Here is a fresh round of malware found over the last couple of days. All information about each sample is listed below. They are available in /pnuemo-malware/.
The websites are still live; proceed at your own risk!
us.txt (Rename to .exe to install)
Result: 7/36 (19.45%)
MD5: 2ba4acadfb372ea3a29874afe46cf6d4
VirusTotal
ThreatExpert Analysis
hxxp://lolika.cn/docs/us.txt
us4.txt (Rename to .exe to install)
Result: 5/36 (13.89%)
MD5: 6a732d670ff5b0fc0f5d220f0e8fb332
VirusTotal
ThreatExpert Analysis
hxxp://lolika.cn/docs/us.txt
CalcRFC.exe | CalcImpSAT.exe | CalsRT58.exe
Result: 1/36 (2.78%)
MD5: daef83cdf59d4bf97d2e220c0689cd1b
VirusTotal
ThreatExpert Analysis
hxxp://art.creativity.edu.tw/images/avatar/users/
hxxp://schooldog.com/bbs/skin/sara_bbs/
videporn920ma.exe
Result: 23/36 (63.89%)
MD5: 1e5e45f5fa77546b0628a41fc37176fd
VirusTotal
ThreatExpert Analysis
hxxp://camp.ro/videporn920ma.exe
CleanerInstaller.exe
Result: 16/36 (44.45%)
MD5: d3dfcc09e20af294bce88d5b50996ead
VirusTotal
ThreatExpert Analysis
hxxp://download.secureexpertcleaner.com/CleanerInstaller.exe
TotalSecure2009.exe
Result: 4/35 (11.43%)
MD5: 02a18d7e8dc15a53b8830bdcd68e7fe4
VirusTotal
ThreatExpert Analysis
hxxp://gettotalsec2008.com/TotalSecure2009.exe
setup_110084_3_.exe
Result: 4/35 (11.43%)
MD5: 0b429e47169219edd3a21d7845355ec0
VirusTotal
ThreatExpert Analysis
hxxp://dnld.winsecuritydl.com/load/setup_110084_3_.exe
setup_1_506_.exe
Result: 14/36 (38.89%)
MD5: 852eaacfb096afe7b72fe04cebe3612d
VirusTotal
ThreatExpert Analysis
hxxp://dnld.getwsp.com/load/setup_1_506_.exe
wotcodec.v.1.000.exe
Result: 18/36 (50%)
MD5: 905c85ab50f200dd0229cc93e055ed5a
VirusTotal
ThreatExpert Analysis
hxxp://wotcodec.com/download/wotcodec.v.1.000.exe
It’s no surprise that there is a slew of pornographic websites spreading malware. This one is a rip-off adult site modelled on the very popular YouTube, complete with user comments just as the real site (or YouTube) would have. The operators are keeping up with the times by spreading new variants with low detection. This one in particular is undetected by all AV engines except for a single heuristic catch. The file is available in /pnuemo-malware/ in our repository.

codec.v.1.0.exe
Result: 1/36 (2.78%)
MD5: 611430330319db5ce1ff98b6293576f7
VirusTotal
ThreatExpert Analysis
Removal:
Note: This site is advertising rogue (“fake”) anti-malware software. Do not purchase, download, or install it!

Sites:
- hxxp://xp-protections.com
- hxxp://xp-registration.com
- hxxps://xpprotectionsoftware.com
Files:
- XPantivirus2008_v40002.exe
- MD5: 3A8181353BE69C8FF862BA589C551DE5
- VirusTotal Result: 19/35 (54.29%)
While stepping through malicious domains, I noticed that the “International Virus Research Lab” (IVRL) pages for XP Antivirus 2008 had changed hashes. I was looking at hxxp://bestantivirus2009.com at the time and noticed the inclusion of an IFRAME pointing to hxxp://huytegygle.com/index.php.

I took a look at the IFRAME and found the following obfuscated JavaScript.

After attempting a few exploits, the code eventually leads to hxxp://huytegygle.com/bin/file.exe, which has a low detection rate at VirusTotal (7/36, and mostly heuristic). The file has been made available inside /lithium-malware/.
File: file.exe [ThreatExpert]
File size: 8192 bytes
MD5: a2a6455a4da0192fb8efe85e98fd3dfa
SHA1: a9a65198cf692a306be1e23c9e965549b7294b26
SHA256: 92255343407bf219f094bec01ac7750cf82869741d6fb5c27967624ce0e6bc80
SHA512: 2b9a1c7b33e80bdfc213be9d3dfbeb7491ede790045c5aec15ec55bd686c9787d2b19420f8058286c286375db2bee84e55d101c42f99a03a92010691e0b8eeb9
PEiD: -
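The injected IFRAME described above, as an added example that is not part of the original post: a small Python check that flags IFRAMEs whose src points off the page's own host and notes whether they are sized or styled to be invisible. The sample page is constructed for the demonstration; it only reuses the two hostnames named in the post.

```python
# Added example, not from the original post: flag IFRAMEs whose src points to a
# host other than the page's own, the pattern seen on bestantivirus2009.com above.
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeCollector(HTMLParser):
    """Records every <iframe> start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lower-cases tag and attribute names
            self.iframes.append({k: (v or "") for k, v in attrs})

def looks_hidden(attrs):
    """Zero/one-pixel or CSS-hidden frames are the usual drive-by shape."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

def defang(url):
    """Neutralise a URL for reporting, following the post's hxxp convention."""
    return url.replace("http", "hxxp", 1)

def find_offsite_iframes(html, page_url):
    """Return (defanged src, hidden?) for each IFRAME hosted off the page's domain."""
    page_host = (urlparse(page_url).hostname or "").lower()
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if host and host != page_host:  # relative or same-host frames are ignored
            findings.append((defang(src), looks_hidden(attrs)))
    return findings

# Constructed sample modelled on the observation above; not captured page content.
SAMPLE_PAGE_URL = "http://bestantivirus2009.com/index.html"
SAMPLE_HTML = """<html><body>
<iframe src="/promo.html" width="300" height="200"></iframe>
<IFRAME SRC="http://huytegygle.com/index.php" width=0 height=0 style="display: none"></IFRAME>
</body></html>"""

if __name__ == "__main__":
    for src, hidden in find_offsite_iframes(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"off-site iframe: {src} (hidden={hidden})")
```

Run against the HTML you fetched in a sandbox, passing the URL you fetched it from; the relative and same-host frames are skipped so only third-party inclusions are reported.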