Bugtraq mailing list archives

Re: MSN Messenger Password Decrypter for WinXP/2003

From: "frank boldewin" <frank.boldewin () gmx de>
Date: Wed, 18 Jan 2006 00:08:13 +0100

the MSN-Password-Recovery.exe is a normal nullsoft installer.

after installing the software there's one pe-file called:

MSN Password Recovery.exe

which is upx packed. after unpacking with upx -d

i throwed it into IDA and had a short look for suspicious code snippets.

funny is this one:

.text:004021AF                 call    ebp ; SendDlgItemMessageA

.text:004021B1 push offset OutputString ; "Greetings toall reversers who reverse" ...

.text:004021B6                 call    OutputDebugStringA

.text:00401260 OutputString db 'Greetings to all reversers who reversethis program - it',27h.text:00401260 db 's easier to make another program ratherthan brake ours!',0Ah

;)

basically it enums the creds and if it finds one, the tool looks eg. at:HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds\username () blabla com


key ps:password and it's values

then decrypts with CryptUnprotectData() and shows you the password to thecred if you're a registered customer. ;)


but i really can't find malicious stuff in there, nor phone home stuff.

with regards,

frank

On 13 Jan 2006 00:51:37 -0000, kukukuku.com <kukukuku.com> wrote:
Doesn't work anymore in 7.5. This tool works though:
http://www.msn-password-recovery.com

 File: MSN-Password-Recovery.exe
Status:
MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or
runtime packers were found, this is suspicious. Normally programs
aren't packed and don't force the sandbox into lengthy emulation. Do
realize no scanner issued any warning, the file can very well be
harmless. Caution is advised, however.) (Note: this file has been
scanned before. Therefore, this file's scan results will not be stored
in the database)
MD5 2784bee6f9bd768fb67dd5cb028345ad
Packers detected: UPX

The link on that site to the Skype recovery tool domain leads to acompletely
unrelated ad for a website building software package

Current thread:

Re: MSN Messenger Password Decrypter for WinXP/2003 kuku (Jan 15)
- Re: MSN Messenger Password Decrypter for WinXP/2003 James_gmail-ij (Jan 17)
- <Possible follow-ups>
- Re: MSN Messenger Password Decrypter for WinXP/2003 frank boldewin (Jan 18)
- Re: Re: MSN Messenger Password Decrypter for WinXP/2003 null (Jan 19)