The attachment was an SFX archive that, once executed, dropped an innocent AutoIt executable along with three other files.
The VB malware (Sophos names it Mdrop) is actually a simple password stealer that tries to steal passwords from the following software:
- IDM (Internet Download Manager), usually used to manage passwords for file-sharing web sites (rapidshare.com, uploadable.ch, etc.)
- JDownloader (it does it as seen here)
- Yahoo! Messenger
- VPN settings (saved in rasphone.pbk files)
In addition to the above, the binary carries the well-known NirSoft tools WebBrowserPassView and MailPassView in its resource section.
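One way to confirm such embedded tools during triage, added here as an example and not taken from the original analysis: scan the dropper for embedded PE images by looking for MZ headers whose e_lfanew field points at a valid PE signature, which is how a second-stage tool stored in a resource section shows up. The bytes below are constructed for the demonstration; the real dropper is not included, and the stub PE builder only produces headers, not a working executable.

```python
import struct

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"


def find_embedded_pe(data: bytes):
    """Return (offset, machine, number_of_sections) for every plausible PE image in data.

    A hit requires an "MZ" DOS header whose e_lfanew field (at +0x3C) points to a
    PE signature inside the buffer, which filters out stray 'MZ' byte pairs.
    """
    hits = []
    pos = data.find(MZ_MAGIC)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            # Real files keep the PE header close to the DOS header; a value
            # beyond 0x1000 is almost certainly not an e_lfanew.
            if (0x40 <= e_lfanew < 0x1000
                    and pe_off + 24 <= len(data)
                    and data[pe_off:pe_off + 4] == PE_MAGIC):
                machine, nsections = struct.unpack_from("<HH", data, pe_off + 4)
                hits.append((pos, machine, nsections))
        pos = data.find(MZ_MAGIC, pos + 1)
    return hits


def carve_embedded_pe(data: bytes):
    """Slice each embedded image from its MZ header up to the next one (or end of file).

    Without parsing section tables the slice may include trailing carrier bytes,
    so treat the carved files as candidates to be re-checked, not exact copies.
    """
    offsets = [off for off, _, _ in find_embedded_pe(data)]
    return [data[a:b] for a, b in zip(offsets, offsets[1:] + [len(data)])]


def make_stub_pe(machine: int = 0x14C, nsections: int = 3) -> bytes:
    """Build a minimal fake PE (DOS header, PE signature, COFF header) for testing.

    Constructed test data only; it is not a runnable executable.
    """
    dos = bytearray(0x40)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew: PE header at +0x80
    coff = struct.pack("<HHIIIHH", machine, nsections, 0, 0, 0, 0, 0)
    return bytes(dos) + b"\0" * 0x40 + PE_MAGIC + coff + b"\0" * 64


# Constructed stand-in for a dropper: filler, a decoy 'MZ' inside plain text,
# then two embedded tools separated by padding.
SAMPLE_DROPPER = (
    b"\0" * 0x200
    + b"MZ is just text here "
    + make_stub_pe(0x14C, 3)
    + b"\xAA" * 0x100
    + make_stub_pe(0x14C, 5)
)


if __name__ == "__main__":
    for off, machine, nsec in find_embedded_pe(SAMPLE_DROPPER):
        print(f"embedded PE at 0x{off:X}: machine=0x{machine:X} sections={nsec}")
```

On a real sample, hash each carved blob and compare against the published NirSoft binaries; a match confirms the tool was dropped unmodified, while a near-miss usually means the carve picked up trailing carrier bytes and the section table should be used to trim it.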
The malware itself is simple and boring, but here I had a chance to test my VB reversing skills. Since it is no secret that opening a VB6-based binary in IDA is not going to get you any further in the analysis process, I used VB-Decompiler and was able to decompile the binary to a stage where I could understand most of its functionality just by looking at the code, as we can see in the CallAPI function for example:
You really don't need more than that in order to find the source code on the web, although for a more serious RE job where you need to understand the bits and bytes it won't be enough.
To send the stolen passwords to its server it issues a simple HTTP GET request to sab3.netau.net whose parameters carry the application name, the username, the password and the victim's computer name, which makes that host name a straightforward network indicator for this sample.
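A detection sketch for that traffic, added here as an example rather than taken from the original post: it parses proxy log lines in a minimal constructed format and flags requests that either go to the named host or carry a credential-shaped query string (a password field next to a user or machine name). The request path, the parameter names and the log lines are assumptions, since the write-up does not give them; only the host name comes from the analysis.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Collection host named in the analysis above.
C2_HOSTS = {"sab3.netau.net"}

# The write-up does not give the real parameter names, so these sets are
# assumptions covering common spellings for the fields it lists.
PASSWORD_KEYS = {"pass", "passwd", "password", "pwd", "pw"}
USER_KEYS = {"user", "username", "login", "uname"}
HOST_KEYS = {"pc", "pcname", "computer", "computername", "host", "hostname"}

# Minimal constructed proxy-log format: "<time> <client> <method> <url> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify_request(line: str):
    """Return a finding dict for a suspicious request, or None for a benign line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    params = {k.lower(): v[0]
              for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    keys = set(params)

    reasons = []
    if url.hostname in C2_HOSTS:
        reasons.append("known collection host")
    # A password field next to a user or machine identifier in a query string
    # is the shape of this stealer's beacon, whatever host it goes to.
    if keys & PASSWORD_KEYS and (keys & USER_KEYS or keys & HOST_KEYS):
        reasons.append("credential-shaped query string")
    if not reasons:
        return None
    return {"src": m["src"], "method": m["method"], "host": url.hostname,
            "reasons": reasons, "params": params}


def scan_log(text: str):
    """Run classify_request over every line and keep the findings, in order."""
    return [f for f in map(classify_request, text.splitlines()) if f]


# Constructed log lines; the beacon path and parameter names are assumed.
SAMPLE_LOG = "\n".join([
    "09:14:02 10.0.0.21 GET http://www.example.com/search?q=rapidshare+premium 200",
    "09:14:09 10.0.0.21 GET http://sab3.netau.net/x.php?app=IDM&user=bob&pass=s3cret&pc=BOB-PC 200",
    "09:14:10 10.0.0.33 POST http://login.example.net/session 302",
    "09:14:12 10.0.0.21 GET http://203.0.113.7/r.php?application=JDownloader&pw=Hunter2&computername=BOB-PC 200",
])


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['src']} -> {f['host']}: {', '.join(f['reasons'])} {f['params']}")
```

The host match is the weaker of the two signals: free hosting domains like this one get abandoned and re-registered, so once the real parameter names are recovered from the decompiled code, replace the generic key sets with them and keep the query-shape rule as the durable detection.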
Overall this malware is just copy-paste work from the web and there is nothing new worth mentioning, but for me it was a good exercise in how to deal with an AutoIt-based packer(?) and how to decompile Visual Basic 6 code.