Author Topic: education  (Read 3138 times)

April 20, 2009, 08:00:23 am

hhhobbit
It is okay to post http://... here because we know what we are doing and they aren't hot links.  But something like this:

http://antispamfilterblocker.com/2009/03/page/6/
hxxp://claitors.com/gifs/novo.php

IS HOT (I prepended a "hxxp://" to set a good example).  It will give people a Visual Basic Trojan mini-downloader.  So please educate people to replace the "http://" with "hxxp://", or to prepend a "hxxp://" to hosts given with just the host name, to deaden the link if the links are hot.  I guess it could have been worse in the past but:

http://www.virustotal.com/analisis/7aa53fc0837d918b14f2bddc0d6aa92f

If I had Authentium, ClamAV, eSafe, F-Prot, or Rising I would still be in trouble!  The embedded host is www.agrimat.com.br.  I don't know the rest of the URL.  It responds to an ICMP ping but there seems to be no index.html, at least on port 80.  You will have to dissect the file to see what it does with that partial URL:

www.agrimat.com.br
windir
\system32\1046\lsass.exe
/image/barra5.jpg
\system32\1046\spoolsv.exe
/image/barra3.jpg
\system32\1046\ab.exe
/image/barra4.jpg

It is still downloadable - name NovoDocumento1.exe. It has been a long time since I last wrote here.  Hope to be back soon with goodies.  But beware of Greeks bearing gifts.  Some girls compared me with the Greek god Apollo when I was younger.  I feel more like Sisyphus now ...
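The link deadening the post asks for, written out as an added example; this is not code from the post or its author. It follows the convention stated above (turn http:// and https:// into hxxp:// and hxxps://, and prepend hxxp:// to a host given with just its name) and adds the reverse step an analyst needs when feeding a deadened link to a scanner. The bare-hostname pattern and the in-text link detector are my own simplified assumptions, and the sample post body is constructed from the links quoted above.

```python
"""Defang / refang helpers for posting hostile links.

A "hot" link is one a forum or mail client turns into something clickable.
Replacing "http" with "hxxp" breaks the scheme, so the text still reads as a
URL for humans but nothing auto-links it. refang() undoes that when the
real URL has to go into a sandbox or a scanner.
"""
import re

# Live scheme at the start of a token: http:// or https:// (case-insensitive).
_LIVE = re.compile(r"^(?P<scheme>https?)://", re.IGNORECASE)
# Already deadened form.
_DEAD = re.compile(r"^(?P<scheme>hxxps?)://", re.IGNORECASE)
# Bare hostname such as www.agrimat.com.br, optionally followed by :port or
# /path. Assumed, deliberately naive: dot-separated labels ending in a TLD of
# at least two letters; it will also accept things like "index.html".
_BARE_HOST = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}(?:[:/].*)?$",
    re.IGNORECASE)


def defang(link: str) -> str:
    """Return the deadened form of one link; unrecognised strings are unchanged."""
    link = link.strip()
    if _DEAD.match(link):
        return link                                   # already dead, leave it
    m = _LIVE.match(link)
    if m:
        # keep the "s" of https and everything after the scheme
        suffix = "s" if m.group("scheme").lower() == "https" else ""
        return "hxxp" + suffix + link[m.end("scheme"):]
    if _BARE_HOST.match(link):
        return "hxxp://" + link                       # the post's "prepend" rule
    return link


def refang(link: str) -> str:
    """Inverse of defang(): hxxp(s):// back to http(s)://."""
    link = link.strip()
    m = _DEAD.match(link)
    if not m:
        return link
    suffix = "s" if m.group("scheme").lower() == "hxxps" else ""
    return "http" + suffix + link[m.end("scheme"):]


# Link-looking tokens inside running text: a live or dead scheme, or a bare
# "www." host, followed by non-space characters. Trailing punctuation such as
# "," or ")" is left outside the match so the sentence is not damaged. Dead
# links are matched too so "hxxp://www.x.y" is not double-deadened.
_IN_TEXT = re.compile(
    r"""(?:https?://|hxxps?://|www\.)[^\s<>"']+?(?=[.,;:!?)\]]*(?:\s|$))""",
    re.IGNORECASE)


def defang_text(text: str) -> str:
    """Deaden every live link found in a block of text, e.g. a post body."""
    return _IN_TEXT.sub(lambda m: defang(m.group(0)), text)


if __name__ == "__main__":
    # Constructed sample body, built from the links quoted in the post above.
    post = ("Sample: http://antispamfilterblocker.com/2009/03/page/6/ and "
            "hxxp://claitors.com/gifs/novo.php drop NovoDocumento1.exe "
            "fetched from www.agrimat.com.br.")
    print(defang_text(post))
```

Run the text through defang_text() before pasting it into a post; run refang() on a single deadened link only at the point where it is handed to a scanner or sandbox, never on a whole post body.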