Author Topic: fake codec  (Read 3256 times)


July 26, 2008, 02:59:09 pm

Kayrac

Starts off here:
Code:
codechost.com/codecpack.v.1.0.0.exe
Then it promptly downloads:

Code:
http://softupdat.com/advset/setup0.exe
http://softupdat.com/bho/get_ie.php?pin=0
http://softupdat.com/download/scan.exe
http://softupdat.com/promo/promomodule1.exe

Side note: it also downloads this:
Code:
http://stat.avxp08.com/soft3/common/14.gif
When visiting it, you get a weird picture; dunno why it would be downloading that.


I THINK that's all it downloads, but it could download more.

July 26, 2008, 09:31:06 pm
Reply #1

JohnC

Thanks.

July 27, 2008, 05:25:15 am
Reply #2

philipp

In a spam mail today:
hxxp://menudopiso.com/avi_1/avi.php
--> hxxp://195.93.219.253/hotvideo.avi.exe (md5: a41103ce9f4797c7b391101718eda84c)

request:
hxxp://avxp-08.com/images/1217131846/687a874463df9e3b7abb1f2150607f7a/a061d6e4-7728-4a0f-837e-28a1fc9c9440.gif
--> hxxp://stat.avxp-08.com/soft3/common/14.gif
      filetype: 14.gif: GIF image data, version 89a, 100 x 100
      md5: e6c0774ddfcbf243332e591f8cbe01ea

registers itself at the webserver:
hxxp://avxp-08.com/images/1217131852/687a874463df9e3b7abb1f2150607f7a/a061d6e4-7728-4a0f-837e-28a1fc9c9440.ok?id=14
reply: OK

submit data (sys info etc):
POST /log2.php?affid=687a874463df9e3b7abb1f2150607f7a&uid=a061d6e4-7728-4a0f-837e-28a1fc9c9440&tm=1217131852 HTTP/1.1
Host: www.winifixer.com

request:
hxxp://avxp-08.com/images/1217132453/687a874463df9e3b7abb1f2150607f7a/a061d6e4-7728-4a0f-837e-28a1fc9c9440.gif
-> status code 404, not found

From now on, the last two requests (submitting data and downloading the nonexistent image) are made about every 10 minutes.

In between, the following request is made, probably to make the whole thing look 'legit':
hxxp://www.avxp-08.com/updates/check.html
reply:
APP_VER=3.5.1.20
DATABASE_VER=3.5.1.20
SIGNATURES=60532
DATE=17/12/07


Edit:
I am posting this here because it is a very similar behaviour to that described by Kayrac. While not using the exact same hosts, it still seems related.
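Added example, written for this thread and not code from either poster: a small Python beacon detector over proxy-log lines. It picks up the pattern philipp describes (a POST to log2.php plus a GET for a never-existing .gif, repeated on a near-fixed ~10 minute cadence) by grouping requests per client, host, method and URL template, then measuring how regular the gaps between hits are. The log lines, the log format, the client address, and the AFFID/UID placeholders are all constructed for the example; only the two host names come from the post above.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-log lines (not captured traffic). The two hosts are the
# ones named in the thread; AFFID and UID stand in for the affiliate and
# machine identifiers that appeared in the real URLs. The example.com requests
# are ordinary browsing that the detector should leave alone.
# Format: <ISO timestamp> <client> <method> <host> <path-with-query> <status>
SAMPLE_LOG = """\
2008-07-27T05:00:12 10.0.0.5 POST www.winifixer.com /log2.php?affid=AFFID&uid=UID&tm=1 200
2008-07-27T05:00:13 10.0.0.5 GET avxp-08.com /images/1/AFFID/UID.gif 404
2008-07-27T05:03:40 10.0.0.5 GET www.example.com /index.html 200
2008-07-27T05:10:15 10.0.0.5 POST www.winifixer.com /log2.php?affid=AFFID&uid=UID&tm=2 200
2008-07-27T05:10:16 10.0.0.5 GET avxp-08.com /images/2/AFFID/UID.gif 404
2008-07-27T05:12:02 10.0.0.5 GET www.example.com /news.html 200
2008-07-27T05:20:09 10.0.0.5 POST www.winifixer.com /log2.php?affid=AFFID&uid=UID&tm=3 200
2008-07-27T05:20:10 10.0.0.5 GET avxp-08.com /images/3/AFFID/UID.gif 404
2008-07-27T05:30:14 10.0.0.5 POST www.winifixer.com /log2.php?affid=AFFID&uid=UID&tm=4 200
2008-07-27T05:30:15 10.0.0.5 GET avxp-08.com /images/4/AFFID/UID.gif 404
2008-07-27T05:33:20 10.0.0.5 GET www.example.com /about.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, url, status = m.groups()
    return {
        "time": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "host": host,
        "path": url.split("?", 1)[0],  # drop the query string (affid/uid/tm vary per hit)
        "status": int(status),
    }


def normalize_path(path):
    """Collapse digit runs to 'N' so per-request timestamps or ids in the path fall into one template."""
    return re.sub(r"\d+", "N", path)


def find_beacons(log_text, min_hits=3, max_jitter=0.2):
    """Return request groups that repeat at a near-constant interval.

    A group is (client, method, host, path template). It is reported when it has at
    least min_hits requests and the spread of the gaps between them (population
    standard deviation divided by the mean gap) is no more than max_jitter.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            key = (rec["client"], rec["method"], rec["host"], normalize_path(rec["path"]))
            groups[key].append(rec)

    findings = []
    for (client, method, host, template), recs in groups.items():
        if len(recs) < min_hits:
            continue
        times = sorted(r["time"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter > max_jitter:
            continue
        findings.append({
            "client": client,
            "method": method,
            "host": host,
            "template": template,
            "hits": len(recs),
            "mean_interval_s": avg,
            "jitter": jitter,
            # Repeatedly fetching a resource that always 404s is itself a useful signal.
            "status_404_ratio": sum(r["status"] == 404 for r in recs) / len(recs),
        })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} {f['method']} {f['host']}{f['template']}: "
              f"{f['hits']} hits every ~{f['mean_interval_s']:.0f}s "
              f"(jitter {f['jitter']:.3f}, 404 ratio {f['status_404_ratio']:.2f})")
```

Run on the constructed log, it reports the two beaconing groups and nothing for the example.com browsing. Real proxy logs would need their own parse_line, and the defanged hxxp URLs in the thread are not fed to it; the point is the grouping and interval test, which are what separate a timer-driven check-in from a person clicking around.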