Author Archive for djpnuemo

15
Nov

Database Update - 19 Files (Low Detection)

By djpnuemo Comments
Categories: Antivirus 2009, Codec, Database Update, Low Detection, Malicious Domains and Malware

Quite a few files added to the database today. As you can see below, these aren’t detected by many AV’s out there.

BE ADVISED: These URL’s may still be active. Proceed at your own risk!

A9installer_77024202.exe
Result: 0/36 (0%)
MD5: fd6c1b0cec99796c72213ee330eb7b58
VirusTotal
ThreatExpert Analysis
hxxp://allinone-scanner.com/2009

av_2009.exe
Result: 1/36 (2.78%)
MD5: 4c68e58e317f7111ac147d5279ef23e0
VirusTotal
ThreatExpert Analysis

zcodec.1482.exe
Result: 3/36 (8.34%)
MD5: 9acea07175a11ae690263f9be7828467
VirusTotal
ThreatExpert Analysis
hxxp://codecdownload.pc-storesoft.com

doc.pdf
Result: 10/36 (27.78%)
MD5: 220e84ba5748fbd62234f3f8db52c660
VirusTotal
hxxp://chanchoi.cn

default.exe
Result: 13/36 (36.12%)
MD5: 58e3a60289854bb435570a14ac3c616e
VirusTotal
ThreatExpert Analysis
hxxp://chanchoi.cn

kryostm.dll
Result: 21/36 (58.34%)
MD5: b8d72237913a95b597583f8f91181ed8
VirusTotal
ThreatExpert Analysis

kryo2.sys & pavtpk.sys
Result: 20/36 (55.56%)
MD5: abbce53fa9411adbd8a870ae9c27a92e
VirusTotal
ThreatExpert Analysis

test.pdf
Result: 10/36 (27.78%)
MD5: 220e84ba5748fbd62234f3f8db52c660
VirusTotal
hxxp://onlinestat.cn

file1.exe & U.exe
Result: 4/36 (11.12%)
MD5: 0fe5b393bef43d95f5e86c820097491e
VirusTotal
ThreatExpert Analysis
hxxp://onlinestat.cn

ntos.exe
Result: 4/36 (11.12%)
MD5: fbe5869d3f03108296e10a81e9b7d160
VirusTotal
ThreatExpert Analysis

After multiple runs through a sandbox, these different binaries were downloaded

ntos.exe
Result: 4/36 (11.12%)
MD5: df4f605f59823324cceaf359d46a5d27
VirusTotal
ThreatExpert Analysis

ntos.exe
Result: 5/36 (13.89%)
MD5: fa736d7136176eebfcefd109b33f2e90
VirusTotal
ThreatExpert Analysis

soft.exe
Result: 9/36 (25%)
MD5: dcdd783dd8f84ef8b9a0c8233d152540
VirusTotal
ThreatExpert Analysis

csrss7.dll
Result: 3/36 (8.34%)
MD5: e87c0ab9c96b000f86199118d38539c1
VirusTotal
ThreatExpert Analysis

This also modified the hosts file to block international search engines (AOL, Google, & MSN)

doc.pdf
Result: 12/36 (33.34%)
MD5: 9b3822a11c9e94763150282f0c9b1d01
VirusTotal

default.exe & ~.exe
Result: 8/36 (22.23%)
MD5: 4dcc389638a9cf14972752df79ed0dd6
VirusTotal
ThreatExpert Analysis

nvaux32.exe
Result: 8/36 (22.23%)
MD5: 94d724d0740a3f6a26b624051950b053
VirusTotal
ThreatExpert Analysis

user32.dll
Result: 8/35 (22.86%)
MD5: 5f24060f06fd415314485a66a0be8726
VirusTotal
ThreatExpert Analysis

flash_update.exe (Koobface Facebook Worm)
Result: 7/36 (19.45%)
MD5: f47a95dc8003bb0f206d836b757fa9f3
VirusTotal
ThreatExpert Analysis
hxxp://youtube-cam.com

13
Nov

Database Update - 16 Files (Low-Moderate Detection)

By djpnuemo Comments
Categories: Database Update, Infection, Low Detection, Malicious Domains, Malicious Links, Malware, Malware Distribution, Rogue Anti-Malware, Rogue Security Software, Rogue Software and Rootkit

Another update for tonight. Should have more over the weekend. Find them in /pnuemo-malware/.

