SciLor's Open Source Forums
http://forum.scilor.com/

Virus: RapidShare Premium Accounts Seeker v2.0.0 found
http://forum.scilor.com/viewtopic.php?f=3&t=118
Page 1 of 1

Author:  SciLor [ Thu Mar 25, 2010 9:38 pm ]
Post subject:  Virus: RapidShare Premium Accounts Seeker v2.0.0 found

I have recently found the software "RapidShare Premium Accounts Seeker v2.0.0".

THIS IS A PASSWORD/LICENSE STEALER or even more...

It is presented like this on various websites:

Coded by RSS Team.

RS Premium Accounts Seeker Imports fresh RS accounts.
It's 100% working (importing RS accounts).


Filelist:
Code:
RS_Seeker_2_Setup.exe

And after install:
Code:
RSdwn.dll
RSPAS.exe
sqlite3.dll


-------------

I made a simple analysis of it:
OK, VirusTotal has only 3 heuristic results, but analysing it with a hex editor makes it even more suspicious.
It looks like a key stealer for different software:

ex: RSPAS.exe

Steam Stealer?!
Code:
Software\Valve\Steam\   ÿÿÿÿ      SteamPath   ÿÿÿÿ   \config\SteamAppData.vdf    ÿÿÿÿ
   AutoLoginUser   ÿÿÿÿ   "   ÿÿÿÿ   Error   U‹ì3ÉQQQQQSVW‰Eü3ÀUh¸"@ dÿ0d‰ 3ÀUh†"@ dÿ0d‰ ²¡Ô@B èœüÿÿ£D B º  €¡D B èüÿÿ3ɺÐ"@ ¡D B è‡üÿÿMøºð"@ ¡D B è}üÿÿ‹Uø¸H B è8ðÿÿ¡H B èfðÿÿHŽ  j Eô¹#@ ‹H B èZðÿÿ‹Mô²¡`=B èkóÿÿ£P B 3ɲ¡T=B è`óÿÿ£L B ¡P B ‹ÿRP‹P B ¡L B è0óÿÿ¸P B èªõÿÿ¡L B ‹P¸$#@ è<ðÿÿ£T B ƒT B (EðP¡L B ‹@¹ÿ   ‹T B èðÿÿ‹Eðèìïÿÿ£\ B ¸L B èYõÿÿh,#@ Eì¹T#@ ‹H B è¥ïÿÿ‹Eìè½ïÿÿPèoóÿÿPèaóÿÿ£` B hd B jdhh B ¡\ B èÚôÿÿP¡\ B Pÿ` B ƒÄ‹Eüºh B ¹d   è<ïÿÿ3ÀZYYd‰ëé½îÿÿ‹Eüºh#@ èðîÿÿèÃîÿÿ3ÀZYYd‰h¿"@ E캠  èÉîÿÿÃé“îÿÿëë_^[‹å]à ÿÿÿÿ   Software\Valve\Steam\   ÿÿÿÿ      SteamPath   ÿÿÿÿ   \ClientRegistry.blob    ÿÿÿÿ   Phrase  SteamDecryptDataForThisMachine  ÿÿÿÿ
   \steam.dll 


Trillian Messenger Stealer
Code:
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian    UninstallString ÿÿÿÿ   \Trillian\User Settings\    ÿÿÿÿ   \users\global\profiles.ini  num Profiles    ÿÿÿÿ   Profile0    ÿÿÿÿ      Profile00   -1  Name    Preferences Type    Preferences Location    ÿÿÿÿ   \users\default  ÿÿÿÿ
   \yahoo.ini  ÿÿÿÿ   \msn.ini   


Windows Live Messenger Stealer
Code:
WindowsLive:name=*  ÿÿÿÿE   <p class=MsoNormal align=center style="text-align:center"><b><u><span   ÿÿÿÿJ   style="font-size:16.0pt;line-height:115%;font-family:"Arial","sans-serif";  ÿÿÿÿU   mso-ascii-theme-font:minor-bidi;mso-hansi-theme-font:minor-bidi;mso-bidi-font-family:   ÿÿÿÿX   Arial;mso-bidi-theme-font:minor-bidi">-- Messenger Live --<o:p></o:p></span></u></b></p>    ÿÿÿÿ   </html> ÿÿÿÿj   <table width="50%" align="center" cellpadding="3px" style="border:1px solid #FF9900; background:#EEF9FF;">  ÿÿÿÿ   <tr>    ÿÿÿÿ   <td width="200">E-Mail=     ÿÿÿÿ   </td>   ÿÿÿÿ   </tr>   ÿÿÿÿ   </table>    ÿÿÿÿ   </body> ÿÿÿÿ<   <td width="200">Pass= (null! / Password is not saved !)</td>


Various Licenses:
Code:
SOFTWARE\Microsoft\Windows NT\CurrentVersion    ÿÿÿÿj   <table width="50%" align="center" cellpadding="3px" style="border:1px solid #FF9900; background:#EEF9FF;">  ÿÿÿÿ!   <td width="200">ProductName(OS):    ÿÿÿÿ   </td>   ÿÿÿÿ   </tr>   ÿÿÿÿ   </table>    ÿÿÿÿ   </body> ÿÿÿÿ
   CSDVersion  ÿÿÿÿz   <td width="200"><table width="50%" align="center" cellpadding="3px" style="border:1px solid #FF9900; background:#EEF9FF;">  ÿÿÿÿ   <td width="200">CSDVersion:     ÿÿÿÿ   RegisteredOwner ÿÿÿÿ!   <td width="200">RegisteredOwner:    ÿÿÿÿ   RegisteredOrganization  ÿÿÿÿ(   <td width="200">RegisteredOrganization:     ÿÿÿÿ   Email   ÿÿÿÿ"   SOFTWARE\Internet Download Manager  ÿÿÿÿ1   <td width="200">Internet Download Manager:  </tr>   ÿÿÿÿ   <td width="200">Email:  ÿÿÿÿ   FName   ÿÿÿÿ   <td width="200">First Name:     ÿÿÿÿ   LName   ÿÿÿÿ   <td width="200">Last Name:  ÿÿÿÿ   Serial  ÿÿÿÿ   <td width="200">Serial:     ÿÿÿÿ      SerialNum   ÿÿÿÿ)   SOFTWARE\Zone Labs\ZoneAlarm\Registration   ÿÿÿÿ   <td width="200">ZoneAlarm   ÿÿÿÿ   <td width="200">Username:   ÿÿÿÿ   <td width="200">Company:    ÿÿÿÿ    SerialNumber    ÿÿÿÿ   SOFTWARE\Ipswitch\WS_FTP    ÿÿÿÿ   <td width="200">WS FTP  ÿÿÿÿ   regname ÿÿÿÿ   SOFTWARE\Nullsoft\Winamp    ÿÿÿÿ   <td width="200">Winamp </tr>    ÿÿÿÿ   <td width="200">Regname:    ÿÿÿÿ   regkey  ÿÿÿÿ   SOFTWARE\Westwood\Tiberian Sun  ÿÿÿÿ*   <td width="200">Westwood Alarmstufe Rot 2   ÿÿÿÿ7   SOFTWARE\Vmware, Inc.\Vmware Workstation\License.ws.5.0 ÿÿÿÿ   <td width="200">VMware  ÿÿÿÿ(   <td width="200">VMware Workstation 5.0:     ÿÿÿÿ>   SOFTWARE\Vmware, Inc.\Vmware Workstation\License.ws.6.0.200907  ÿÿÿÿ*   <td width="200">VMware Workstation 6.5.1:   ÿÿÿÿ5   SOFTWARE\VMware, Inc.\VMware Server\License.vs.1.0-00   ÿÿÿÿ   <td width="200">VMware Server:  ÿÿÿÿ   CDKey   ÿÿÿÿ0   SOFTWARE\Unreal Technology\Installed Apps\UT2004    ÿÿÿÿ"   <td width="200">Unreal Tournament   ÿÿÿÿ(   <td width="200">Unreal Tournament 2004:     ÿÿÿÿ0   SOFTWARE\Unreal Technology\Installed Apps\UT2003    ÿÿÿÿ(   <td width="200">Unreal Tournament 2003:     ÿÿÿÿ   RegCode ÿÿÿÿ   SOFTWARE\TuneUp\Utilities\8.0   ÿÿÿÿ   <td width="200">Tuneup  ÿÿÿÿ   <td width="200">TuneUP 2009:    ÿÿÿÿ   Company ÿÿÿÿ    <td width="200">TuneUP Company:     ÿÿÿÿ   UserName    
ÿÿÿÿ!   <td width="200">TuneUP UserName:    ÿÿÿÿ    unlock code ÿÿÿÿ    Software\@stake\LC5\Registration    ÿÿÿÿ&   <td width="200">@Stake L0pht CrackLC5   ÿÿÿÿ   <td width="200">@Stake Serial:  ÿÿÿÿ
   3DMarkRegName   ÿÿÿÿ&   SOFTWARE\MadOnion.com\Registration2001  ÿÿÿÿ   <td width="200">3D Mark </tr>   ÿÿÿÿ    3DMarkRegKey    ÿÿÿÿ   <td width="200">Key:    ÿÿÿÿ   LMKEY   ÿÿÿÿ   SOFTWARE\Borland\Delphi\6.0 ÿÿÿÿ!   <td width="200">Delphi 6(LMKEY):    ÿÿÿÿ   LMLIC   ÿÿÿÿ!   <td width="200">Delphi 6(LMLIC):    ÿÿÿÿ   SOFTWARE\Borland\Delphi\7.0 ÿÿÿÿ   <td width="200">Delphi 7:   ÿÿÿÿ!   <td width="200">Delphi 7(LMLIC):    ÿÿÿÿ'   Software\Alcohol Soft\Alcohol 120%\Info ÿÿÿÿ   <td width="200">Alcohol ÿÿÿÿ      ServerKey   ÿÿÿÿ   <td width="200">Password:   ÿÿÿÿ   SerialNo    ÿÿÿÿ   SOFTWARE\Sunflowers\Anno 1701   ÿÿÿÿ   <td width="200">Anno1701    ÿÿÿÿ*   SOFTWARE\Autodesk\AutoCAD\R15.0\ACAD-1:409  ÿÿÿÿ   <td width="200">Autocad     ÿÿÿÿ   <td width="200">Serial 2000:    ÿÿÿÿ,   SOFTWARE\Autodesk\AutoCAD\R16.0\ACAD-201:409    ÿÿÿÿ   <td width="200">Serial 2002:    ÿÿÿÿ-   SOFTWARE\Autodesk\AutoCAD LT\R2000\ACLT-1:409   ÿÿÿÿ    <td width="200">Serial LT 2000:     ÿÿÿÿ-   SOFTWARE\Autodesk\AutoCAD LT\R10\ACLT-301:409   ÿÿÿÿ    <td width="200">Serial LT 2005:     ÿÿÿÿ*   SOFTWARE\Autodesk\AutoCAD LT\R8\ACLT-1:409  ÿÿÿÿ    <td width="200">Serial LT 2002:     ÿÿÿÿ-   SOFTWARE\Autodesk\AutoCAD\R17.1\ACAD-6001:409   ÿÿÿÿ   <td width="200">Serial 2008:    ÿÿÿÿ0   SOFTWARE\Autodesk\AutoCAD LT\R13\ACADLT-6001:409    ÿÿÿÿ    <td width="200">Serial LT 2008:     ÿÿÿÿ-   SOFTWARE\Autodesk\AutoCAD\R17.0\ACAD-5001:409   ÿÿÿÿ   <td width="200">Serial 2007:    ÿÿÿÿ0   SOFTWARE\Autodesk\AutoCAD LT\R12\ACADLT-5001:409    ÿÿÿÿ    <td width="200">Serial LT 2007:     ÿÿÿÿ.   
SOFTWARE\Autodesk\AutoCAD LT\R11\ACLT-4001:409  ÿÿÿÿ    <td width="200">Serial LT 2006:     ÿÿÿÿ-   SOFTWARE\Autodesk\AutoCAD\R17.0\ACAD-5007:409   ÿÿÿÿ(   <td width="200">Serial Electrical 2007:     ÿÿÿÿ-   SOFTWARE\Autodesk\AutoCAD\R16.2\ACAD-4007:409   ÿÿÿÿ(   <td width="200">Serial Electrical 2006:     ÿÿÿÿ,   SOFTWARE\Autodesk\AutoCAD\R16.1\ACAD-307:409    ÿÿÿÿ(   <td width="200">Serial Electrical 2005:     ÿÿÿÿ-   SOFTWARE\Autodesk\AutoCAD\R17.0\ACAD-5005:409   ÿÿÿÿ(   <td width="200">Serial Mechanical 2007:     ÿÿÿÿ-   SOFTWARE\Autodesk\AutoCAD\R16.2\ACAD-4005:409   ÿÿÿÿ(   <td width="200">Serial Mechanical 2006:     ÿÿÿÿ,   SOFTWARE\Autodesk\AutoCAD\R16.1\ACAD-305:409    ÿÿÿÿ(   <td width="200">Serial Mechanical 2005:     ÿÿÿÿ   SOFTWARE\Autodesk\3dsmax\8.0    ÿÿÿÿ   <td width="200">3ds Max 8:  ÿÿÿÿ   SOFTWARE\Autodesk\3dsmax\7.0    ÿÿÿÿ   <td width="200">3ds Max 7:  ÿÿÿÿ-   SOFTWARE\Autodesk\AutoCAD\R17.0\ACAD-5004:409   ÿÿÿÿ3   <td width="200">Serial Architectural Desktop 2007:  ÿÿÿÿ-   SOFTWARE\Autodesk\AutoCAD\R16.2\ACAD-4004:409   ÿÿÿÿ2   <td width="200">Serial Architectural Desktop 2006:  ÿÿÿÿ,   SOFTWARE\Autodesk\AutoCAD\R16.1\ACAD-304:409    ÿÿÿÿ3   <td width="200">Serial Architectural Desktop 2005:  ÿÿÿÿ-   SOFTWARE\Autodesk\AutoCAD\R17.0\ACAD-5006:409   ÿÿÿÿ'   <td width="200">Building Systems 2007:  ÿÿÿÿ
   ProductKey  ÿÿÿÿ*   Software\Axialis\IconWorkshop\registration  ÿÿÿÿ)   <td width="200">Axailis IconWorkshop 6.0    ÿÿÿÿ   ergc    ÿÿÿÿ2   Software\Electronic Arts\EA GAMES\Battlefield 1942  ÿÿÿÿ   <td width="200">Battle Field    ÿÿÿÿ   <td width="200">Serial 1942:    ÿÿÿÿC   Software\Electronic Arts\EA GAMES\Battlefield 1942 The Road to Rome ÿÿÿÿ1   <td width="200">Serial BF 1942 The Road to Rome:    ÿÿÿÿ/   Software\Electronic Arts\EA GAMES\Battlefield 2 ÿÿÿÿ&   <td width="200">Serial Battlefield 2:   ÿÿÿÿ2   Software\Electronic Arts\EA GAMES\Battlefield 2142  ÿÿÿÿ)   <td width="200">Serial Battlefield 2142:    ÿÿÿÿI   Software\Electronic Arts\EA GAMES\Battlefield 1942 Secret Weapons of WWII   ÿÿÿÿ4   <td width="200">Serial 1942 Secret Weapons of WWII:     ÿÿÿÿ5   Software\Electronic Arts\EA GAMES\Battlefield Vietnam   ÿÿÿÿ,   <td width="200">Serial Battlefield Vietnam:     ÿÿÿÿ#   SOFTWARE\SnapStream Media\Beyond TV ÿÿÿÿ   <td width="200">SnapStream  ÿÿÿÿ"   <td width="200">Serial Beyond TV:   ÿÿÿÿ&   SOFTWARE\SnapStream Media\Beyond Media  ÿÿÿÿ%   <td width="200">Serial Beyond Media:    ÿÿÿÿ1   Software\Electronic Arts\EA GAMES\Black and White   ÿÿÿÿ    <td width="200">Black and White     ÿÿÿÿ    serialnumber    ÿÿÿÿ   SOFTWARE\techland\Chrome    ÿÿÿÿ   <td width="200">Chrome  ÿÿÿÿ   codkey  ÿÿÿÿ    SOFTWARE\Activision\Call of Duty    ÿÿÿÿ   <td width="200">CALL OF DUTY    ÿÿÿÿ   key ÿÿÿÿ1   SOFTWARE\Activision\Call of Duty United Offensive   ÿÿÿÿ"   <td width="200">United Offensive:   ÿÿÿÿ"   SOFTWARE\Activision\Call of Duty 2  ÿÿÿÿ    <td width="200">Call of Duty 2:     ÿÿÿÿ"   SOFTWARE\Activision\Call of Duty 4  ÿÿÿÿ    <td width="200">Call of Duty 4:     ÿÿÿÿ$   SOFTWARE\Activision\Call of Duty WAW    ÿÿÿÿ$   <td width="200">Call of Duty 5 WaW:     ÿÿÿÿ*   SOFTWARE\Electronic Arts\EA Games\Generals  ÿÿÿÿ   <td width="200">Generals    ÿÿÿÿH   SOFTWARE\electronic arts\ea games\command and conquer generals zero hour    ÿÿÿÿ   <td width="200">ZeroHour:   
ÿÿÿÿ>   SOFTWARE\Electronic Arts\Electronic Arts\Command and Conquer 3  ÿÿÿÿ$   <td width="200">Command and Conquer:    ÿÿÿÿ   serial  ÿÿÿÿ   SOFTWARE\westwood\tiberian sun  ÿÿÿÿ   <td width="200">Tiberian Sun    ÿÿÿÿ   SOFTWARE\westwood\red alert ÿÿÿÿ   <td width="200">Red Alert   ÿÿÿÿ   <td width="200">Serial :    ÿÿÿÿ   SOFTWARE\Westwood\Red Alert 2   ÿÿÿÿ#   <td width="200">Serial Red Alert 2: ÿÿÿÿ    SOFTWARE\Westwood\Yuri's Revenge    ÿÿÿÿ'   <td width="200">Serial Yuri's Revenge:  ÿÿÿÿ   Version ÿÿÿÿ   SOFTWARE\THQ\Company of Heroes  ÿÿÿÿ"   <td width="200">Company of Heroes   ÿÿÿÿ   <td width="200">Version:    ÿÿÿÿ      RegNumber   ÿÿÿÿ+   Software\Eugen Systems\ActOfWar_HighTreason ÿÿÿÿ(   <td width="200">Act Of War High Treason     ÿÿÿÿ   Software\Eugen Systems\ActOfWar ÿÿÿÿ    DiscKey_SCCT    ÿÿÿÿ0   SOFTWARE\Ubisoft\Splinter Cell Chaos Theory\Keys    ÿÿÿÿ   <td width="200">Splinter Cell   ÿÿÿÿ   <td width="200">Chaos Theory:   ÿÿÿÿ4   SOFTWARE\Ubisoft\Splinter Cell Pandora Tomorrow\Keys    ÿÿÿÿ!   <td width="200">Pandora Tomorrow:   ÿÿÿÿ   CDKEY   ÿÿÿÿ   Software\THQ\Dawn of War    ÿÿÿÿ   <td width="200">Dawn of War     ÿÿÿÿ   <td width="200">Dawn of War:    ÿÿÿÿ    Software\THQ\Dawn of War II Beta    ÿÿÿÿ$   <td width="200">Dawn of War II Beta:    ÿÿÿÿ'   Software\THQ\Dawn of War - Dark Crusade ÿÿÿÿ,   <td width="200">Dawn of War - Dark Crusade:     ÿÿÿÿ"   Software\THQ\Dawn of War Soulstorm  ÿÿÿÿ'   <td width="200">Dawn of War Soulstorm:  ÿÿÿÿ      CDKEY_WXP   ÿÿÿÿ,   <td width="200">Dawn of War Winter Assault:     ÿÿÿÿ/   Software\Electronic Arts\Electronic Arts\Crysis ÿÿÿÿ   <td width="200">Crysis :    ÿÿÿÿ;   Software\Wow6432Node\Electronic Arts\Electronic Arts\Crysis ÿÿÿÿ!   <td width="200">Crysis (64/32b):    ÿÿÿÿ?   Software\Electronic Arts\EA Games\The Godfather 2 The Game\ergc ÿÿÿÿ!   
<td width="200">The Godfather 2:    ÿÿÿÿ#   SOFTWARE\sega\Medieval II Total War ÿÿÿÿ#   <td width="200">Medieval Total War  ÿÿÿÿ'   <td width="200">Medieval II Total War:  ÿÿÿÿ   Serial8 ÿÿÿÿ/   SOFTWARE\Nero\Installation\Families\Nero 8\Info ÿÿÿÿ   <td width="200">Nero    ÿÿÿÿ   <td width="200">Nero 8:     ÿÿÿÿ   Serial7 ÿÿÿÿ/   SOFTWARE\Nero\Installation\Families\Nero 7\Info ÿÿÿÿ   <td width="200">Nero 7: ÿÿÿÿ   Serial9 ÿÿÿÿ/   SOFTWARE\Nero\Installation\Families\Nero 9\Info


I have also found the website where all the data goes (maybe FTP):
Code:
C:\Windows\sc_s_    ÿÿÿÿ   .xdf    2   F T P - T E A M B E A N _ 3 2 1 E 3 A 2 E 9 0 3 1      f t p . t 3 5 . c o m      f 4 d 5 f 5 . t 3 5 . c o m        4 d f s _ e r 5 d e     ÿÿÿÿ   _   ÿÿÿÿ   sc_s_   ÿÿÿÿ   .png    ÿÿÿÿ   Server Connection error.    ÿÿÿÿ"   Cannot connect to accounts server.  ÿÿÿÿ   C:\Windows\rsaccdata.gran   ÿÿÿÿ(   http://nizarmix.l4rge.com/aze1s0x.xcxpps
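
The strings above are exactly what a quick triage pass looks for: registry paths where licence keys and login data live, an HTML template to format the loot, and a hostname or URL to send it to. As an added example (not part of SciLor's post, and not code from the malware or the forum), the script below automates that hex-editor pass in Python: it extracts ASCII and UTF-16LE strings from a binary and flags the ones that hit an indicator. The indicator lists are copied from the strings quoted above; `SAMPLE_BLOB`, the labels and the function names are my own constructions for the example, not the real RSPAS.exe.

```python
"""
Added example, not from SciLor's post: string triage of a suspect binary.

Pull out ASCII and UTF-16LE strings, then flag those that look like
credential/licence registry paths, staging files or exfiltration
endpoints. Indicator lists come from the strings quoted in the post;
SAMPLE_BLOB is a constructed stand-in, not the real RSPAS.exe.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

MIN_LEN = 6  # shorter runs are mostly opcode noise

# Printable ASCII runs, and UTF-16LE runs (printable byte, NUL, repeated).
# UTF-16LE storage is why the FTP hostnames in the post show up as
# "f t p . t 3 5 . c o m": every other byte is a NUL.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Registry paths the post found in RSPAS.exe, with what each one yields.
# Matching is case-insensitive because the Windows registry is
# (the post shows both "SOFTWARE\westwood" and "SOFTWARE\Westwood").
STEALER_TARGETS = {
    r"Software\Valve\Steam": "Steam login data",
    r"\ClientRegistry.blob": "Steam login data",
    r"\Trillian\User Settings": "Trillian IM profiles",
    r"\users\global\profiles.ini": "Trillian IM profiles",
    r"SOFTWARE\Internet Download Manager": "Internet Download Manager licence",
    r"SOFTWARE\Zone Labs\ZoneAlarm\Registration": "ZoneAlarm licence",
    r"SOFTWARE\Ipswitch\WS_FTP": "WS_FTP licence",
    r"SOFTWARE\Borland\Delphi": "Delphi licence",
    r"SOFTWARE\Autodesk\AutoCAD": "AutoCAD serial",
    r"SOFTWARE\Nero\Installation\Families": "Nero serial",
    r"Software\Electronic Arts\EA GAMES": "EA game CD key",
}
# Exfiltration hosts quoted in the post, plus a generic URL/FTP pattern.
EXFIL_HOSTS = ("t35.com", "nizarmix.l4rge.com")
URL_RE = re.compile(r"(?:https?://|ftp\.)[\w.-]+", re.IGNORECASE)


@dataclass
class Finding:
    offset: int
    encoding: str
    text: str
    label: str


def extract_strings(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every ASCII/UTF-16LE run."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RE.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in WIDE_RE.finditer(blob)]
    return sorted(found)


def classify(text: str) -> Optional[str]:
    """Label a string if it matches a stealer indicator, else None."""
    lower = text.lower()
    for key, label in STEALER_TARGETS.items():
        if key.lower() in lower:
            return label
    if any(host in lower for host in EXFIL_HOSTS) or URL_RE.search(text):
        return "exfil endpoint"
    if lower.startswith("c:\\windows\\"):
        return "staging file under C:\\Windows"
    return None


def triage(blob: bytes) -> List[Finding]:
    """Extract strings and keep only those that hit an indicator."""
    findings = []
    for off, enc, txt in extract_strings(blob):
        label = classify(txt)
        if label is not None:
            findings.append(Finding(off, enc, txt, label))
    return findings


def summary(findings: List[Finding]) -> dict:
    """Group hit strings by label, e.g. {'Steam login data': [...], ...}."""
    grouped: dict = {}
    for f in findings:
        grouped.setdefault(f.label, []).append(f.text)
    return grouped


# Constructed stand-in for a binary: MZ header bytes, a few of the strings
# quoted in the post, and the FTP host stored as UTF-16LE. Not real malware.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"Software\\Valve\\Steam\\\x00\xff\xff\xff\xff\x00SteamPath\x00"
    + b"\\ClientRegistry.blob\x00"
    + b"SOFTWARE\\Internet Download Manager\x00"
    + b"\x00\x00" + "ftp.t35.com".encode("utf-16-le") + b"\x00\x00"
    + b"C:\\Windows\\rsaccdata.gran\x00"
    + b"http://nizarmix.l4rge.com/aze1s0x.xcxpps\x00"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for label, texts in summary(triage(data)).items():
        print(f"[{label}]")
        for t in texts:
            print("   ", t)
```

Run it as `python triage.py RSPAS.exe` to get the hits grouped by label. Two caveats a practitioner should keep in mind: a registry path on its own is only a heuristic (legitimate licence managers read the same keys), so the combination of licence keys plus an exfil endpoint plus a staging file is what makes the verdict convincing; and a clean string pass proves nothing, because a packed or encrypted sample hides these strings until it is unpacked or dumped from memory.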

Author:  Rayhvh [ Sat Aug 07, 2010 12:19 pm ]
Post subject:  Re: Virus: RapidShare Premium Accounts Seeker v2.0.0 found

That's some sick shit, thanks.
