Author Topic: rogue anti virus  (Read 3566 times)


November 16, 2009, 07:18:45 am

crunchtime

Samples:
hxxp://193.169.12.53/bin/576.exe
hxxp://193.169.12.53/bin/trt.exe

VirusTotal:
File 576.exe received on 2009.11.16 07:02:54 (UTC)
Result: 3/41 (7.32%)

ThreatExpert Report:
http://www.threatexpert.com/report.aspx?md5=e2af8db39f9086e3d74d572328b1ad0d

November 16, 2009, 09:08:13 pm
Reply #1

SysAdMini

Today I got some information (thanks Mark) where those files come from.

An exploit kit at
kulibaka.com/documents/?s=572
or
novadeva.com/documents/?s=572
starts a dropper that downloads these files.

http://www.malwaredomainlist.com/mdl.php?search=193.169.12.53&colsearch=All&quantity=50
Ruining the bad guy's day

November 19, 2009, 04:57:47 pm
Reply #2

crunchtime

Another sample:
hxxp://91.212.226.178/setup_233.exe

VirusTotal results:
File setup_233.exe received on 2009.11.19 11:18:48 (UTC)
Current status: finished
Result: 15/37 (40.54%)

Anubis report:
http://anubis.iseclab.org/?action=result&task_id=1f122e7364354542419658086502be9e9

December 07, 2009, 01:09:26 am
Reply #3

crunchtime


December 07, 2009, 04:00:07 am
Reply #4

CkreM

Another Sample:
hxxp://222.73.218.83/pn.exe

VirusTotal Results:
http://www.virustotal.com/analisis/dd2810312869e4adce1f3503007f2f9ed2063a0e65127e16135e2c7b8bfeed46-1260147761

It's Qhost, changing the hosts file to:
89.149.210.109 www.google.com
89.149.210.109 www.google.de
89.149.210.109 www.google.fr
89.149.210.109 www.google.co.uk
89.149.210.109 www.google.com.br
89.149.210.109 www.google.it
89.149.210.109 www.google.es
89.149.210.109 www.google.co.jp
89.149.210.109 www.google.com.mx
89.149.210.109 www.google.ca
89.149.210.109 www.google.com.au
89.149.210.109 www.google.nl
89.149.210.109 www.google.co.za
89.149.210.109 www.google.be
89.149.210.109 www.google.gr
89.149.210.109 www.google.at
89.149.210.109 www.google.se
89.149.210.109 www.google.ch
89.149.210.109 www.google.pt
89.149.210.109 www.google.dk
89.149.210.109 www.google.fi
89.149.210.109 www.google.ie
89.149.210.109 www.google.no
89.149.210.109 search.yahoo.com
89.149.210.109 us.search.yahoo.com
89.149.210.109 uk.search.yahoo.com

which then redirects to fake porn sites when searching Google/Yahoo:
http://realtubeworld.com//pornstars/xmovie.php
Mal-Aware
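A defender-side check for the hosts-file hijack described in the post above, added here as example code (not from the poster or this forum): it parses hosts entries and flags any public IP that overrides a search-engine domain or is shared by several hostnames, the pattern the Qhost entries show. The watch-list and the sample hosts content are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file in the shape of the Qhost change described above
# (one redirect IP assigned to many search-engine hostnames) plus benign lines.
SAMPLE_HOSTS = """\
# comment line, should be ignored
127.0.0.1       localhost
::1             localhost
192.168.1.20    fileserver.corp.example   # constructed internal entry
89.149.210.109 www.google.com
89.149.210.109 www.google.de
89.149.210.109 search.yahoo.com
89.149.210.109 us.search.yahoo.com
"""

# Assumed watch-list: domains a local hosts file should never need to override.
WATCHED = ("google.", "yahoo.", "bing.com", "live.com", "microsoft.com")

def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments, blanks and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if not parts:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an IP, so not a hosts entry
        for name in parts[1:]:
            yield addr, name.lower()

def find_hijacks(text, min_names=3):
    """Return {ip: [hostnames]} for public IPs that override a watched domain
    or are assigned to min_names or more hostnames (mass-redirect pattern)."""
    by_ip = defaultdict(list)
    for addr, name in parse_hosts(text):
        # loopback, private and unspecified targets are normal hosts-file content
        if addr.is_loopback or addr.is_private or addr.is_unspecified:
            continue
        by_ip[str(addr)].append(name)
    hits = {}
    for ip, names in by_ip.items():
        watched = any(s in n for n in names for s in WATCHED)
        if watched or len(names) >= min_names:
            hits[ip] = names
    return hits
```

Running `find_hijacks` over a host's real hosts file (`/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts`) gives a quick triage signal; an empty result means no public-IP overrides were found.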