BE ADVISED: These URL’s may still be active.  Proceed at your own risk!

services.exe
Result: 19/36 (52.78%)
MD5: c629db60a9a5d7303419b5153d3e9b0b
VirusTotal
ThreatExpert Analysis

nd82m0.dll
Result: 5/36 (13.89%)
MD5: d6f2135dc562c7d4992cf2cea2166707
VirusTotal
ThreatExpert Analysis
hxxp://85.17.166.182

kb600179.dll
Result: 5/36 (13.89%)
MD5: f946f8c3de445d45c7eb34591bee037b
VirusTotal
ThreatExpert Analysis
hxxp://89.188.16.30

setup_457_6777_.exe
Result: 1/36 (2.78%)
MD5: e9339f9045368947789ec70739de4b21
VirusTotal
ThreatExpert Analysis
hxxp://files.download-antispyware.com

scanner_457_6777_.exe
Result: 16/36 (44.44%)
MD5: e0f855c6c5fc93f0a8ed1fe9e702e492
VirusTotal
ThreatExpert Analysis
hxxp://dl.storage-antispyware.com/get/

42.exe
Result: 4/36 (11.12%)
MD5: f5201b9e77b7b31443b4e0e6190e219f
VirusTotal
ThreatExpert Analysis
hxxp://85.92.157.141/mxlivemedia/

msansspc.dll
Result: 6/36 (16.67%)
MD5: 3cc545e42b9bb14df4a63f2a37aebdb0
VirusTotal
ThreatExpert Analysis

mvnzivtlmzhxi.dll
Result: 7/36 (19.45%)
MD5: 7614e7448f1983b9641e9699f67576a4
VirusTotal
ThreatExpert Analysis

pdf.pdf
Result: 6/36 (16.67%)
MD5: a3f83503a165a19c4b01328463175cd7
VirusTotal
hxxp://activision.cc/1/spl

twext.exe
Result: 11/36 (30.56%)
MD5: 5767c816cb20753976df2edb60eaf448
VirusTotal
ThreatExpert Analysis

load.exe
Result: 12/36 (33.34%)
MD5: 9b467bdc6dd1b3e68651b7039cd373c8
VirusTotal
ThreatExpert Analysis
hxxp://activision.cc/1/

xcvb.pdf
Result: 4/36 (11.12%)
MD5: e3b86145de00ebfab3e3159d24b81104
VirusTotal
hxxp://91.203.92.137/xcv/

install.exe
Result: 16/36 (44.45%)
MD5: 0869881865032bd1b3b08d82e5e4f404
VirusTotal
ThreatExpert Analysis
hxxp://91.203.92.137/xcv/

beep.sys & figaro.sys
Result: 29/36 (80.56%)
MD5: c4618f889863b5aa357f5f5ba8f353d6
VirusTotal
ThreatExpert Analysis

brastk.exe
Result: 14/36 (38.89%)
MD5: 0d63a88fdb4259de8280f8bb7d78ec35
VirusTotal
ThreatExpert Analysis

KB908268.exe
Result: 7/36 (19.45%)
MD5: 504eb66e741186a61792862f0a83ff82
VirusTotal
ThreatExpert Analysis
hxxp://76.74.239.143/weruoiq/

msansspc.dll
Result: 6/36 (16.67%)
MD5: 3cc545e42b9bb14df4a63f2a37aebdb0
VirusTotal
ThreatExpert Analysis

12
Nov

EstDomains shut down effective November 24th, 2008

By djpnuemo Comments
Categories: Malicious Domains, Malware and Malware Distribution

I thought it was worth noting that today ICANN finally decided to terminate EstDomains ability to register domains. EstDomains has turned the other cheek to their clients use of their services. The shutting down of some, if not all of their registered domains, will definitely help in slowing down the spread of some new malware. Although the gangs I’m sure have already planned for this and have started to move some of their operations.

The termination of ICANN-accredited registrar EstDomains is to go ahead, effective 24 November 2008.

On 28 October 2008, ICANN sent a notice of termination to EstDomains, Inc. (EstDomains) based on an Estonian Court record reflecting the conviction of EstDomains’ then president, Vladimir Tsastsin, of credit card fraud, money laundering and document forgery.

Pursuant to Section 5.3 of the Registrar Accreditation Agreement (RAA), ICANN may terminate the RAA before its expiration when, “Any officer or director of [a] Registrar is convicted of a felony or of a misdemeanor related to financial activities, or is adjudged by a court to have committed fraud or breach of fiduciary duty, or is the subject of judicial determination that ICANN deems as the substantive equivalent of any of these; provided such officer or director is not removed in such circumstances.”

ICANN received a response from EstDomains on 29 October in which it indicated that the Estonian Court record on which ICANN relied was not final and had been appealed. ICANN pended the termination of EstDomains’ RAA to analyze the claims made by EstDomains and to obtain independent information regarding the status of the alleged appeal.

On 7 November 2008, EstDomains was informed that, based on ICANN’s findings, ICANN was proceeding with the termination of EstDomains’ RAA, effective 24 November 2008.

