<?xml version="1.0" encoding="UTF-8"?><!-- generator="WordPress/2.6.3" -->
<rss version="0.92">
<channel>
	<title>Malware Database</title>
	<link>http://malwaredatabase.net/blog</link>
	<description>Malware Database is a group of security professionals and a few hobbyists who each contribute to a private distributed database of malicious binaries while raising awareness on current malware trends through our website.</description>
	<lastBuildDate>Fri, 28 Nov 2008 06:22:48 +0000</lastBuildDate>
	<docs>http://backend.userland.com/rss092</docs>
	<language>en</language>
	
	<item>
		<title>Fake antivirus site features drive-by install of PDF exploits</title>
		<description>Here's a fake antivirus site that has a special *gift* for you when you visit: PDF exploits! When you visit the site, it will attempt a drive-by install using an exploit-embedded PDF file.

Bad Site:
hxxp://2008-noadware-antivirus.com (68.180.151.74)
AS36752 &#124; 68.180.151.74 &#124; YAHOO-SP1 - Yahoo

Goes to:
hxxp://abb192.cn/exp/index.php
hxxp://abb192.cn/exp/load.php?id=2926
abb192.cn (82.192.88.2)
AS16265 &#124; 82.192.88.2 &#124; LEASEWEB LEASEWEB AS

Launches a process called ...</description>
		<link>http://malwaredatabase.net/blog/index.php/2008/11/27/fake-antivirus-site-features-drive-by-install-of-pdf-exploits/</link>
			</item>
	<item>
		<title>More mailing list unsubscription phishing websites</title>
		<description>STAY AWAY from these because in reality they are being used to collect email addresses likely for future SPAM campaigns.  I also suspect these domains are part of a current fake XP activation SPAM campaign.

DOMAINS:

IPs INVOLVED:
27645 &#124; 66.79.162.82 &#124; ASN-NA-MSG-01 - Managed Solutions Group, Inc.
33314 &#124; 66.79.162.82 &#124; ASN-AKANOC-SJC-01 - ...</description>
		<link>http://malwaredatabase.net/blog/index.php/2008/11/27/more-mailing-list-unsubscription-phishing-websites/</link>
			</item>
	<item>
		<title>New fake security software called Micro Antivirus 2008</title>
		<description>Note: This site is distributing a Rogue “Fake” Anti-Malware product.  Do not visit, pay, or download the software discussed below.

Product named 2008 yet website is 2009. I see that microav2008.com is available, maybe they should register that too.  ;-)

Fake Product Name:
Micro Antivirus 2008

Site: microav2009.com

IP: 91.208.0.223
Location: Russia
Registration:
ICANN Registrar: INTERNET.BS CORP.
Created:  2008-09-24

File:
MicroAVSetup.exe
VirusTotal coverage: ...</description>
		<link>http://malwaredatabase.net/blog/index.php/2008/11/24/new-fake-called-micro-antivirus-2008/</link>
			</item>
	<item>
		<title>Antivirus 2009</title>
		<description>Note: This site is distributing a Rogue “Fake” Anti-Malware product.  Do not visit, pay, or download the software discussed below.

Very low detection.
Site:
hxxp://antivirus-premium-scan.com/2009/1/en/_freescan.php?nu=77025304

File: A9installertest_77025304.exe
Virustotal: Result 1/36 (2.78%)

Additional information
File size: 163840 bytes
MD5...: ccdfcdcea179cf0ecf12035d5ee8b821
SHA1..: e85dd4eebb5ae4d61f36385281922637712a56bd
SHA256: 6ffe5e74108fce512aa3c2de39e13ea9aebdda9606a7966d424254282679c03c
SHA512: 4de947fd4bf09f6ac2ef6dc34fafdf471555fe6e37dc0f8722cd4e726b5d6dc5
3c76a98f2786df5af5527f0356715bf5787f2b6b44a15eeffea5ff7aed4b6d37
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic ...</description>
		<link>http://malwaredatabase.net/blog/index.php/2008/11/20/antivirus-2009-4/</link>
			</item>
	<item>
		<title>Fake Activation and Mailing List Unsubscribe Websites</title>
		<description>In the past few days I've seen many websites pop up pretending to be mailing list unsubscription sites.  And per usual, these sites feature legit-sounding names like antivirus-activation-code1.org or online-activation-code.info.



Example screenshot.

