Possible Wis Viewer

shorty606

I found this today; it was a random file I downloaded from one of many Chinese websites, and I only really had a chance to look at it now. It looks like a WIS viewer, and it's cracked so you just have to type any username and reg-key when it starts. Although it comes up as a generic trojan, I'm wondering if anyone could remove this?

Here is the link anyway.

EDIT: Crashes when I go to open a file :( Hope it works for someone!
EDIT2: Sorta opens files now :D

lifco

I'll take a look; we will be lucky to find one, but you never know.

Will post back.

lif

Not looking very good.
Code:
Antivirus  	Version  	Last Update  	Result
a-squared	4.5.0.24	2009.08.17	Trojan-Dropper.Win32.Malf!IK
AhnLab-V3	5.0.0.2	2009.08.17	-
AntiVir	7.9.1.1	2009.08.17	TR/Spy.Gen
Antiy-AVL	2.0.3.7	2009.08.17	Trojan/Win32.Buzus.gen
Authentium	5.1.2.4	2009.08.17	W32/Dropper.gen8!Maximus
Avast	4.8.1335.0	2009.08.17	Win32:Delf-GIY
AVG	8.5.0.406	2009.08.17	Generic14.UNO
BitDefender	7.2	2009.08.17	Gen:Trojan.Heur.TGW@Iv4E5oe
CAT-QuickHeal	10.00	2009.08.17	-
ClamAV	0.94.1	2009.08.17	-
Comodo	2004	2009.08.17	-
DrWeb	5.0.0.12182	2009.08.17	Trojan.PWS.Multi.76
eSafe	7.0.17.0	2009.08.17	-
eTrust-Vet	31.6.6681	2009.08.17	-
F-Prot	4.4.4.56	2009.08.16	W32/Dropper.gen8!Maximus
F-Secure	8.0.14470.0	2009.08.17	-
Fortinet	3.120.0.0	2009.08.17	-
GData	19	2009.08.17	Gen:Trojan.Heur.TGW@Iv4E5oe
Ikarus	T3.1.1.68.0	2009.08.17	Trojan-Dropper.Win32.Malf
Jiangmin	11.0.800	2009.08.17	-
K7AntiVirus	7.10.820	2009.08.17	-
Kaspersky	7.0.0.125	2009.08.17	-
McAfee	5712	2009.08.17	-
McAfee+Artemis	5712	2009.08.17	Suspect-29!00620FCED30B
McAfee-GW-Edition	6.8.5	2009.08.17	Heuristic.BehavesLike.Win32.Backdoor.J
Microsoft	1.4903	2009.08.17	VirTool:Win32/DelfInject.gen!X
NOD32	4343	2009.08.17	probably a variant of Win32/Genetik
Norman	6.01.09	2009.08.17	-
nProtect	2009.1.8.0	2009.08.17	-
Panda	10.0.0.14	2009.08.17	Trj/Buzus.AH
PCTools	4.4.2.0	2009.08.17	-
Prevx	3.0	2009.08.17	-
Rising	21.43.04.00	2009.08.17	-
Sophos	4.44.0	2009.08.17	Mal/Behav-009
Sunbelt	3.2.1858.2	2009.08.17	-
Symantec	1.4.4.12	2009.08.17	-
TheHacker	6.3.4.3.383	2009.08.13	-
TrendMicro	8.950.0.1094	2009.08.17	-
VBA32	3.12.10.9	2009.08.17	SScope.Trojan.Buzus.fo
ViRobot	2009.8.17.1887	2009.08.17	-
VirusBuster	4.6.5.0	2009.08.17	Backdoor.Spynet.Gen
Additional information
File size: 740352 bytes
MD5...: 00620fced30b7d4ba6989d43362725bd
SHA1..: 9176aa0ec83b2137c5ece95e71c7f203180d01e4
SHA256: 9b779e8c0d598c977f8bdeed7d6cea2a8850546e7e42b849c8a59d8367912c79
ssdeep: 12288:8PVRjDgPLRv7g2SVx/ZG6Gqpwp6gKX3lH9KZuqrR06sjiQbGwb2wVGbkBD8MHU09:8PV1gPLRv7g5PZpHzgKX3laZs2gTObkv
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (58.3%)
Win16/32 Executable Delphi generic (14.1%)
Generic Win/DOS Executable (13.7%)
DOS Executable Generic (13.6%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7af8
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x70ec 0x7200 6.48 23898402342435a1f864c75625302971
DATA 0x9000 0xe0 0x200 2.39 3a307bb353906a0d07c309007e4cf9e1
BSS 0xa000 0xd05 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0xb000 0x890 0xa00 4.14 dbf917a773d721888d95cc9fa6659304
.tls 0xc000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0xd000 0x18 0x200 0.20 c38125bc58c674092ed953ae77fb788a
.reloc 0xe000 0x774 0x800 6.49 4c4b23c414ebc13b9a2216026ad9c33a
.rsrc 0xf000 0xabe94 0xac000 7.95 e9ff2eec919b5eca37f78406d22ee4fc

( 9 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, GetThreadLocale, GetStartupInfoA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
> user32.dll: GetKeyboardType, MessageBoxA, CharNextA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> oleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen
> kernel32.dll: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
> advapi32.dll: RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegOpenKeyA, RegDeleteValueA, RegCreateKeyA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges
> kernel32.dll: lstrcmpiA, WriteProcessMemory, WaitForSingleObject, VirtualProtect, VirtualFree, VirtualAllocEx, VirtualAlloc, TerminateProcess, Sleep, SizeofResource, ReadProcessMemory, OpenProcess, LockResource, LoadResource, LoadLibraryA, GetVersionExA, GetProcAddress, GetModuleHandleA, GetLastError, GetExitCodeThread, GetCurrentProcessId, GetCurrentProcess, FreeResource, FindResourceA, ExitProcess, CreateRemoteThread, CreateProcessA, CreateMutexA, CloseHandle
> user32.dll: GetWindowThreadProcessId, FindWindowA, CharLowerA, CharUpperA
> advapi32.dll: StartServiceA, QueryServiceStatus, OpenServiceA, OpenSCManagerA, DeleteService, ControlService, CloseServiceHandle

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-
packers (Avast): UPX
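A defender-side triage of the PEInfo part of the report above, written here as an added example (it is not code from the post, from VirusTotal or from LOMCN). It reads the import lines and the section table, flags capability sets that only make sense together (the injection quartet, privilege adjustment, service control, a payload carried in resources) and flags sections whose entropy suggests packing; the REPORT string is an excerpt of the report quoted in the post, and the signature sets and the 7.0 entropy threshold are my own choices.

```python
import re

# Excerpt of the PEInfo output quoted in the post above (sections and imports),
# embedded so the script runs offline; every value is copied from that report.
REPORT = """\
( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x70ec 0x7200 6.48 23898402342435a1f864c75625302971
.rsrc 0xf000 0xabe94 0xac000 7.95 e9ff2eec919b5eca37f78406d22ee4fc

( 9 imports )
> kernel32.dll: VirtualAlloc, WriteFile, ExitProcess
> advapi32.dll: RegSetValueExA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges
> kernel32.dll: WriteProcessMemory, VirtualAllocEx, OpenProcess, LockResource, LoadResource, FindResourceA, CreateRemoteThread, CreateProcessA
> advapi32.dll: StartServiceA, OpenServiceA, OpenSCManagerA, DeleteService, ControlService
"""

# A capability fires only when every API in its set is imported; a single API
# such as VirtualAlloc is too common in clean Delphi binaries to mean anything.
SIGNATURES = {
    "remote process injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "token privilege adjustment": {"OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"},
    "service tampering": {"OpenSCManagerA", "OpenServiceA", "ControlService", "DeleteService"},
    "payload dropped from resources": {"FindResourceA", "LoadResource", "LockResource", "CreateProcessA"},
}
PACKED_ENTROPY = 7.0  # assumed threshold: a section this dense is usually compressed or encrypted
SECTION_RE = re.compile(r"^(\S+) 0x[0-9a-f]+ 0x[0-9a-f]+ 0x[0-9a-f]+ (\d+\.\d+) [0-9a-f]{32}$", re.M)

def parse_imports(report):
    """Collect every API name from the '> dll: a, b, c' import lines."""
    apis = set()
    for line in report.splitlines():
        if line.startswith("> ") and ":" in line:
            apis.update(a.strip() for a in line.split(":", 1)[1].split(","))
    return apis

def parse_sections(report):
    """Map section name -> entropy from the 'name viradd ... ntrpy md5' table."""
    return {m.group(1): float(m.group(2)) for m in SECTION_RE.finditer(report)}

def triage(report):
    apis = parse_imports(report)
    found = [name for name, needed in SIGNATURES.items() if needed <= apis]
    packed = [n for n, e in parse_sections(report).items() if e > PACKED_ENTROPY]
    return {"capabilities": found, "high_entropy_sections": packed}

if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {', '.join(value) or 'none'}")
```

On the report above this fires all four capability sets and singles out .rsrc (entropy 7.95, the UPX-packed payload Avast reports), which is what makes the "dropper" verdicts in the table credible.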

shorty606

Haha, best delete then :P. Luckily I ran it in a sandbox to be sure.

Gadget


LOL! I think he meant what's a sandbox in the context of running the program.

Basically, download MS Virtual PC and run any prog within that - it's not a perfect sandbox, but if you disable network support before you test, there's little chance of any virus / trojan infecting your host system. If your Virtual PC becomes infected / inoperable, just delete it.