ICANN’s records indicate that EstDomains manages approximately 281,000 domain names. To protect the interests of registrants, on 28 October 2008, ICANN published a Request for Informations seeking expressions of interest from registrars to receive a bulk transfer of the domain names managed by de-accredited registrar EstDomains.

ICANN is analyzing the responses to that request and will take measures to effectuate a smooth transition of the domain names managed by EstDomains to a qualified ICANN- accredited registrar.

Courtesy of ICANN

12
Nov

Database Update - 13 Files (Low-Moderate Detection)

By djpnuemo Comments
Categories: Database Update, Low Detection, Malicious Domains, Malware and Rootkit

Only a smaller update today. Files available in /pnuemo-malware/. The installers I’ve been collecting are getting nastier and nastier. Keep everything updated!

xloader.exe
Result: 6/36 (16.67%)
MD5: efe48c6ea123b7d5a07f1beaf4b9efb1
VirusTotal
ThreatExpert Analysis
hxxp://adwords.google.com.upload.main.update.kliauj.cn

winlogon.exe
Result: 5/36 (13.89%)
MD5: 6c161cf9aefd577235547a0514ea7336
VirusTotal
ThreatExpert Analysis

brastk.exe
Result: 23/36 (63.89%)
MD5: 89bbe87df33a7722ce6bc890023a82c0
VirusTotal
ThreatExpert Analysis

uesiuqcr.exe & svchost.exe
Result: 14/36 (38.89%)
MD5: f74dc617cec41d36aca9ffc793add258
VirusTotal
ThreatExpert Analysis

getfn32.dll
Result: 6/36 (16.67%)
MD5: 98c8c4cc9ae42cbd630fc8c1aec50a50
VirusTotal
ThreatExpert Analysis

smwin32.dll
Result: 6/36 (16.67%)
MD5: 47c4fa178eefe5379856c7d35e953acd
VirusTotal
ThreatExpert Analysis

beep.sys
Result: 32/36 (88.89%)
MD5: e2bba2140204d6e4134828445a9c486c
VirusTotal
ThreatExpert Analysis

svchost.exe
Result: 19/36 (52.78%)
MD5: 57841b5c7ed709f6b5ff0027c014083b
VirusTotal
ThreatExpert Analysis

svchost.exe
Result: 24/36 (66.67%)
MD5: 26fafa838db23646661bfde34b537059
VirusTotal
ThreatExpert Analysis

l.exe
Result: 12/36 (33.34%)
MD5: 3f052a786ef71d4d9368732f9d25bfdf
VirusTotal
ThreatExpert Analysis
hxxp://worldfirefighter.com/wellstonfd

LDR24.tmp
Result: 18/36 (50%)
MD5: bd336a1191044325d0165b70fecc5520
VirusTotal
ThreatExpert Analysis

svchost.exe
Result: 17/36 (47.23%)
MD5: ff22b4365b9d2f8b8940c1558c82effd
VirusTotal
ThreatExpert Analysis

KB908995.exe (TDSServ Rootkit)
Result: 6/36 (16.67%)
MD5: 942aa524ab0de25a6750c5e9772fa387
VirusTotal
ThreatExpert Analysis
hxxp://google-analyze.cn

12
Nov

Fake control panel app installing multiple malware binaries

By djpnuemo Comments
Categories: Database Update and Malicious Links

Came across this nasty bugger today. It installs a few banker trojans, generic trojans, and a rootkit. Below you can see all of the files that it installs on the computer. These files are available in /pnuemo-malware/. Please read our FAQ for access to our repository.

BE ADVISED: These URL’s may still be active.  Proceed at your own risk!

video.cpl
Result: 19/36 (52.78%)
MD5: c87f1736ab9ac5d80a4027b5ba139f7c
VirusTotal
ThreatExpert Analysis
hxxp://amateur-sexy.whyza.net

kodnkwnv.sys
Result: 3/36 (8.34%)
MD5: 4ad5d5229f85f42e873fda98190b2f19
VirusTotal
ThreatExpert Analysis

certificado.exe
Result: 11/36 (30.56%)
MD5: 500a7df333ebe3d1e11d18b08b005e1e
VirusTotal
ThreatExpert Analysis

msnsgs.exe
Result: 17/36 (47.23%)
MD5: f53fea0cef9389535f9df74981527268
VirusTotal
ThreatExpert Analysis

codecs.exe & svchosts.exe & avg.exe
Result: 20/36 (55.56%)
MD5: 7b51419b022709cffec32fa24a23f510
VirusTotal
ThreatExpert Analysis

nppagent.exe
Result: 13/36 (36.12%)
MD5: 91f4c75a4f000f3b5bdc2cd74fb5d0d8
VirusTotal
ThreatExpert Analysis

outlok.exe
Result: 24/36 (66.67%)
MD5: 4dd0afcca8764bce567ebd853f022db7
VirusTotal
ThreatExpert Analysis

sounds.exe
Result: 11/35 (31.43%)
MD5: 0fba190253a84d28d022008ee42ea8e5
VirusTotal
ThreatExpert Analysis

sysmod.exe
Result: 11/35 (31.43%)
MD5: 2eb09ac08f87b9c4dd54c9d4be9241cc
VirusTotal
ThreatExpert Analysis

