Penetration Testing mailing list archives

Re: [PEN-TEST] exe to txt mobile code conversion


From: Tom Vandepoel <tom.vandepoel () UBIZEN COM>
Date: Fri, 23 Mar 2001 09:56:19 +0100

Complx1 * wrote:

some time ago, (maybe months) someone posted about
a tool which converted executables to plain text, and easily
back to executable again by just saving the txt as a *.com

does anyone know the name of this tool or where it can be
found?  (it was an NT application).   any help much appreciated.


A lot of trojans use Lehigh Coder, some old DOS tool, i.e. GodMessage
uses it.
Actually, it bootstraps first, using a minimal machine code
implementation to put LCODER.EXE on the system (actually it writes a
file called SHORT.SRC, which it assembles into SHORT.COM), then it uses
LCODER to unpack the actual trojan.

I spent some time adapting that to encapsulate something like NC.EXE and
let that phone home, but I never found the time to finish it.

You can probably find it somewhere on the web. If you can't, you can
probably find GodMessage on packetstorm and get it out of there.
Of course, you never know if the LCODER.EXE itself wasn't modified in some
evil way ;-)

Tom.


--
Tom Vandepoel                 Ubizen
Sr. Security Engineer         We Secure e-Business
Phone   +32 16 28 70 00       http://www.ubizen.com
Fax     +32 16 28 71 00       http://www.securitywatch.com

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

