11 Oct 08

Fake PornTube websites installing malware (Revisited)

More and more fake PornTube websites are appearing these days. They are being planted on unsuspecting web servers that run vulnerable software, and are usually uploaded through SQL injection exploits. Here is another look at these fake sites.

BE ADVISED: The URLs listed may still be live. Proceed at your own risk. Files available in /pnuemo-malware/.

The user is directed to the initial page, which instantly redirects them to the next page; that second page is always the same:

hxxp://domain.com/index1.php -> hxxp://domain.com/index14.php

The landing page is a replica of the PornTube website and instantly starts the download of a file.

The page claims that you can't view the full video unless you download the file.

As you can see from this picture, the link just below the 'video' points directly to the malware.

pornivideo03y45i.exe
VirusTotal result: 7/36 (19.45%)
MD5: 56b5c7a106e9b993dd37b1523a74b5d6
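The redirect and auto-download behaviour described above can be confirmed offline from saved copies of the pages. The following Python script is an added example, not code from the original post: it pulls meta-refresh and JavaScript redirects and executable links out of the HTML, and checks a downloaded sample's MD5 against the hash listed above. The two HTML snippets and the hostname example.invalid are constructed for the example; the real pages were not reproduced in the post.

```python
"""Added example, not code from the original post: triage saved copies of
the lure pages. The post describes index1.php redirecting at once to
index14.php, whose page links to and auto-starts the download of
pornivideo03y45i.exe. This extracts redirects (meta refresh and JavaScript
location assignments) and executable links from the HTML offline, and
checks a sample's MD5 against the hash the post reports.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Indicators taken from the post.
DROPPER_MD5 = "56b5c7a106e9b993dd37b1523a74b5d6"
DROPPER_NAME = "pornivideo03y45i.exe"

EXE_RE = re.compile(r"\.(?:exe|scr|com|pif|bat)$", re.I)
META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"]+)", re.I)
JS_LOCATION_RE = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]")


class LureParser(HTMLParser):
    """Collect redirect targets and executable download links from one page."""

    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.redirects = []
        self.downloads = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL_RE.search(a.get("content", ""))
            if m:
                self.redirects.append(urljoin(self.base, m.group(1).strip()))
        elif tag in ("a", "iframe", "frame", "embed", "object"):
            target = a.get("href") or a.get("src") or a.get("data")
            if target and EXE_RE.search(target.split("?", 1)[0]):
                self.downloads.append(urljoin(self.base, target))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies reach handle_data unparsed; look for location changes.
        if self._in_script:
            for m in JS_LOCATION_RE.finditer(data):
                self.redirects.append(urljoin(self.base, m.group(1)))


def analyze_page(html, page_url):
    """Return redirects, executable downloads and whether the dropper name appears."""
    p = LureParser(page_url)
    p.feed(html)
    p.close()
    downloads = list(p.downloads)
    for u in p.redirects:  # a redirect straight to an .exe is an auto-download
        if EXE_RE.search(u.split("?", 1)[0]) and u not in downloads:
            downloads.append(u)
    names_dropper = any(u.rsplit("/", 1)[-1].lower() == DROPPER_NAME for u in downloads)
    return {"redirects": p.redirects, "downloads": downloads, "names_dropper": names_dropper}


def is_known_dropper(sample_bytes):
    """True when the sample's MD5 equals the hash reported in the post."""
    return hashlib.md5(sample_bytes).hexdigest() == DROPPER_MD5


# Constructed stand-ins for the two pages (hostname is a placeholder).
INDEX1 = ('<html><head><meta http-equiv="refresh" content="0; url=index14.php">'
          '</head><body></body></html>')
INDEX14 = ('<html><head><meta http-equiv="refresh" content="2; url=pornivideo03y45i.exe">'
           '</head><body><div id="player"><img src="player.jpg"></div>'
           '<a href="pornivideo03y45i.exe">Download the full video</a></body></html>')

if __name__ == "__main__":
    print(analyze_page(INDEX1, "http://example.invalid/index1.php"))
    print(analyze_page(INDEX14, "http://example.invalid/index14.php"))
```

To use it on a real capture, read the saved index1.php and index14.php into strings and pass the URL they were fetched from as the base so relative targets resolve; feed the downloaded executable's bytes to is_known_dropper to match it against the listed hash.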

Domains hosting fake sites (UPDATED 10/12):

hxxp://www.orchestragruppo70.it/index1.php
hxxp://daka.hr/index1.php
hxxp://strazny.cz/index1.php
hxxp://handballfondi.it/index1.php
hxxp://sh-cap.net/index1.php
hxxp://www.granadapadel.com/index1.php
hxxp://www.safe.com.ve/index1.php
hxxp://tdimc.com.ar/index1.php
hxxp://www.garagentore-frawia.de/index1.php
hxxp://brassnuts-brassbolts.com/index1.php
hxxp://www.granjasdongil.com.mx/index1.php
hxxp://jorgelopezdj.com/index1.php
hxxp://decomarmolcuenca.es/index1.php
hxxp://fincaschicote.com/index1.php
hxxp://asembli.com/index1.php
hxxp://planet-bitch.de/index1.php
hxxp://www.gaudihouse.com/index1.php
hxxp://www.worldbakers.com/index1.php
hxxp://columnacafenegro.com/index1.php
hxxp://geoteam.sk/index1.php
hxxp://touchnfeel.kr/index1.php
hxxp://stress-relief-tips.net/index1.php
hxxp://hallenfussballfestival.de./index1.php
hxxp://momoelectronic.com/index1.php
hxxp://steinbergyasociados.com/index1.php
hxxp://moviendola.com/index1.php
hxxp://fauteuils-massage.fr/index1.php

Files Created:

%system%\CbEvtSvc.exe

Registry Modifications:

  • The following Registry Keys were created:
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CBEVTSVC
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CBEVTSVC\0000
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CBEVTSVC\0000\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc\Security
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc\Enum
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Security
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Enum
  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CBEVTSVC\0000\Control]
      • *NewlyCreated* = 0x00000000
      • ActiveService = "CbEvtSvc"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CBEVTSVC\0000]
      • Service = "CbEvtSvc"
      • Legacy = 0x00000001
      • ConfigFlags = 0x00000000
      • Class = "LegacyDriver"
      • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
      • DeviceDesc = "CbEvtSvc"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CBEVTSVC]
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc\Enum]
      • 0 = "Root\LEGACY_CBEVTSVC\0000"
      • Count = 0x00000001
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc\Security]
      • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc]
      • Type = 0x00000010
      • Start = 0x00000002
      • ErrorControl = 0x00000001
      • ImagePath = "%System%\CbEvtSvc.exe -k netsvcs"
      • DisplayName = "CbEvtSvc"
      • ObjectName = "LocalSystem"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000\Control]
      • *NewlyCreated* = 0x00000000
      • ActiveService = "CbEvtSvc"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000]
      • Service = "CbEvtSvc"
      • Legacy = 0x00000001
      • ConfigFlags = 0x00000000
      • Class = "LegacyDriver"
      • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
      • DeviceDesc = "CbEvtSvc"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC]
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Enum]
      • 0 = "Root\LEGACY_CBEVTSVC\0000"
      • Count = 0x00000001
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Security]
      • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc]
      • Type = 0x00000010
      • Start = 0x00000002
      • ErrorControl = 0x00000001
      • ImagePath = "%System%\CbEvtSvc.exe -k netsvcs"
      • DisplayName = "CbEvtSvc"
      • ObjectName = "LocalSystem"
  • The following Registry Values were modified:
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
      • (Default) = 0x0000000C
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
      • (Default) = 0x0000000C
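The service entries above are the persistence to look for on a suspect host: an auto-start (Start = 2) service running as LocalSystem whose ImagePath borrows svchost's "-k netsvcs" syntax while pointing at a different binary, together with the Enum\Root\LEGACY_CBEVTSVC key that Windows creates once the service has been started. The following Python script is an added example, not code from the original post: it parses a text export of the Services and Enum\Root keys in the "Name = value" layout used above, diffs it against an export taken from a clean host, and flags those signals. Both exports are constructed for the example; the Dnscache and Schedule entries stand in for a clean baseline.

```python
"""Added example (not from the original post): triage a text export of the
Services and Enum\\Root keys for the service persistence documented above.

Input layout assumed: "[HKEY_...]" key lines followed by "Name = value"
lines as in the post; a .reg export's "Name"="value" and dword: forms are
accepted too. Three signals are checked:
  1. ImagePath uses svchost's "-k <group>" syntax but the binary is not
     svchost.exe (CbEvtSvc.exe -k netsvcs is dressed up to look like svchost);
  2. the service is absent from a baseline export taken from a clean host;
  3. an Enum\\Root\\LEGACY_<NAME> key exists, which Windows creates the
     first time a service starts, so the service has already run.
"""
import re

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\"
    r"(Services|Enum\\Root)\\([^\\\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^"?([^"=]+?)"?\s*=\s*(.*?)\s*$')


def parse_export(text):
    """Return ({service: {value: str}}, {names that have a LEGACY_ enum key})."""
    services, legacy, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = None  # only top-level Services\<name> keys are collected
            if m and m.group(1).lower() == "services":
                current = services.setdefault(m.group(2), {})
            elif m and m.group(2).upper().startswith("LEGACY_"):
                legacy.add(m.group(2)[len("LEGACY_"):].upper())
            continue
        m = VALUE_RE.match(line)
        if current is not None and m:
            current[m.group(1)] = m.group(2).strip('"')
    return services, legacy


def image_basename(image_path):
    """Executable file name from an ImagePath, honouring a quoted path."""
    p = image_path.strip()
    p = p[1:].split('"', 1)[0] if p.startswith('"') else p.split(" ", 1)[0]
    return p.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def to_int(value):
    """Parse 0x (post layout) or dword: (.reg layout) numbers; None otherwise."""
    v = (value or "").strip().lower()
    for prefix in ("0x", "dword:"):
        if v.startswith(prefix):
            return int(v[len(prefix):], 16)
    return None


def triage(suspect_text, baseline_text):
    """Return [(service, reason)] for services that deserve a closer look."""
    services, legacy = parse_export(suspect_text)
    baseline, _ = parse_export(baseline_text)
    findings = []
    for name, vals in services.items():
        ip = vals.get("ImagePath", "")
        exe = image_basename(ip)
        if re.search(r"\s-k\s+\S+", ip) and exe != "svchost.exe":
            findings.append((name, f"svchost-style '-k' arguments but binary is {exe}"))
        if name in baseline:
            continue
        detail = []
        if to_int(vals.get("Start")) == 2:
            detail.append("auto-start")
        if vals.get("ObjectName", "").lower() == "localsystem":
            detail.append("runs as LocalSystem")
        if name.upper() in legacy:
            detail.append("has already started (LEGACY_ enum key present)")
        findings.append((name, "not in baseline: " + ", ".join(detail or ["no further detail"])))
    return findings


# Constructed exports: a clean host, and the same host after the dropper
# registered the CbEvtSvc service with the values listed in the post.
BASELINE = """
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Dnscache]
Type = 0x00000020
Start = 0x00000002
ImagePath = "%SystemRoot%\\System32\\svchost.exe -k NetworkService"
ObjectName = "NT AUTHORITY\\NetworkService"
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Schedule]
Type = 0x00000020
Start = 0x00000002
ImagePath = "%SystemRoot%\\System32\\svchost.exe -k netsvcs"
ObjectName = "LocalSystem"
"""
SUSPECT = BASELINE + """
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_CBEVTSVC]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_CBEVTSVC\\0000]
Service = "CbEvtSvc"
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CbEvtSvc]
Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\\CbEvtSvc.exe -k netsvcs"
DisplayName = "CbEvtSvc"
ObjectName = "LocalSystem"
"""

if __name__ == "__main__":
    for service, reason in triage(SUSPECT, BASELINE):
        print(f"{service}: {reason}")
```

Against the constructed data this reports CbEvtSvc twice: once because its ImagePath carries "-k netsvcs" while the binary is cbevtsvc.exe rather than svchost.exe, and once because it is absent from the baseline, auto-starts as LocalSystem and already has its LEGACY_ enum key. The baseline diff is what keeps the "-k" check useful on a real host, where every genuine svchost group also matches that syntax.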

Removal:

Remove this threat with MalwareBytes!