11
Nov

Database Update - 13 Files (Moderate Detection)

By djpnuemo Comments
Categories: Database Update and Malware

Here is an overdue update. I’ve been out of the loop for a bit. These files are of course available in /pnuemo-malware/ and please read the readme once more. I have changed again my cataloging. Sorry about that folks.

I have changed my cataloging again so please have a look at the readme. Also, there is a new feature this week. I have added a list of hashes from files I’ve collected but haven’t highlighted in this post. You can read more below or download the txt file.

AdobeMovie_v312.exe (Downloads or Creates: 9129837.exe & newdrv.sys)
Result: 15/36 (41.67%)
MD5: b362bd8f16d527b630793a520af91c67
VirusTotal
ThreatExpert Analysis

9129837.exe
Result: 28/36 (77.78%)
MD5: 642a588272e9fe723fb2f1dd8fccede5
VirusTotal
ThreatExpert Analysis

new_drv.sys
Result: 35/36 (97.23%)
MD5: a54de1d46ff7bdefbf9d9284c1916c5e
VirusTotal
ThreatExpert Analysis

doc.pdf (Downloads or Creates: vhosts.exe)
Result: 11/36 (30.56%)
MD5: 7156f4280b8ac9cda47074fb0fc49f86
VirusTotal

vhosts.exe
Result: 19/36 (52.78%)
MD5: 47565702c7796af23a64111e89a5ad91
VirusTotal
ThreatExpert Analysis

gadcom.exe
Result: 19/36 (52.78%)
MD5: ce4dbc7f1d6330ecc0f76f4fd31c3ac5
VirusTotal
ThreatExpert Analysis

file.exe (Downloads or Creates TDSSserv.sys rootkit)
Result: 25/36 (69.45%)
MD5: 40b3a11cd3d2a039dd1c305df1092be8
VirusTotal
ThreatExpert Analysis

install.exe
Result: 23/35 (65.72%)
MD5: 95207d0c1ec805b09ff0d72b67db0625
VirusTotal
ThreatExpert Analysis

figaro.sys & beep.sys
Result: 31/36 (86.12%)
MD5: a59f21ef436c750d259d136913c4be21
VirusTotal
ThreatExpert Analysis

brastk.exe
Result: 23/36 (63.89%)
MD5: fc039650b5152a40c5637fcd1abcd4c6
VirusTotal
ThreatExpert Analysis

23.exe (Downloads or Creates: E0D39066.dll & c39e8db.sys)
Result: 31/36 (86.12%)
MD5: da0ff007073da42f3328e16de0b61716
VirusTotal
ThreatExpert Analysis

E0D39066.dll
Result: 30/36 (83.34%)
MD5: 446dbceeaac129665302955c0f67c5f4
VirusTotal
ThreatExpert Analysis

c39e8db.sys
Result: 22/36 (61.12%)
MD5: 09f66bbe922e46f475e600b1110a3acb
VirusTotal
ThreatExpert Analysis

Continue reading ‘Database Update - 13 Files (Moderate Detection)’

25
Oct

Ocean Bank phishing/malware distribution through fake SSL certificate

By djpnuemo Comment
Categories: Database Update, Malicious Domains, Malicious Links, Malware, Malware Distribution and Phishing

Found another phishing/malware distribution scheme this time using Ocean Bank. Just as the ones we’ve seen in the past, it pushes a file to download that they say is a SSL certificate needed for security purposes. As you’ll see below there are quite a few URL’s pushing this malware and the ones listed are just a fraction of the total number. Once the file is run, it installs a rootkit to the system. The sample is available in /pnuemo-malware/.

BE ADVISED: These URL’s may still be active. Proceed at your own risk.

