Tonight I found a .Net Virus, and I think it is first of its kind. I have thought of it for years to writer a torjan with .net, because no antivirus will think of it as virus and you could do some tricks like Reflection or On the fly class/ code generation and make it so hard to catch, but I’m not no Virus program.
But as you might know me, I’m good at .Net Reflection (Thanks to El Mistro ‘Lutz Roeder’ for his great tool Reflector http://www.red-gate.com/products/reflector/) so I tried to reflect the Virus and WOW it worked, so here is some step by step things it do:
1) It first tries to connect some Sql Server with these settings: "Data Source=ok8.com.ru;user id=dreader;password=reader1006;Initial Catalog=allusers;"
So be my guest to try that your self
2) After connection it gets its config & some users from a table called "tt2_6y_newzhanghao"
3) And then starts some Threads (The number is in the config from 2)
4) From each Thread it logins to some web site call: https://secure.plaync.com.tw/
5) If the 4 succeed it connect to a web page under: https://event.plaync.com.tw/
6) After getting some response it inserts some data to the same Sql Server into some table named: "tt2_6y_newusers"
this time with userid=idata and password=haha8591 and Database=allusers
And to be honest I don’t know what is that website and don’t know why this JERK who wrote a .Net virus tries to do that whit my connection.
Anyway if you knwo somethink about it let me know,