[Warning] Zzuk possibly spreading malware


Re: [Warning] Zzuk spreading malware

by mrmr » Tue Mar 10, 2015 10:48 am

schaka wrote:This is "Pirox has a keylogger!111" all over again. Feels like I'm reliving 2008.

It's blizzlike tho...
I'm not root of myself.
mrmr
Sergeant Major
 

Re: [Warning] Zzuk spreading malware

by Jackyy » Tue Mar 10, 2015 10:50 am

Zzuk wrote: Won't even waste a single minute explaining anything to you. Shove the half knowledge of you and your "experts" up your [removed] )))

-Please be civil Zzuk. You're free to talk here, but no reason to be rude.
-Witcher


Unfortunately I have to agree with Zzuk, this proves nothing.
The one true king is coming for them all!

my Starcraft 2 Profile
http://eu.battle.net/sc2/en/profile/4103126/1/BaDitO/
Jackyy
Sergeant Major
 

Re: [Warning] Zzuk spreading malware

by Vabaduce » Tue Mar 10, 2015 1:32 pm

mrmr wrote: Sorry, but I would like to know how you came to the conclusion that this executable fiddles with:
"Autostart"

Look at the registry values that are being changed in the Anubis report, malwr confirms the autostart as well. These are no false positives. Also, there's still no explanation for the executable that is being dropped in the temp directory.

Yes they are and use it frequently, while I'm not too familiar with it as I stated in my previous post.

Also, from malwr site, it's clear that this tool doesn't contact any "domain".
From this site, also appears that the only "infection" found is about obfuscation.
Obfuscation is a common practice among coders writing C# managed code, aka it might well be a false-positive.

Just because a program isn't immediately connecting to the internet doesn't automatically mean it's not malware. I don't even know if malwr checks for listening ports or connections only.
The obfuscation detection itself means nothing, I agree. But I hope you know how malwr and Anubis analyze the files and how there's no possibility of a false positive from crypting in that procedure.

So, please, now that you have started a thread with such accusations, I would like to see a solid "analysis".
Seems like you just misinterpreted the virus-website reports.

I would also like to suggest to everyone:
http://www.sandboxie.com/
Run your things inside one of these...

I could try to find some time to analyze the file manually in a VM, but why bother. People just gonna use the false positive strawman argument and my knowledge isn't sufficient to reveal anything more than the VS reports already tell us, which in my eyes show clearly that it's doing something it isn't supposed to. And as you can see, it's impossible to discuss the matter or get a proper explanation for these "false accusations". Shitposting and insulting leaves me no other choice but to assume that people are just defensive about their lack of knowledge on this subject. As a sign of good will, I changed the thread title to a more objective version of the discussion.
Vabaduce
Tester
 

Re: [Warning] Zzuk possibly spreading malware

by Jackyy » Tue Mar 10, 2015 5:14 pm

Vabaduce wrote:Greetings Community

You probably heard of the name Zzuk or Corthezz lately and his theory video about fake players on Nostalrius.
.



Sorry, but in this case I have to speak up in Zzuk's defense, even if I do not like it.

The bad act does not wash out the good one.

As far as Zzuk told me (indirectly via a third person), he said that he made these videos in order to report bots on Nostalrius.
Then some other person took his videos and made this theory about the fake players.

I even tried to prove him wrong, but I found no proof that Zzuk was making these claims.
The one true king is coming for them all!

my Starcraft 2 Profile
http://eu.battle.net/sc2/en/profile/4103126/1/BaDitO/
Jackyy
Sergeant Major
 

Re: [Warning] Zzuk possibly spreading malware

by Vabaduce » Tue Mar 10, 2015 5:52 pm

Jackyy wrote:
Vabaduce wrote:Greetings Community

You probably heard of the name Zzuk or Corthezz lately and his theory video about fake players on Nostalrius.
.



Sorry, but in this case I have to speak up in Zzuk's defense, even if I do not like it.

The bad act does not wash out the good one.

As far as Zzuk told me (indirectly via a third person), he said that he made these videos in order to report bots on Nostalrius.
Then some other person took his videos and made this theory about the fake players.

I even tried to prove him wrong, but I found no proof that Zzuk was making these claims.

Then it's a simple misunderstanding. Obviously people interpret it like that when the post title on his blog with the video literally says: "Nostalrius using playerbots?", even though that might not have been his intention.
I changed it in my post now.
Vabaduce
Tester
 

Re: [Warning] Zzuk possibly spreading malware

by One Virus » Tue Mar 10, 2015 6:22 pm

Hello, I am One Virus. I have been studying this file for a long time, and I am 100% certain that it is a virus.
https://malwr.com/analysis/OGJmNjVjZWNk ... Q1M2NhYzE/
Here there is proof, because the virus edits files or creates new files in the Windows folder, and it also makes itself autorun on startup; those are 2 major things.
http://virusscan.jotti.org/en/scanresul ... 3622364dac
http://www.refud.me/results.php?id=3eda ... ec5bd78b51
https://www.metascan-online.com/en/scan ... abd65724a2
As you can see here, the virus is crypted, which means the virus could give out false positives; however, as you can also see, the file is being detected as a trojan.
https://www.virustotal.com/en/file/da346...425907657/
Here you can see the file is being detected as "HEUR/QVM03.0.Malware.Gen" and "Obfuscated.gen!r".
"Obfuscated" means it is crypted; "HEUR/QVM03.0.Malware" means it can deal a lot of damage, as seen here: http://blog.mitechmate.com/remove-heurq ... ompletely/
This means that the file is a crypted trojan.