Oceanmultissl.exe (Downloads or Creates: s.exe)
Result: 21/34 (61.77%)
MD5: c4906f64d0ea19dab7a9e7626ee40781
VirusTotal
ThreatExpert Analysis

s.exe & 9129837.exe (Downloads or Creates: 9129837.exe & new_drv.sys)
Result: 18/36 (50%)
MD5: d951f3a8e3485c3c150ba17c0f53db86
VirusTotal
ThreatExpert Analysis

new_drv.sys
Result: 34/36 (94.45%)
MD5: a54de1d46ff7bdefbf9d9284c1916c5e
VirusTotal
ThreatExpert Analysis

ns1.domensinter.com
ns2.domensinter.com

hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.siteminderagent.verification.0wylzehgk.edfrkti.com/103541.html?/renewmirror/verification
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.siteminderagent.demystifying.1vzohkwd0.edfrkti.com/103541.html?/ptcontrol/services
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.sessionervlet.procedure.gnyit07m8.edfrkti.com/103541.html?/onlineupdate/rnalid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.sessionervlet.portalserver.jdv6kcukz.ceuewys.com/103541.html?/comreportid/onlineupdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.sessionervlet.portalserver.ifzsgwhsm.edfrkti.com/103541.html?/customerlogin/comservlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.sessionervlet.bankonenet.9sxkghaq8.gineehg.com/103541.html?/viewcontent/rnalid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.servletdologin.renewmirror.mnskscirl.ceuewys.com/103541.html?/sitesurvey/encrypted
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.servletdologin.ptcontrol.jcpptbgdz.ceuewys.com/103541.html?/procedure/actionvalidate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.servletdologin.carehtmlclient.lg3qhifus.ceuewys.com/103541.html?/memberverify/onlineupdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.servletdologin.bankonenet.aldz11d6n.gineehg.com/103541.html?/bankonenet/bankonline
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.services.rnalid.gyomouftr.reueys.com/103541.html?/securitychallenge/memberverify
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.services.portalserver.fkquawuv8.ceuewys.com/103541.html?/verification/exacttrget
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.selfservice.servletdologin.jgu801sal.edfrkti.com/103541.html?/servletdologin/bankonenet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.securitychallenge.certificateupdate.dpf29qakc.edfrkti.com/103541.html?/bankonline/sessionervlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.rnalid.portalserver.rczkjzpmm.reuybso.com/103541.html?/memberverify/procedure
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.rnalid.onlineupdatemirror.pqwzbc38r.reueys.com/103541.html?/communitypage/configlogin
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.renewmirror.slapiservlet.kjlxlurym.gineehg.com/103541.html?/certificateUpdate/carehtmlclient
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.renewmirror.demystifying.kululslhk.edfrkti.com/103541.html?/cfmasternbank/certificateUpdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.renewmirror.comreportid.0hbfmxry5.reueys.com/103541.html?/configlogin/selfservice
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.renewmirror.bankonenet.jrbks5mu1.reueys.com/103541.html?/demystifying/comreportid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.sessionervlet.zsbtlddf1.gineehg.com/103541.html?/doexte/certificateUpdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.ptcontrol.e9s82vmjo.edfrkti.com/103541.html?/ptcontrol/comreportid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.productsremote.uj8mqt7af.edfrkti.com/103541.html?/carehtmlclient/verification
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.portalserver.uhdirryyz.edfrkti.com/103541.html?/services/comreportid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.bankonline.xfadkkfg9.reueys.com/103541.html?/services/configlogin
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.privatelogin.onlineupdatemirror.hia3rhicq.edfrkti.com/103541.html?/linkbrowse/sessionervlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.privatelogin.exacttrget.sl1iyagjp.reueys.com/103541.html?/comservlet/communitypage
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.privatelogin.demystifying.ebulerhz1.reuybso.com/103541.html?/linkbrowse/selfservice
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.privatelogin.carehtmlclient.m0fz6fjtp.reuybso.com/103541.html?/customerlogin/configlogin
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.portalserver.renewmirror.e4s0uhfhb.edfrkti.com/103541.html?/communitypage/comservlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.portalserver.exacttrget.mkcxdf604.reueys.com/103541.html?/onlineupdatemirror/portalserver
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.portalserver.communitypage.f3lg1sydw.edfrkti.com/103541.html?/carehtmlclient/demystifying
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.onlineupdate.services.bodkqha20.edfrkti.com/103541.html?/communitypage/carehtmlclient
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.memberverify.certificateupdate.h5sfn919q.gineehg.com/103541.html?/exacttrget/sessionervlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.linkbrowse.privatelogin.ehe2hxod6.edfrkti.com/103541.html?/privatelogin/services
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.exacttrget.demystifying.djzxt6l3z.edfrkti.com/103541.html?/bankonenet/portalserver
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.encrypted.siteminderagent.oit17c3jq.edfrkti.com/103541.html?/sessionervlet/certificateUpdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.demystifying.rnalid.p7jzbwnji.gineehg.com/103541.html?/renewmirror/sitesurvey
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.demystifying.ptcontrol.utqnl5dg0.ceuewys.com/103541.html?/exacttrget/privatelogin

24
Oct

Database Update - 28 Files (Moderate Detection)

By djpnuemo Comments
Categories: Database Update, Malicious Domains, Malicious Links, Malware, Rogue, Rogue Security Software, Rogue Software and XP AntiSpyware 2009

Here is an update of files from this past week. These files are available in /pnuemo-malware/ in our repository. PLEASE READ UPDATED README.TXT!

