« previous next »
Pages: [1]   Go Down

Author Topic: rogue anti virus  (Read 3566 times)

0 Members and 1 Guest are viewing this topic.

November 16, 2009, 07:18:45 am
Read 3566 times

crunchtime

  • Special Access
  • Full Member
  • Offline
  • *
  • 54
rogue anti virus
Samples:
hxxp://193.169.12.53/bin/576.exe
hxxp://193.169.12.53/bin/trt.exe

VirusTotal:
File 576.exe received on 2009.11.16 07:02:54 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 3/41 (7.32%)

ThreatExpert Report:
http://www.threatexpert.com/report.aspx?md5=e2af8db39f9086e3d74d572328b1ad0d
Logged
November 16, 2009, 09:08:13 pm
Reply #1

SysAdMini

  • Administrator
  • Hero Member
  • Offline
  • *****
  • 3335
Re: rogue anti virus
Today I got some information (thanks Mark) where those files come from.

An exploit kit at
Code: [Select]
kulibaka.com/documents/?s=572or
Code: [Select]
novadeva.com/documents/?s=572
starts a dropper that downloads these files.

http://www.malwaredomainlist.com/mdl.php?search=193.169.12.53&colsearch=All&quantity=50
Logged
Ruining the bad guy's day
November 19, 2009, 04:57:47 pm
Reply #2

crunchtime

  • Special Access
  • Full Member
  • Offline
  • *
  • 54
Re: rogue anti virus
Another sample:
hxxp://91.212.226.178/setup_233.exe

VirusTotal results:
File setup_233.exe received on 2009.11.19 11:18:48 (UTC)
Current status: finished
Result: 15/37 (40.54%)

Anubis report:
http://anubis.iseclab.org/?action=result&task_id=1f122e7364354542419658086502be9e9
Logged
December 07, 2009, 01:09:26 am
Reply #3

crunchtime

  • Special Access
  • Full Member
  • Offline
  • *
  • 54
Re: rogue anti virus
Logged
December 07, 2009, 04:00:07 am
Reply #4

CkreM

  • Special Access
  • Hero Member
  • Offline
  • *
  • 567
Re: rogue anti virus
Quote from: crunchtime on December 07, 2009, 01:09:26 am
Another Sample:
hxxp://222.73.218.83/pn.exe

VirusTotal Results:
http://www.virustotal.com/analisis/dd2810312869e4adce1f3503007f2f9ed2063a0e65127e16135e2c7b8bfeed46-1260147761

Its Qhost, changing the hosts file to:
Code: [Select]
89.149.210.109 www.google.com
89.149.210.109 www.google.de
89.149.210.109 www.google.fr
89.149.210.109 www.google.co.uk
89.149.210.109 www.google.com.br
89.149.210.109 www.google.it
89.149.210.109 www.google.es
89.149.210.109 www.google.co.jp
89.149.210.109 www.google.com.mx
89.149.210.109 www.google.ca
89.149.210.109 www.google.com.au
89.149.210.109 www.google.nl
89.149.210.109 www.google.co.za
89.149.210.109 www.google.be
89.149.210.109 www.google.gr
89.149.210.109 www.google.at
89.149.210.109 www.google.se
89.149.210.109 www.google.ch
89.149.210.109 www.google.pt
89.149.210.109 www.google.dk
89.149.210.109 www.google.fi
89.149.210.109 www.google.ie
89.149.210.109 www.google.no
89.149.210.109 search.yahoo.com
89.149.210.109 us.search.yahoo.com
89.149.210.109 uk.search.yahoo.com
which then redirect to fake porn sites when searching google/yahoo
Code: [Select]
http://realtubeworld.com//pornstars/xmovie.php
Logged
Mal-Aware
Pages: [1]   Go Up
« previous next »