The MSN-Password-Recovery.exe is a normal Nullsoft installer.
After installing the software there is one PE file called "MSN Password Recovery.exe", which is UPX packed. After unpacking with upx -d I threw it into IDA and had a short look for suspicious code snippets. Funny is this one:

    .text:004021AF call ebp ; SendDlgItemMessageA
    .text:004021B1 push offset OutputString ; "Greetings to all reversers who reverse" ...
    .text:004021B6 call OutputDebugStringA
    .text:00401260 OutputString db 'Greetings to all reversers who reverse this program - it',27h
    .text:00401260 db 's easier to make another program rather than brake ours!',0Ah

;)
Basically it enums the creds and, if it finds one, the tool looks e.g. at: [EMAIL PROTECTED] key ps:password and its values, then decrypts with CryptUnprotectData() and shows you the password to the cred if you're a registered customer. ;)
But I really can't find malicious stuff in there, nor phone-home stuff.
With regards, Frank
On 13 Jan 2006 00:51:37 -0000, kukukuku.com <kukukuku.com> wrote:
Doesn't work anymore in 7.5. This tool works though: http://www.msn-password-recovery.com
File: MSN-Password-Recovery.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 2784bee6f9bd768fb67dd5cb028345ad
Packers detected: UPX
The link on that site to the Skype recovery tool domain leads to a completely unrelated ad for a website building software package
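As an added example, not code from this thread or from the tool's author: a small Python triage script for the packer check that both the sandbox verdict ("Packers detected: UPX") and Frank's first step rely on. It walks a PE's section table, flags the UPX0/UPX1 section names the UPX stub leaves behind and computes per-section entropy; the sample PE it builds is constructed in-line and is not the real MSN-Password-Recovery.exe.

```python
import math
import struct
from collections import Counter

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # section names the stock UPX stub leaves behind

def parse_sections(data):
    """Walk the PE section table and return (name, raw_offset, raw_size) for each section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header (20 bytes): NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections, size_opt = struct.unpack_from("<xxH12xH", data, pe_off + 4)
    sec_table = pe_off + 24 + size_opt  # section headers start right after the optional header
    sections = []
    for i in range(num_sections):
        entry = sec_table + 40 * i  # IMAGE_SECTION_HEADER: Name(8) ... SizeOfRawData@16 PointerToRawData@20
        raw_size, raw_off = struct.unpack_from("<II", data, entry + 16)
        sections.append((data[entry:entry + 8].rstrip(b"\0"), raw_off, raw_size))
    return sections

def shannon_entropy(blob):
    """Bits per byte; near 8.0 means compressed or encrypted content, typical of a packed section."""
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values()) if n else 0.0

def triage(data):
    """Per-section report with the two cues behind a 'Packers detected: UPX' verdict."""
    return [{"name": name.decode("latin-1"), "upx_name": name in UPX_SECTION_NAMES,
             "entropy": round(shannon_entropy(data[off:off + size]), 3)}
            for name, off, size in parse_sections(data)]

def build_sample_pe():
    """Constructed minimal PE32 with UPX0/UPX1 sections; NOT the real MSN-Password-Recovery.exe."""
    payload = bytes(range(256)) * 16  # every byte value equally often -> entropy exactly 8.0
    sec_table = 0x40 + 24 + 224  # PE header placed at 0x40; a PE32 optional header is 224 bytes
    raw_off = (sec_table + 2 * 40 + 0x1FF) & ~0x1FF  # raw data on a 512-byte file alignment
    img = bytearray(raw_off + len(payload))
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)  # e_lfanew
    struct.pack_into("<HH", img, 0x44, 0x14C, 2)  # Machine=i386, NumberOfSections=2
    struct.pack_into("<H", img, 0x44 + 16, 224)  # SizeOfOptionalHeader
    # UPX0 is virtual-only (the unpacked image lands there); UPX1 carries the compressed bytes
    headers = [(b"UPX0", 0x10000, 0x1000, 0, 0), (b"UPX1", 0x2000, 0x11000, len(payload), raw_off)]
    for i, hdr in enumerate(headers):
        struct.pack_into("<8sIIII", img, sec_table + 40 * i, *hdr)
    img[raw_off:] = payload
    return bytes(img)
```

On a real sample, read the file bytes and pass them to triage(); a section named UPX1 with entropy close to 8.0 is the same cue the sandbox reported, and upx -d then gives you the image to load into IDA.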
