
drean's blog

Yet another MSN worm...again

Yesterday I received a file over MSN:

MSN Contact says:
hmm is this you on the photo ?

Then the contact sends a file called myalbum2007.zip, which contains the file photo album-2007.scr.

Another Stration Run...

Those guys are pretty busy: 18 different packers/scramblers were used in this sample this morning:

2e908d07dcd1a131ff64961c75890bce
7ad860ecf541824a3daf4fc829266f56
be220034958e7369761949a932b96aca

Another MSN thing?

Yet another MSN worm here:

MD5: c0fc8d049547722059bedc9893f6bfd3

Received in this message:
is that u? :o http://tuspics.tu.funpic.org/index.php?pic2038.jpg

Nice that it looks like a jpg extension to the inexperienced user; it would fool many people, now that we've been teaching them to only click on gif (NOT pif!), jpg, etc. :p

New Stration

Last night I decided to take a quick look at the recent malware in my inbox and saw a new Stration spam run. I've uploaded the files here; see below for all the MD5 sums.

It downloads the following files:

http://www4.vadesunjionderunhdae.com/chr/843/lt.exe
http://www5.vadesunjionderunhdae.com/chr/843/s.exe
http://www6.vadesunjionderunhdae.com/chr/843/nt.exe

Warezov.DC (F-Secure) uploaded.

Hey,

I've uploaded Warezov.DC (name according to F-Secure); this variant just got spammed last night.

MD5SUM: 83e00e3c95e51bb700a5380acdf9b2c3
SHA1SUM: ab471ad131a3590ba835ab622f4b9bc9f44685d3
SHA256SUM: 17d9827ed2aca3824f0f1916fc1d0048a2e70f1f109f518e2e23d90b826b2701

It tries to download a few files and execute them on the system; like the rest of this downloader family, what it downloads are trojans.

New Licat (MSN Worm)

Another MSN worm is on the loose here; the message from MSN:

---------------------------------------------------------
XXXXX@msn.com says:
lol check hxxp://peopleonline.pe.funpic.de/ photo942.PIF
---------------------------------------------------------

Rakningen Trojan

A new “rakningen” Trojan is being spammed; this time it is a downloader, which downloads this file:
"http://www. dolas.biz/ ssl. exe" (again the URL is split) and executes it.

This file, ssl.exe, drops hook.dll, which is injected into most running processes. It creates/edits a lot of registry values.

Yet another MSN worm...

So, I log on to my computer this evening and get spammed with MSN messages like this:

"lol check http ://www. uglyphotos. net /photo223. PIF" (URL split for your safety ;))

I've added this to the database:
MD5SUM: aae98749a6d2cb23c3eba83a794f9edf
SHA1SUM: 8a39f2c7f954110227a753816f634d5359e5a349
SHA256SUM: 7dba761a6af4bbc18381d50c158470540f87e6a2aeefca6db18c10d8b3e6c8f2

I download the file and run it through virustotal.com and Jotti's virus scanner; only a few antivirus programs detect this thing, so I decide to take a look at it.
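Every lure quoted on this page uses the same trick: an executable (photo album-2007.scr inside myalbum2007.zip, photo942.PIF, photo223.PIF) or a script URL (index.php?pic2038.jpg) dressed up as a picture. The following is an added example, not code from this blog, that turns that observation into a small defensive heuristic over chat lines and ZIP attachments; the sample inputs are reconstructed from the messages quoted above, and the ZIP contents are a constructed stand-in.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# File types Windows runs as programs; the lures on this page used .scr and .PIF.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
SCRIPT_EXTS = {".php", ".asp", ".aspx", ".cgi", ".pl"}

def _ext(name):
    """Lower-cased final extension of a file name or URL part ('' if none)."""
    base = name.lower().rsplit("/", 1)[-1]
    return base[base.rfind("."):] if "." in base else ""

def classify_lure(target):
    """Return why a URL or attachment name looks like a disguised executable, else None."""
    t = target.strip()
    if re.match(r"^https?://", t, re.I):
        u = urlparse(t)
        path_ext = _ext(u.path)
        if path_ext in EXECUTABLE_EXTS:
            return "URL points at an executable (%s)" % path_ext
        # index.php?pic2038.jpg: the image-looking name lives only in the query string
        if path_ext in SCRIPT_EXTS and _ext(u.query) in IMAGE_EXTS:
            return "script URL dressed up with an image name (%s?%s)" % (path_ext, u.query)
        return None
    ext = _ext(t)
    return "attachment is an executable (%s)" % ext if ext in EXECUTABLE_EXTS else None

def scan_message(text):
    """(token, reason) pairs for every URL or file name in a chat line that trips a rule."""
    hits = []
    for tok in re.findall(r"\S+", text):
        reason = classify_lure(tok)
        if reason:
            hits.append((tok, reason))
    return hits

def flag_archive_members(zip_bytes):
    """Member names in a ZIP that would run when double-clicked (e.g. photo album-2007.scr)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return [n for n in z.namelist() if _ext(n) in EXECUTABLE_EXTS]

def build_sample_zip():
    """Constructed stand-in for myalbum2007.zip: one .scr member holding dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("photo album-2007.scr", b"dummy bytes, not a real screensaver")
    return buf.getvalue()
```

Running scan_message over the two chat lines quoted on this page yields one hit each, while a plain .jpg URL yields none; flag_archive_members on the constructed ZIP returns the .scr member.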
