Archive for August 26th, 2008

26 Aug

Database Update: 11 Files (Low Detection)

New malware installers and other files, all found today during my research and all with a moderately low detection rate. All of these files are available in our repository under /devnull-malware/. Here is some information about them.

This post has been edited since yesterday with new binaries.

ALL OF THE URL’S LISTED ARE STILL LIVE! PROCEED AT YOUR OWN RISK!

setup.exe
Result: 7/36 (19.45%)
MD5: 6ddc4dd153ea3c4d190e583c6746d4e9
VirusTotal
ThreatExpert Analysis
hxxp://www.flwhelper.com/download.php?id=1651

AntvrsInstall.exe
Result: 7/36 (19.45%)
MD5: 7b08ee1142aec3912e906515a9ab31b9
VirusTotal
ThreatExpert Analysis

scan_trCRY.exe
Result: 11/36 (30.56%)
MD5: a52711984c1a3ff16fe070517a25facd
VirusTotal
ThreatExpert Analysis
hxxp://de-my-page.info/img/scan_trCRY.exe

setup_110052_3_.exe
Result: 6/36 (16.67%)
MD5: ad8456d442dfe8d5d6aab7e8701c183e
VirusTotal
ThreatExpert Analysis
hxxp://dnld.antivirusdwl.com/load/setup_110052_3_.exe

setup_100554_3_.exe
Result: 1/36 (2.78%)
MD5: 4223a43b972f3dbc837b25505a2d9f3c
VirusTotal
ThreatExpert Analysis
hxxp://dwl.securesoftdl.com/load/setup_100554_3_.exe

codecpack.v.1.0.1021.exe
Result: 4/36 (11.12%)
MD5: 0f97f437530ad44240b2bc921d3ac32c
VirusTotal
ThreatExpert Analysis

viva-codec4118.exe
Result: 10/36 (27.78%)
MD5: 3f9c9c7a324e362e036bd8b161d64df4
VirusTotal
ThreatExpert Analysis
hxxp://viva-codec.com/download/viva-codec4118.exe

viva-codec.v.1.000.exe
Result: 10/36 (27.78%)
MD5: b118b8f19934e41ff058b8ba96d26998
VirusTotal
ThreatExpert Analysis
hxxp://viva-codec.com/download/viva-codec.v.1.000.exe

antivirus.v.1.exe
Result: 1/36 (2.78%)
MD5: ef8b1872f567c8fba3e0188383446206
VirusTotal
ThreatExpert Analysis
hxxp://software-downloadz.com/antivirus.v.1.0.0.exe

crack_keygen.v.0..exe
Result: 1/35 (2.86%)
MD5: bcfc862e116318975e36d220bd0171cd
VirusTotal
ThreatExpert Analysis
hxxp://software-downloadz.com/crack_keygen.v.1.0..exe

LexlibInstaller_1_5198863.exe
Result: 2/36 (5.56%)
MD5: 111917eade7885dc37f7527ca66b239d
VirusTotal
ThreatExpert Analysis
hxxp://xptcodec.com/download/LexlibInstaller_1_4551723.exe

26 Aug

win-antivirus-protect.com – New domain distributing XP Antivirus

Today we found another domain pushing XP Antivirus. The domain is hxxp://win-antivirus-protect.com and the file being distributed is scan.exe. It had a 7/36 (19.45%) detection ratio on VirusTotal at the time of our discovery.


