Archive for July 29th, 2008

29
Jul

Malspam Campaign Still Going Strong

By djpnuemo Comment
Categories: Database Update, E-mail, MalSpam, Malicious Links and Malware

The spamming campaign that has hit us full force is pushing the file get_flash_update.exe. Most AV’s at this point have detected this file so hopefully it shouldn’t cause much havoc. I wanted to post the emails we’ve received and the domains that are hosting this malware.

VirusTotal shows 31/35 detection and you can click the link for more details. Of course this file is available in our repository in pnuemo-malware/Classified/Trj-Exchanger.S.zip.

Warning: These sites are still live as of 7/29 10:22a PST. Proceed at your own risk!

hxxp://ankaraspor.com.tr/default.html
hxxp://cit-inc.net/default.html
hxxp://grupoestudio.com/default.html
hxxp://www.dianagraf.es/default.html
hxxp://venhuis.de/default.html
hxxp://grupoestudio.com/default.html
hxxp://ebberov.homepage.dk/default.html
hxxp://madosma.com/default.html
hxxp://warinsa.com/default.html
hxxp://www.czareksu.pl/default.html
hxxp://heimerpara.de/default.html

Read more for the email subjects and bodies we’ve received.
Continue reading ‘Malspam Campaign Still Going Strong’

29
Jul

New URL redirecting to malicious codec (VIDEO)

By lithium Comments
Categories: Codec, Malicious Links and Malware

We have detected a new URL promoting various malicious “codec” binaries.

Update Here (7/30/08)

URL: hxxp://winxp-antivirus.com (Proceed at your own risk)

The first site we were redirected to prompted us to download wmcodec_upgrade.exe and upon running that the following files were created:

C:\WINDOWS\system32\RichVideoCodec.dll
C:\Program Files\RichVideoCodec\escan.exe
C:\Program Files\RichVideoCodec\InstallRegerLib.dll
C:\DOCUME~1\User\LOCALS~1\Temp\nsw8.tmp\System.dll
Source: SunBelt Sandbox

VirusTotal: Result: 6/35 (17.14%)

Upon reloading winxp-antivirus.com we were redirected over to porntubev20.com and prompted to download a codec to watch pornography clips.

The codec file for porntubev20.com pointed to hxxp://codechost.com/codecpack.v.1.0.89.exe

VirusTotal: Result: 11/35 (31.43%) (3 suspicious)

You may see a video of our encounter here: (Pornography omitted)

The Camtasia Studio video content presented here requires JavaScript to be enabled and the latest version of the Macromedia Flash Player. If you are you using a browser with JavaScript disabled please enable it now. Otherwise, please update your version of the free Flash Player by downloading here.



 

July 2008
M T W T F S S
« Jun   Aug »
 123456
78910111213
14151617181920
21222324252627
28293031