BE ADVISED: These URL’s may still be active. Proceed at your own risk.

certificado-3.15.exe
Result: 12/36 (33.34%)
MD5: b249760cd0c1a3b21df8993604efe36b
VirusTotal
ThreatExpert
hxxp://212.98.9.4/Bradesco.com.br/

Flash_Player_9.exe (Downloads or Creates: winexec32.exe & wsys33.exe)
Result: 18/36 (50%)
MD5: f6d3cc53df4a70ee53a9a0a5288834da
VirusTotal
ThreatExpert
hxxp://www.momocortes.com/blog/media/2/

wsys33.exe
Result: 10/36 (27.78%)
MD5: fa0f6781e99d1d78c0d24417cb7b88fd
VirusTotal
Sunbelt Sandbox

exe.exe (Downloads or Creates: vhosts.exe)
Result: 24/36 (66.67%)
MD5: c28f755cdf4863de48659d84c68efab7
VirusTotal
ThreatExpert
hxxp://verynicejob.info/sxe/load.php

02.exe
Result: 8/36 (22.23%)
MD5: 166da263d55d3a06b0bac738ceea769a
VirusTotal
ThreatExpert
hxxp://regect.mobi/

item.gif (Downloads or creates: msxml71.dll)
Result: 7/35 (20%)
MD5: 0a5b198090739429b0e939078517c4d8
VirusTotal
ThreatExpert
hxxp://nessotr-help.com/images/

msxml71.dll
Result: 8/36 (22.23%)
MD5: 46b14c6da49eba5ab1a07bd63b001057
VirusTotal
ThreatExpert

skash.exe (Downloads or creates: figaro.sys, beep.sys, & brastk.exe)
Result: 17/36 (47.23%)
MD5: df565df07afc10489c4b419b1f252158
VirusTotal
ThreatExpert
hxxp://destinationsurfersparadise.com.au/lsi/

beep.sys & figaro.sys
Result: 31/36 (86.12%)
MD5: 14054908c961bb3af74f08fc9dbddeac
VirusTotal

brastk.exe
Result: 17/36 (47.23%)
MD5: 18bc3ea8f0ec094e5a8bacf19e4413b0
VirusTotal
ThreatExpert

serce.php
Result: 7/36 (19.45%)
MD5: 0f3d0ea3905df454581e0c59595f72a6
VirusTotal
ThreatExpert

ex002.exe
Result: 11/36 (30.56%)
MD5: 6f6b2be08feb03f26c84100a24b4891e
VirusTotal
ThreatExpert
hxxp://traff.loadmore.eu/t/l/

setup_1_1_.exe (Installs Pro Antispyware 2009)
Result: 1/36 (2.78%)
MD5: d62c9998be552d4a7189f4c656501e81
VirusTotal
ThreatExpert
hxxp://files.proas2009dl.com/load/

pdf.pdf
Result: 7/36 (19.45%)
MD5: 746f87f5fcf309bc0c5bc422007f3740
VirusTotal
hxxp://svinushka.net/forum/spl/

video20798.cfg
Result: 11/36 (30.56%)
MD5: 1b06e026fdb1fe6e42e66472bae3cc74
VirusTotal
hxxp://lyox-lib.com/addon/

9llCJ4amiU.exe
Result: 10/36 (27.78%)
MD5: 0662482dea0f312e1ed7bfdab7cf86b1
VirusTotal
ThreatExpert
hxxp://78.157.143.225/EX/

video.cfg
Result: 8/36 (22.23%)
MD5: 75dfc5f4c4cbc9367a830d216dec62a4
VirusTotal
hxxp://69.46.24.95/addon/

DivXCodecPKG.7.exe
Result: 2/36 (5.56%)
MD5: f6b635b62fe9a91e9bc0eb01ee827f67
VirusTotal
ThreatExpert
hxxp://softawe-download-forpc.com/

