What does this virus actually do?

Discussion in 'malware problems & news' started by malwaretesting, May 17, 2008.

Thread Status:
Not open for further replies.
  1. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    I've had a small look at it. First of all, what you are "analyzing" is the INSTALLER itself. It's a VB6 Installer. So you won't see any "malicious" action there. HOWEVER. This Setup contains 2 (!) files besides the main installer executable. One of them ( at the end of the file; it's the UPX packed file ) *IS* malicious.

    I didn't testrun it here, because you can just easily strip the files by searching for "MZ" (that's where the executable starts), copy that part into a new file and rinse and repeat for the 2nd executable out of this just created new file. In this way you don't have to start the installer and risk getting infected.

    I attached a small part of the 2nd file (the malicious one) as a screenshot from the hexeditor and I think everyone without any knowledge about malware will see that there's something wrong with this file. It's a typical AGENT with TCP/IP UDP Port Access. ( Port 65535 ) That's by the way the last valid port number on a system.
     

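A carver for the "search for MZ, copy from there to a new file" method described above, as an added example that is not part of the thread. It validates each MZ hit through e_lfanew (a bare "MZ" inside a string is not a header), carves up to the next valid header as the post suggests, and also reports the size the section table declares, so appended data shows up as overlay. The installer blob is constructed inline and is not the file discussed in the thread.

```python
import struct

def pe_header_valid(buf, off):
    """True if an MZ at off has an e_lfanew that points at a 'PE\\0\\0' signature."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return False
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    return e_lfanew >= 0x40 and pe + 4 <= len(buf) and buf[pe:pe + 4] == b"PE\0\0"

def pe_declared_size(buf, off):
    """On-disk size implied by the section table (end of the last raw section), or None."""
    try:
        pe = off + struct.unpack_from("<I", buf, off + 0x3C)[0]
        nsect, = struct.unpack_from("<H", buf, pe + 6)       # NumberOfSections
        opt_size, = struct.unpack_from("<H", buf, pe + 20)   # SizeOfOptionalHeader
        sect = pe + 24 + opt_size                             # first section header
        end = sect + 40 * nsect - off                         # at least the headers
        for i in range(nsect):
            raw_size, raw_ptr = struct.unpack_from("<II", buf, sect + 40 * i + 16)
            end = max(end, raw_ptr + raw_size)                # raw pointers are file-relative
        return end
    except struct.error:
        return None

def carve_pe(buf):
    """Return (offset, declared_size, data) per embedded PE; data runs to the next
    valid MZ header, so trailing overlay stays with the file it follows."""
    offsets, pos = [], buf.find(b"MZ")
    while pos != -1:
        if pe_header_valid(buf, pos):
            offsets.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    ends = offsets[1:] + [len(buf)]
    return [(o, pe_declared_size(buf, o), buf[o:e]) for o, e in zip(offsets, ends)]

def build_fake_pe(payload):
    """Constructed, non-loadable PE-shaped blob: MZ stub, PE signature, COFF header
    with one section whose raw data starts at 0x80, then the payload."""
    mz = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = b".text\0\0\0" + struct.pack("<IIII", len(payload), 0x1000, len(payload), 0x80)
    hdr = mz + coff + sect
    return hdr + b"\0" * (0x80 - len(hdr)) + payload

# Constructed "installer": a stub with a stray MZ in its overlay, plus two dropped files.
SAMPLE = (build_fake_pe(b"VB6 SETUP STUB") + b"\0\0MZ text, not a header\0\0"
          + build_fake_pe(b"clean helper") + build_fake_pe(b"UPX!agent"))

if __name__ == "__main__":
    for off, size, data in carve_pe(SAMPLE):
        print(f"PE at 0x{off:x}: carved {len(data)} bytes, declared {size}, overlay {len(data) - size}")
```

On a real installer, write each `data` piece to its own file and hash it before submitting to a scanner; the overlay count tells you whether the last carve picked up appended data rather than a clean executable.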
  2. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    Thank you for looking at it. I re-infected my system and looked for any activity on port 65535 using my sniffer. I found none. I found no indication of any unusual networking at all. I re-started my system after the infection and found no indication that mspeupx.exe was even making any attempt to start. ProcessGuard didn't detect it starting. My antivirus didn't catch it.

    I have to say I'm totally confounded by this thing. Either it's doing nothing, I'm an idiot, or it's super stealthy. Take your pick.

    And I may have jumped the gun on that virus in the link. It seems they did something to it (added 4 KB to the size of the original) that rendered it incapable of running. I tried to run the EXE and it just gave me an error message. My antivirus still detected it, but it doesn't do anything. So, should I repost the link?
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    No, let's be careful with that since we don't know for sure what they did. If they merely added extra data on the end of the file, it would be possible to remove it, much the way Inspector Clouseau extracted the one executable out of it, and make it work again.

    With such services it is probably best to just summarize the findings rather than linking to the results page.
     
  4. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    There is no question if the upx packed file is malware or not. You can just believe me when I tell you that. The disassembler screenshot attached here alone makes it malware (because it tries to exclude itself from Firewall access without user permission).
     

  5. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    How do you know all this stuff? It really is amazing how smart or gifted some are in this field. I am in awe, IC.:thumb:
     
  6. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    That is simple and trivial crap. Really easy
     
  7. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    @trjam

    That is why under his nickname there's a little tag that says "AV Expert", and the rest of us mortals are just "posters" :D :D :D :D

    But I love the opportunity we have to learn here at wilders!
     
  8. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    I hope this doesn't sound like I'm being a smartass, because I'm not trying to be. I know it's malware, or at least that was the intention. I already called it a virus. I'm not looking for its classification. I'm looking for a step-by-step plain English summary of how it operates. Why do I see no network activity? Can it keylog?

    The reason I'm asking these questions is because it's been on my system for a while, so I want to know what kind of damage it's capable of. I realize that most people don't ask these types of questions. But this situation is different because there's no description of what it does online, it's been on my system for a long time, I'm just that type of person, and I'm trying to learn.

    Just because a virus tries to bypass the firewall in the registry doesn't mean it has any networking capabilities (not that I can detect anyway). There may be some flaw in it.

    So, I hope I'm being clear in what I'm asking. There never was any question of it being malware. The question is what are its capabilities.

    If anyone wants the virus, let me know. I'll PM the information to you. I have it in a rar file (with password) in a throwaway e-mail account. Only those with some experience with this stuff please. It'll expire and be deleted in a few weeks (probably).
     
    Last edited: May 29, 2008
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I ran the dropper program. It appears that the two .exe files it creates are run just once, and then never run again, unless you run the dropper program again. I found no evidence of any auto-start capabilities, nor modification of existing executables. I too could not find any evidence that any of these three .exe files actually communicated any information to the outside world, although it appeared there was intent to in the code. ThreatFire quarantined the 3 .exes, due to the fact that two of them were put into the system directory, and also that one of them read "protected information". Some malware scanners name the program pwstealer (password stealer) or similar. Note that the behavior I described is what happened on my system; it's possible that the programs could behave differently under other circumstances.

    I plan to get into assembly language again in the next 3 to 6 months, and could thus tell you more about the program's capabilities then. Perhaps somebody else could provide more details in the meantime.
     