Warning! 8yo VIRUS found on the old site! (Clear Sigmatel Flash Extractor here!)
15th Apr 2015, 2:06 pm
TheDrive
New Member
Join Date: Apr 2015
Location: Moscow
Posts: 1

Hello. I was just looking for info on the old Samsung YP-Z5F player and read in articles that there was an old 2006 Sigmatel Firmware Extractor util around.
Found it on the old forum at Download
Downloaded it and explored the .exe body (I don't use any AV and I always explore what I download or get from outside).
At first look I saw that the .exe contains 2 other .exes, which it drops to the TEMP folder (as tmp1.exe and tmp2.exe) and then executes.
It's a very suspicious technique, mostly used by trojans/viruses. Very rarely it's used in normal legal apps to bring runtime-required libs or drivers in one .exe. Next I explored both internal bodies (naturally .exes).
First is our so-wanted Sigmatel Firmware Extractor by JimC from It's packed by UPX 1.25, which can be easily unpacked, and the .exe code can be explored.
The second is just about 5KB long, an .exe packed by MEW 11 v1.2 (as stated by PEiD). It can be unpacked by the UnMEW 1.2 generic unpacker (maybe by other utils or manually). UnMEW doesn't dump the .exe so well. The dump is about 5MB long, but it's almost fully filled with zeros, so there is no problem finding the code. The unpacked .exe contains suspicious, most probably obfuscated code. It would be too time-expensive to explore. Imports include just a few functions but include ones such as GetProcAddress, which is suspicious (it can be used to find and intrude into other processes). Even the unpacked file doesn't contain any human-readable strings (except function imports). It seems that it's most probably a virus inside, not even just a "generic" trojan.

It seems someone has used a popular util to spread viruses. He glued the normal util and the virus body together and spread it around.

Almost all AV tools used by VirusTotal see a particular trojan or suspicious app inside your 60KB file. Some found only MEW packing.
Here's link to check by MD5

It's very strange that the file has been hosted for 8 years and nobody (except one man in the comments) noticed the virus inside.

However, all is not so bad. This good and useful util is rare and should not be lost anyway.
I've cut out the dropper parts and extracted the original util body, so now I have a clean one which runs OK.
Everyone can extract it with UPX and explore the code. I can't check every byte of code, but it seems to me this part is clean.
Only a few AVs have any suspicions, nothing particular.
BTW I didn't upload the body itself, just checked by MD5, which tells me I've extracted the util byte-for-byte correctly.

I've attached the normal util below.
It's 52736 bytes long (instead of 60935) and has MD5: 6df16fe52e8aeebcbace46bdc2f7fe94
Please check and fix the download on the old site!

You can also download FirmwareExtractor from the following location:
Last-Modified 20-Aug-2006

We also need the filefixer util to fix extracted files.

Back up the FW with the Sigmatel firmware extractor and save it in a safe place.
With the filefixer program in the same directory as the extracted firmware files, run the program. (Best to use a copy of them.)
Put the fixed files into the directory where you have the stupdater and the DLLs. Update as normal.
Attached Files
File Type: zip (50.2 KB, 0 views)
File Type: zip (134.6 KB, 0 views)

Last edited by TheDrive; 15th Apr 2015 at 7:20 pm. Reason: Mirror link and some explanation link added
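
A triage check for the pattern described in the post above, as an added example that is not part of the original thread or TheDrive's own tooling: it scans a file for PE images stored past offset 0 and compares a candidate against the size and MD5 quoted in the post. It assumes the embedded payloads sit unencoded inside the container; the function names, the 0x1000 bound and the sample bytes are constructed for illustration.

```python
import hashlib
import struct

# Size and MD5 quoted in the post for the cleaned extractor
# (MD5 is the only digest the post gives).
CLEAN_SIZE = 52736
CLEAN_MD5 = "6df16fe52e8aeebcbace46bdc2f7fe94"


def find_embedded_pe(data: bytes) -> list:
    """Offsets past 0 where an MZ header points at a valid PE signature."""
    hits = []
    pos = data.find(b"MZ", 1)
    while pos != -1:
        if pos + 0x40 <= len(data):
            # e_lfanew (offset 0x3C of the DOS header) locates the PE signature.
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            sig = pos + e_lfanew
            # Small values are allowed: packers can overlap the PE and DOS headers.
            # The upper bound is a heuristic chosen for this example.
            if 4 <= e_lfanew <= 0x1000 and data[sig:sig + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def matches_known_good(data: bytes, size: int = CLEAN_SIZE,
                       md5: str = CLEAN_MD5) -> bool:
    """True only if both the length and the MD5 equal the published values."""
    return len(data) == size and hashlib.md5(data).hexdigest() == md5.lower()


def make_stub(size: int) -> bytes:
    """Constructed sample: smallest header layout the scanner accepts, zero-padded."""
    head = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    return head.ljust(size, b"\0")


if __name__ == "__main__":
    # Constructed container: an outer image followed by two appended images,
    # mirroring the one-exe-holding-two-exes layout described in the post.
    sample = make_stub(0x200) + make_stub(0x100) + make_stub(0x80)
    print([hex(o) for o in find_embedded_pe(sample)])  # ['0x200', '0x300']
    print(matches_known_good(sample))                  # False
```

A hit list with entries means the file carries further executables and deserves unpacking before it is run; an empty list says nothing about payloads that are compressed or encoded inside the container.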
18th Apr 2015, 3:43 am
Binh@MyMPx
Join Date: May 2009
Location: New Zealand
Posts: 483

Thanks TheDrive for posting this and sharing the information.

That download is 9 years old now.

I'll take a look at the downloaded files you posted and update the original one on the old site.
Binh (admin)


firmware extractor, sigmatel, trojan, virus
