eXeL@B —› WorldWide —› scvvhost.exe unpacking |
Posted: 29 December 2007 23:10 · Edited by: Moderator · #1
Hello friends, first of all I'm new to this website and certainly a newbie. Hi again. Here I found an old malware, scvvhost.exe: www.snapdrive.net/files/210113/SCVVHSOT.zip. Somehow it infected my PC, so I decided to unpack it and reverse engineer it, as this site has always been a great help for educational purposes, so I decided to post this. I tried PEiD and it showed the file as "UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]", so I tried the latest version of UPX and gave the command "upx -d scvvhost.exe". Nothing happened; it returned the error that this thing is not packed with UPX. Then I tried OllyDbg; it looks like the file has been modified... but I managed to find that the file was made by AutoIt, which generally compiles the script (.au3) to an exe. I'm going to decrypt the file with the help provided from here >>
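The symptom above (PEiD recognises the UPX stub, but "upx -d" answers that the file is not packed by UPX) is what a defender sees when the "UPX!" magic in the packheader that the UPX tool searches for has been wiped while the stub and section layout stay intact. The following triage script is an added example, not code from the thread or from any poster: it parses the PE section table, checks for the UPX-style layout (an empty first section that receives the unpacked image, UPX0/UPX1 names) and for the magic, and reports whether the header looks tampered. The sample PE bytes are constructed inline and hypothetical (no real malware is embedded).

```python
import struct

UPX_MAGIC = b"UPX!"  # packheader magic that `upx -d` searches for before unpacking

def pe_sections(data):
    """Return [(name, virtual_size, raw_size)] parsed from the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew -> "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", data, pe + 6)         # IMAGE_FILE_HEADER.NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)    # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    off = pe + 24 + opt_size                               # first IMAGE_SECTION_HEADER (40 bytes each)
    secs = []
    for _ in range(nsec):
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, _va, rsize = struct.unpack_from("<III", data, off + 8)
        secs.append((name, vsize, rsize))
        off += 40
    return secs

def upx_triage(data):
    """Classify a PE as 'upx', 'upx-tampered' (layout present, magic gone) or 'not-upx'."""
    secs = pe_sections(data)
    # Stock UPX layout: the first section has no raw data but a large virtual size
    # (the unpacked image is written there at run time); sections are named UPX0/UPX1.
    layout = len(secs) >= 2 and secs[0][2] == 0 and secs[0][1] > 0
    named = any(n.startswith("UPX") for n, _, _ in secs)
    if not (layout or named):
        return "not-upx"
    return "upx" if UPX_MAGIC in data else "upx-tampered"

def build_sample(intact_magic):
    """Constructed minimal PE with a UPX-style section table (hypothetical sample bytes)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x10F)  # i386, 3 sections
    opt_hdr = b"\0" * 0xE0                                  # optional header, zero-filled
    def sec(name, vsize, rsize):
        return name.ljust(8, b"\0") + struct.pack("<IIII", vsize, 0x1000, rsize, 0x400) + b"\0" * 16
    table = sec(b"UPX0", 0x10000, 0) + sec(b"UPX1", 0x8000, 0x8000) + sec(b".rsrc", 0x1000, 0x800)
    # 32-byte packheader stand-in: magic (or zeroed-out magic), then constructed filler bytes
    packheader = (UPX_MAGIC if intact_magic else b"\0\0\0\0") + b"\x0d\x09\x02\x08" + b"\0" * 24
    return dos + b"PE\0\0" + file_hdr + opt_hdr + table + packheader

if __name__ == "__main__":
    for intact in (True, False):
        print("magic intact:", intact, "->", upx_triage(build_sample(intact)))
```

A "upx-tampered" verdict tells an analyst the stock "upx -d" path is closed and the sample should be unpacked dynamically in an isolated lab instead; the same layout check is also what signature tools like PEiD key on, which is why they still say UPX.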
Posted: 29 December 2007 23:28 · #2
Posted: 29 December 2007 23:45 · #3
Posted: 30 December 2007 07:17 · #4
Posted: 30 December 2007 07:53 · #5
Posted: 31 December 2007 04:13 · Edited by: iNNos · #6
start2006, you can find Quick Unpack 2.0 by FEUERRADER & Archer here: http://qunpack.ahteam.org/wp-content/uploads/2007/09/qunpack20.zip
Changelog: v2.0
[!] fixed several bugs like missed import functions
[!] improved export feature, now supports invalid functions
[!] many small improvements and optimizations
[+] import list from ImpRec feature added (now Quick Unpack supports both export and import of import functions in ImpRec-compatible files; this allows editing some functions or adding new ones. Keep in mind this option works with normally created files, but if you put some garbage in or format this file in an unusual manner, this may cause a crash :) I was too lazy to parse the file with care)
[+] attach process feature added (this option allows choosing any module in a process for unpacking and has some features. If in the processes listbox a process name is a full path with name, you can attach to this process; if it is only the name of the file, you don't have enough rights to attach. You can't specify the OEP; the instruction the program was stopped at is treated as the OEP. To use the attach process feature one should load the program in any debugger and manually get to the OEP, then attach to that process with Quick Unpack. Keep in mind that for smart import recovery you don't need the program to run; it can just be left in the debugger standing at the breakpoint. But to use smart import recovery with the tracer you should put it in an infinite loop (EB FE) and run the program, because the tracer uses the current thread for tracing. If the program was put in the infinite loop, don't forget to restore these two bytes in the dump. When attached, tracing import is unreliable and very slow, so it's not recommended to use it. This feature allows using Quick Unpack as a dumper and import recoverer (my attempt to replace PETools and ImpRec with one program :))
[+] ImpRec plugin support added (this feature allows using ImpRec tracer plugins in Quick Unpack to restore import functions. Keep in mind that when using the attach to process feature the program must be running for the tracer to work)
[+] added UsAr's generic OEP finder
[+] added Human's generic OEP finder
Hope this can help.
Posted: 31 December 2007 12:44 · Edited by: UsAr · #7
Posted: 31 December 2007 14:58 · #8
Posted: 02 January 2008 23:59 · #9
Posted: 03 January 2008 16:22 · Edited by: stark2006 · #10
I found this site very helpful... people here are very helpful. But talking about unpacking this malware, I would say Quick Unpack 2.0 was really not a good idea, because I used this tool before posting to this forum and it infected my whole PC with this malware. This malware creates an exe file in every folder; the name of the exe is the name of the folder in which it exists. And Sh[AHT], I found a decompiler for AutoIt, but the problem is the password. When AutoIt compiles a script it lets the user set a password, so to use the MD5 hash of this password I first need to unpack the file; then I can use a hex editor to check the MD5 hash. Everything is described in the link in the first reply/post. I only need help to unpack this file.