File System Modifications
  • The following files were created in the system:
    #  Filename(s)                       File Size      File MD5
    1  %Temp%\.tt1.tmp                   0 bytes        0xD41D8CD98F00B204E9800998ECF8427E
       %Temp%\.tt6D.tmp
    2  %Temp%\.tt1.tmp.vbs               1,002 bytes    0x9DF700C8F6FD43FAC0A89AEF04214BBD
    3  %System%\blphc35dj0erc1.scr       118,784 bytes  0xB10A43B9044B488DC8C7D33B250CFEBB
    4  %System%\lphc35dj0erc1.exe        199,168 bytes  0x01EB2601C7A982D72CC5A1AE6C3CBCE7
    5  %System%\phc35dj0erc1.bmp         625,208 bytes  0x66FA7A528D4472EBB47D70E8F088B10C
    6  %System%\Restore\MachineGuid.txt  78 bytes       0x6331307B7FA1DC849B809B3E89C254CD
  • Notes:
    • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Memory Modifications
  • There were new processes created in the system:
    Process Name         Process Filename             Main Module Size
    lphc35dj0erc1.exe    %System%\lphc35dj0erc1.exe   892,928 bytes
    blphc35dj0erc1.scr   %System%\blphc35dj0erc1.scr  831,488 bytes
  • There was a new memory page created in the address space of the system process(es):
    Process Name   Process Filename       Allocated Size
    svchost.exe    %System%\svchost.exe   45,056 bytes
  • The following system service was modified:
    Service Name   Display Name             New Status   Service Filename
    srservice      System Restore Service   "Running"    %System%\svchost.exe -k netsvcs
Registry Modifications
  • The following Registry Keys were created:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host
    • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
    • HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver
  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      • lphc35dj0erc1 = "%System%\lphc35dj0erc1.exe"
        so that lphc35dj0erc1.exe runs every time Windows starts
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier]
      • InstallID = "85d938f1-3b2c-48f5-a800-7903eca8a87a"
    • [HKEY_CURRENT_USER\Control Panel\Desktop]
      • ConvertedWallpaper = "%System%\phc35dj0erc1.bmp"
      • SCRNSAVE.EXE = "%System%\blphc35dj0erc1.scr"
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
      • NoDispBackgroundPage = 0x00000001
      • NoDispScrSavPage = 0x00000001
    • [HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver]
      • EulaAccepted = 0x00000001
  • The following Registry Values were modified:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
      • DisableSR = 0x00000000
    • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
      • AppData = "%Profiles%\NetworkService\Application Data"
      • Cache = "%Profiles%\NetworkService\Local Settings\Temporary Internet Files"
    • [HKEY_CURRENT_USER\Control Panel\Colors]
      • Background = "0 0 255"
    • [HKEY_CURRENT_USER\Control Panel\Desktop]
      • ScreenSaveActive = "1"
      • Wallpaper = "%System%\phc35dj0erc1.bmp"
      • WallpaperStyle = "0"
      • OriginalWallpaper = "%System%\phc35dj0erc1.bmp"
Other details
  • To mark the presence in the system, the following Mutex objects were created:
    • {A56DECD8-1102-49e9-BFD5-17FBE35197F2}
    • CLqhc15dj0erc1
    • DDrawWindowListMutex
    • DDrawDriverObjectListMutex
    • __DDrawExclMode__
  • The following Host Names were requested from a host database:
    • 2081687.1.14f227775f82d2d8f3deb1d6906ff9ad.chr.santa-inbox.com
    • 2089406.1.14f227775f82d2d8f3deb1d6906ff9ad.chr.santa-inbox.com
    • 2096484.1.14f227775f82d2d8f3deb1d6906ff9ad.chr.santa-inbox.com
    • 2103546.1.14f227775f82d2d8f3deb1d6906ff9ad.chr.santa-inbox.com
    • 2110656.1.14f227775f82d2d8f3deb1d6906ff9ad.chr.santa-inbox.com
    • 2117718.1.14f227775f82d2d8f3deb1d6906ff9ad.chr.santa-inbox.com
    • 2124875.1.14f227775f82d2d8f3deb1d6906ff9ad.chr.santa-inbox.com
    • 2131921.1.14f227775f82d2d8f3deb1d6906ff9ad.chr.santa-inbox.com
    • 2138953.1.14f227775f82d2d8f3deb1d6906ff9ad.chr.santa-inbox.com
    • 2145984.1.14f227775f82d2d8f3deb1d6906ff9ad.chr.santa-inbox.com
    • 2153015.1.14f227775f82d2d8f3deb1d6906ff9ad.chr.santa-inbox.com
    • 2160062.1.14f227775f82d2d8f3deb1d6906ff9ad.chr.santa-inbox.com
    • 2167109.1.14f227775f82d2d8f3deb1d6906ff9ad.chr.santa-inbox.com
    • 2174140.1.14f227775f82d2d8f3deb1d6906ff9ad.chr.santa-inbox.com
    • 2184906.1.14f227775f82d2d8f3deb1d6906ff9ad.chr.santa-inbox.com
    • 2192203.1.14f227775f82d2d8f3deb1d6906ff9ad.chr.santa-inbox.com
    • 2200453.1.14f227775f82d2d8f3deb1d6906ff9ad.chr.santa-inbox.com
  • The data identified by the following URLs was then requested from the remote web server:
    • http://windowsupdate.microsoft.com
    • localhost
    • http://avxp-2008.net/images/1219744523/14f227775f82d2d8f3deb1d6906ff9ad/85d938f1-3b2c-48f5-a800-7903eca8a87a.gif
    • http://avxp-2008.net/images/1219744530/14f227775f82d2d8f3deb1d6906ff9ad/85d938f1-3b2c-48f5-a800-7903eca8a87a.gif
    • http://avxp-2008.net/images/1219744538/14f227775f82d2d8f3deb1d6906ff9ad/85d938f1-3b2c-48f5-a800-7903eca8a87a.gif
    • http://avxp-2008.net/images/1219744545/14f227775f82d2d8f3deb1d6906ff9ad/85d938f1-3b2c-48f5-a800-7903eca8a87a.gif
    • http://avxp-2008.net/images/1219744552/14f227775f82d2d8f3deb1d6906ff9ad/85d938f1-3b2c-48f5-a800-7903eca8a87a.gif
    • http://avxp-2008.net/images/1219744559/14f227775f82d2d8f3deb1d6906ff9ad/85d938f1-3b2c-48f5-a800-7903eca8a87a.gif
    • http://avxp-2008.net/images/1219744566/14f227775f82d2d8f3deb1d6906ff9ad/85d938f1-3b2c-48f5-a800-7903eca8a87a.gif
    • http://avxp-2008.net/images/1219744573/14f227775f82d2d8f3deb1d6906ff9ad/85d938f1-3b2c-48f5-a800-7903eca8a87a.gif
    • http://avxp-2008.net/images/1219744580/14f227775f82d2d8f3deb1d6906ff9ad/85d938f1-3b2c-48f5-a800-7903eca8a87a.gif
    • http://avxp-2008.net/images/1219744587/14f227775f82d2d8f3deb1d6906ff9ad/85d938f1-3b2c-48f5-a800-7903eca8a87a.gif
    • http://avxp-2008.net/images/1219744594/14f227775f82d2d8f3deb1d6906ff9ad/85d938f1-3b2c-48f5-a800-7903eca8a87a.gif
    • http://avxp-2008.net/images/1219744601/14f227775f82d2d8f3deb1d6906ff9ad/85d938f1-3b2c-48f5-a800-7903eca8a87a.gif
    • http://avxp-2008.net/images/1219744608/14f227775f82d2d8f3deb1d6906ff9ad/85d938f1-3b2c-48f5-a800-7903eca8a87a.gif
    • http://avxp-2008.net/images/1219744615/14f227775f82d2d8f3deb1d6906ff9ad/85d938f1-3b2c-48f5-a800-7903eca8a87a.gif
    • http://avxp-2008.net/images/1219744626/14f227775f82d2d8f3deb1d6906ff9ad/85d938f1-3b2c-48f5-a800-7903eca8a87a.gif
    • http://avxp-2008.net/images/1219744633/14f227775f82d2d8f3deb1d6906ff9ad/85d938f1-3b2c-48f5-a800-7903eca8a87a.gif
    • http://avxp-2008.net/images/1219744642/14f227775f82d2d8f3deb1d6906ff9ad/85d938f1-3b2c-48f5-a800-7903eca8a87a.gif
Source: ThreatExpert