7-v3av.exe (Downloads or Creates: beep.sys, figaro.sys, & brastk.exe)
Result: 12/36 (33.34%)
MD5: aed0e8cb43f48862d89daf441fd844da
VirusTotal
ThreatExpert
hxxp://91.203.92.121/7-v3av.exe

beep.sys & figaro.sys
Result: 30/36 (83.34%)
MD5: b01ed4cec7f0aa6232d49202a71e3a5c
VirusTotal

brastk.exe
Result: 11/36 (30.56%)
MD5: faa1dfd63f02675c4e717c01a476e1f8
VirusTotal
ThreatExpert

setup.exe (Downloads or Creates: getsn32.dll, smwin32.dll, & uesiuqcr.exe)
Result: 11/36 (30.56%)
MD5: d2e8f5095dcd62f912fd233c4e2e5459
VirusTotal
ThreatExpert
hxxp://kb960830-sp2-x86.enu.v6.updates.cab.windowupdate.micros0ft.com.microsofred.cn/

getsn32.dll
Result: 5/36 (13.89%)
MD5: a33aa3d2d4f3a78aa51b3bafb9ce34e1
VirusTotal
ThreatExpert

smwin32.dll
Result: 2/36 (5.56%)
MD5: 39f89f98990a946bc31cb0271b2d3e19
VirusTotal
ThreatExpert

uesiuqcr.exe
Result: 12/36 (33.34%)
MD5: d2e8f5095dcd62f912fd233c4e2e5459
VirusTotal
ThreatExpert

b156.exe
Result: 18/36 (50%)
MD5: 05411d4f5b6a3b430dcd30bea1731362
VirusTotal
ThreatExpert
hxxp://dl2.bundlext.com:8080/get.php

Removal:
Remove this threat with MalwareBytes!

15
Oct

Database Update - 13 Files (Low-Moderate Detection)

By djpnuemo Comments
Categories: Database Update, Malicious Domains, Malicious Links and Malware

Here is todays update of malware. Some interesting finds today! As always, the files are available under /pnuemo-malware/ in our repository.

BE ADVISED: The URLs may still be live. Proceed at your own risk.

Serv46.exe & asedf2g2.exe (Downloads/Creates the files: tcpip.sys, MSWINSCK.OCX, asedf2g2.exe, & jhil8.exe)
Result: 11/36 (30.56%)
MD5: ebbbda43a97c73d50adc34803155cc41
VirusTotal
ThreatExpert Analysis
hxxp://58.221.254.219:86/Serv46.exe

MSWINSCK.OCX
Result: 0/36 (0%)
MD5: e8a2190a9e8ee5e5d2e0b599bbf9dda6
VirusTotal

jhil8.exe
Result: 2/36 (5.56%)
MD5: 04d98f36c2a1b79a40c97619c1c3ed31
VirusTotal
ThreatExpert Analysis

tcpip.sys
Result: 1/36 (2.78%)
MD5: 1745b00fc1141404b28f4b94f69a8871
VirusTotal
ThreatExpert Analysis

Psetup.exe (Downloads/Creates the files: newie.exe & msgsvc.dll)
Result: 6/36 (16.67%)
MD5: 812474725260a3646b5f0ecad9602ee5
VirusTotal
ThreatExpert Analysis
hxxp://soft.client-get-data.com/soft2/qq569752824/Psetup.exe

newie.exe
Result: 3/36 (8.34%)
MD5: af619d7871d7dbb4dbd3295c4336d76b
VirusTotal
ThreatExpert Analysis
hxxp://soft.client-get-data.com/soft2/qq569752824

msgsvc.dll
Result: 4/36 (11.12%)
MD5: 103d90d32fcf59b82a2315820bbe7470
VirusTotal
Sunbelt Sandbox

DSC1435.exe (Downloads/Creates the files: DJ12335.exe & D4722.exe)
Result: 11/36 (30.56%)
MD5: d837e1f5ff46c8e51c442690705782fd
VirusTotal
ThreatExpert Analysis

DJ12335.exe
Result: 16/36 (44.45%)
MD5: a5785c6cc41bcd48b94d8bf2477c9004
VirusTotal
ThreatExpert Analysis
hxxp://chiring.de/temp

D4722.exe (Downloads/Creates the files: Windows32.exe)
Result: 14/36 (38.89%)
MD5: a267139ce72faff6e05394792b031e49
VirusTotal
ThreatExpert Analysis
hxxp://chiring.de/temp

Windows32.exe
Result: 13/35 (37.14%)
MD5: c1a850a6c0946a3a970715968279236b
VirusTotal

showsoft.exe
Result: 4/36 (11.12%)
MD5: a2c091f45b4319ba2aeba3527c50db73
VirusTotal
ThreatExpert Analysis
hxxp://www.777tool.com/showsoft.exe

14
Oct

eBay phishing websites

By djpnuemo Comments
Categories: Malicious Domains, Malicious Links and Phishing

Here are some domains hosting eBay phishing sites. These are intended to harvest user credentials for the popular auction site. This along with the M&I Bank post are intended to show how well these pages are created and can trick even an educated web surfer.

