Beta DB and HB - infected.

[Bugser]

And don't say it's false positive. lol.

http://www.thebuddyforum.com/demonb...-db-build-110-tony-your-pm-indbox-full-3.html

decrypted Thumb.DB from beta demonbuddy:
https://www.virustotal.com/file/3df...4fe154df6f11c71c97b8fbe1/analysis/1355742632/
Behavioural information

URL: http://www.gtnbus.com/html_xor.jpg
TYPE: GET
UA: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)

html_xor.jpg decrypted - https://www.virustotal.com/file/7db...54ef5a9239a261db2da8c065/analysis/1355746227/

this shit is steal diablo/guild wars 2/wow passwords (game=%s&host=%s&user=%s&pass=%s) and xor'ed by 0xAA.

Crypted program from Thumb.DB connecting to html_xor.jpg and this jpg is contains this stealer! what the fuck you doing, devs? you have rat in your team? or what? and don't say it's false positive because its NOT!

 

[Bugser]

 

[KillAllHumans]

Thumb.db in an encrypted PE (xor 0xAA)
It downloads file http://www.gtnbus.com/html_xor.jpg wich is other Windows PE file (xor 0xAA)
Last file is trojan too.

All files (decryptor included):
View attachment trojan files.zip

I would like to know why does those things included in HB and DB betas?

 

[Bugser]

All is done:
http://www.thebuddyforum.com/honorb...s/96488-beta-db-hb-infected-3.html#post951052 official post by Admin

 

[Hawker]

Closed at OP's request.