Private

  • Members
  • 3 posts

Posted 11 June 2007 - 08:27 PM

One day I was browsing my computer and I saw a file with no name; it was just a folder, so I clicked it and it just disappeared, then my screen went black. It came back and my desktop, toolbar, and Control + Alt + Delete were disabled. Then in big letters it said, "You've Been infected with WIN 32 DEATH." Then it started to count down from 20 to 0. Then my computer started beeping instantly and my computer shut off. It disabled my AV and firewall. I have no idea how that file got on my desktop; I don't accept any files on MSN, AIM, Yahoo or ICQ. Then I turned on my computer and it wouldn't turn back on. I even took my computer to get it fixed, but they said there was nothing they could do about it.
So I told my friend on my new computer about the virus, and he found it, and it's labeled as an undetectable virus that deletes your Win32 file and permanently crashes your computer. Here it is. (DO NOT OPEN IT WHATEVER YOU DO.)

http://www.mediafire.com/?4newryj27dy

#2 TRIBAL-PHoENiX

TRIBAL-PHoENiX

    Specialist

  • Members
  • 102 posts

Posted 12 June 2007 - 09:08 AM

I dunno, sounds too unrealistic; gonna come home and test it out

#3 cyph34r

cyph34r

    Specialist

  • Members
  • 141 posts

Posted 12 June 2007 - 09:30 AM

/me is also skeptical

That site keeps saying no dl servers are available, can you host it elsewhere?

#4 TRIBAL-PHoENiX

TRIBAL-PHoENiX

    Specialist

  • Members
  • 102 posts

Posted 12 June 2007 - 09:52 AM

Come to think of it, I'd give 5% that it's true, judging by the part that the PC won't turn on, since Windows prevents apps from causing hardware damage. On the other hand, who knows, maybe some device was overloaded, causing a short circuit to the board.

#5 cyph34r

cyph34r

    Specialist

  • Members
  • 141 posts

Posted 12 June 2007 - 09:58 AM

I think it's the virus they were talking about here:

hxxp://carcino.gen.nz/images/image.phpi/63ed627e/computer_bomb.jpg?cb=1115204527

#6 zorin-

zorin-

    Sergeant First Class

  • Sergeant Major
  • 541 posts

Posted 12 June 2007 - 10:04 AM

Sounds cool, well not cool to be infected but the destruction that you described, it's not as common these days, what does ruining a computer achieve? Nothing, if it was a Trojan then I would understand but ruining things for the sake of it is not good. For the ones that are skeptical, it could be true, it could be a copy of HDK (hard drive killer) with a simple VB application with a timer before executing the file. The beeping is simple to do, can do that with less than 10 lines of code in C. I'm not sure about it crashing the whole computer, replacing your hard drive should be enough, it seems like it was some kids messing around, oh and don't click folders in future thinking they are just folders, could easily use regedit or something to change the icon of the executable file. I cannot download the file from that page, is it possible to upload a copy here? Be sure to include a warning with it.

#7 Guest_RandomCode_*

Guest_RandomCode_*
  • Guests

Posted 14 June 2007 - 11:17 AM

Opening and testing that one :)

#8 Guest_RandomCode_*

Guest_RandomCode_*
  • Guests

Posted 14 June 2007 - 11:39 AM

Process 1: MD5=0b7765f68a2772865a52afed6b43c9d5
notification sum: 253, notifications relevant: 253, notifications discarded: 0
typManagement (1 notifications)
typCOM (1 notifications)
typDLLHandling (30 notifications)
typFileSystem (23 notifications)
typINIFile (2 notifications)
typMutex (6 notifications)
typRegistry (35 notifications)
typProcess (3 notifications)
typSystemInfo (31 notifications)
typWindow (119 notifications)
typWinSock (2 notifications)

Process 2: MD5=0b7765f68a2772865a52afed6b43c9d5
(Duplication of the original exe into: c:\windows\config\csrss.exe <-- trojan)
notification sum: 1137, notifications relevant: 1135, notifications discarded: 2
typManagement (1 notifications)
typCOM (2 notifications)
typDLLHandling (30 notifications)
typFileSystem (10 notifications)
typMutex (6 notifications)
typRegistry (32 notifications)
typSystemInfo (1018 notifications)
typWinSock (36 notifications)


Registry:

Set Value of Key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
to: subkey or value "Shell" data="Explorer.exe C:\WINDOWS\Config\csrss.exe"
-------------------------------------------------------------------------------------------
create process commandline="C:\WINDOWS\Config\csrss.exe" targetpid="828" showwindow="SW_SHOWMINIMIZED" apifunction="CreateProcessW"
-------------------------------------------------------------------------------------------



Threads:

Query:
ddosa.no-ip.info

Connections:
Binds to 75.62.135.72 using socket: 1296
IP: 75.62.135.72 Port: TCP_3071

Interesting:
[API] #2.1078: 01:50.422: PID:828,TID:3044,Addr:$76F80000("rasadhlp.dll"),BEFORE typFileSystem.actCreateFile("NtCreateFile") [srcfile: "\Device\RasAcd" dstfile: "" DesiredAccess: "FILE_ANY_ACCESS,FILE_READ_ACCESS,FILE_READ_DATA,FILE_LIST_DIRECTORY,FILE_WRITE_ACCESS,FILE_WRITE_DATA,FILE_ADD_FILE" creationDistribution: "OPEN_ALWAYS" dwFlagsAndAttributes: "FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS"FileInformationClass: "FileBasicInformation"] => resContinue

Seems that a vb exe can make some damages :P
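
The sandbox output in post #8 shows two things a defender can check for: a Winlogon "Shell" value that launches more than Explorer.exe, and a csrss.exe sitting in C:\WINDOWS\Config instead of System32. The following is an added example, not part of the original thread, that flags both; the function names, the list of system process names and a default %SystemRoot% of C:\Windows are assumptions made for this example.

```python
import ntpath
import re

# Assumption: default %SystemRoot%; these system binaries live only in System32.
SYSTEM_DIR = r"c:\windows\system32"
SYSTEM_NAMES = {"csrss.exe", "lsass.exe", "services.exe", "smss.exe", "winlogon.exe"}
DEFAULT_SHELL = "explorer.exe"

# Shell value as reported in the sandbox output quoted in the thread.
SAMPLE_SHELL = r"Explorer.exe C:\WINDOWS\Config\csrss.exe"


def is_masquerading(path):
    """True if a full path reuses a system process name outside System32."""
    directory, name = ntpath.split(path.strip('"').lower())
    if not directory:  # bare file name: location unknown, cannot judge
        return False
    return name in SYSTEM_NAMES and ntpath.normpath(directory) != SYSTEM_DIR


def audit_winlogon_shell(value):
    """Return a list of findings for a Winlogon 'Shell' value.

    An empty list means the value is the stock 'explorer.exe'.
    Limitation: unquoted paths containing spaces are split into several tokens.
    """
    findings = []
    if value.strip().lower() == DEFAULT_SHELL:
        return findings
    # Entries are separated by whitespace or commas; quoted paths stay whole.
    for token in re.findall(r'"[^"]+"|[^\s,]+', value):
        exe = token.strip('"')
        if exe.lower() == DEFAULT_SHELL:
            continue
        findings.append(f"extra shell entry: {exe}")
        if is_masquerading(exe):
            findings.append(f"system process name outside System32: {exe}")
    return findings


if __name__ == "__main__":
    for finding in audit_winlogon_shell(SAMPLE_SHELL):
        print(finding)
```

On a live Windows host the value to feed in is the "Shell" entry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, the key named in the report.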

#9 Guest_RandomCode_*

Guest_RandomCode_*
  • Guests

Posted 14 June 2007 - 11:49 AM

I think it's the virus they were talking about here:

hxxp://carcino.gen.nz/images/image.phpi/63ed627e/computer_bomb.jpg?cb=1115204527


Haha at that title... Those are not hackers! They are skiddies (script kiddies).
Real hackers don't need VB exes nor use phishing to fool people around so they can exec a crap VB6 exe like this one.

The news is soooooo... unreal sometimes.

#10 BilDos

BilDos

    Private First Class

  • Members
  • 66 posts

Posted 06 July 2007 - 03:02 PM

It's: Trojan-Downloader.Win32.Agent.bl (kaspersky)

#11 radiotoday

radiotoday

    Private

  • Members
  • 1 posts

Posted 25 October 2011 - 07:37 AM

Please upload the link again.....................

#12 illwill

illwill

    Specialist

  • Sergeant Major
  • 570 posts

Posted 29 October 2011 - 07:38 AM

Please upload the link again.....................


the post is 4 yrs old ...




