Wednesday, November 07, 2007

ProRat Trojan: A lame try to hack PCs on the fly!

Today, while I was receiving all these lame attempts (from several different forums) to hack people's computers using several well-known malwares, I decided to look inside and see what these files actually carry.
First, the file was packed with "Win32 Cabinet Self-Extractor", a simple tool that is in everyone's hands.
Using Resource Hacker, I found the RC_DATA resource that contains the executable to be extracted, and I saved it to the hard disk.
Next I launched OllyDbg, and from the first glance it seemed that this file had been packed.
Using RDG Packer Detector I found that it had been packed with the FSG v2.0 packer. Googling for an FSG unpacker, I found several ways to unpack the file, both manually and automatically; I chose the ready-made automatic unpacker.
While all this was going on I was uploading the sample to , since my internet connection was painfully slow. I continued my research: launching IDA (Interactive Disassembler), I found a few strings in the file, " [* ProRat - Trojan Horse - Coded by PRO Group - Made in Turk ". Funny, a well-known trojan, used by a lamer. Astonishing.
Meanwhile the had given me its result, which, as I figured out from the sad trip, .
The funny thing that made me wonder: the file was 451 KB packed with that FSG packer, but after unpacking it was more than 2.0 MB, and one unpacker even gave me a 7.00 MB file!
And as I noticed, and as IDA told me, the file's import table was damaged. Well, this happens when dumping a file from memory; it seems those unpackers did exactly that (launching the file and debugging it to get it unpacked in memory; I am not sure about this till now). So the file takes its large size from ImageSize in the PE header (the size the PE image occupies once aligned in virtual memory), and its import table is also corrupted, because it has already been resolved by the Win32 process loader when the image was mapped.
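To make the size difference concrete, here is an added example (not code from the original post): a tiny PE32 builder plus a header parser that compares the on-disk section layout with SizeOfImage and flags the "every section sits at its RVA" pattern of a memory dump. The section names, sizes and alignments are constructed for the illustration.

```python
"""Added example (not from the original post): compare a PE's on-disk layout
with its in-memory layout.  The sample PE below is constructed, not real."""
import struct

def _align(n, a):
    return (n + a - 1) // a * a

def build_pe(sections, dumped=False, sect_align=0x1000, file_align=0x200):
    """Minimal PE32 (headers + zero-filled sections) from (name, VirtualSize, RVA).
    dumped=True mirrors the virtual layout, as a dump taken after the Windows
    loader has mapped the image would look."""
    sect_hdrs, raw_off = b"", 0x400            # section data starts after headers
    for name, vsize, rva in sections:
        rsize = _align(vsize, sect_align if dumped else file_align)
        ptr = rva if dumped else raw_off
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, rva,
                                 rsize, ptr, 0, 0, 0, 0, 0x60000020)
        raw_off = ptr + rsize
    image_size = _align(sections[-1][2] + sections[-1][1], sect_align)
    opt = (struct.pack("<H", 0x10B) + b"\0" * 30 + struct.pack("<II", sect_align, file_align)
           + b"\0" * 16 + struct.pack("<I", image_size)).ljust(224, b"\0")  # SizeOfImage at +56
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew -> 0x40
    return (dos + b"PE\0\0" + coff + opt + sect_hdrs).ljust(raw_off, b"\0")

def pe_layout(data):
    """Parse the headers and report on-disk size versus SizeOfImage."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                              # optional header follows the COFF header
    sect_align = struct.unpack_from("<I", data, opt + 32)[0]
    image_size = struct.unpack_from("<I", data, opt + 56)[0]
    secs = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsect)]
    disk_size = max(ptr + rsize for _, _, _, rsize, ptr in secs)
    # Once mapped, each section sits at its RVA: a memory dump therefore has
    # PointerToRawData == VirtualAddress and raw sizes padded to SectionAlignment.
    dumped = all(ptr == rva and rsize % sect_align == 0 for _, _, rva, rsize, ptr in secs)
    return {"size_of_image": image_size, "disk_size": disk_size, "looks_like_memory_dump": dumped}

SECTIONS = [(".text", 0x1800, 0x1000), (".data", 0x400, 0x3000)]   # constructed layout

if __name__ == "__main__":
    for label, dumped in (("packed on disk", False), ("dumped from memory", True)):
        print(label, pe_layout(build_pe(SECTIONS, dumped=dumped)))
```

With the constructed layout the on-disk file is 0x2000 bytes while the dump grows to the full SizeOfImage of 0x4000, which is the same effect the post saw at a larger scale.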

For further reading: ProRat virus definition from Symantec

