Archive for the 'Malicious Domains' Category

27 Nov

Fake antivirus site features drive-by install of PDF exploits

Here’s a fake antivirus site that has a special *gift* for you when you visit: PDF exploits! When you visit the site, it attempts a drive-by install using an exploit-embedded PDF file.

Bad Site:
hxxp://2008-noadware-antivirus.com (68.180.151.74)
AS36752 | 68.180.151.74 | YAHOO-SP1 - Yahoo

Goes to:
hxxp://abb192.cn/exp/index.php
hxxp://abb192.cn/exp/load.php?id=2926
abb192.cn (82.192.88.2)
AS16265 | 82.192.88.2 | LEASEWEB LEASEWEB AS

Launches a process called AcroRd32.exe (Acrobat Reader) and slows your machine down to a crawl.

Pulls down a PDF file. VT coverage is 10/37.
http://www.virustotal.com/analisis/28d3a59…f1ac43bd00fe253

Found a load.exe file from hxxp://abb192.cn/exp/load.php?id=2926.
VT coverage is low: 4/37.
http://www.virustotal.com/analisis/e22e2de…830413b3d949441

See a connection to:
hxxp://sp2.information.com/?epl=[long encoded parameter omitted]

abb192.cn was registered on 10/29 and hosted on a Leaseweb box in Amsterdam.
Other domains on that IP 82.192.88.2:
abbcp.cn
abc801.cn
bmanager.shadypart.net
shadypart.net

-mwdisector

15 Nov

Database Update - 19 Files (Low Detection)

Quite a few files were added to the database today. As you can see below, these aren’t detected by many of the AVs out there.

BE ADVISED: These URLs may still be active. Proceed at your own risk!

A9installer_77024202.exe
Result: 0/36 (0%)
MD5: fd6c1b0cec99796c72213ee330eb7b58
VirusTotal
ThreatExpert Analysis
hxxp://allinone-scanner.com/2009

av_2009.exe
Result: 1/36 (2.78%)
MD5: 4c68e58e317f7111ac147d5279ef23e0
VirusTotal
ThreatExpert Analysis

zcodec.1482.exe
Result: 3/36 (8.34%)
MD5: 9acea07175a11ae690263f9be7828467
VirusTotal
ThreatExpert Analysis
hxxp://codecdownload.pc-storesoft.com

doc.pdf
Result: 10/36 (27.78%)
MD5: 220e84ba5748fbd62234f3f8db52c660
VirusTotal
hxxp://chanchoi.cn

default.exe
Result: 13/36 (36.12%)
MD5: 58e3a60289854bb435570a14ac3c616e
VirusTotal
ThreatExpert Analysis
hxxp://chanchoi.cn

kryostm.dll
Result: 21/36 (58.34%)
MD5: b8d72237913a95b597583f8f91181ed8
VirusTotal
ThreatExpert Analysis

kryo2.sys & pavtpk.sys
Result: 20/36 (55.56%)
MD5: abbce53fa9411adbd8a870ae9c27a92e
VirusTotal
ThreatExpert Analysis

test.pdf
Result: 10/36 (27.78%)
MD5: 220e84ba5748fbd62234f3f8db52c660
VirusTotal
hxxp://onlinestat.cn

file1.exe & U.exe
Result: 4/36 (11.12%)
MD5: 0fe5b393bef43d95f5e86c820097491e
VirusTotal
ThreatExpert Analysis
hxxp://onlinestat.cn

ntos.exe
Result: 4/36 (11.12%)
MD5: fbe5869d3f03108296e10a81e9b7d160
VirusTotal
ThreatExpert Analysis

After multiple runs through a sandbox, these different binaries were downloaded.

ntos.exe
Result: 4/36 (11.12%)
MD5: df4f605f59823324cceaf359d46a5d27
VirusTotal
ThreatExpert Analysis

ntos.exe
Result: 5/36 (13.89%)
MD5: fa736d7136176eebfcefd109b33f2e90
VirusTotal
ThreatExpert Analysis

soft.exe
Result: 9/36 (25%)
MD5: dcdd783dd8f84ef8b9a0c8233d152540
VirusTotal
ThreatExpert Analysis

csrss7.dll
Result: 3/36 (8.34%)
MD5: e87c0ab9c96b000f86199118d38539c1
VirusTotal
ThreatExpert Analysis

This also modified the hosts file to block international search engines (AOL, Google, and MSN).
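The hosts-file tampering noted above is easy to check for on a suspect machine. The following is an added example, not code from this blog: it parses hosts-file content (a constructed sample modelled on the behaviour described, with the search-engine names pinned to loopback) and flags any entry that pins one of those domains, whatever address it points to.

```python
import ipaddress

# Constructed hosts-file content modelled on the tampering described above:
# search-engine names pinned to the loopback address so they stop resolving.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.google.com
127.0.0.1 google.com
127.0.0.1 www.msn.com  # added by dropper
127.0.0.1 search.aol.com
"""

# Public domains that a hosts-file override should never touch on a normal
# machine: the three search engines named on this page.
WATCHED_SUFFIXES = ("google.com", "msn.com", "aol.com")

# Names that legitimately map to loopback in a stock hosts file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            yield addr, name.lower()


def is_expected(addr, name):
    """True for the loopback entries every hosts file carries."""
    try:
        return name in LOOPBACK_NAMES and ipaddress.ip_address(addr).is_loopback
    except ValueError:  # not a parsable address; let the caller decide
        return False


def suspicious_entries(text, watched=WATCHED_SUFFIXES):
    """Return entries that pin a watched domain to any address at all.

    The hosts file overrides DNS, so a public domain listed here is either
    blocked (loopback) or redirected (any other address); both deserve an alert.
    """
    hits = []
    for addr, name in parse_hosts(text):
        if is_expected(addr, name):
            continue
        if any(name == s or name.endswith("." + s) for s in watched):
            hits.append((addr, name))
    return hits
```

On Windows the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; on Unix-like systems it is /etc/hosts.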

doc.pdf
Result: 12/36 (33.34%)
MD5: 9b3822a11c9e94763150282f0c9b1d01
VirusTotal

default.exe & ~.exe
Result: 8/36 (22.23%)
MD5: 4dcc389638a9cf14972752df79ed0dd6
VirusTotal
ThreatExpert Analysis

nvaux32.exe
Result: 8/36 (22.23%)
MD5: 94d724d0740a3f6a26b624051950b053
VirusTotal
ThreatExpert Analysis

user32.dll
Result: 8/35 (22.86%)
MD5: 5f24060f06fd415314485a66a0be8726
VirusTotal
ThreatExpert Analysis

flash_update.exe (Koobface Facebook Worm)
Result: 7/36 (19.45%)
MD5: f47a95dc8003bb0f206d836b757fa9f3
VirusTotal
ThreatExpert Analysis
hxxp://youtube-cam.com
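The entry layout used in these database updates (filename, Result: n/m, MD5, link labels, optional hxxp source URL) is regular enough to parse. The following is an added example and not the blog’s own tooling: it reads a constructed sample of entries copied from this page, flags low-detection samples, groups entries that share an MD5 (the same sample under different filenames), tolerates a hash wrapped onto the following line, and collects the defanged source hosts into a blocklist.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample in the layout this blog uses for database updates;
# the values are copied from entries on this page.
SAMPLE = """\
doc.pdf
Result: 10/36 (27.78%)
MD5: 220e84ba5748fbd62234f3f8db52c660
VirusTotal
hxxp://chanchoi.cn

test.pdf
Result: 10/36 (27.78%)
MD5: 220e84ba5748fbd62234f3f8db52c660
VirusTotal
hxxp://onlinestat.cn

services.exe
Result: 19/36 (52.78%)
MD5:
c629db60a9a5d7303419b5153d3e9b0b
VirusTotal

A9installer_77024202.exe
Result: 0/36 (0%)
MD5: fd6c1b0cec99796c72213ee330eb7b58
VirusTotal
hxxp://allinone-scanner.com/2009
"""

RESULT_RE = re.compile(r"^Result:\s*(\d+)\s*/\s*(\d+)")
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


@dataclass
class Entry:
    name: str
    detected: int = 0
    engines: int = 0
    md5: str = ""
    hosts: list = field(default_factory=list)

    @property
    def ratio(self) -> float:
        return self.detected / self.engines if self.engines else 0.0


def refang_host(url: str) -> str:
    """Turn a defanged hxxp:// URL back into a bare hostname for matching."""
    return urlsplit(re.sub(r"^hxxp", "http", url, flags=re.I)).hostname or ""


def parse_entries(text: str) -> list:
    """Split the flattened listing into blank-line separated entries."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        entry = Entry(name=lines[0])
        expect_md5 = False  # "MD5:" seen with its value wrapped to the next line
        for line in lines[1:]:
            if expect_md5 and MD5_RE.match(line):
                entry.md5, expect_md5 = line.lower(), False
            elif (m := RESULT_RE.match(line)):
                entry.detected, entry.engines = int(m.group(1)), int(m.group(2))
            elif line.startswith("MD5:"):
                value = line[4:].strip()
                if MD5_RE.match(value):
                    entry.md5 = value.lower()
                else:
                    expect_md5 = True
            elif line.lower().startswith("hxxp"):
                entry.hosts.append(refang_host(line))
            # link labels such as "VirusTotal" carry no data and are skipped
        entries.append(entry)
    return entries


def low_detection(entries, threshold=0.20):
    """Names of samples flagged by fewer than `threshold` of the engines."""
    return [e.name for e in entries if e.ratio < threshold]


def duplicate_samples(entries):
    """Group names by MD5: one sample often shows up under several filenames."""
    by_hash = defaultdict(list)
    for e in entries:
        if e.md5:
            by_hash[e.md5].append(e.name)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


def blocklist(entries):
    """Distinct source hosts, suitable for a proxy or DNS blocklist."""
    return sorted({h for e in entries for h in e.hosts if h})
```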

13 Nov

Database Update - 16 Files (Low-Moderate Detection)

Another update for tonight. Should have more over the weekend. Find them in /pnuemo-malware/.

BE ADVISED: These URLs may still be active. Proceed at your own risk!

services.exe
Result: 19/36 (52.78%)
MD5: c629db60a9a5d7303419b5153d3e9b0b
VirusTotal
ThreatExpert Analysis

nd82m0.dll
Result: 5/36 (13.89%)
MD5: d6f2135dc562c7d4992cf2cea2166707
VirusTotal
ThreatExpert Analysis
hxxp://85.17.166.182

kb600179.dll
Result: 5/36 (13.89%)
MD5: f946f8c3de445d45c7eb34591bee037b
VirusTotal
ThreatExpert Analysis
hxxp://89.188.16.30

setup_457_6777_.exe
Result: 1/36 (2.78%)
MD5: e9339f9045368947789ec70739de4b21
VirusTotal
ThreatExpert Analysis
hxxp://files.download-antispyware.com

scanner_457_6777_.exe
Result: 16/36 (44.44%)
MD5: e0f855c6c5fc93f0a8ed1fe9e702e492
VirusTotal
ThreatExpert Analysis
hxxp://dl.storage-antispyware.com/get/

42.exe
Result: 4/36 (11.12%)
MD5: f5201b9e77b7b31443b4e0e6190e219f
VirusTotal
ThreatExpert Analysis
hxxp://85.92.157.141/mxlivemedia/

msansspc.dll
Result: 6/36 (16.67%)
MD5: 3cc545e42b9bb14df4a63f2a37aebdb0
VirusTotal
ThreatExpert Analysis

mvnzivtlmzhxi.dll
Result: 7/36 (19.45%)
MD5: 7614e7448f1983b9641e9699f67576a4
VirusTotal
ThreatExpert Analysis

pdf.pdf
Result: 6/36 (16.67%)
MD5: a3f83503a165a19c4b01328463175cd7
VirusTotal
hxxp://activision.cc/1/spl

twext.exe
Result: 11/36 (30.56%)
MD5: 5767c816cb20753976df2edb60eaf448
VirusTotal
ThreatExpert Analysis

load.exe
Result: 12/36 (33.34%)
MD5: 9b467bdc6dd1b3e68651b7039cd373c8
VirusTotal
ThreatExpert Analysis
hxxp://activision.cc/1/

xcvb.pdf
Result: 4/36 (11.12%)
MD5: e3b86145de00ebfab3e3159d24b81104
VirusTotal
hxxp://91.203.92.137/xcv/

install.exe
Result: 16/36 (44.45%)
MD5: 0869881865032bd1b3b08d82e5e4f404
VirusTotal
ThreatExpert Analysis
hxxp://91.203.92.137/xcv/

beep.sys & figaro.sys
Result: 29/36 (80.56%)
MD5: c4618f889863b5aa357f5f5ba8f353d6
VirusTotal
ThreatExpert Analysis

brastk.exe
Result: 14/36 (38.89%)
MD5: 0d63a88fdb4259de8280f8bb7d78ec35
VirusTotal
ThreatExpert Analysis

KB908268.exe
Result: 7/36 (19.45%)
MD5: 504eb66e741186a61792862f0a83ff82
VirusTotal
ThreatExpert Analysis
hxxp://76.74.239.143/weruoiq/

msansspc.dll
Result: 6/36 (16.67%)
MD5: 3cc545e42b9bb14df4a63f2a37aebdb0
VirusTotal
ThreatExpert Analysis

12 Nov

EstDomains shut down effective November 24th, 2008

I thought it was worth noting that today ICANN finally decided to terminate EstDomains’ ability to register domains. EstDomains has turned the other cheek to their clients’ use of their services. The shutting down of some, if not all, of their registered domains will definitely help in slowing down the spread of some new malware, although I’m sure the gangs have already planned for this and have started to move some of their operations.

The termination of ICANN-accredited registrar EstDomains is to go ahead, effective 24 November 2008.

On 28 October 2008, ICANN sent a notice of termination to EstDomains, Inc. (EstDomains) based on an Estonian Court record reflecting the conviction of EstDomains’ then president, Vladimir Tsastsin, of credit card fraud, money laundering and document forgery.

Pursuant to Section 5.3 of the Registrar Accreditation Agreement (RAA), ICANN may terminate the RAA before its expiration when, “Any officer or director of [a] Registrar is convicted of a felony or of a misdemeanor related to financial activities, or is adjudged by a court to have committed fraud or breach of fiduciary duty, or is the subject of judicial determination that ICANN deems as the substantive equivalent of any of these; provided such officer or director is not removed in such circumstances.”

ICANN received a response from EstDomains on 29 October in which it indicated that the Estonian Court record on which ICANN relied was not final and had been appealed. ICANN pended the termination of EstDomains’ RAA to analyze the claims made by EstDomains and to obtain independent information regarding the status of the alleged appeal.

On 7 November 2008, EstDomains was informed that, based on ICANN’s findings, ICANN was proceeding with the termination of EstDomains’ RAA, effective 24 November 2008.

ICANN’s records indicate that EstDomains manages approximately 281,000 domain names. To protect the interests of registrants, on 28 October 2008, ICANN published a Request for Information seeking expressions of interest from registrars to receive a bulk transfer of the domain names managed by de-accredited registrar EstDomains.

ICANN is analyzing the responses to that request and will take measures to effectuate a smooth transition of the domain names managed by EstDomains to a qualified ICANN-accredited registrar.

Courtesy of ICANN

12 Nov

Database Update - 13 Files (Low-Moderate Detection)

Only a smaller update today. Files available in /pnuemo-malware/. The installers I’ve been collecting are getting nastier and nastier. Keep everything updated!

xloader.exe
Result: 6/36 (16.67%)
MD5: efe48c6ea123b7d5a07f1beaf4b9efb1
VirusTotal
ThreatExpert Analysis
hxxp://adwords.google.com.upload.main.update.kliauj.cn

winlogon.exe
Result: 5/36 (13.89%)
MD5: 6c161cf9aefd577235547a0514ea7336
VirusTotal
ThreatExpert Analysis

brastk.exe
Result: 23/36 (63.89%)
MD5: 89bbe87df33a7722ce6bc890023a82c0
VirusTotal
ThreatExpert Analysis

uesiuqcr.exe & svchost.exe
Result: 14/36 (38.89%)
MD5: f74dc617cec41d36aca9ffc793add258
VirusTotal
ThreatExpert Analysis

getfn32.dll
Result: 6/36 (16.67%)
MD5: 98c8c4cc9ae42cbd630fc8c1aec50a50
VirusTotal
ThreatExpert Analysis

smwin32.dll
Result: 6/36 (16.67%)
MD5: 47c4fa178eefe5379856c7d35e953acd
VirusTotal
ThreatExpert Analysis

beep.sys
Result: 32/36 (88.89%)
MD5: e2bba2140204d6e4134828445a9c486c
VirusTotal
ThreatExpert Analysis

svchost.exe
Result: 19/36 (52.78%)
MD5: 57841b5c7ed709f6b5ff0027c014083b
VirusTotal
ThreatExpert Analysis

svchost.exe
Result: 24/36 (66.67%)
MD5: 26fafa838db23646661bfde34b537059
VirusTotal
ThreatExpert Analysis

l.exe
Result: 12/36 (33.34%)
MD5: 3f052a786ef71d4d9368732f9d25bfdf
VirusTotal
ThreatExpert Analysis
hxxp://worldfirefighter.com/wellstonfd

LDR24.tmp
Result: 18/36 (50%)
MD5: bd336a1191044325d0165b70fecc5520
VirusTotal
ThreatExpert Analysis

svchost.exe
Result: 17/36 (47.23%)
MD5: ff22b4365b9d2f8b8940c1558c82effd
VirusTotal
ThreatExpert Analysis

KB908995.exe (TDSServ Rootkit)
Result: 6/36 (16.67%)
MD5: 942aa524ab0de25a6750c5e9772fa387
VirusTotal
ThreatExpert Analysis
hxxp://google-analyze.cn

03 Nov

Antivirus Pro 2009 - Exploiting Human Weakness for Money

Note: The sites we talk about in this post distribute Rogue “Fake” Anti-Malware products. Do not visit, pay for, or download the software discussed below.

Almost every day our viewers ask us about Rogue anti-malware software. Out of all of the questions we receive, the most common is “When will these attacks stop?” The sad truth is that we see no end to this problem in sight. As long as malicious individuals are able to trick or force users into downloading, installing, and eventually paying for their fake “Rogue” anti-malware products, they will continue to develop them and push the envelope.

Antivirus Pro 2009

If the browser blocks the download, the user is prompted with the following message. When the user clicks “Click here to get full advanced real-time protection and continue browsing”, they are forwarded automatically to the payment gateway page.

“Insecure Internet Activity. Threat of Virus Attack!  Due to the insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes”

Antivirus Pro 2009 Browser Warning

Installer:

There are three possible options in the Antivirus Pro 2009 installer: Continue, Terms of Service, and Cancel.

Antivirus Pro 2009

Canceling the Installation:

When attempting to exit the installer via the Cancel button, the selected option defaults to “Continue with installing and running free scanner.”

Antivirus Pro 2009 Cancel Install

Terms of Service:

Antivirus Pro 2009 Terms of Service

Interface:

The interface may look convincing to unsuspecting victims.

Antivirus Pro 2009 Interface

Scare Messages:

Victims are presented with various scare messages to entice a purchase.

“WARNING! Antivirus Pro 2009 has found 27 useless and UNWANTED files on your computer!”

Personal data at the reach of anyone’s hand

Internet history records available

Compromising and adult material stored on your system

Chat sessions’ logs and personal Emails easily reachable

Antivirus Pro 2009 Scare Tactics

Payment Gateway:

hxxps://secure.soft-payments.com via AS20495 (WEDARE We Dare BV Autonomous System)

secure.soft-payments.com

Antivirus Pro 2009 Payment Gateway

SharedNS:

Antivirus Pro 2009 Shared NS

VirusTotal:

7/36 (19.44%) -> hxxp://www.av-pro-2009.com

7/36 (19.44%) -> hxxp://xp-as-2009.com

11/36 (30.56%) -> hxxp://xpas-2009.com

16/36 (44.44%) -> hxxp://av-pro2009.com

16/36 (44.44%) -> hxxp://avpro-2009.com

16/36 (44.44%) -> hxxp://avpro2009.com/

Removal Information: Need help removing this malware?
Click here for more information on the removal process.

Don’t forget to ask for help in our user forums!

25 Oct

Ocean Bank phishing/malware distribution through fake SSL certificate

Found another phishing/malware distribution scheme, this time using Ocean Bank. Like the ones we’ve seen in the past, it pushes a file to download that is claimed to be an SSL certificate needed for security purposes. Quite a few URLs push this malware, and the ones we have collected are just a fraction of the total number. Once the file is run, it installs a rootkit on the system. The sample is available in /pnuemo-malware/.

BE ADVISED: These URLs may still be active. Proceed at your own risk.

Oceanmultissl.exe (Downloads or Creates: s.exe)
Result: 21/34 (61.77%)
MD5: c4906f64d0ea19dab7a9e7626ee40781
VirusTotal
ThreatExpert Analysis

s.exe & 9129837.exe (Downloads or Creates: 9129837.exe & new_drv.sys)
Result: 18/36 (50%)
MD5: d951f3a8e3485c3c150ba17c0f53db86
VirusTotal
ThreatExpert Analysis

new_drv.sys
Result: 34/36 (94.45%)
MD5: a54de1d46ff7bdefbf9d9284c1916c5e
VirusTotal
ThreatExpert Analysis

ns1.domensinter.com
ns2.domensinter.com


24 Oct

Database Update - 28 Files (Moderate Detection)

Here is an update of files from this past week. These files are available in /pnuemo-malware/ in our repository. PLEASE READ UPDATED README.TXT!

BE ADVISED: These URLs may still be active. Proceed at your own risk.

certificado-3.15.exe
Result: 12/36 (33.34%)
MD5: b249760cd0c1a3b21df8993604efe36b
VirusTotal
ThreatExpert
hxxp://212.98.9.4/Bradesco.com.br/

Flash_Player_9.exe (Downloads or Creates: winexec32.exe & wsys33.exe)
Result: 18/36 (50%)
MD5: f6d3cc53df4a70ee53a9a0a5288834da
VirusTotal
ThreatExpert
hxxp://www.momocortes.com/blog/media/2/

wsys33.exe
Result: 10/36 (27.78%)
MD5: fa0f6781e99d1d78c0d24417cb7b88fd
VirusTotal
Sunbelt Sandbox

exe.exe (Downloads or Creates: vhosts.exe)
Result: 24/36 (66.67%)
MD5: c28f755cdf4863de48659d84c68efab7
VirusTotal
ThreatExpert
hxxp://verynicejob.info/sxe/load.php

02.exe
Result: 8/36 (22.23%)
MD5: 166da263d55d3a06b0bac738ceea769a
VirusTotal
ThreatExpert
hxxp://regect.mobi/

item.gif (Downloads or creates: msxml71.dll)
Result: 7/35 (20%)
MD5: 0a5b198090739429b0e939078517c4d8
VirusTotal
ThreatExpert
hxxp://nessotr-help.com/images/

msxml71.dll
Result: 8/36 (22.23%)
MD5: 46b14c6da49eba5ab1a07bd63b001057
VirusTotal
ThreatExpert

skash.exe (Downloads or creates: figaro.sys, beep.sys, & brastk.exe)
Result: 17/36 (47.23%)
MD5: df565df07afc10489c4b419b1f252158
VirusTotal
ThreatExpert
hxxp://destinationsurfersparadise.com.au/lsi/

beep.sys & figaro.sys
Result: 31/36 (86.12%)
MD5: 14054908c961bb3af74f08fc9dbddeac
VirusTotal

brastk.exe
Result: 17/36 (47.23%)
MD5: 18bc3ea8f0ec094e5a8bacf19e4413b0
VirusTotal
ThreatExpert

serce.php
Result: 7/36 (19.45%)
MD5: 0f3d0ea3905df454581e0c59595f72a6
VirusTotal
ThreatExpert

ex002.exe
Result: 11/36 (30.56%)
MD5: 6f6b2be08feb03f26c84100a24b4891e
VirusTotal
ThreatExpert
hxxp://traff.loadmore.eu/t/l/

setup_1_1_.exe (Installs Pro Antispyware 2009)
Result: 1/36 (2.78%)
MD5: d62c9998be552d4a7189f4c656501e81
VirusTotal
ThreatExpert
hxxp://files.proas2009dl.com/load/

pdf.pdf
Result: 7/36 (19.45%)
MD5: 746f87f5fcf309bc0c5bc422007f3740
VirusTotal
hxxp://svinushka.net/forum/spl/

video20798.cfg
Result: 11/36 (30.56%)
MD5: 1b06e026fdb1fe6e42e66472bae3cc74
VirusTotal
hxxp://lyox-lib.com/addon/

9llCJ4amiU.exe
Result: 10/36 (27.78%)
MD5: 0662482dea0f312e1ed7bfdab7cf86b1
VirusTotal
ThreatExpert
hxxp://78.157.143.225/EX/

video.cfg
Result: 8/36 (22.23%)
MD5: 75dfc5f4c4cbc9367a830d216dec62a4
VirusTotal
hxxp://69.46.24.95/addon/

DivXCodecPKG.7.exe
Result: 2/36 (5.56%)
MD5: f6b635b62fe9a91e9bc0eb01ee827f67
VirusTotal
ThreatExpert
hxxp://softawe-download-forpc.com/

7-v3av.exe (Downloads or Creates: beep.sys, figaro.sys, & brastk.exe)
Result: 12/36 (33.34%)
MD5: aed0e8cb43f48862d89daf441fd844da
VirusTotal
ThreatExpert
hxxp://91.203.92.121/7-v3av.exe

beep.sys & figaro.sys
Result: 30/36 (83.34%)
MD5: b01ed4cec7f0aa6232d49202a71e3a5c
VirusTotal

brastk.exe
Result: 11/36 (30.56%)
MD5: faa1dfd63f02675c4e717c01a476e1f8
VirusTotal
ThreatExpert

setup.exe (Downloads or Creates: getsn32.dll, smwin32.dll, & uesiuqcr.exe)
Result: 11/36 (30.56%)
MD5: d2e8f5095dcd62f912fd233c4e2e5459
VirusTotal
ThreatExpert
hxxp://kb960830-sp2-x86.enu.v6.updates.cab.windowupdate.micros0ft.com.microsofred.cn/

getsn32.dll
Result: 5/36 (13.89%)
MD5: a33aa3d2d4f3a78aa51b3bafb9ce34e1
VirusTotal
ThreatExpert

smwin32.dll
Result: 2/36 (5.56%)
MD5: 39f89f98990a946bc31cb0271b2d3e19
VirusTotal
ThreatExpert

uesiuqcr.exe
Result: 12/36 (33.34%)
MD5: d2e8f5095dcd62f912fd233c4e2e5459
VirusTotal
ThreatExpert

b156.exe
Result: 18/36 (50%)
MD5: 05411d4f5b6a3b430dcd30bea1731362
VirusTotal
ThreatExpert
hxxp://dl2.bundlext.com:8080/get.php

Removal:
Remove this threat with MalwareBytes!

23 Oct

Antivirus 2009 - 2 files added - 5 domains added (Low Detection) 1/36

Today I came across a new Antivirus 2009 binary with a 1 out of 36 detection ratio on VirusTotal. The session starts at antivirus-best.com and that page is reduced to a pop-up message, as usual. Then we are briefly taken to voodoorevenue.com where the affiliate information for the malware creators is sent and then redirected to the point of download, protection-overview.com.

Screenshot:

Antivirus 2009

Removal Information:

We successfully tested MalwareBytes to remove this threat. 
Click here for more information on the removal process.

Malware Bytes

Session Summary

#    Result    Protocol    Host    URL    Body
538    200    HTTP    antivirus-best.com    /
539    200    HTTP    antivirus-best.com    /window.js
540    200    HTTP    CONNECT    urs.microsoft.com:443
541    200    HTTP    antivirus-best.com    /_freescan.php?id=
542    200    HTTP    antivirus-best.com    /fileslist.js
543    200    HTTP    antivirus-best.com    /progressbar2.js
544    200    HTTP    antivirus-best.com    /common.js
545    200    HTTP    antivirus-best.com    /hat1.jpg
546    200    HTTP    antivirus-best.com    /pixel_trans.gif
547    200    HTTP    antivirus-best.com    /bgleft.gif
548    200    HTTP    antivirus-best.com    /disks.gif
549    200    HTTP    antivirus-best.com    /bgtop1.gif
550    200    HTTP    antivirus-best.com    /warning.jpg
551    200    HTTP    antivirus-best.com    /pbbg2.gif
552    200    HTTP    antivirus-best.com    /table1.gif
553    200    HTTP    antivirus-best.com    /footer.gif
554    200    HTTP    antivirus-best.com    /bgright.gif
555    200    HTTP    antivirus-best.com    /popup4.gif
556    200    HTTP    antivirus-best.com    /pbbg.gif
557    200    HTTP    antivirus-best.com    /closebutton.gif
558    404    HTTP    antivirus-best.com    /favicon.ico
559    200    HTTP    antivirus-best.com    /warning2.jpg
560    200    HTTP    antivirus-best.com    /table2.gif
561    302    HTTP    voodoorevenue.com    /soft.php?aid=0777&d=100&product=XPA&refer=c79bfd2d5
562    302    HTTP    protection-overview.com    /2009/100/freescan.php?id=880777
563    200    HTTP    protection-overview.com    /2009/download/trial/A9installer_880777.exe

After Install

780    200    HTTP    secureupdateserver.com/download/av_2009.exe  > called by: a9installer_880777:1580
781    206    HTTP    secureupdateserver.com/download/av_2009.exe  > called by: a9installer_880777:1580
782    200    HTTP    secureupdateserver.com/download/av_2009.exe  > called by:a9installer_880777:1580
783    200    HTTP    secureupdateservice.com/firstrun.php?product=AV9&aff=880777&update=2409av9nv&time=00:00:00 > by:  av2009:732
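The session summary above shows the pattern worth alerting on: a run of 302 responses that crosses hosts and ends in an executable download, with affiliate identifiers carried in the query strings. As an added example (not the blog’s own code), the following parses rows in that column layout (#, Result, Protocol, Host, URL), reconstructs redirect chains, and reports the ones that land on an executable together with the affiliate parameters seen along the way; the sample rows are copied from the session above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed excerpt of the session summary above, in the same column
# layout (#, Result, Protocol, Host, URL); the rows are copied from the post.
SESSION = """\
#    Result    Protocol    Host    URL    Body
559    200    HTTP    antivirus-best.com    /warning2.jpg
560    200    HTTP    antivirus-best.com    /table2.gif
561    302    HTTP    voodoorevenue.com    /soft.php?aid=0777&d=100&product=XPA&refer=c79bfd2d5
562    302    HTTP    protection-overview.com    /2009/100/freescan.php?id=880777
563    200    HTTP    protection-overview.com    /2009/download/trial/A9installer_880777.exe
"""

EXECUTABLE_EXT = (".exe", ".scr", ".com", ".bat", ".cpl")
AFFILIATE_KEYS = ("aid", "id", "refer", "product")
ROW_RE = re.compile(r"^(\d+)\s+(\d{3})\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_session(text):
    """Parse the whitespace-separated rows; header and free text are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        seq, status, _proto, host, url = m.groups()
        if host == "CONNECT":  # Fiddler lists TLS tunnels as CONNECT host:port
            host, url = url, ""
        rows.append({"seq": int(seq), "status": int(status), "host": host, "url": url})
    return rows


def redirect_chains(rows):
    """Group consecutive 3xx responses with the non-3xx response that ends them."""
    chains, current = [], []
    for r in rows:
        if 300 <= r["status"] < 400:
            current.append(r)
        elif current:
            current.append(r)
            chains.append(current)
            current = []
    return chains


def is_executable(url):
    return urlsplit(url).path.lower().endswith(EXECUTABLE_EXT)


def affiliate_params(url):
    """Pull the tracking parameters the redirectors pass along."""
    query = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in query.items() if k in AFFILIATE_KEYS}


def flag_drops(rows):
    """Report redirect chains that cross hosts and land on an executable."""
    findings = []
    for chain in redirect_chains(rows):
        last = chain[-1]
        hosts = []
        for r in chain:
            if r["host"] not in hosts:
                hosts.append(r["host"])
        if last["status"] == 200 and is_executable(last["url"]) and len(hosts) > 1:
            params = {}
            for r in chain:
                params.update(affiliate_params(r["url"]))
            findings.append({"hosts": hosts, "payload": last["url"], "params": params})
    return findings
```

The same logic applies to a proxy log exported in any column order once the status, host and URL fields are mapped onto the row dictionaries.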

Files:

DownloadPath\$$$$$$$$$.bat (deletes the installer)
%ProgramFiles%\Antivirus 2009\av2009.exe
%SystemRoot%\System32\scui.cpl

Registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: 66878074513444726827872864318771
Value: C:\Program Files\Antivirus 2009\av2009.exe

File: A9installer_880777.exe
VirusTotal: 1/36 (2.78%)

Additional information
File size: 139776 bytes
MD5: b0674e8e6c99de286a62b2fde5358110
SHA1: ee50b8901e011e56ff9b0ddaa045e8e54500426f
SHA256: cef3a6aae1291b1e2335cd034953ff1936bb38c1e2406256700266ee7269adc9
SHA512: 06fd1e8ad4b39f04f0862a7b8eadd4a00eaa7c99cd7e3c3e547326728cae8b35023030034e4c3809d61976c63ce6ab337e480d59076b6a942cff8303b8550c41

File: av2009.exe
VirusTotal: 3/36 (8.33%)

Additional information
File size: 1265152 bytes
MD5: dd624cacbcf3b1a0e39f2724fc7eca54
SHA1: 99e1a1219ef624dafb3faa3e02d7addf8fc4203f
SHA256: a1c7724a05a37d7a842be34acf0c42fc37f019c6f5b49cd2e00d48baa14d7a91
SHA512: 9623e0d41c42a69621e601eb893ab4bf2d0e0f8660a52698c4e6d3035f609baf8546279aa40eca1c2f9cde767c0e17dacbc9f26ef6dfb54bbb7c496441b6f50a

Removal:

Remove this threat with MalwareBytes!

15 Oct

Database Update - 13 Files (Low-Moderate Detection)

Here is today’s update of malware. Some interesting finds today! As always, the files are available under /pnuemo-malware/ in our repository.

BE ADVISED: The URLs may still be live. Proceed at your own risk.

Serv46.exe & asedf2g2.exe (Downloads/Creates the files: tcpip.sys, MSWINSCK.OCX, asedf2g2.exe, & jhil8.exe)
Result: 11/36 (30.56%)
MD5: ebbbda43a97c73d50adc34803155cc41
VirusTotal
ThreatExpert Analysis
hxxp://58.221.254.219:86/Serv46.exe

MSWINSCK.OCX
Result: 0/36 (0%)
MD5: e8a2190a9e8ee5e5d2e0b599bbf9dda6
VirusTotal

jhil8.exe
Result: 2/36 (5.56%)
MD5: 04d98f36c2a1b79a40c97619c1c3ed31
VirusTotal
ThreatExpert Analysis

tcpip.sys
Result: 1/36 (2.78%)
MD5: 1745b00fc1141404b28f4b94f69a8871
VirusTotal
ThreatExpert Analysis

Psetup.exe (Downloads/Creates the files: newie.exe & msgsvc.dll)
Result: 6/36 (16.67%)
MD5: 812474725260a3646b5f0ecad9602ee5
VirusTotal
ThreatExpert Analysis
hxxp://soft.client-get-data.com/soft2/qq569752824/Psetup.exe

newie.exe
Result: 3/36 (8.34%)
MD5: af619d7871d7dbb4dbd3295c4336d76b
VirusTotal
ThreatExpert Analysis
hxxp://soft.client-get-data.com/soft2/qq569752824

msgsvc.dll
Result: 4/36 (11.12%)
MD5: 103d90d32fcf59b82a2315820bbe7470
VirusTotal
Sunbelt Sandbox

DSC1435.exe (Downloads/Creates the files: DJ12335.exe & D4722.exe)
Result: 11/36 (30.56%)
MD5: d837e1f5ff46c8e51c442690705782fd
VirusTotal
ThreatExpert Analysis

DJ12335.exe
Result: 16/36 (44.45%)
MD5: a5785c6cc41bcd48b94d8bf2477c9004
VirusTotal
ThreatExpert Analysis
hxxp://chiring.de/temp

D4722.exe (Downloads/Creates the files: Windows32.exe)
Result: 14/36 (38.89%)
MD5: a267139ce72faff6e05394792b031e49
VirusTotal
ThreatExpert Analysis
hxxp://chiring.de/temp

Windows32.exe
Result: 13/35 (37.14%)
MD5: c1a850a6c0946a3a970715968279236b
VirusTotal

showsoft.exe
Result: 4/36 (11.12%)
MD5: a2c091f45b4319ba2aeba3527c50db73
VirusTotal
ThreatExpert Analysis
hxxp://www.777tool.com/showsoft.exe



