... GET /info.php?idd=1760 Host: antivm.com --- GET /check?pgid=10 Host: www.antivm.com --- GET /percer.php?login=MTc2MA== HTTP/1.1 Host: www.antivm.com --- GET http://www.antivm.com/shop?abc=cGdpZD0xMCZyPTE3NjA=
A forum for reverse engineering, OS internals and malware analysis
Searched query: antivm
The update worked for me, so I patched the files. Hope I didn't forget anything (basically it's just string replacements of VBOX, VirtualBox and Oracle). However, as stated earlier, this will only work for some very basic string detection, so don't rely on just this.
Don't know, I updated it successfully...
MAXS wrote:@EP_XOFF
Are you going to patch latest 4.2.18 release?
@EP_XOFF
Are you going to patch latest 4.2.18 release?
... drpC . Before decryption Sirefef checks whether it is running inside a virtual environment. If we are using public VMs we need to disable the antiVM to continue. VMWare antiVM. .00402DE9: 6A0C push 00C .00402DEB: 6800F04200 push 00042F000 --↓1 .00402DF0: E843000000 call .000402E38 --↓2 .00402DF5: ...
... Win32/Daurso JS/Redirector.XX Win32/Dorkbot.A Win32/Ramnit.X Win32/Zwangi Win32/Ifnapod.X In attach original dropper and unpacked patched (removed AntiVM) version.
Thanks for the update. It is all very cool but only good for primitive malware. VirtualBox (however modded) can be detected in a few lines of primitive code. This information is not zero-day, it is used in some top class commercial protection software and it is up to Oracle to patch this. 1. Register top l...
Patched DLLs for v4.2.12 (x64) in attach.
I tried to stick to the changes EP_X0FF did, so the signature is broken once again, but the files are working.