.Net Virus tt6ynew.exe

Tonight I found a .Net virus, and I think it is the first of its kind. I have thought for years about writing a trojan in .Net, because no antivirus would take it for a virus and you could use tricks like Reflection or on-the-fly class/code generation to make it very hard to catch, but I'm not a virus programmer.
 
But as you might know, I'm good at .Net Reflection (thanks to El Maestro 'Lutz Roeder' for his great tool Reflector http://www.red-gate.com/products/reflector/), so I tried to reflect the virus and WOW, it worked. Here, step by step, is what it does:
 
1) It first tries to connect to a SQL Server with these settings: "Data Source=ok8.com.ru;user id=dreader;password=reader1006;Initial Catalog=allusers;"
So be my guest to try that yourself.
 
2) After connecting, it gets its config and some users from a table called "tt2_6y_newzhanghao".
 
3) It then starts a number of threads (the number comes from the config in step 2).
 
4) From each thread it logs in to a web site: https://secure.plaync.com.tw/
 
5) If step 4 succeeds, it connects to a web page under: https://event.plaync.com.tw/
 
6) After getting a response it inserts some data into the same SQL Server, into a table named "tt2_6y_newusers",
this time with userid=idata, password=haha8591 and Database=allusers.
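As an added example (my own, not the author's code and not the malware), here is a small Python triage script that pulls the kind of indicators listed in steps 1, 4, 5 and 6 out of a .Net binary without running it. It assumes only a constructed byte blob standing in for the assembly, built from the connection string and URLs quoted above; the .Net-specific point is that string literals sit in the #US heap as UTF-16LE, so a plain ASCII `strings` pass misses them and the scan decodes both encodings.

```python
import re
from urllib.parse import urlparse

# Constructed sample blob standing in for a .NET assembly image: the #US heap
# stores string literals as UTF-16LE, so a plain ASCII `strings` pass misses them.
SAMPLE_CONN = "Data Source=ok8.com.ru;user id=dreader;password=reader1006;Initial Catalog=allusers;"
SAMPLE_BLOB = (
    b"\x00" * 8
    + SAMPLE_CONN.encode("utf-16-le") + b"\x00\x00"
    + "https://secure.plaync.com.tw/".encode("utf-16-le") + b"\x00\x00"
    + b"junk\x00"
    + b"https://event.plaync.com.tw/"          # an ASCII-encoded string for contrast
    + b"\x00" * 4
)
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")
CONN_KEY = re.compile(r"(?i)\bdata source\s*=")
URL = re.compile(r"https?://[\w.\-]+(?:/[^\s\"';]*)?")

def extract_strings(data):
    """Printable runs of 8+ chars, decoded from both ASCII and UTF-16LE."""
    out = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    out += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    return out

def parse_connection_string(s):
    """Split an ADO.NET 'key=value;' string into a dict with lower-cased keys."""
    pairs = {}
    for part in s.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def triage(data):
    """Collect hard-coded connection strings, URLs and the hosts they point at."""
    report = {"connection_strings": [], "urls": [], "hosts": set()}
    for s in extract_strings(data):
        if CONN_KEY.search(s):
            cs = parse_connection_string(s)
            # A remote data source plus embedded SQL credentials is the signature of a bot reporting to a database.
            cs["embedded_credentials"] = "password" in cs or "pwd" in cs
            report["connection_strings"].append(cs)
            if "data source" in cs:
                report["hosts"].add(cs["data source"].split(",")[0])
        for url in URL.findall(s):
            report["urls"].append(url)
            report["hosts"].add(urlparse(url).hostname)
    return report
```

Run `triage(open(path, "rb").read())` on a real sample to get the same report; the hosts set is what you would hand to the firewall or DNS team to block.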
 
And to be honest I don't know what that website is, and I don't know why this JERK who wrote a .Net virus tries to do that with my connection.
 
Anyway, if you know something about it, let me know,
Sadjad Bahmanpour
 
 

4 thoughts on “.Net Virus tt6ynew.exe”

  1. Well… I searched for it online (what you must have done as well), and it was nowhere in the web, other than in your blog! 😀

  2. I know that generally speaking this is more of a technical blog, rather than a personal blog, but the software development society should celebrate this day, as the day that one of its great members was born!!!!! Happy birthday to you my mentor, my friend, and my brother.

  3. Dude, loved it. You brought me back to programming again. You know, as Sina did, I searched online, checked the above website … nothing. It seems that the attacker has already done his/her job. You know, I think it somehow uses other people's computers to attack the website. Somehow uses infected computers as "BOTNET"s for an attack that you're definitely familiar with, called DNS (denial of Service). I tried the website above; it seems it's down. Maybe this guy registered it himself and there's no content at all, and he uses this fake registered hosting/domain to bring the server down. God knows. Anyway, here's what I think. If you got anything new, let us know. :) Good job.

  4. By the way, tell me something: how do systems get infected by this virus? Is it included in some sort of program? An executable file with a changed extension? Or what?
