Steamunlocked malware?
SkeletalDemise (post 1055564) wrote:

I'm confident it's not clean. It connects to various newly registered domains; I've seen different samples connect to different domains. Please note that Bitdefender called the zip folder clean, not the installer. The zip folder is harder to analyze, as the payload only runs if you run NvStTest.exe 4a4hJ, which the installer does automatically. If you run it in a VM, you can see the NvStTest.exe process taking up all your CPU and RAM.

I've tested both the real Nulloy installer and the real NvStTest.exe from NVIDIA. Neither of them connects to any sketchy domains or runs in the background. This malware is tricky; the installer is signed, and it downloads a real copy of Nulloy except with additional files. You can compare the folder with a real copy from Nulloy. Everything in Nulloy\Plugins\platforms besides qwindows.dll is from the malware.
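The post suggests comparing the dropped Nulloy folder against a clean copy to find the files the installer added. The script below is an added example of that comparison and is not code from the poster or from the Nulloy project: it hashes every file in a reference tree and a suspect tree and reports files that exist only in the suspect install, files missing from it, and files present in both with different contents. The demo trees it builds are constructed placeholders (the file names loader.exe and payload.dat and all byte contents are made up for illustration; only the Nulloy\Plugins\platforms layout and qwindows.dll come from the thread). Run it against a copy of the suspect folder taken from the VM; it only reads files and never executes anything in the tree.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each file under root (relative path, forward slashes) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            result[full.relative_to(root).as_posix()] = sha256_file(full)
    return result


def compare_trees(reference: Path, suspect: Path) -> dict:
    """Compare a suspect install against a clean reference install.

    Returns sorted lists of files present only in the suspect tree ('extra'),
    only in the reference tree ('missing'), and in both but with different
    content ('modified'). For a signed installer that drops a legitimate
    application plus additions, 'extra' is the first list to examine.
    """
    ref = hash_tree(reference)
    sus = hash_tree(suspect)
    return {
        "extra": sorted(set(sus) - set(ref)),
        "missing": sorted(set(ref) - set(sus)),
        "modified": sorted(p for p in set(ref) & set(sus) if ref[p] != sus[p]),
    }


def build_demo_trees() -> tuple:
    """Construct two throwaway trees that mimic the layout described in the post.

    Everything written here is placeholder data: the byte strings are not real
    binaries, and loader.exe / payload.dat are invented names standing in for
    whatever the malicious installer adds under Plugins/platforms.
    """
    base = Path(tempfile.mkdtemp(prefix="nulloy_diff_"))
    ref = base / "reference" / "Nulloy"
    sus = base / "suspect" / "Nulloy"
    for root in (ref, sus):
        (root / "Plugins" / "platforms").mkdir(parents=True)
        (root / "Nulloy.exe").write_bytes(b"MZ placeholder for the real player")
        (root / "Plugins" / "platforms" / "qwindows.dll").write_bytes(b"MZ qt platform plugin")
    # Files that exist only in the tampered install (hypothetical names).
    (sus / "Plugins" / "platforms" / "loader.exe").write_bytes(b"MZ placeholder loader")
    (sus / "Plugins" / "platforms" / "payload.dat").write_bytes(b"\x00" * 64)
    # A shared file whose contents differ from the reference copy.
    (sus / "Nulloy.exe").write_bytes(b"MZ placeholder, patched")
    return ref, sus


def demo_report() -> dict:
    """Build the constructed trees and run the comparison on them."""
    ref, sus = build_demo_trees()
    return compare_trees(ref, sus)


if __name__ == "__main__":
    for kind, paths in demo_report().items():
        print(kind)
        for p in paths:
            print("   ", p)
```

To use it on a real case, point compare_trees at a clean Nulloy install obtained from the project's own download and at the folder the suspect installer produced; anything in the 'extra' list is what the installer added on top of the genuine application, and the 'modified' list catches a legitimate file that was swapped for a tampered one with the same name.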