Author Topic: Paypal malware modifies hosts file  (Read 3603 times)


March 31, 2010, 05:06:50 pm

SysAdMini

Someone reported malware on

Code:
esdem.net/updatePayPal.scr
This malware modifies the hosts file and adds these entries.

Code:
206.217.196.222 www.paypal.com
206.217.196.222 paypal.com
206.217.196.222 www.paypal.com.au
206.217.196.222 paypal.com.au
Then it opens the PayPal page in a new browser window.

Detection is low. VT 5/42

http://www.virustotal.com/analisis/6fd5fdb3ae861dd4bebbf7f00bf084e0799d5513364cbcff597782823f09a1d9-1270054871

http://camas.comodo.com/cgi-bin/submit?file=6fd5fdb3ae861dd4bebbf7f00bf084e0799d5513364cbcff597782823f09a1d9

http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=12058167&cs=B3BD81C17CC5A5C62A9DC2921D8A775D
Ruining the bad guy's day
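The hijack described in the post is a plain text change, so a defender can check for it directly. The following is an added example, not code from the thread or from the sample's analysis: a small hosts-file parser that flags watched domains mapped to anything other than a loopback or unspecified address. The watch-list and the sample hosts file are constructed for the example (the four paypal entries are the ones quoted above).

```python
import ipaddress
import sys
from typing import Dict, List, Tuple

# Constructed sample hosts file: the four entries reported in the thread
# plus ordinary lines (a comment, localhost) to exercise the parser.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
206.217.196.222 www.paypal.com
206.217.196.222 paypal.com
206.217.196.222 www.paypal.com.au
206.217.196.222 paypal.com.au
"""

# Hypothetical watch-list: domains that should never be resolved via the hosts file.
WATCHED_DOMAINS = ("paypal.com", "paypal.com.au")


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_no) for every mapping in a hosts file.

    Strips '#' comments, skips blank lines, and expands lines that map
    several hostnames to one address.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first token is not an address, so not a hosts mapping
        for name in names:
            entries.append((ip, name.lower(), line_no))
    return entries


def is_watched(hostname: str) -> bool:
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text: str) -> List[dict]:
    """Flag watched domains that are pointed at a real (non-local) address."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        # 127.0.0.1 / ::1 / 0.0.0.0 mappings are how blocklists sinkhole
        # a domain; they are not a redirect to an attacker-controlled host.
        if addr.is_loopback or addr.is_unspecified:
            continue
        if is_watched(name):
            findings.append({"line": line_no, "host": name, "ip": ip})
    return findings


def hijacked_hosts(text: str) -> Dict[str, str]:
    """Convenience view: hostname -> address for every flagged entry."""
    return {f["host"]: f["ip"] for f in find_hijacks(text)}


if __name__ == "__main__":
    # Pass a path (e.g. /etc/hosts or the Windows drivers\etc\hosts file)
    # to scan a real file; with no argument the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for f in find_hijacks(text):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}")
```

Running it on the sample prints the four paypal lines; a clean hosts file produces no output. The loopback/unspecified exemption matters in practice, since many legitimate ad- and tracker-blocking hosts files contain thousands of entries that would otherwise be false positives.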

April 01, 2010, 02:46:52 pm
Reply #1

Evilcry

Hi,

Just reversed this malicious application; here is the link:

http://evilcodecave.blogspot.com/2010/04/paypal-malware-fake-update-analysis.html

Regards,
Giuseppe 'Evilcry' Bonfa'
Deep Root Never Freezes - Tolkien