Below is a screenshot of the phishing website along with domains that are currently hosting the phishing site.

hxxp://signin.ebay.com.pwitr7y9scfbu51yl.333krv7olw2ynfgw1n.web.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=x&ref=eb&sspagename=ADME:X:CEM:US
hxxp://signin.ebay.com.gdriyip90t1a.333m9ocosl9h7fo985.info.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=belfire27@aol.com&ref=eba1&sspagename=ADME:X:CEM:U
hxxp://signin.ebay.com.j4eupml07uipz.333ana77×9jwudokll.net.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=mattlisab28@aol.com&ref=eba1&sspagename=ADME:X:CEM:U
hxxp://signin.ebay.com.ri0g9apjjlf4algqb8k.333krv7olw2ynfgw1n.info.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=saco252@aol.com&ref=eba1&sspagename=ADME:X:CEM:US
hxxp://signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.yes.copartnerid.siteid.pagetype.update.service.account.login.f033ab37c30201f73f142449d037028d.mldfki29y30×11lpx3.com/ws/eBayISAPI.dll/?cmd=SignIn&co_partnerId=2&pUserId=&email=dropshippeddirect@verizon.net&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav=&confirm=&ebxPageType=&existingEmail=&isCheckout=&migrateVisitor&MfcISAPICommand=ConfirmRegistration
hxxp://signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.yes.copartnerid.siteid.pagetype.update.service.account.login.44f683a84163b3523afe57c2e008bc8c.df34uifyn389o13f1c.com/ws/eBayISAPI.dll/?cmd=SignIn&
hxxp://signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.yes.copartnerid.siteid.pagetype.update.service.account.login.ea5d2f1c4608232e07d3aa3d998e5135.df34uifyn389o13f1c.com/ws/eBayISAPI.dll/?cmd=SignIn&
hxxp://signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.yes.copartnerid.siteid.pagetype.update.service.account.login.fe9fc289c3ff0af142b6d3bead98a923.pqmdcjh8y2tnx2i3rc.com/ws/eBayISAPI.dll/?cmd=SignIn&co_partnerId=2&pUserId=&email=margimac@earthlink.net&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav=&confirm=&ebxPageType=&existingEmail=&isCheckout=&migrateVisitor&MfcISAPICommand=ConfirmRegistration
hxxp://signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.yes.copartnerid.siteid.pagetype.update.service.account.login.d82c8d1619ad8176d665453cfb2e55f0.pqmdcjh8y2tnx2i3rc.com/ws/eBayISAPI.dll/?cmd=SecurityMeasure&co_partnerId=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=&pa2=&errmsg=&runame=&email=lance@lbcad.com
hxxp://signin.ebay.com.pwitr7y9scfbu51yl.333krv7olw2ynfgw1n.web.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=x&ref=eb&sspagename=ADME:X:CEM:US
hxxp://signin.ebay.com.0m3kw84y2qx3mdf.333krv7olw2ynfgw1n.com.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=lisettechiasson@hotmail.com&ref=eb&sspagename=ADME:X:CEM:U
hxxp://signin.ebay.com.j03tlcwradrnyl6ecj.333krv7olw2ynfgw1n.com.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=tlizzie1@aol.com&ref=eba1&sspagename=ADME:X:CEM:U
hxxp://signin.ebay.com.rbjvo7q3uk3dpnj.333krv7olw2ynfgw1n.com.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=moskaterx@yahoo.com&ref=eb&sspagename=ADME:X:CEM:U
hxxp://signin.ebay.com.5ya63pn8gzhev4ko413.333krv7olw2ynfgw1n.com.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=robdebaa@aol.com&ref=eba1&sspagename=ADME:X:CEM:U
hxxp://signin.ebay.com.4oz0i3iiahwup.333krv7olw2ynfgw1n.com.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=fx94@aol.com&ref=eba1&sspagename=ADME:X:CEM:U
hxxp://signin.ebay.com.cflc4xfunpul.333krv7olw2ynfgw1n.com.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=jackster@consolidated.net&ref=eb&sspagename=ADME:X:CEM:U

« Previous Entries

Malware Database Forum



Click for

Malware Removal Information



Special Deals


$20 Off Panda Internet Security 2009

 

December 2008
M T W T F S S
« Nov    
1234567
891011121314
15161718192021
22232425262728
293031  

Support Malware Database!


Security Engineering: A Guide to Building Dependable Distributed Systems

Reversing: Secrets of Reverse Engineering

Crimeware: Understanding New Attacks and Defenses (Symantec Press)

Security Power Tools

IT Security Interviews Exposed: Secrets to Landing Your Next Information Security Job

Windows Command-Line Administrator's Pocket Consultant, 2nd Edition

CompTIA Security+ Certification Kit