Author Topic: drive by download site  (Read 5401 times)

0 Members and 1 Guest are viewing this topic.

May 27, 2008, 08:25:58 pm
Read 5401 times

southshore

  • Newbie

  • Offline
  • *

  • 4
I tested out the URL on a test machine of mine and I was infected a file running under C:/. The file itself is only detected by 7 of the scanners on VT. Didn't take much time to look further but I did see some major obfuscation on the pages that the malware directed me to.

advance-actions.com/secure(DOT)cgi?bicjwhud

-SouthShore

May 27, 2008, 08:35:37 pm
Reply #1

dimitribest

  • Special Access
  • Newbie

  • Offline
  • *

  • 1
Hi there,

Pls, could you download Avz4 from http://z-oleg.com/avz4.zip
Run avz.exe and then make this steps: "File" - "Standard Scripts" - "Advanced System Analysis"
The tool will begin to analyze your system. It takes about 3 minutes, then in the same folder you'll find the folder \Logs
Please, compress it and send it to me. I'd like ti get this malicious sample and help you, if you need to desinfect your machine.

The link you sent is broken now  :P

May 27, 2008, 08:38:47 pm
Reply #2

southshore

  • Newbie

  • Offline
  • *

  • 4
Hi there,

Pls, could you download Avz4 from http://z-oleg.com/avz4.zip
Run avz.exe and then make this steps: "File" - "Standard Scripts" - "Advanced System Analysis"
The tool will begin to analyze your system. It takes about 3 minutes, then in the same folder you'll find the folder \Logs
Please, compress it and send it to me. I'd like ti get this malicious sample and help you, if you need to desinfect your machine.

The link you sent is broken now  :P

Sorry I should have been more clear. I am not infected. I am a geek who happened to notice a malicious page on the web and I was submitting it to be part of the list of known malicious domains.

May 28, 2008, 12:19:11 am
Reply #3

sowhat-x

  • Guest
I also couldn't manage to get it...
so I assume that it passes different variables to the 'infected' cgi everytime it is accessed,
depending on user agent/ip address or so...
Googling brought the following results though:
http://cygnus.livejournal.com/2008/05/25/
http://profilesblog.com/?p=45

Irrelevant (or maybe not?)...while searching for the above "Zinaps" thingy,
I also stumbled upon this post in Digg...Zlob social engineering:
Quote
hxxp://watchz.info/avi/?v=Watch-out-for-Zinaps-Antispyware-p3
hxxp://vidscollections.com/m6/movie1.php?id=1923&n=cumshot
hxxp://www.flwupdate.com/download.php?id=1923
-> The malware itself...MD5: 742d7742799ddb590d0b254cf250001e

May 28, 2008, 05:35:00 pm
Reply #4

JohnC

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1964
Thanks for the domains.