Bugtraq mailing list archives
Re: MSN Messenger Password Decrypter for WinXP/2003
From: "frank boldewin" <frank.boldewin () gmx de>
Date: Wed, 18 Jan 2006 00:08:13 +0100
the MSN-Password-Recovery.exe is a normal nullsoft installer. after installing the software there's one pe-file called: MSN Password Recovery.exe which is upx packed. after unpacking with upx -d i threw it into IDA and had a short look for suspicious code snippets. funny is this one:

.text:004021AF call ebp ; SendDlgItemMessageA
.text:004021B1 push offset OutputString ; "Greetings to all reversers who reverse" ...
.text:004021B6 call OutputDebugStringA

.text:00401260 OutputString db 'Greetings to all reversers who reverse this program - it',27h
.text:00401260 db 's easier to make another program rather than brake ours!',0Ah

;)

basically it enums the creds and if it finds one, the tool looks e.g. at:
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds\username () blabla com
key ps:password and its values

then decrypts with CryptUnprotectData() and shows you the password to the cred if you're a registered customer. ;)

but i really can't find malicious stuff in there, nor phone home stuff.

with regards,
frank

On 13 Jan 2006 00:51:37 -0000, kukukuku.com <kukukuku.com> wrote:

Doesn't work anymore in 7.5. This tool works though: http://www.msn-password-recovery.com

File: MSN-Password-Recovery.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 2784bee6f9bd768fb67dd5cb028345ad
Packers detected: UPX

The link on that site to the Skype recovery tool domain leads to a completely unrelated ad for a website building software package
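
The registry access described in the message above can be watched for on the defending side. The following is an added example, not part of the original post or of the tool it discusses: it filters Windows Security event 4663 records (which are only produced when object-access auditing and a SACL on the key are in place) for access to the IdentityCRL\Creds key by anything other than the expected Messenger binary. The flattened `Field=value|...` log format, the install path in `EXPECTED`, and all sample events are assumptions constructed for the example.

```python
import re

# HKCU\Software\Microsoft\IdentityCRL\Creds as logged in a 4663 ObjectName
# (HKCU appears there as \REGISTRY\USER\<SID>).
CREDS_KEY = re.compile(
    r"^\\REGISTRY\\USER\\S-[\d-]+\\Software\\Microsoft\\IdentityCRL\\Creds(\\|$)",
    re.IGNORECASE)

# Assumption: the only image expected to open these keys on this host.
EXPECTED = {r"c:\program files\msn messenger\msnmsgr.exe"}

def parse_event(line):
    """Split one constructed 'Field=value|Field=value' line into a dict."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))

def unexpected_cred_reads(lines):
    """Return (process, key) pairs for Creds key access by unexpected images."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4663" or ev.get("ObjectType") != "Key":
            continue
        if not CREDS_KEY.match(ev.get("ObjectName", "")):
            continue
        # Compare the full path: a bare file-name match would be satisfied
        # by any binary that is simply named msnmsgr.exe.
        if ev.get("ProcessName", "").lower() not in EXPECTED:
            hits.append((ev["ProcessName"], ev["ObjectName"]))
    return hits

def _ev(proc, obj):
    return f"EventID=4663|ObjectType=Key|ProcessName={proc}|ObjectName={obj}"

# Constructed sample events (SID, account name and paths are made up).
_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
_USER = "\\REGISTRY\\USER\\" + _SID
_CRED = _USER + r"\Software\Microsoft\IdentityCRL\Creds\user@example.test"
_RUN = _USER + r"\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE = [
    _ev(r"C:\Program Files\MSN Messenger\msnmsgr.exe", _CRED),
    _ev(r"C:\Users\u\AppData\Local\Temp\msnmsgr.exe", _CRED),
    _ev(r"C:\Tools\MSN Password Recovery.exe", _CRED),
    _ev(r"C:\Windows\regedit.exe", _RUN),
]

if __name__ == "__main__":
    for proc, key in unexpected_cred_reads(SAMPLE):
        print(f"unexpected access: {proc} -> {key}")
```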