Page 3 of 3 FirstFirst 123
Results 21 to 26 of 26

Thread: Morto.fi detected?

  1. #21
    Member of Team Spybot (m/f)'s Avatar
    Join Date
    Feb 2006
    Posts
    294

    Default

    Quote Originally Posted by (m/f) View Post
    Hi. I have read your post and e-mails, but I cannot say that I found anything.
    We looked again at your e-mail to detections(at)spybot but it has no attachment. So we still have no file to analyze. Please resend the file in a password protected .zip. Thank you.
    (m/f)

  2. #22
    Member
    Join Date
    Jan 2016
    Posts
    65

    Default

    Quote Originally Posted by (m/f) View Post
    We looked again at your e-mail to detections(at)spybot but it has no attachment. So we still have no file to analyze. Please resend the file in a password protected .zip. Thank you.
    What really?! I knew it!!!

    *sigh* ...ok here's the file in question that's passworded: http://s000.tinyupload.com/index.php?file_id=39055518938693596987 - password is in the description.

    And I will upload once again, to detections@spybot....um that's invalid.....is a dot com after that or dot something? Oh it's dot info.....as I last sent....

  3. #23
    Member of Team Spybot (m/f)'s Avatar
    Join Date
    Feb 2006
    Posts
    294

    Default

    Got the files. I will have a look today. Thank you.
    (m/f)

  4. #24
    Member
    Join Date
    Jan 2016
    Posts
    65

    Exclamation

    Quote Originally Posted by (m/f) View Post
    Got the files. I will have a look today. Thank you.
    *phew* THANKYOU!

    The actual directory should be something like this:
    Trainer for Oil Rush.rar
    -\Trainer for Oil Rush
    --\Capture.PNG >> Screencap of the download page
    --\OIL.RUSH.V1.0.AND.V1.01.PLUS.2.TRAINER.BY.Burmass.rar >> This is the file you want to get into - this one is also passworded, but not by me - by the original site I downloaded it from...
    ---\Oil Rush V1.0_1.01 +2 Trn_2.exe >> This is the file you want to be analyzing.
    --\OIL.RUSH.V1.0.AND.V1.01.PLUS.2.TRAINER.BY.Burmass.rar.txt >> Hashes, download link and page and further details(like said password mentioned earlier) for OIL.RUSH.V1.0.AND.V1.01.PLUS.2.TRAINER.BY.Burmass.rar file
    --\Trainer for Oil Rush.zip >> Original zip file that I sent over to detections @ spybot . info but as you had said, never got the file.....luckily I've still have it all this time...(I stupidly rar'd this zip file with it....so now you will have duplicate sets of files...)
    ---\Capture.PNG >> Screencap of the download page(Duplicate file, I stupidly rar'd the zip file with it...)
    ---\OIL.RUSH.V1.0.AND.V1.01.PLUS.2.TRAINER.BY.Burmass.rar >> This is the file you want to get into - this one is also passworded, but not by me - by the original site I downloaded it from... (Duplicate file, I stupidly rar'd the zip file with it...)
    ----\Oil Rush V1.0_1.01 +2 Trn_2.exe >> Or this file you want to be analyzing(Duplicate file, I stupidly rar'd the zip file with it...)
    ---\OIL.RUSH.V1.0.AND.V1.01.PLUS.2.TRAINER.BY.Burmass.rar.txt >> Hashes, download link and page and further details(like said password mentioned earlier) for OIL.RUSH.V1.0.AND.V1.01.PLUS.2.TRAINER.BY.Burmass.rar file(Duplicate file, I stupidly rar'd the zip file with it...)

    Ok, so let me know how the analysis goes and what it is trying to do and whether if it's malicious or not..... Hopefully there, it will explain the mysterious event of it deleting itself after a while.....

  5. #25
    Member of Team Spybot (m/f)'s Avatar
    Join Date
    Feb 2006
    Posts
    294

    Default

    Sooooo, I analyzed the file and executed it in a safe environment and found nothing had been changed in the system. As I do not have the game installed I could not prove that it did change the content of the registers as stated in the code (those occupied when the game is running). I guess that other AV take this altering of register content as malicious behaviour. I let the file run for some time (not hours, but a few minutes) and it is still persistent on the system. I double checked the hashes of the file just in case, but they were the ones stated in the text file.

    In short: I could not find any link to Morto.fi in the file. Best Regards.
    (m/f)

  6. #26
    Member
    Join Date
    Jan 2016
    Posts
    65

    Question

    Quote Originally Posted by (m/f) View Post
    Sooooo, I analyzed the file and executed it in a safe environment and found nothing had been changed in the system. As I do not have the game installed I could not prove that it did change the content of the registers as stated in the code (those occupied when the game is running). I guess that other AV take this altering of register content as malicious behaviour. I let the file run for some time (not hours, but a few minutes) and it is still persistent on the system. I double checked the hashes of the file just in case, but they were the ones stated in the text file.

    In short: I could not find any link to Morto.fi in the file. Best Regards.
    Okay, so it does no other activity besides modify some registers that are to do with the game and nothing else? ...which would mean all those scanners that picked this up as a trojan(including the ones from Jotti and Virustotal), any kind, are false positives.....therefore this trainer program is 100% safe as it does what it's supposed to be doing and nothing more/else? Oh wait you can't test that out; but you can read the de-compiled code that says it is supposed to do this and there's no other code that says, do this extra thing while you're at it(like oh idk...maybe phone home and grab some more files from there and execute that to do some damage?)? If I give you a copy of this game, will you be able to confirm this? And then you delete it afterwards? Or..you can tell me how I can do this myself since I have a copy of the game(if you don't want to deal in pirating stuff from me....unless you wanna buy it off the official site(I believe they still sell it...last I checked anyways) and then go from there....just to test this out), so guide me through all the steps and then find out myself...?

    Ok, so what's with the mysterious event where it deletes itself after a set period of time? Or is that something external? Because I have no log of any of my pro-active scanners doing such a thing, so none has ever quarantined it nor deleted and log the delete event, etc..... Is there code in there that mentions something about deleting itself after a period of time? Otherwise I would then be quite confuse as to why this happens, assuming my system is 110% clean of malware....

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •