18 Oct 08

Malware distributors give “flu shot” to prevent viruses!

Today I came across a site (downloadmalware.com) and I initially thought that it was just an interesting title for a site similar to Malware Database. So anyway… I visit this site and what do I find?

I briefly skimmed through the page and found some super crazy story about how they want to stop viruses by injecting their malware into your system. HUH?! After reading this story in pure disgust I eventually came across a link to a live malware executable of the Vundo family.

Read the excerpt from the site below. My comments follow each quoted paragraph.

Everyone knows that it’s no fun getting a virus, and viruses can be obtained by doing basically anything on the internet. That’s why we created Malware, in order to finally put a stop to constant viral infections on your personal computer.

Malware to stop viruses, eh? That’s some class A BS right there!

We have many competitors, and they may be more popular than us, but at some point in this company’s career, we will surpass them.

Which point would that be?

It’s all about persistence and determination, and I would know because I just wrote an essay about that.

Our Approach: As stated on the main page, our methods of preventing viruses are very similar to how the common flu is prevented. We inject your computer with a small ‘virus’ so that your computer can build up an immunity to all viruses in general.

A “flu shot” malware to prevent further infections? Just when you thought their bullshit scams were bad!! This is a whole new league of doucheness!

In the past, technology was incapable of developing a program like this, but thanks to new dreamweaver technology by adobe, millions of users around the world are now protected from the most deadly computer viruses.

Huh?

To, Delve into the Situation Further: Our malware program includes a packaged installer. This packaged installer contains two separate files. One of these files is full of little bits of viruses, and the other package contains the white blood cells of nanotechnology. After the virus is installed, the Wano Cells (White-Nano-Cells) are released into the computer’s data stream. The Wano’s are programmed to seek, analyze, and destroy any form of virus that your computer might have. This super advanced sense of analyzition is almost like human instinct, and is the future of virus prevention and removal!

Holy crap! You guys are fscking crazy! They also seem to think that their malware has Chuck Norris strength!


File: Malware.exe
Creates:

  • %Temp%\removalfile.bat
  • %System%\qoMgddCr.dll -> injected into explorer.exe
  • %System%\ssqQjJYq.dll
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{420959A7-1B3F-49EE-848E-6DE631A39223}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{420959A7-1B3F-49EE-848E-6DE631A39223}\InprocServer32]
    • (Default) = “%System%\qoMgddCr.dll”
    • ThreadingModel = “Both”
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings]
    • Time = D0 AF 9A 53 FF 30 C9 01 00 00 00 00
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    • {420959A7-1B3F-49EE-848E-6DE631A39223} = “”
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qoMgddCr]
    • Asynchronous = 0x00000001
    • DllName = “qoMgddCr.dll”
    • Impersonate = 0x00000000
    • Logon = “o”
    • Logoff = “f”
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\00cd0861]
    • (Default) = “8908679E25944863A713F954075BFF50&”
  • [HKEY_CURRENT_USER\Software\Microsoft\Installer]
    • (Default) = 16 55 C3 53 FF 30 C9 01

Modifies:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • 1A10 = 0x00000000
    • {AEBA21FA-782A-4A90-978D-B72164C80120} = 1A 37 61 59 23 52 35 0C 7A 5F 20 17 2F 1E 1A 19 0E 2B 01 73 13 37 13 12 14 1A 15 2A
    • {A8A88C49-5EB2-4990-A1A2-0876022C854F} = 1A 37 61 59 23 52 35 0C 7A 5F 20 17 2F 1E 1A 19 0E 2B 01 73 13 37 13 12 14 1A 15 2A
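The ShellExecuteHooks entry and the Winlogon Notify package above are the persistence points worth checking on other machines. As an added example (not code from the post or its author), here is a Python script that parses a `reg export` text dump and correlates the hooked CLSID with the notify package; the .reg fragment is constructed for this example from the keys listed above, and the function names are mine.

```python
from collections import defaultdict

# Constructed sample in the format `reg export` writes, built from the keys in the post.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{420959A7-1B3F-49EE-848E-6DE631A39223}\InprocServer32]
@="C:\\WINDOWS\\system32\\qoMgddCr.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{420959A7-1B3F-49EE-848E-6DE631A39223}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qoMgddCr]
"DllName"="qoMgddCr.dll"
"Logon"="o"
"Logoff"="f"
"""

HOOKS_KEY = "\\Explorer\\ShellExecuteHooks"   # suffix of the hooks key
NOTIFY_KEY = "\\Winlogon\\Notify\\"           # prefix of each notify package subkey
CLSID_ROOT = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\"

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}; '@' is (Default)."""
    keys, current = defaultdict(dict), None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif "=" in line and current is not None:
            name, _, val = line.partition("=")
            keys[current][name.strip('"')] = val.strip('"')
    return keys

def find_vundo_persistence(text):
    """List hooked CLSIDs (resolved to their DLL) and notify packages; flag DLLs at both."""
    keys = parse_reg(text)
    findings, hook_dlls, notify_dlls = [], {}, {}
    for key, values in keys.items():
        if key.endswith(HOOKS_KEY):
            for clsid in values:
                # Resolve the hook's CLSID to its in-process server DLL
                server = keys.get(CLSID_ROOT + clsid + "\\InprocServer32", {})
                dll = server.get("@", "?").replace("\\\\", "\\")
                hook_dlls[dll.rsplit("\\", 1)[-1].lower()] = clsid
                findings.append(f"ShellExecuteHook {clsid} -> {dll}")
        elif NOTIFY_KEY in key:
            dll = values.get("DllName", "?").lower()
            notify_dlls[dll] = key.rsplit("\\", 1)[-1]
            findings.append(f"Winlogon notify package {notify_dlls[dll]} -> {dll}")
    for dll in hook_dlls.keys() & notify_dlls.keys():
        findings.append(f"SUSPICIOUS: {dll} is both a ShellExecuteHook and a Winlogon notify package")
    return findings
```

Run it against a dump produced with `reg export HKLM\SOFTWARE hklm.reg` to see which DLLs sit in both persistence slots.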

VirusTotal result: 7/36 (19.44%)
File size: 50176 bytes
MD5: fd877051a26132ccb53c06fe00ab1209
SHA1: 635d5e20f27d52de168aa4c9ecbe233a88de8d88
SHA256: 0d91a0551e0727029775c67432895ac4b650275bfc4c165e6d2e9ebf9b6b3fa6
SHA512: 7ec31c6ca83d8fc7c79ab2b558768f5490a957da9e4318c2fb86f9d1d25fed284cb6b42460ce3fcc09986bf740165b429dc04119ccfb908868d82b082235dfe9

Removal:

Remove this threat with MalwareBytes!

