Ataraxia
03-25-2008, 09:27 PM
Hey guys, I just spent the last 2 hours trying to make this trojan undetectable by a few AVs. I got it to be undetected, but the program no longer runs (figures, eh). The problem is part of the hex I edited.
[4D5A *000 0*00 0000 0400 0000 FFFF 0000]
Here is what happens if I leave the hex as it is...
A-Squared: Found nothing
AntiVir: Found HEUR/Malware
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found BackDoor.Bandok.B
BitDefender: Found Backdoor.Bandok.AV
ClamAV: Found Trojan.Bandok-7
CPsecure: Found BackDoor.W32.Bandok.av
Dr.Web: Found BackDoor.Iam
F-Prot Antivirus: Found W32/Warezov.gen*!W32DL
F-Secure Anti-Virus: Found Backdoor.Win32.Bandok.av
Fortinet: Found W32/Bandok.AW!tr.bdr
Ikarus: Found Backdoor.Win32.Bandok.av
Kaspersky Anti-Virus: Found Backdoor.Win32.Bandok.av
NOD32: Found probably a variant of Win32/Bandok (probable variant)
Norman Virus Control: Found W32/Bandok.gen*
Panda Antivirus: Found nothing
Rising Antivirus: Found Backdoor.Agent.hfl
Sophos Antivirus: Found Mal/Bandook-A
VirusBuster: Found Backdoor.Bandok.BE
VBA32: Found BackDoor.Iam
And obviously, when I removed the bolded part it becomes undetected by AVs.
If you'd like to give it a shot I'd be grateful. I don't plan on using this; I put in a fake server and am just doing it for learning purposes.
Here is a link to the file as I currently have it in the 'undetected' state. Change the first line to the above to have it detected but runnable.
WARNING: The following download IS a trojan; although it doesn't work or install the server, it is still a trojan. I'm giving you fair warning, although I'd appreciate it if you helped... If you run it, it'll install to
Windows/System32/ali.exe
Trojan (http://dodownload.filefront.com/*88**02//6d0856e622a*cd5c8*64d8027*c774*6afa2e8*b2bb*770*4bbc47c7*67*0*de07548d*0**6*4*4e)
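The quoted line is the start of the executable's IMAGE_DOS_HEADER, the "MZ" header every Windows PE file begins with. A file whose DOS header has been hand-edited can stop parsing as a PE, and an engine that no longer recognises the file as a PE may simply skip its PE-specific signatures, which looks like "undetected" while the Windows loader also refuses the file. The following Python triage check is an added example, not code from the post or from any of the products listed above: it parses the DOS and COFF headers out of raw bytes, reports whether a blob is a well-formed PE (MZ magic present, e_lfanew inside the file, "PE\0\0" signature found), and notes whether the first 16 bytes still match the standard Microsoft linker stub prefix. The sample buffers are constructed inside the block; `build_sample`, `triage_pe` and the verdict strings are my own names.

```python
import struct

# First 16 bytes of the DOS header emitted by the standard Microsoft linker stub:
# e_magic "MZ", e_cblp 0x90, e_cp 3, e_crlc 0, e_cparhdr 4, e_minalloc 0,
# e_maxalloc 0xFFFF, e_ss 0. Used only as a "looks untouched" reference.
STANDARD_DOS_PREFIX = bytes.fromhex("4D5A 9000 0300 0000 0400 0000 FFFF 0000".replace(" ", ""))

DOS_HEADER_FMT = "<2s13H8s2H20sI"   # IMAGE_DOS_HEADER, 64 bytes, little-endian
COFF_HEADER_FMT = "<2H3I2H"          # IMAGE_FILE_HEADER, 20 bytes, follows "PE\0\0"
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C4: "ARMv7", 0xAA64: "ARM64"}


def parse_dos_header(data):
    """Unpack the IMAGE_DOS_HEADER at offset 0; None if the blob is too short."""
    if len(data) < struct.calcsize(DOS_HEADER_FMT):
        return None
    f = struct.unpack_from(DOS_HEADER_FMT, data, 0)
    return {"e_magic": f[0], "e_cblp": f[1], "e_cp": f[2], "e_lfanew": f[-1]}


def triage_pe(data):
    """Classify a blob as 'not-mz', 'mz-bad-pe-offset', 'mz-missing-pe-signature' or 'pe'.

    Also records whether the first 16 bytes match the standard stub prefix and, for
    a parseable PE, the target machine and section count from the COFF header.
    """
    result = {"verdict": None,
              "standard_dos_prefix": bytes(data[:16]) == STANDARD_DOS_PREFIX,
              "machine": None, "sections": None}
    dos = parse_dos_header(data)
    if dos is None or dos["e_magic"] != b"MZ":
        result["verdict"] = "not-mz"
        return result
    off = dos["e_lfanew"]
    if off < 64 or off + 4 + struct.calcsize(COFF_HEADER_FMT) > len(data):
        result["verdict"] = "mz-bad-pe-offset"      # e_lfanew points outside the file
        return result
    if data[off:off + 4] != b"PE\0\0":
        result["verdict"] = "mz-missing-pe-signature"
        return result
    machine, nsections, *_ = struct.unpack_from(COFF_HEADER_FMT, data, off + 4)
    result["verdict"] = "pe"
    result["machine"] = MACHINE_NAMES.get(machine, hex(machine))
    result["sections"] = nsections
    return result


def build_sample(lfanew=0x80, machine=0x014C, nsections=3):
    """Constructed minimal PE header (DOS header, padding, PE signature, COFF header).

    Only headers, no code: it exercises the parser and is not a runnable program.
    """
    hdr = bytearray(64)
    hdr[:16] = STANDARD_DOS_PREFIX
    struct.pack_into("<H", hdr, 24, 0x40)      # e_lfarlc, as in the common stub
    struct.pack_into("<I", hdr, 60, lfanew)    # e_lfanew: file offset of "PE\0\0"
    coff = struct.pack(COFF_HEADER_FMT, machine, nsections, 0, 0, 0, 0xE0, 0x0102)
    return bytes(hdr) + bytes(lfanew - 64) + b"PE\0\0" + coff


# Constructed samples: one intact header and three ways a hand edit can damage it.
INTACT = build_sample()
STUB_FIELDS_ZEROED = INTACT[:2] + bytes(14) + INTACT[16:]   # MZ kept, stub fields wiped
MAGIC_STRIPPED = bytes(16) + INTACT[16:]                     # "MZ" itself gone
BAD_OFFSET = INTACT[:60] + struct.pack("<I", 0x10000) + INTACT[64:]  # e_lfanew past EOF

if __name__ == "__main__":
    for name, blob in [("intact", INTACT), ("stub fields zeroed", STUB_FIELDS_ZEROED),
                       ("magic stripped", MAGIC_STRIPPED), ("bad e_lfanew", BAD_OFFSET)]:
        print(f"{name:20s} {triage_pe(blob)}")
```

Run over a real sample with `triage_pe(open(path, "rb").read())`. A blob that comes back as anything other than "pe" will not load on Windows, and a "pe" whose `standard_dos_prefix` is False deserves a closer look in triage, since compilers rarely emit a non-standard stub.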