myidisbb Posted July 30, 2010

Okay, I was one that jumped at the download. I saw the Assassin's Creed face icon and thought it was one of the usual good posters. I had just gotten up, getting ready for work. I did not notice the 7mb file size. I clicked on it and nothing. Clicked admin for it then. I noticed afterwards that UAC was turned off each time I had clicked on it. este was okay. I am scanning my computer with mbam at the moment. Going to get a rootkit scanner just to be safe. Has anyone figured out what was going on with that so-called mother F!@#$ BS keygen file? Please excuse the language. A bit upset at things and myself for not catching it beforehand.
sanjoa Posted July 30, 2010

Me having the same problem as you all day.
myidisbb Posted July 30, 2010

> Me having the same problem as you all day.

I turned off the computer until I got off from work today. Turned on. Clicked to turn UAC on and restarted. Sent the winrar and file each to a virus online scanner, and used software este and sa and mbam. Nothing came up. Downloaded the RootkitRevealer. It crashes when clicked on. So I downloaded Hitman Pro. It found some stuff in the temp folder. Going to restart and scan it again. Oh, using a 64-bit Vista system.

The worker bees for nsane have looked into the file and they believe it's okay. "As per the tests performed by the staffs, the file posted wasn't a malware but the keygen was giving only known serials that are spread around the net." Somewhere I read that it was requiring Microsoft netframe 4 something. Question is, if the computer has it installed then what would happen? Worked or do something nasty? I'm going to go with what the staff said, that it's just a file that didn't work. I got suckered into downloading it because I saw the Assassin's Creed avatar and assumed it was one of the known good posters.
tonyblair Posted July 30, 2010

This so-called "keygen" is in fact a converter. It has included some data encrypted by a symmetrical algorithm (Microsoft standard API).

Of course the MORE OBSCURE core program is also decrypted in memory and launched as a winPE. It is written with Visual Basic using Framework version 2.0.50727.

The first task it achieves: play with the system policy, and more particularly the LUA.

As the executable is in an intermediate language and the core program hidden, there is no possibility for an AV to find something suspect. So be careful, mates, with this. ;)
sanjoa Posted July 30, 2010

what's LUA?
tonyblair Posted July 30, 2010

> what's LUA?

LUA = logical unit application

As you can see in lines 01BE and 01E7 of the listing above, it loads the value "0" with the instruction ldc.i4.0 (load integer 0). So the program disables the UAC.
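
A way to check the UAC policy state discussed in the posts above, as an added example that is not part of the original thread: it reads the `EnableLUA` value and two related UAC values from the registry's `Policies\System` key and reports any that have been weakened. The function names and the sample values are assumptions made for illustration.

```powershell
# Added example (not from the thread): audit the UAC policy values that a
# program running with admin rights can rewrite to weaken or disable UAC.
$UacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UacNames = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop'

function Get-UacPolicyValues {
    # Read the live values; names that are absent are simply left out.
    $props  = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    $values = @{}
    foreach ($name in $UacNames) {
        if ($null -ne $props.$name) { $values[$name] = [int]$props.$name }
    }
    return $values
}

function Test-UacPolicy {
    param([Parameter(Mandatory = $true)][hashtable]$Values)
    $findings = @()
    if (-not $Values.ContainsKey('EnableLUA')) {
        $findings += 'EnableLUA is absent: confirm the UAC state by hand'
    } elseif ($Values['EnableLUA'] -ne 1) {
        $findings += "EnableLUA = $($Values['EnableLUA']): UAC is switched off"
    }
    # 0 here means administrators are elevated with no prompt at all.
    if ($Values['ConsentPromptBehaviorAdmin'] -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin = 0: silent elevation'
    }
    # 0 here moves the elevation prompt off the secure desktop.
    if ($Values['PromptOnSecureDesktop'] -eq 0) {
        $findings += 'PromptOnSecureDesktop = 0: prompt not isolated'
    }
    return $findings
}

# Constructed sample: the state the thread describes after the file ran.
$sample = @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }
Test-UacPolicy -Values $sample

# Live check on this machine. A corrected EnableLUA only takes effect after
# a reboot, and a clean result says nothing about what else the program did.
$live = Test-UacPolicy -Values (Get-UacPolicyValues)
if ($live) { $live } else { 'UAC policy values look intact' }
```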
sanjoa Posted July 30, 2010

OK. On my virtual XP installation the same problem happens. This is a virus.
tonyblair Posted July 30, 2010

This "keygen" in its code tries to connect silently to a remote service on the net. I stopped debugging it as it is dangerous for my machine. ;)
sanjoa Posted July 30, 2010

Shit. I did run it yesterday, and I had to delete it using Unlocker because I couldn't stop it.
tonyblair Posted July 30, 2010

I am not surprised that you cannot stop it. As you will see below, the core program is loaded in memory and virtually protected in a virtual memory zone.

Task manager can do nothing to stop it.
tonyblair Posted July 30, 2010

Now here is the list of the functions used by its external envelope (the core program is encrypted and hidden) as a virus:

It is easy to understand from the underlined functions that it looks for the computer signature, the identification of the user. It sets up an internet link with a remote server.

The program is launched with RunPE in a virtually protected zone. Voila!
sanjoa Posted July 30, 2010

So on, this is a virus or malware
myidisbb Posted July 31, 2010

If you turn UAC back on and reboot, are you okay then? Or should I consider this a rootkit? I tried using the rootkit revealer on the front page and it crashed.
LeetPirate Posted July 31, 2010

w00t w00t! Go tonyblair! :rolleyes:

That crappy fake release topic was obliterated, sorry we didn't deal with it earlier. :(
Marik Posted July 31, 2010

> That crappy fake release topic was obliterated, sorry we didn't deal with it earlier. :(

there was no way for us to even know what it did...unless you're some kind of genius or (dunno what you are Tony) cracker like Tony...or some IT student
myidisbb Posted July 31, 2010

> w00t w00t! Go tonyblair! :rolleyes:
>
> That crappy fake release topic was obliterated, sorry we didn't deal with it earlier. :(

Not yours or the site's fault. I didn't catch the 2 postings only plus the new account. I looked at the avatar and remembered that being used by a known poster and went with it. Plus didn't notice the 7mb size. Early in the morning. My sister-in-law's husband, who is in the Air Force on computers and networks, thinks from reading the above messages that it might have been trying to bot a computer. Doesn't look to be around anymore. Used Sophos Anti-Rootkit to scan my computer. Didn't see anything but lots of hidden temp internet files. I disk cleaned and CCleanered my computer.

We count on the frontpage stuff to be safe. Share coding of the other stuff always chancy.
neeraj Posted August 1, 2010

> > That crappy fake release topic was obliterated, sorry we didn't deal with it earlier. :(
>
> there was no way for us to even know what it did...unless you're some kind of genius or (dunno what you are Tony) cracker like Tony...or some IT student

I agree with Marik...tony sure is a genius when it comes to software......