
Re: MSN Messenger Password Decrypter for WinXP/2003



The MSN-Password-Recovery.exe is a normal Nullsoft installer.

After installing the software there's one PE file called:

MSN Password Recovery.exe

which is UPX packed. After unpacking with upx -d

I threw it into IDA and had a short look for suspicious code snippets.

This one is funny:

.text:004021AF                 call    ebp ; SendDlgItemMessageA
.text:004021B1                 push    offset OutputString ; "Greetings to all reversers who reverse" ...
.text:004021B6                 call    OutputDebugStringA

.text:00401260 OutputString    db 'Greetings to all reversers who reverse this program - it',27h
.text:00401260                 db 's easier to make another program rather than brake ours!',0Ah


;)

Basically it enumerates the creds and if it finds one, the tool looks, e.g., at: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds\username@xxxxxxxxxx

key ps:password and its values,

then decrypts with CryptUnprotectData() and shows you the password for the cred if you're a registered customer. ;)

But I really can't find any malicious stuff in there, nor phone-home stuff.

with regards,

frank
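[Added example, not from the tool or the original post: the registry walk and CryptUnprotectData() call described above, done from PowerShell via .NET's ProtectedData wrapper around DPAPI. Assumptions not stated in the mail: "ps:password" is a REG_BINARY DPAPI blob, it was protected without optional entropy, and the decrypted bytes are a UTF-16LE string.]

```powershell
# Added example (not the tool's own code): enumerate the IdentityCRL credential
# blobs of the current user and unprotect them with DPAPI, the same API
# (CryptUnprotectData) the disassembly shows the tool calling.
# Assumptions (not stated on the page): 'ps:password' is a REG_BINARY DPAPI blob,
# protected without optional entropy, and the plaintext is UTF-16LE.
Add-Type -AssemblyName System.Security   # System.Security.Cryptography.ProtectedData

$base = 'HKCU:\Software\Microsoft\IdentityCRL\Creds'
if (-not (Test-Path $base)) {
    Write-Warning "No IdentityCRL creds stored for this user under $base"
    return
}

Get-ChildItem -Path $base | ForEach-Object {
    $account = $_.PSChildName                      # subkey name, e.g. username@hotmail.com
    $props   = Get-ItemProperty -Path $_.PSPath
    $blob    = $props.'ps:password'                # REG_BINARY comes back as byte[]
    if (-not $blob) { return }                     # acts as 'continue' inside ForEach-Object

    # DPAPI ties the blob to the protecting user's master key: this only succeeds
    # in the same user context that saved the credential. Another account, or an
    # offline copy of the hive, gets a CryptographicException here instead.
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
                     [byte[]]$blob,
                     $null,                        # no optional entropy (assumption)
                     [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        $password = [System.Text.Encoding]::Unicode.GetString($plain).TrimEnd([char]0)
        [pscustomobject]@{ Account = $account; Password = $password }
    } catch [System.Security.Cryptography.CryptographicException] {
        Write-Warning "DPAPI refused the blob for ${account}: $($_.Exception.Message)"
    }
}
```

Run it in the interactive session of the user whose profile holds the creds; the CurrentUser scope is what makes the decryption work there and fail everywhere else, which is also why a tool like this cannot "recover" another user's stored password from a copied registry hive without that user's DPAPI master key.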





On 13 Jan 2006 00:51:37 -0000, kukukuku.com <kukukuku.com> wrote:
Doesn't work anymore in 7.5. This tool works though:
http://www.msn-password-recovery.com

 File: MSN-Password-Recovery.exe
Status:
MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or
runtime packers were found, this is suspicious. Normally programs
aren't packed and don't force the sandbox into lengthy emulation. Do
realize no scanner issued any warning, the file can very well be
harmless. Caution is advised, however.) (Note: this file has been
scanned before. Therefore, this file's scan results will not be stored
in the database)
MD5 2784bee6f9bd768fb67dd5cb028345ad
Packers detected: UPX


The link on that site to the Skype recovery tool domain leads to a completely
unrelated ad for a website building software package