STAY AWAY from these because in reality they are being used to collect email addresses likely for future SPAM ...</description>
		<link>http://malwaredatabase.net/blog/index.php/2008/11/19/fake-activation-and-mailing-list-unsubscribe-websites/</link>
			</item>
	<item>
		<title>Database Update - 19 Files (Low Detection)</title>
		<description>Quite a few files added to the database today.  As you can see below, these aren't detected by many AVs out there.

BE ADVISED: These URLs may still be active. Proceed at your own risk!

A9installer_77024202.exe
Result: 0/36 (0%)
MD5: fd6c1b0cec99796c72213ee330eb7b58
 VirusTotal
 ThreatExpert Analysis
hxxp://allinone-scanner.com/2009

av_2009.exe
Result: 1/36 (2.78%)
MD5: 4c68e58e317f7111ac147d5279ef23e0
 VirusTotal
 ThreatExpert Analysis
zcodec.1482.exe
Result: 3/36 (8.34%)
MD5: 9acea07175a11ae690263f9be7828467
 ...</description>
		<link>http://malwaredatabase.net/blog/index.php/2008/11/15/database-update-19-files-low-detection/</link>
			</item>
	<item>
		<title>Database Update - 16 Files (Low-Moderate Detection)</title>
		<description>Another update for tonight.  Should have more over the weekend.  Find them in /pnuemo-malware/.

BE ADVISED: These URLs may still be active.  Proceed at your own risk!

services.exe
Result: 19/36 (52.78%)
MD5: c629db60a9a5d7303419b5153d3e9b0b
VirusTotal
 ThreatExpert Analysis

nd82m0.dll
Result: 5/36 (13.89%)
MD5: d6f2135dc562c7d4992cf2cea2166707
 VirusTotal
 ThreatExpert Analysis
hxxp://85.17.166.182
kb600179.dll
Result: 5/36 (13.89%)
MD5: f946f8c3de445d45c7eb34591bee037b
 VirusTotal
 ThreatExpert Analysis
hxxp://89.188.16.30

setup_457_6777_.exe
Result: 1/36 (2.78%)
MD5: e9339f9045368947789ec70739de4b21
VirusTotal
 ThreatExpert Analysis
hxxp://files.download-antispyware.com

scanner_457_6777_.exe
Result: ...</description>
		<link>http://malwaredatabase.net/blog/index.php/2008/11/13/database-update-16-files-low-moderate-detection/</link>
			</item>
	<item>
		<title>EstDomains shut down effective November 24th, 2008</title>
		<description>I thought it was worth noting that today ICANN finally decided to terminate EstDomains' ability to register domains.  EstDomains has turned the other cheek to their clients' use of their services.  The shutting down of some, if not all of their registered domains, will definitely help in slowing ...</description>
		<link>http://malwaredatabase.net/blog/index.php/2008/11/12/estdomains-shut-down-effective-november-24th-2008/</link>
			</item>
	<item>
		<title>Database Update - 13 Files (Low-Moderate Detection)</title>
		<description>Only a smaller update today.  Files available in /pnuemo-malware/.  The installers I've been collecting are getting nastier and nastier.  Keep everything updated!

xloader.exe
Result: 6/36 (16.67%)
MD5: efe48c6ea123b7d5a07f1beaf4b9efb1
 VirusTotal
 ThreatExpert Analysis
hxxp://adwords.google.com.upload.main.update.kliauj.cn

winlogon.exe
Result: 5/36 (13.89%)
MD5: 6c161cf9aefd577235547a0514ea7336
 VirusTotal
 ThreatExpert Analysis

brastk.exe
Result: 23/36 (63.89%)
MD5: 89bbe87df33a7722ce6bc890023a82c0
 VirusTotal
 ThreatExpert Analysis

uesiuqcr.exe &#38; svchost.exe
Result: 14/36 (38.89%)
MD5: f74dc617cec41d36aca9ffc793add258
 VirusTotal
 ThreatExpert ...</description>
		<link>http://malwaredatabase.net/blog/index.php/2008/11/12/database-update-13-files-low-moderate-detection-2/</link>
			</item>
	<item>
		<title>Fake control panel app installing multiple malware binaries</title>
		<description>Came across this nasty bugger today.  It installs a few banker trojans, generic trojans, and a rootkit.  Below you can see all of the files that it installs on the computer.  These files are available in /pnuemo-malware/.  Please read our FAQ for access to our repository.

BE ...</description>
		<link>http://malwaredatabase.net/blog/index.php/2008/11/12/fake-control-panel-app-installing-multiple-malware-binaries/</link>
			</item>
</channel>
</rss>
