OK, this is nicked from !@#$%^&* gaming and it works, I tested it. But use it at your own risk. It seems to have been leaked from the underground and some people are a bit pissed that it has got out.
http://img181.imageshack.us/img181/2820/virwm6.jpg
OK, here is things321's post about it:
Okay, over the course of roughly 1500 packets sent, all were sent to the IP 202.71.108.163 through port 15001 or sent back to my computer. If you do the same thing with the real KO client, it will do the same thing. Realize that the program does not actually start until after you put in your password. No abnormal connections appear in netstat.

API functions that are called when the game starts:
LoadLibraryExW
HeapAlloc
HeapFree
GetCurrentThreadId
GetClientRect
GetForegroundWindow
HeapFree
LocalFree
ReadFile
LocalAlloc
HeapAlloc

During the game:
HeapFree
LocalFree

Those aren't all of them, since after you start the API monitor, HackShield shuts the game down. Those two lists were taken when the game was starting and when it was looting. Those are roughly the API functions necessary for an autoloot anyway. It allocates a certain portion of the memory, and when the program goes over that code it will call the functions it uses to loot, or something like that.
The .dll was encrypted, so I couldn't get much out of that. The parts that were readable seemed to contain error messages, like memory leaks. It did contain some functions which I assume it calls. The client was packed with Microsoft Visual C++ 6.0.

Yes, Avast did find Win32:Crypto. The virus is known for taking over kernel32.dll. However, if you view the kernel32.dll, it supposedly has many strings such as "Win32.Crypto", "©oded by Prizzy/29A", "Greetz to Darkman, Benny and GriYo", "Kiss Of Death". I did not find any of them.

Realize that the files are encrypted. You're an idiot if you don't want people to figure out your source code and you don't encrypt it. The virus scans could be getting a false positive and thinking it's the Crypto virus. Also, the virus is supposed to encrypt the .dlls that have been run. I've tried, and my programs are still running.

It also creates a file, wininit.ini, that tells Windows to use the infected kernel32.dll file.

The search engine did find such a file. It was found in C:\Windows and contains:
[RENAME]
NUL=C:\DOCUME~1\NAMEOFUSER~1\LOCALS~1\Temp\nstmp\uninstall.exe
NUL=C:\DOCUME~1\NAMEOFUSER~1\LOCALS~1\Temp\nstmp\uninstall.ini
NUL=C:\DOCUME~1\NAMEOFUSER~1\LOCALS~1\Temp\nstmp
NUL=C:\DOCUME~1\NAMEOFUSER~1\LOCALS~1\Temp\nstmp1\uninstall.exe
NUL=C:\DOCUME~1\NAMEOFUSER~1\LOCALS~1\Temp\nstmp1\uninstall.ini
NUL=C:\DOCUME~1\NAMEOFUSER~1\LOCALS~1\Temp\nstmp1
which eventually leads to the uninstall file and .ini of Mozilla Firefox?

I don't exactly think that this file really tells Windows to use the infected .dll, since neither file has been modified since 9/5/06.

It will also create a key in your registry:
SOFTWARE\Microsoft\Cryptography\UserKeys\Prizzy/29A
I just searched my registry and it's not finding anything.

I viewed the .exe and the .dll in asm and I haven't seen anything suspicious in them, but I would like to have someone who is more experienced in asm check that out.
Logically:
Well, the autoloot does work. Usually when someone tries to include a trojan, they don't actually make the product work. This really doesn't prove or disprove anything, but it's just something to note.

Very small number of posts. Unfortunately this is a stereotype, but it is a bit strange that he releases an autoloot in his first couple of posts. Maybe it's to impress people, maybe it's because he previously always viewed as a guest. Maybe it's a member that doesn't want to use their real account because it's possibly a trojan.

It has been said by another person that the file was previously created and this is just a released version. I don't know if that was meant to back up the fact that it doesn't have a virus or something, but it seems strange that a person joins 4 hours after it's released. Things like this have been done before, so if a mod can do a quick IP check that would be great. I'm sorry that I'm pointing fingers at people, but it has been done before by other people who have released viruses here. If it's not, I'm sorry for accusing you.

Just ran virus scanners/spyware scanners over my computer; they found nothing.

The fact that only one virus scanner caught it leads me to believe that it's a false positive. If there were more, I might be worried.
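The two checks things321 describes above (filtering netstat output against the one known game-server endpoint, and reading the [RENAME] section of wininit.ini to see whether it actually swaps a system DLL or only deletes installer temp files) can be scripted so the same triage is repeatable. The block below is an added example, not code from the post or from the autoloot; the server endpoint and the six NUL= lines are taken from the post, while the netstat lines and the "DLL swap" entry are constructed here to show what a hit looks like. It assumes the documented wininit.ini semantics: each [RENAME] line is destination=source, processed at the next boot, and a destination of NUL deletes the source.

```python
"""Offline triage helpers mirroring two checks from things321's post:
1. netstat output, filtered against the known game-server endpoint.
2. wininit.ini [RENAME], parsed into boot-time deletions vs. renames, with
   renames that land in a system directory flagged (that is what replacing
   kernel32.dll would look like).
Sample inputs are constructed for this example unless noted otherwise.
"""

KO_SERVER = ("202.71.108.163", 15001)  # endpoint named in the post

# Constructed `netstat -an` style output, not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:1043       202.71.108.163:15001   ESTABLISHED
  TCP    192.168.1.5:1044       202.71.108.163:15001   ESTABLISHED
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED
  TCP    192.168.1.5:1050       198.51.100.7:6667      ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# The [RENAME] entries quoted in the post (NUL=path means "delete at boot").
SAMPLE_WININIT = r"""[RENAME]
NUL=C:\DOCUME~1\NAMEOFUSER~1\LOCALS~1\Temp\nstmp\uninstall.exe
NUL=C:\DOCUME~1\NAMEOFUSER~1\LOCALS~1\Temp\nstmp\uninstall.ini
NUL=C:\DOCUME~1\NAMEOFUSER~1\LOCALS~1\Temp\nstmp
NUL=C:\DOCUME~1\NAMEOFUSER~1\LOCALS~1\Temp\nstmp1\uninstall.exe
NUL=C:\DOCUME~1\NAMEOFUSER~1\LOCALS~1\Temp\nstmp1\uninstall.ini
NUL=C:\DOCUME~1\NAMEOFUSER~1\LOCALS~1\Temp\nstmp1
"""

# Hypothetical, constructed entry showing what a boot-time DLL swap would
# look like (destination=source). Not something found on the poster's machine.
CONSTRUCTED_SWAP = r"""[RENAME]
C:\WINDOWS\SYSTEM32\KERNEL32.DLL=C:\WINDOWS\TEMP\K32.TMP
NUL=C:\WINDOWS\TEMP\JUNK.TMP
"""

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\",
               "c:\\winnt\\system32\\")


def parse_netstat(text):
    """Return (proto, remote_ip, remote_port, state) for each TCP row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue  # header, blank, or UDP line
        host, _, port = parts[2].rpartition(":")
        rows.append((parts[0], host, int(port), parts[3]))
    return rows


def unexpected_connections(text, allowed=(KO_SERVER,)):
    """Remote endpoints that are neither an allowed server nor loopback."""
    out = []
    for _proto, ip, port, state in parse_netstat(text):
        if (ip, port) in allowed or ip.startswith("127."):
            continue
        out.append((ip, port, state))
    return out


def parse_wininit_rename(text):
    """Parse [RENAME] into (action, source, destination) tuples.

    A hand-rolled parser is used because the section repeats the key NUL,
    which configparser rejects as a duplicate option.
    """
    ops = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "rename"
            continue
        if not in_section or "=" not in line:
            continue
        dest, _, src = line.partition("=")
        dest, src = dest.strip(), src.strip()
        action = "delete" if dest.upper() == "NUL" else "rename"
        ops.append((action, src, dest))
    return ops


def suspicious_renames(text):
    """Renames whose destination lands inside a system directory."""
    return [op for op in parse_wininit_rename(text)
            if op[0] == "rename" and op[2].lower().startswith(SYSTEM_DIRS)]


if __name__ == "__main__":
    print("unexpected:", unexpected_connections(SAMPLE_NETSTAT))
    for op in parse_wininit_rename(SAMPLE_WININIT):
        print(op)
    print("suspicious:", suspicious_renames(SAMPLE_WININIT))
    print("suspicious (constructed swap):", suspicious_renames(CONSTRUCTED_SWAP))
```

Run against the entries from the post, every [RENAME] line is a NUL= deletion of an installer temp directory and nothing targets a system directory, which matches the poster's conclusion that the file is not what points Windows at a replaced kernel32.dll; the constructed swap entry shows the shape that would trigger the check.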