And if you don't believe me, then prove that the file ISN'T a trojan.
One Virus
Tester
 

Re: [Warning] Zzuk possibly spreading malware

by mrmr » Wed Mar 11, 2015 10:33 pm

Dear One Virus...

Why is morpher.exe 100k (100352 bytes) while all the other files you scanned are 138k (141312 bytes)?

Seems like you are trying to fool/frame someone, but why?
And remember... the links you posted tell us nothing but some virus scans (that everyone knows are often fooled by "legit" operations).

Also, remember that the burden of proof lies on the accuser's shoulders.
You are accusing Zzuk of spreading malware... and as proof you bring up a false positive and 4 scans of another file.

Please, try harder...

EDIT:
Zzuk's release hash (from my local disk, using MultiHasher):
Code:
< C:\Morpher.exe >
Size: 100.352 bytes
MD5: 1F4B71BC3B353011484F37D152B075D0
SHA-1: 504E0C8E132DF06ACB3F72DC21D4C1BFF46164D2


One Virus's file (taken from his links)
Code:
File: bot (1).exe
Size: 141.312 bytes
MD5: 3eda3f00b3dedd762e2f81ec5bd78b51
SHA-1: e7cd9cd054f22fbbdfad335828c650f2366ad5be
Last edited by mrmr on Wed Mar 11, 2015 10:46 pm, edited 2 times in total.
I'm not root of myself.
mrmr
Sergeant Major
 

Re: [Warning] Zzuk possibly spreading malware

by Beabington » Wed Mar 11, 2015 10:41 pm

zzuk the boi
Officer of <Ridin Dirty>
schrubby1g
Beabington
Senior Sergeant
 

Re: [Warning] Zzuk possibly spreading malware

by Dean » Thu Mar 12, 2015 4:12 pm

http://pastebin.com/bLFH8RJu
Some funny stuff in this one :^)

tl:dr version:
[12.08.2013 22:51:24] Random Guy: i have an idea
[12.08.2013 23:32:51] <GM>Vidotrieth: what is your idea
[12.08.2013 23:33:16] Random Guy: i release my bot to the public with a backdoor sending all botted character names from ed to me :P
[12.08.2013 23:33:18] Random Guy: hurhuhur
[12.08.2013 23:33:35] Random Guy: then we see who is truely a good person and doesnt cheat even if he/she has the chance to do it
[12.08.2013 23:33:52] <GM>Vidotrieth: lol
[12.08.2013 23:34:40] Random Guy: no just joking :)


[13.08.2013 00:29:00] <GM>Vidotrieth: not smart
[13.08.2013 00:29:07] <GM>Vidotrieth: I would put a keylogger inside
[13.08.2013 00:29:11] <GM>Vidotrieth: and release
[13.08.2013 00:29:33] <GM>Vidotrieth: and put a code which will auto delete bot in a week or so
[13.08.2013 00:29:34] <GM>Vidotrieth: :D
[13.08.2013 00:29:52] Random Guy: well i infected kim bartholdi one time
[13.08.2013 00:30:06] Random Guy: but after letting things pop up on his screen while he was fapping to youporn i got bored
[13.08.2013 00:30:21] <GM>Vidotrieth: [Dienstag, 13. August 2013 00:29] Random Guy:

<<< kim bartholdi you dont really need to infect him lol
[13.08.2013 00:30:23] <GM>Vidotrieth: he is stupid
[13.08.2013 00:30:24] Random Guy: i thought i could get something interesting from this guy but obviously he is just an idiot without any skills.
Dean
Tester
 

Re: [Warning] Zzuk possibly spreading malware

by SanderP » Thu Mar 12, 2015 5:14 pm

Dean wrote:http://pastebin.com/bLFH8RJu
Some funny stuff in this one :^)

tl:dr version:
[12.08.2013 22:51:24] Random Guy: i have an idea
[12.08.2013 23:32:51] <GM>Vidotrieth: what is your idea
[12.08.2013 23:33:16] Random Guy: i release my bot to the public with a backdoor sending all botted character names from ed to me :P
[12.08.2013 23:33:18] Random Guy: hurhuhur
[12.08.2013 23:33:35] Random Guy: then we see who is truely a good person and doesnt cheat even if he/she has the chance to do it
[12.08.2013 23:33:52] <GM>Vidotrieth: lol
[12.08.2013 23:34:40] Random Guy: no just joking :)


[13.08.2013 00:29:00] <GM>Vidotrieth: not smart
[13.08.2013 00:29:07] <GM>Vidotrieth: I would put a keylogger inside
[13.08.2013 00:29:11] <GM>Vidotrieth: and release
[13.08.2013 00:29:33] <GM>Vidotrieth: and put a code which will auto delete bot in a week or so
[13.08.2013 00:29:34] <GM>Vidotrieth: :D
[13.08.2013 00:29:52] Random Guy: well i infected kim bartholdi one time
[13.08.2013 00:30:06] Random Guy: but after letting things pop up on his screen while he was fapping to youporn i got bored
[13.08.2013 00:30:21] <GM>Vidotrieth: [Dienstag, 13. August 2013 00:29] Random Guy:

<<< kim bartholdi you dont really need to infect him lol
[13.08.2013 00:30:23] <GM>Vidotrieth: he is stupid
[13.08.2013 00:30:24] Random Guy: i thought i could get something interesting from this guy but obviously he is just an idiot without any skills.


Lol, Zzuk that ####. In Germany, there's a saying "The biggest scoundrel in the whole land is and remains the informer!" :roll:
Flavie, 60 Hunter
Illusion, 60 Rogue
Star, 43 Paladin
<The Council>
SanderP
Sergeant Major
 
