I've recently come across a file AVG classifies as Trojan horse Downloader.Istbar.6.BU and Kaspersky Labs as Trojan-Downloader.Win32.IstBar.gen. I've decided to have a closer look at it. It turned out to be a major disappointment because there is not much of interest to say about the code in there. I'm nevertheless going to discuss my findings briefly because there are still one or two remarkable things.
If you downloaded the file, don't worry about accidentally running it: I've applied a small patch to it to make it unrunnable. If you know what you're doing you can restore its functionality. Even if you run it in its fixed form, nothing bad will happen as long as you deny it access to the internet.
The header of the file is moderately interesting. Merging the MZ header and the PE header apparently caught on with the writers of EXE packers lately. The last time I saw it was when I had a brief look at .kkrieger, the 96KB 3D shooter made by .theprodukkt. Istbar gets bonus points for storing the kernel32.dll string in the unused parts of the MZ header, though.
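Both header tricks mentioned above are easy to flag during triage. The script below is an added example (it is not code from the original post, and it was not run against the Istbar sample): it reads `e_lfanew` from offset 0x3C, reports whether the PE header overlaps the 0x40-byte DOS header, and extracts printable strings from the header bytes the Windows loader never interprets (everything before the PE header except `e_magic` and `e_lfanew`). The two test images are constructed in the script; the Istbar-style one places `kernel32.dll` at DOS header offset 0x10 and sets `e_lfanew` to 0x30, which is an assumption chosen to illustrate the layout, not the real sample's values.

```python
# Added example (not from the original post): triage the DOS/MZ header of a PE
# image for a PE header merged into the MZ header (e_lfanew < 0x40) and for
# data stashed in header fields the loader ignores.
import re
import struct

DOS_HEADER_SIZE = 0x40   # sizeof(IMAGE_DOS_HEADER); the loader only reads e_magic and e_lfanew
PE_SIG_AND_COFF = 24     # "PE\0\0" (4 bytes) + IMAGE_FILE_HEADER (20 bytes)


def analyze(data: bytes) -> dict:
    """Return e_lfanew, whether the headers overlap, how many header bytes are
    unused by the loader, and printable strings found in those bytes."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + PE_SIG_AND_COFF > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")

    # Bytes the loader actually consumes: e_magic, e_lfanew and the PE header
    # (signature + COFF header + optional header; the optional header size sits
    # at offset 20 of the COFF header).
    size_of_optional = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    reserved = set(range(0, 2)) | set(range(0x3C, 0x40))
    reserved |= set(range(e_lfanew, e_lfanew + PE_SIG_AND_COFF + size_of_optional))

    # Everything before the PE header (remaining DOS header fields and the DOS
    # stub) is free space for the author. Reserved bytes are masked to NUL so a
    # string cannot appear to span a field the loader does use.
    scan_limit = max(e_lfanew, DOS_HEADER_SIZE)
    masked = bytes(0 if i in reserved else data[i] for i in range(scan_limit))
    strings = [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{4,}", masked)]
    free_bytes = sum(1 for i in range(scan_limit) if i not in reserved)
    return {
        "e_lfanew": e_lfanew,
        "overlapping": e_lfanew < DOS_HEADER_SIZE,
        "free_bytes": free_bytes,
        "strings": strings,
    }


def build_sample(e_lfanew: int, stash: bytes = b"", stash_at: int = 0x10) -> bytes:
    """Constructed minimal image (not a real binary): MZ magic, an optional
    string stashed in the DOS header, e_lfanew, and a zeroed PE/COFF header."""
    img = bytearray(max(DOS_HEADER_SIZE, e_lfanew + PE_SIG_AND_COFF))
    img[0:2] = b"MZ"
    img[stash_at:stash_at + len(stash)] = stash
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(img)


if __name__ == "__main__":
    # Two constructed images: a stock layout and an Istbar-style one (assumed
    # offsets, not taken from the real sample).
    for label, img in (("stock layout", build_sample(0x80)),
                       ("Istbar-style", build_sample(0x30, b"kernel32.dll\0"))):
        print(label, analyze(img))
```

On a real file the free region normally contains only the stock DOS stub ("This program cannot be run in DOS mode."), so that string is expected; DLL names, URLs or anything else there is worth a closer look, and `e_lfanew` below 0x40 is a useful triage signal on its own because standard toolchains never emit it.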
Continue reading "Malware Analysis - Trojan horse Downloader.Istbar.6.BU"