[Bug 37365] spam/malware

wine-bugs at winehq.org
Sun Oct 5 10:21:14 CDT 2014


https://bugs.winehq.org/show_bug.cgi?id=37365

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |focht at gmx.net
         Resolution|---                         |INVALID
            Summary|itune                       |spam/malware

--- Comment #1 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

invalid.

Wine's trace capability is also good for analysing malware .. kinda stupid code
though.

--- snip ---
...
0035:Call KERNEL32.CreateProcessA(00000000,00409b80
"C:\\users\\focht\\Temp\\baccabebbbha.exe /PID=10096 /SUBPID=0 /NETWORKID=1
/DISTID=19132 /CID=0 /PRODUCT_ID=13577
/SERVER_URL=`omn7).`ip`[o're_,]pnn%ok_`e-_ok /CLICKID= /D1=4 /D2=-1 /D3=-1
/D4=-1 /D5=-1 /PRODUCT_PRIVACY= /PRODUCT_EULA= /PRODUCT_NAME=aOnlbm
/EXE_URL=`omnp4.+sc^mm^+^johdlg\\)Znmfd*cmh'"...,00000000,00000000,00000000,00000000,00000000,00000000,0042bfe8,0033fa74)
ret=00405297
...
0037:Call KERNEL32.__wine_kernel_init() ret=7bc5a089
0035:Ret  KERNEL32.CreateProcessA() retval=00000001 ret=00405297
0035:Call KERNEL32.CloseHandle(00000068) ret=004052a4
0035:Ret  KERNEL32.CloseHandle() retval=00000001 ret=004052a4
0035:Call KERNEL32.WaitForSingleObject(00000064,00000064) ret=00401e57 
...
0037:Call KERNEL32.CreateProcessW(00000000,004d78e8 L"wmic
/output:C:\\users\\focht\\Temp\\91412521814.aaa bios get
serialnumber",00000000,00000000,00000000,08000000,00000000,00000000,0033e954,0033e998)
ret=00477146
...
0039:Call KERNEL32.__wine_kernel_init() ret=7bc5a089
0037:Ret  KERNEL32.CreateProcessW() retval=00000001 ret=00477146 
...
0039:Starting process L"C:\\windows\\system32\\wmic.exe" (entryproc=0x7edfc33c) 
...
Error: Command line not supported
...
0039:Call KERNEL32.ExitProcess(ffffffff) ret=7edfc3ca 
...
0037:Call KERNEL32.CreateProcessW(00000000,004d8a38 L"wmic
/output:C:\\users\\focht\\Temp\\91412521814.aaa bios get
version",00000000,00000000,00000000,08000000,00000000,00000000,0033e954,0033e998)
ret=00477146
...
003b:Call KERNEL32.__wine_kernel_init() ret=7bc5a089
0037:Ret  KERNEL32.CreateProcessW() retval=00000001 ret=00477146
...
0037:Call winhttp.WinHttpCrackUrl(004d9648
L"http://direct.the-apps-track.com/Installer/Flow?pubid=10096&distid=19132&productid=13577&subpubid=0&campaignid=0&networkid=1&dfb=-1&os=5.1&ospv=-1&iev=8.0&ffv=&chromev=&macaddress=70:71:BC:F0:11:B7&netv=&d1=4&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=105-84-117-110-101-115&cookieeula=&cookiepriv"...,00000170,00000000,0033e2f4)
ret=00477b6c 
...
--- snip ---

Admin please delete the attachment, it's malware (trojan/backdoor).

... or do you want me to make this malware to work perfectly with Wine? :)

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
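Added example, not code from the bug report or from the Wine project: a small Python triage helper for the relay-style trace quoted above (what WINEDEBUG=+relay prints). It re-joins records that the mail client wrapped onto several lines, pulls the first string argument out of CreateProcessA/W and WinHttpCrackUrl calls, reduces URLs to their host and tags wmic children as hardware-identity queries. The sample trace, the host tracker.example.invalid, the paths and the WATCHED list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit
# Constructed sample in the shape of a Wine +relay trace; long string arguments
# are wrapped onto extra lines, as the mail client did in the report above.
SAMPLE_TRACE = r"""
0035:Call KERNEL32.CreateProcessA(00000000,00409b80
"C:\\users\\me\\Temp\\child.exe /PID=1 /SERVER_URL=x"...,00000000,00000000) ret=00405297
...
0037:Call KERNEL32.CreateProcessW(00000000,004d78e8 L"wmic
/output:C:\\users\\me\\Temp\\1.aaa bios get serialnumber",00000000) ret=00477146
Error: Command line not supported
0037:Call winhttp.WinHttpCrackUrl(004d9648
L"http://tracker.example.invalid/Installer/Flow?pubid=1&os=5.1"...,00000170,00000000,0033e2f4) ret=00477b6c
"""
RECORD_START = re.compile(r"^[0-9a-f]{4}:")  # "<tid>:" opens a relay record
RECORD_END = re.compile(r"ret=[0-9a-f]+$")   # Call/Ret records end with the return address
CALL_RE = re.compile(r"^(?P<tid>[0-9a-f]{4}):Call (?P<api>[\w.]+)\((?P<args>.*)\) ret=[0-9a-f]+$")
STRING_RE = re.compile(r'L?"((?:[^"\\]|\\.)*)"')  # first ANSI or wide string argument
WATCHED = {"KERNEL32.CreateProcessA": "process", "KERNEL32.CreateProcessW": "process",
           "winhttp.WinHttpCrackUrl": "url"}  # assumed list of APIs worth triaging

def join_records(trace: str) -> list[str]:
    """Re-join records wrapped onto several physical lines; drop '...' elisions."""
    records: list[str] = []
    for line in trace.splitlines():
        line = line.rstrip()
        if not line or line.startswith("..."):
            continue
        if RECORD_START.match(line) or not records or RECORD_END.search(records[-1]):
            records.append(line)
        else:  # continuation of a wrapped argument
            records[-1] += " " + line.lstrip()
    return records

def extract_artifacts(trace: str) -> list[dict[str, str]]:
    """One {tid, api, kind, value, host} per watched Call: URLs get their host
    split out, and a wmic child is flagged as a hardware-identity query."""
    found = []
    for rec in join_records(trace):
        m = CALL_RE.match(rec)
        s = STRING_RE.search(m.group("args")) if m and m.group("api") in WATCHED else None
        if not s:
            continue
        kind, value = WATCHED[m.group("api")], s.group(1)
        host = (urlsplit(value).hostname or "") if kind == "url" else ""
        if kind == "process" and value.lower().startswith("wmic "):
            kind = "hardware_query"
        found.append({"tid": m.group("tid"), "api": m.group("api"),
                      "kind": kind, "value": value, "host": host})
    return found
```

Running `extract_artifacts(SAMPLE_TRACE)` yields three records: the spawned child command line, the wmic BIOS serial query and the tracking host; on a real trace the same three fields are what a reviewer would forward for blocking and detection.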