To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
PinkFreud,

I definitely see the need for a good repair utility in the community. I come across quite a few munged samples every month. Let me know if there is anything I can do to help (samples, etc).

Robert

Robert Danford
SAT Senior Engineer
StillSecure

PinkFreud wrote:
> I've been attempting to write a UPX repair utility to repair some of
> the more common UPX munges I've come across, including renamed sections
> and replaced UPX! header. If you'd like, I can take a look at the
> executable, though if it's a checksum error, it may require more work
> (Gadi mentioned tracing to locate the entry point - it may require
> that).
>
>
> On Wed, Mar 15, 2006 at 06:41:57PM +0000, Tron babbled thus:
>
>> I have a file, rp5.exe, snared by my running instance of nepenthes,
>> which is quite obviously compressed via UPX...
>>
>> upx -l rp5.exe
>>                        Ultimate Packer for eXecutables
>>   Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006
>> UPX 1.94 beta    Markus Oberhumer, Laszlo Molnar & John Reiser   Mar 11th 2006
>>
>>         File size         Ratio      Format      Name
>>    --------------------   ------   -----------   -----------
>>     152064 ->     61952   40.74%    win32/pe     rp5.exe
>>
>> ... but which I can't decompress...
>>
>> upx: rp5.exe: Exception: checksum error.
>>
>> Which is obviously why Norman sandbox stated, for this particular binary...
>>
>> nepenthes-9291587b85191b06bbf80d4ea1fb142e-rp5.exe : Not detected by
>> sandbox (Signature: NO_VIRUS).
>>
>> Presumably, this means that whoever compressed this binary used an
>> altered version of upx?
>>
>> See Norman Sandbox reference 20060315-665 for the full (and unhelpful)
>> report.
>>
>> Regards.
>>
>>
>
>
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
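The two "munges" PinkFreud names (renamed sections and a replaced UPX! header) are the kind of thing a sandbox pipeline should flag before handing a sample to `upx -d`. The following triage script is an added example written for this thread; it is not PinkFreud's repair utility nor anything from the UPX project. It walks the PE section table and looks for the "UPX!" marker, then reports which indicators are present or missing. The helper `build_pe` and the section-name list `UPX_SECTION_NAMES` are assumptions of the example: `build_pe` only constructs minimal PE-shaped byte strings for testing, and the presence test for the four-byte marker is a heuristic (a file can carry that string for other reasons). A checksum error like Tron's, where the marker and section names are intact, is not diagnosed here; only UPX's own decompressor can verify the embedded checksums.

```python
import struct
import sys

# Section names stock UPX writes into a win32/pe target (assumption of this example).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MAGIC = b"UPX!"


def build_pe(section_names, include_magic=True):
    """Construct a minimal PE-shaped byte string for testing.

    Constructed sample: MZ stub, PE signature, COFF header, an empty PE32
    optional header, one 40-byte section header per name, and a 32-byte
    trailer that optionally starts with the UPX! marker. Not a runnable binary.
    """
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew -> PE header
    size_opt = 0xE0                                       # PE32 optional header size
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x010F)
    opt = b"\x0b\x01" + b"\0" * (size_opt - 2)            # magic 0x10B = PE32
    sections = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    trailer = (UPX_MAGIC if include_magic else b"\0" * 4) + b"\0" * 28
    return bytes(dos) + b"PE\0\0" + coff + opt + sections + trailer


def parse_sections(data):
    """Return the section names from a PE image, in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff_off = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff_off + 2)
    (size_opt,) = struct.unpack_from("<H", data, coff_off + 16)
    table = coff_off + 20 + size_opt                      # section table follows optional header
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40:table + i * 40 + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.split(b"\0", 1)[0])
    return names


def triage_upx(data):
    """Heuristic UPX triage: which indicators survive, and what that suggests."""
    names = parse_sections(data)
    has_magic = UPX_MAGIC in data                         # heuristic: marker anywhere in file
    upx_named = [n for n in names if n in UPX_SECTION_NAMES]
    if upx_named and has_magic:
        verdict = "stock UPX layout; if upx -d still fails, suspect a tampered packheader/checksum"
    elif has_magic:
        verdict = "UPX! marker present but UPX0/UPX1 sections renamed"
    elif upx_named:
        verdict = "UPX-named sections but no UPX! marker: header likely overwritten"
    else:
        verdict = "no UPX indicators"
    return {"sections": names, "upx_magic": has_magic, "upx_sections": upx_named, "verdict": verdict}


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            sample = fh.read()
    else:
        # No path given: demonstrate on a constructed sample with renamed sections.
        sample = build_pe([b".text", b".data", b".rsrc"], include_magic=True)
    for key, value in triage_upx(sample).items():
        print(f"{key}: {value}")
```

Run it as `python triage_upx.py sample.exe`; with no argument it triages a constructed sample. The script never rewrites the file: the point is to decide up front whether a sample is worth a repair attempt, and to record which indicator was stripped, which is useful evidence in its own right when the same munge shows up across a botnet's drops.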
