.:: W32/Threat-HLLIN-Slipper-based!Maximus Reversing ::.

Author: Evilcry (evilcodecave@gmail.com)
WebSite: http://evilcry.altervista.org

Name: W32/Threat-HLLIN-Slipper-based!Maximus
MD5: b230f7b664f2fcd32137426baa735e56

.:: The Essay ::.

This is a fast analysis of the new variant of HLLIN-Slipper, called Maximus-Based.

The executable is packed with NSPack 2.9, a very common compressor used in malicious code. It is also very easy to unpack: the EP starts with a PUSHF and the decoding procedure ends with a JMP to the OEP.

After unpacking it, there is a list of interesting strings:

.nsp0:00405138 0000003F C http://www.XXXXX.com/mrpg/UploadFiles/200702/2007031010122.exe
.nsp0:0040517C 0000003F C http://www.XXXX.com/mrpg/UploadFiles/200702/2007031310122.exe
.nsp0:004051C0 00000036 C http://www.XXXXX.com/Article/autoUploadFiles/pack.exe
.nsp0:00405204 00000038 C http://www.XXXXX.com/Article/autoUploadFiles/packen.exe

At the moment only pack.exe is available; the other links seem to be down. Pack.exe is Win32/NSAnti OR a generic W32/PWStealer1!

.:: The Analysis ::.

GetKeyboardType is called to check for keyboard type 7 (the Japanese type), and next the sample retrieves information about the system on which it is running.

It creates a window by calling CreateWindowEx, and next gets its own module file name:

00402772   PUSH 0                                  ; |hModule = NULL
00402774   CALL GetModuleFileNameA

The file name is then compared against "svchost.exe" (the JE is taken when they match), otherwise the string "Server1.exe" is loaded next:

00406BA5  . 8B55 E4          MOV EDX,DWORD PTR SS:[EBP-1C]   ; EDX = "svchost.exe"
00406BA8  . 58               POP EAX                         ; "Mw_Name.exe"
00406BA9  . E8 26D0FFFF      CALL WORKIN~1.00403BD4          ; Cmp EAX,EDX
00406BAE  . 0F84 DD020000    JE WORKIN~1.00406E91
00406BB7  . 8B15 0C814000    MOV EDX,DWORD PTR DS:[40810C]   ; WORKIN~1.004080CC
00406BBD  . 8B12             MOV EDX,DWORD PTR DS:[EDX]      ; EDX = "Server1.exe"
00406BBF  . E8 7CCEFFFF      CALL WORKIN~1.00403A40
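The two triage facts the write-up relies on (NSPack leaves its ".nsp0"-style section names behind, and the unpacked image carries plain-text download URLs) can be checked automatically before opening a sample in a debugger. The script below is an added example, not code from Evilcry or from this write-up: it parses the PE section table by hand, flags the ".nsp" section-name prefix as an NSPack hint, and pulls URL-looking strings out of the image. The PE image it runs on is constructed inline (a minimal header with a zero-length optional header, two sections and a string blob, using the redacted XXXXX domain exactly as the page does); it is not the real sample, and the section-name check is a heuristic, not proof of the packer.

```python
import re
import struct

# --- constructed sample (NOT the real malware) -------------------------------
def _section_header(name, raw_offset, raw_size):
    # IMAGE_SECTION_HEADER: 8-byte name followed by nine numeric fields (40 bytes)
    return struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                       raw_size, 0x1000, raw_size, raw_offset, 0, 0, 0, 0, 0x60000020)

def build_sample(section_names=(b".nsp0", b".nsp1")):
    """Build a tiny PE-shaped byte string: MZ stub, PE/COFF header, two section
    headers and a body holding strings like the ones seen after unpacking."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    # Machine=i386, 2 sections, SizeOfOptionalHeader=0 (kept minimal on purpose)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)
    headers_len = len(dos) + len(coff) + 2 * 40
    body = (b"\0" * 16
            + b"http://www.XXXXX.com/Article/autoUploadFiles/pack.exe\0"
            + b"svchost.exe\0Server1.exe\0"
            + b"http://www.XXXXX.com/Article/autoUploadFiles/packen.exe\0")
    secs = (_section_header(section_names[0], headers_len, len(body))
            + _section_header(section_names[1], headers_len + len(body), 0))
    return dos + coff + secs + body

# --- triage helpers ---------------------------------------------------------
def pe_section_names(data):
    """Return the section names declared in a PE image; raise on non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    first = e_lfanew + 24 + opt_size            # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[first + 40 * i:first + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

NSPACK_SECTION_PREFIX = ".nsp"   # the listing above shows the unpacked code in .nsp0

def looks_nspack_packed(data):
    """Heuristic: NSPack names the sections it emits .nsp0, .nsp1, ..."""
    return any(n.startswith(NSPACK_SECTION_PREFIX) for n in pe_section_names(data))

URL_RE = re.compile(rb"https?://[\x21-\x7e]+")  # printable, non-space run after the scheme

def extract_urls(data):
    """Pull plain-text URLs out of an (unpacked) image for blocklisting/triage."""
    return [m.group(0).decode("ascii") for m in URL_RE.finditer(data)]

def triage(data):
    return {
        "packer_hint": "NSPack" if looks_nspack_packed(data) else None,
        "sections": pe_section_names(data),
        "urls": extract_urls(data),
    }

if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample()), indent=2))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage`; run `extract_urls` on the dump taken after the JMP to the OEP, since the packed image will not contain the URLs in clear. A renamed section table defeats the name heuristic, so treat a positive as a hint to look at the EP (the PUSHF the write-up mentions) rather than as a verdict.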