Re: MSN Messenger Password Decrypter for WinXP/2003
- To: <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: Re: MSN Messenger Password Decrypter for WinXP/2003
- From: "frank boldewin" <frank.boldewin@xxxxxx>
- Date: Wed, 18 Jan 2006 00:08:13 +0100
The MSN-Password-Recovery.exe is a normal Nullsoft installer.
After installing the software there's one PE file called:
MSN Password Recovery.exe
which is UPX-packed. After unpacking with upx -d
I threw it into IDA and had a short look for suspicious code snippets.
Funny is this one:
.text:004021AF call ebp ; SendDlgItemMessageA
.text:004021B1 push offset OutputString ; "Greetings to all reversers who reverse" ...
.text:004021B6 call OutputDebugStringA
.text:00401260 OutputString db 'Greetings to all reversers who reverse this program - it',27h
.text:00401260 db 's easier to make another program rather than brake ours!',0Ah
Basically it enumerates the creds and if it finds one, the tool looks e.g. at:
key ps:password and its values,
then decrypts with CryptUnprotectData() and shows you the password for the
cred if you're a registered customer. ;)
But I really can't find malicious stuff in there, nor phone-home stuff.
with regards,
On 13 Jan 2006 00:51:37 -0000, kukukuku.com <kukukuku.com> wrote:
Doesn't work anymore in 7.5. This tool works though:
File: MSN-Password-Recovery.exe
MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or
runtime packers were found, this is suspicious. Normally programs
aren't packed and don't force the sandbox into lengthy emulation. Do
realize no scanner issued any warning, the file can very well be
harmless. Caution is advised, however.) (Note: this file has been
scanned before. Therefore, this file's scan results will not be stored
in the database)
MD5 2784bee6f9bd768fb67dd5cb028345ad
Packers detected: UPX
The link on that site to the Skype recovery tool domain leads to an
unrelated ad for a website building software package.
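The sequence Frank describes above (enumerate the user's stored credentials, then run CryptUnprotectData on the blob) is nothing the tool needs a licence key for; any process in the same logon session can do it. The following PowerShell script is an added example written for this page, not code from the mail or from the recovery tool. It P/Invokes CredEnumerate from advapi32 and calls ProtectedData.Unprotect, the .NET wrapper around CryptUnprotectData. Assumptions not stated in the post: that the blob is a DPAPI blob carrying a UTF-16 string, and that "ps:password" is a substring of the credential's TargetName (the post does not say where that key lives, so the script enumerates everything and only filters on a caller-supplied pattern).

```powershell
# Added example for this page; not the tool's code. Windows PowerShell 5.1.
# Lists the caller's Credential Manager entries via CredEnumerateW and tries
# CryptUnprotectData (ProtectedData.Unprotect) on each blob. No admin needed:
# DPAPI and the credential store hand data to whoever owns the logon session.
Add-Type -AssemblyName System.Security   # provides ProtectedData
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class CredApi
{
    // CREDENTIALW layout from wincred.h
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct CREDENTIAL
    {
        public uint   Flags;
        public uint   Type;                 // 1 = CRED_TYPE_GENERIC
        public string TargetName;
        public string Comment;
        public System.Runtime.InteropServices.ComTypes.FILETIME LastWritten;
        public uint   CredentialBlobSize;
        public IntPtr CredentialBlob;
        public uint   Persist;
        public uint   AttributeCount;
        public IntPtr Attributes;
        public string TargetAlias;
        public string UserName;
    }

    [DllImport("advapi32.dll", EntryPoint = "CredEnumerateW",
               CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool CredEnumerate(string filter, uint flags,
                                            out uint count, out IntPtr credentials);

    [DllImport("advapi32.dll")]
    public static extern void CredFree(IntPtr buffer);
}
'@

function Get-StoredCredential {
    # Filter is a TargetName prefix plus '*'; '*' alone returns every entry.
    param([string]$Filter = '*')
    $count = [uint32]0
    $list  = [IntPtr]::Zero
    if (-not [CredApi]::CredEnumerate($Filter, 0, [ref]$count, [ref]$list)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($err -eq 1168) { return }        # ERROR_NOT_FOUND: nothing stored
        throw "CredEnumerate failed, Win32 error $err"
    }
    try {
        for ($i = 0; $i -lt $count; $i++) {
            # credentials is an array of PCREDENTIAL: read pointer i, then the struct
            $p = [Runtime.InteropServices.Marshal]::ReadIntPtr($list, $i * [IntPtr]::Size)
            $c = [Runtime.InteropServices.Marshal]::PtrToStructure($p, [CredApi+CREDENTIAL])
            $blob = New-Object byte[] ([int]$c.CredentialBlobSize)
            if ($blob.Length -gt 0) {
                [Runtime.InteropServices.Marshal]::Copy($c.CredentialBlob, $blob, 0, $blob.Length)
            }
            [pscustomobject]@{ Target = $c.TargetName; User = $c.UserName; Type = $c.Type; Blob = $blob }
        }
    } finally {
        [CredApi]::CredFree($list)           # one CredFree releases the whole array
    }
}

function Unprotect-CredentialBlob {
    param([byte[]]$Blob)
    if ($Blob.Length -eq 0) { return $null }
    try {
        # Equivalent of CryptUnprotectData(&in, NULL, NULL, NULL, NULL, 0, &out)
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $Blob, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        return [Text.Encoding]::Unicode.GetString($plain)   # assumption: UTF-16 payload
    } catch [System.Security.Cryptography.CryptographicException] {
        # Not a DPAPI blob for this user. CredEnumerate already returned the
        # blob in the clear, so show it as stored (still assuming UTF-16).
        return [Text.Encoding]::Unicode.GetString($Blob)
    }
}

# Usage: the '*ps:password*' pattern is an assumption about the target name;
# drop the Where-Object to see every entry the store holds for this user.
Get-StoredCredential |
    Where-Object { $_.Target -like '*ps:password*' } |
    ForEach-Object {
        [pscustomobject]@{
            Target   = $_.Target
            User     = $_.User
            Password = Unprotect-CredentialBlob $_.Blob
        }
    } | Format-Table -AutoSize
```

Two practical notes. CredEnumerate only returns entries belonging to the calling logon session, and ProtectedData.Unprotect with CurrentUser scope only decrypts blobs protected under that user's DPAPI master key, so running this as another account yields nothing; that is the whole protection model, and it is also why a "password recovery" tool running as the victim needs no exploit at all. And the CryptographicException fallback matters: many generic credentials are written through CredWrite without an extra DPAPI layer, in which case the blob CredEnumerate returns is already the secret.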