May 1, 2021

Help a noob please, what is this trojan trying to do on my computer? Thank you

First of all, sorry about my bad English. I downloaded a bad file; upon clicking on it, nothing happened and then the file auto-deleted. I knew it was fishy and my antivirus did not detect a single thing! So I opened the Task Manager and I saw this running in the background:

https://preview.redd.it/xdtgy4evmhw61.png?width=662&format=png&auto=webp&s=1a4e1fd9ddacabdd355f991893f1fb094cc2194d

I right-clicked on it and clicked “Open file location”. It was sitting in “..\AppData\Local\Graphics Codec Stacks ver8.69”; this folder was empty (even with “View Hidden Items” on). I tried to walk back to ‘Local’ and again the ‘Graphics Codec Stacks ver8.69’ folder was not there (hidden), so I opened PowerShell and did this:

[nothing](https://preview.redd.it/9u1y5auxmhw61.png?width=822&format=png&auto=webp&s=26d3b3ea01be8291d2c0c5617e0970cddd744c3b)

Then this:

https://preview.redd.it/m4vg34l0nhw61.png?width=793&format=png&auto=webp&s=77586645978381a4043a8da16dbc8720e73e5164

https://preview.redd.it/eyy3uvq1nhw61.png?width=449&format=png&auto=webp&s=274d5c41d1bcc9513a23b22475dc302fbf13e87f

I used the shutil module from Python to copy that folder to the desktop (I ran an antivirus scan on it and still nothing), then I downloaded JetBrains dotPeek to “decompile” it. It was written in C# and the code was completely random; all I see are irrelevant math equations. The code is completely obfuscated, like this:

```csharp
using Microsoft;
using syeasrasrfasr;
using System;
using System.Windows.Forms;

namespace Microsofts
{
    internal class Program
    {
        [STAThread]
        private static void Main()
        {
            \u003CModule\u003E.RunAction = 0;
            int int32_1 = Convert.ToInt32(-2.0 - 2.0);
            if ((Convert.ToInt32(5.86214091642749E+17 / 541393614.5) ^ Convert.ToInt32(679511851.643738 - Math.Log(339755916.0))) == Convert.ToInt32(872759619.0 + Math.Truncate(872759618.5)))
            {
                \u003CModule\u003E.RunAction = Convert.ToInt32(1.45969769413186 + Math.Cos(1.0));
                int num = sizeof (float);
                int32_1 += num;
            }
```

I kept a copy of the decompiled folder of the trojan. If anybody can or wants to read this, I can send it to you. I’m really curious about what this is doing on my computer and how they can manage to make it completely undetectable by antivirus software. Thank you
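What the arithmetic in the snippet above resolves to, as an added example that is not part of the original post: a small Python constant folder that evaluates the posted expressions without running anything from the sample. The helper names and the mapping of `Convert.ToInt32` onto Python's `round()` (both round half to even) are this example's own assumptions.

```python
import ast
import math
import operator
import re

def to_int32(x):
    """Convert.ToInt32(double): round half to even, throw outside Int32 range."""
    n = round(x)
    if not -2**31 <= n < 2**31:
        raise OverflowError("Convert.ToInt32 would throw OverflowException")
    return n

# The only .NET calls and operators that appear in the posted snippet.
FUNCS = {"Convert.ToInt32": to_int32, "Math.Log": math.log,
         "Math.Cos": math.cos, "Math.Truncate": math.trunc}
OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Div: operator.truediv,
       ast.BitXor: operator.xor, ast.Eq: operator.eq}

def _eval(node):
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval(node.operand)
    if isinstance(node, ast.BinOp) and type(node.op) in OPS:
        return OPS[type(node.op)](_eval(node.left), _eval(node.right))
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in OPS:
        return OPS[type(node.ops[0])](_eval(node.left), _eval(node.comparators[0]))
    if isinstance(node, ast.Call) and ast.unparse(node.func) in FUNCS:
        return FUNCS[ast.unparse(node.func)](*map(_eval, node.args))
    raise ValueError("not a foldable constant: " + ast.dump(node))

def fold(expr):
    """Constant-fold one C# expression; nothing from the sample is executed."""
    expr = expr.replace("\u2013", "-")                     # en dash left by page rendering
    expr = re.sub(r"sizeof\s*\(\s*float\s*\)", "4", expr)  # sizeof(float) is 4 in C#
    return _eval(ast.parse(expr.strip(), mode="eval").body)

# Expressions copied from the snippet in the post. The guard is fully
# parenthesized, so C#/Python precedence differences for ^ and == do not matter.
INIT = "Convert.ToInt32(-2.0 - 2.0)"
GUARD = ("(Convert.ToInt32(5.86214091642749E+17 / 541393614.5)"
         " ^ Convert.ToInt32(679511851.643738 - Math.Log(339755916.0)))"
         " == Convert.ToInt32(872759619.0 + Math.Truncate(872759618.5))")
RUN_ACTION = "Convert.ToInt32(1.45969769413186 + Math.Cos(1.0))"

if __name__ == "__main__":
    print("int32_1 initial :", fold(INIT))
    print("if-guard        :", fold(GUARD))
    print("RunAction       :", fold(RUN_ACTION))
    print("int32_1 after   :", fold(INIT) + fold("sizeof (float)"))
```

On the posted lines the guard folds to a constant `True`, so the `if` is always taken and the floating-point math only hides the small integers assigned to `RunAction` and `int32_1`.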

Comments

AutoModerator

We are sorry, but due to spam we are enforcing a minimum of 10 comment karma to post links to this subreddit. If this was not spam, message a moderator and we will re-instate it for you.

*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/antivirus) if you have any questions or concerns.*

Krutonium

Can you reformat the code, by putting 4 spaces before each line and removing the backticks? On old reddit, the code is running off the right side of the screen.
