Friday, April 17, 2009

conficker.e analysis (.exe component) - part 0

This post presents an attempt at unpacking and analyzing conficker.e. The md5 of the analyzed file, as reported by most sources (antivirus vendor labs and so on), is: 0x677daa8bf951ecce8eae7d7ee0301780

The first runtime screenshot shows a zone of the decompressed binary with some stuff related to UPnP devices; it also shows something about SSDP (Simple Service Discovery Protocol). The background picture (with the IrfanView logo) is a first shot of the OllyDbg OEP zone and an IDA smart graph view related to conficker.e's(?) Microsoft service pack checker. LordPE was used for the dumps. Since conficker.e also uses SSDP as a propagation vector, I think this binary is downadup.e/conficker.e, but I'm not 100% sure.

Feedback is welcome

Regards
