Archive for July, 2008

31 Jul

New site distributing Antivirus2009 Rogue

We found a new site distributing the Antivirus 2009 rogue software today.

**Proceed at your own risk**

Site: hxxp://antivirus-2009pro.com

File: hxxp://antivirus-2009pro.com/2009/download/77001106/AV2009Install.exe

Results for antivirus-2009pro.com:

Domain Name: ANTIVIRUS-2009PRO.COM

Creation Date: 30-Jul-2008
Expiration Date: 30-Jul-2009

Domain servers in listed order:
ns4.mynick.name
ns3.mynick.name
ns2.mynick.name
ns1.mynick.name

Registrant:
PrivacyProtect.org
Domain Admin        (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Antivirus 2009 Rogue

30 Jul

investigated #winxp-antivirus.com #mortgage-e.biz

Took a look at the mortgage-e.biz redirection URL that I blogged about (earlier) today. I found a few of the domains hosting malicious binaries and have included the information below. All of the files I collected have been uploaded to the Malware Database under /Malware/lithium-malware.

URL: hxxp://www.winxp-antivirus.com (redirected)

In charge of redirection: hxxp://mortgage-e.biz/in.cgi

GET /in.cgi?19 HTTP/1.1
Host: mortgage-e.biz

<html>
<head>
<meta http-equiv="REFRESH" content="1; URL='hxxp://mortgage-e.biz/in.cgi?2'">
</head>
<body>
document moved <a href="hxxp://mortgage-e.biz/in.cgi?2">here</a>
</body>
</html>
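As an added example (not code from the original post), a small Python helper that pulls the next hop out of a captured redirector page like the one above (meta refresh first, the "document moved ... here" anchor as fallback) and walks a chain of such pages with loop and hop limits. The responses are constructed for the example; the first two mirror the in.cgi?19 to in.cgi?2 hop, and the landing URL is made up.

```python
import re
from html.parser import HTMLParser

# Constructed sample responses keyed by URL (stand-ins for fetched pages). The first
# two mirror the in.cgi?19 -> in.cgi?2 hop captured above; the landing page is made up.
SAMPLE_RESPONSES = {
    "hxxp://mortgage-e.biz/in.cgi?19":
        '<html><head><meta http-equiv="REFRESH" content="1; URL=\'hxxp://mortgage-e.biz/in.cgi?2\'">'
        '</head><body>document moved <a href="hxxp://mortgage-e.biz/in.cgi?2">here</a></body></html>',
    "hxxp://mortgage-e.biz/in.cgi?2":
        '<html><head><meta http-equiv="refresh" content="0;url=hxxp://example.invalid/landing"></head></html>',
    "hxxp://example.invalid/landing": "<html><body>no further redirect</body></html>",
}


class _RefreshParser(HTMLParser):
    # Collects the first meta-refresh target and every anchor href in one body.
    def __init__(self):
        super().__init__()
        self.refresh, self.hrefs = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content is "<delay>; URL=<target>"; url= is case-insensitive, quotes optional
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content") or "", re.I)
            if m and self.refresh is None:
                self.refresh = m.group(1).strip()
        elif tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])

def next_hop(body):
    # Where a browser goes next: the meta refresh wins; a single anchor (the
    # "document moved ... here" fallback) counts too; otherwise the page stays put.
    p = _RefreshParser()
    p.feed(body)
    if p.refresh:
        return p.refresh
    return p.hrefs[0] if len(p.hrefs) == 1 else None

def follow_chain(start, responses, max_hops=10):
    # Walk the chain through responses (URL -> body); stop on a loop, an unknown
    # URL or max_hops so a self-referencing redirector cannot spin forever.
    chain = [start]
    while len(chain) <= max_hops:
        nxt = next_hop(responses.get(chain[-1], ""))
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain
```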

Some of the domains currently redirected by mortgage-e.biz: **Proceed at your own risk**


29 Jul

Malspam Campaign Still Going Strong

The spamming campaign that has hit us full force is pushing the file get_flash_update.exe. Most AVs detect this file at this point, so hopefully it shouldn't cause much havoc. I wanted to post the emails we've received and the domains that are hosting this malware.

VirusTotal shows 31/35 detection and you can click the link for more details. Of course this file is available in our repository in pnuemo-malware/Classified/Trj-Exchanger.S.zip.

Warning: These sites are still live as of 7/29 10:22a PST. Proceed at your own risk!


Read more for the email subjects and bodies we’ve received.

29 Jul

New URL redirecting to malicious codec (VIDEO)

We have detected a new URL promoting various malicious “codec” binaries.

Update Here (7/30/08)

URL: hxxp://winxp-antivirus.com (Proceed at your own risk)

The first site we were redirected to prompted us to download wmcodec_upgrade.exe, and on running it the following files were created:

C:\WINDOWS\system32\RichVideoCodec.dll
C:\Program Files\RichVideoCodec\escan.exe
C:\Program Files\RichVideoCodec\InstallRegerLib.dll
C:\DOCUME~1\User\LOCALS~1\Temp\nsw8.tmp\System.dll
Source: SunBelt Sandbox

VirusTotal: Result: 6/35 (17.14%)

Upon reloading winxp-antivirus.com we were redirected over to porntubev20.com and prompted to download a codec to watch pornography clips.

The codec file for porntubev20.com pointed to hxxp://codechost.com/codecpack.v.1.0.89.exe

VirusTotal: Result: 11/35 (31.43%) (3 suspicious)

You may see a video of our encounter here: (Pornography omitted)


26 Jul

New Antivirus XP 2008 (VIDEO)

This morning we detected two new sites promoting a new version of the Antivirus XP 2008 rogue. We have captured a video of our encounter for your viewing. The file has been added to the Malware Database under /Malware/lithium-malware.

Sites hosting the rogue software: *proceed at your own risk*
hxxp://antivirusxp-08.com
hxxp://antivirusxp-2008.com

JoeBox Sandbox Report: here


Removal:

Remove this threat with MalwareBytes!

VirusTotal:
File AntivirusXP2008Installer.exe received on 07.26.2008 19:56:35 (CET)
Result: 7/35 (20.00%)

File size: 1399061 bytes
MD5:    e979fb2eb504972ed87ad3c825ec6c2c
SHA1:   7a927cfa6d413f66da1ae05f668ce85b3547aaf2
SHA256: 9d45ae1d8d3749efbe72b24bc20142e8c55b88a0733a45e5fe8579cf24981f33
SHA512: df1b55bff5fdee03cd77d59befe5ccfef555100605f7e9782e0a90e21ad6f67c92bdf925e2844d042c9da48e1c05eb4970460683aebbec2bf5a3f9cf6341bee6
PEiD: -
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x403225
timedatestamp:     0x47acc8b2 (Fri Feb 08 21:25:06 2008)
machinetype:       0x14c (I386)

( 5 sections )
name    viradd   virsiz   rawdsiz  ntrpy  md5
.text   0x1000   0x5934   0x5a00   6.46   663546ac41801daf2dc51f560ec05a56
.rdata  0x7000   0x1190   0x1200   5.18   db16645055619c0cc73276ff5c3adb75
.data   0x9000   0x1af98  0x400    4.70   f0511f18783910813a0de0de02bc1206
.ndata  0x24000  0xb000   0x0      0.00   d41d8cd98f00b204e9800998ecf8427e
.rsrc   0x2f000  0x1b58   0x1c00   3.57   cb651807c2efbaffbd00e8c2e09bc37f

26 Jul

Multiple files added to database

Here are some new files added to the database (pnuemo-malware/Unclassified). I'm not going to post all the VirusTotal information because it would look awful. Click on the links to see them.

15ml.exe
Additional information (JoeBox)
Virustotal: Result: 8/35

flash.exe
Additional information (JoeBox)
Virustotal: Result: 12/34

spacecodec.v.1.402.exe
Additional information (JoeBox)
Virustotal: Result: 13/34

WebSoftCodecDrivern.exe
Additional information (JoeBox)
Virustotal: Result: 6/34

26 Jul

::FAQ Added:: New Member: Alexandru from Romania!

We would like to welcome our newest member, Alexandru.  Alexandru is a malware analyst from Romania and he will be providing interesting malware samples to Malware Database.  Welcome to the team Alexandru!

Frequently Asked Questions

A few of our viewers have taken the time to contact me in attempt to get clarification on what it is we actually do at Malware Database and I hope to clear up some confusion with this post.

Who is behind Malware Database?

We are a group of security professionals and a few hobbyists who each contribute to a private distributed database of malicious binaries.

Can I join?

Yes! You may join our team if you meet the following criteria.

  • Your identity must be verifiable, somehow.  If you work as a professional security analyst and do not wish to disclose your identity on our website then that is OK.  We promise not to make that information public but we still must know your true identity.  No exceptions.
  • You must contribute in some way.  (E.g. malware samples, analysis, coding, writing articles, etc)
  • Let us know why you would like to join the MDB team and how it will help you.
  • Friendly people only!  If you have a bad attitude or just have a holier than thou attitude we do not want to hear from you.  This world has enough assholes and we try our best to keep them out of our community.

Where do you get your samples?

From our contributing members, of course.  Just kidding.  Various low and high interaction honeypots/clients, spam traps, etc operated individually by our group members.  Also, hunting.

“I want to hax0r my friends co…”

Go away, please.

If you have additional questions or if you would like to request membership please feel free to contact me at lithium@malwaredatabase.net.

26 Jul

File Added: kdejw.exe (7de3a91ed9b7fa5c7d44874942dab3b8)

Another file collected. Available in pnuemo-malware/Unclassified

Additional information (JoeBox)
Virustotal:

File size: 51712 bytes
MD5:    7de3a91ed9b7fa5c7d44874942dab3b8
SHA1:   e08aaab21e5c60277a13c224bc164344506a71c7
SHA256: 3dac25133db3d379b04f63d1fdb37a23475a424b2717cb3e219484afe094a360
SHA512: 3788e47a85ba270735994ee5de7a764c96a2909bce7997f921a77b8b52f06b3c55d8860426d2691e3e9cd62ba186d53e25355048018f8f5bd6acd93b6d176d51
PEiD: -
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x401028
timedatestamp:     0x0 (Thu Jan 01 00:00:00 1970)
machinetype:       0x14c (I386)

( 4 sections )
name    viradd  virsiz  rawdsiz  ntrpy  md5
.code   0x1000  0xf7e   0x600    5.76   0066f4fad97f809f8acd6f25e05b6a2a
.text   0x2000  0x2c4f  0x2200   7.21   fa49bf90d9a0c765d1f92ef76355fff0
.rdata  0x5000  0xf68   0x200    1.14   3c802c0313cc5e871071eff087fa59a2
.rsrc   0x6000  0xfe11  0x9c00   7.99   d6c291427ff4792d17a434f37adff506

( 2 imports )
> user32.dll: MessageBoxA
> kernel32.dll: ExitProcess

( 0 exports )