I found a VB malware inside a WinRar sfx. This malware retrieves a dropper from a website
that drops a trojan (TR/Buzus.ztk for AVIRA) onto the hard disk.
The WinRar sfx extracts two files, start.exe and the original sfx archive, into the user's TEMP folder,
executing start.exe (the malware) and the sfx.
The malware gets the dropper from a URL (hxxp://188.8.131.52/setup.exe) using wininet.InternetOpenUrlA.
The dropper creates an exe file (Setup_ver1.1585.2.exe) containing the trojan in that folder.
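As an added example (not code from the original post), the chain described above can be turned into a simple correlation check for endpoint telemetry: a process running from the TEMP folder that downloads an .exe over HTTP and then writes an .exe to disk. The event format, field names, pids and sample paths below are constructed assumptions, not the post's data.

```python
# Added detection example: correlate process, file and network events to flag
# a TEMP-folder process that fetches an .exe and drops an .exe (SFX dropper chain).
import re
from collections import defaultdict

# Constructed sample telemetry (assumed format): time|type|pid|ppid|detail
SAMPLE_EVENTS = """\
10:00:01|proc|400|300|C:\\Users\\bob\\Downloads\\invoice.exe
10:00:02|file|400|300|C:\\Users\\bob\\AppData\\Local\\Temp\\start.exe
10:00:02|file|400|300|C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe
10:00:03|proc|410|400|C:\\Users\\bob\\AppData\\Local\\Temp\\start.exe
10:00:04|net|410|400|hxxp://188.8.131.52/setup.exe
10:00:05|file|410|400|C:\\Users\\bob\\AppData\\Local\\Temp\\Setup_ver1.1585.2.exe
10:00:06|proc|500|300|C:\\Program Files\\Mozilla Firefox\\firefox.exe
10:00:07|net|500|300|http://www.example.com/
"""

TEMP_DIR = re.compile(r"\\(Temp|Tmp)\\", re.IGNORECASE)          # image lives under a Temp dir
EXE_URL = re.compile(r"^h(tt|xx)ps?://.*\.exe$", re.IGNORECASE)  # plain or defanged URL ending in .exe

def parse_events(text):
    """Parse the pipe-separated records into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, pid, ppid, detail = line.split("|", 4)
        events.append({"ts": ts, "kind": kind, "pid": int(pid), "ppid": int(ppid), "detail": detail})
    return events

def find_temp_droppers(events):
    """Return one finding per process that runs from TEMP, fetches an .exe URL and writes an .exe."""
    image = {e["pid"]: e["detail"] for e in events if e["kind"] == "proc"}
    fetched, dropped = defaultdict(list), defaultdict(list)
    for e in events:
        if e["kind"] == "net" and EXE_URL.match(e["detail"]):
            fetched[e["pid"]].append(e["detail"])
        elif e["kind"] == "file" and e["detail"].lower().endswith(".exe"):
            dropped[e["pid"]].append(e["detail"])
    findings = []
    for pid, img in image.items():
        if TEMP_DIR.search(img) and fetched[pid] and dropped[pid]:
            findings.append({"pid": pid, "image": img, "urls": fetched[pid], "drops": dropped[pid]})
    return findings

if __name__ == "__main__":
    for hit in find_temp_droppers(parse_events(SAMPLE_EVENTS)):
        print(f"pid {hit['pid']} ({hit['image']}) fetched {hit['urls']} and dropped {hit['drops']}")
```

Only start.exe (pid 410) matches all three conditions; the parent SFX writes files but makes no download, and the browser downloads but is neither in TEMP nor fetching an .exe.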
Eric Landuyt from DataRescue analyzed a malware that exploits the Background Intelligent Transfer Service (BITS) as a covert channel.
From the site:
"A strange executable, named MSMSGS.EXE, was found on several machines on the network of a customer, apparently dropped by the exploitation of a vulnerability inside Word files. As monitoring tools (registry/file/socket) provided insufficient information on the malware's behaviour, we proceeded with a complete analysis."
We came across a fully undetected Antivirus 2009 installer today.
* hxxp://184.108.40.206/go/?cmp=nm_ron2&uid=f8a0d9628fbb11dd95e4166350cfffff&rid=gl2vmclr&guid= 5b20e5c3232d4440b6234368749a6d3a&affid=166350&lid=http&url=http:%2F%2Fwww.google.com%2F&v=1145&m=an2g
Today we discovered a new rogue called eAntivirusPro. After researching the new rogue we found that the template for the site was sold on a Russian Freelance site, which is one of the first templates we have seen contracted from a public freelance site.
Last week PandaLabs discovered a new tool for creating fake YouTube video pages as a way of deceiving users into installing malware. The vector for infection is similar to many fake codec based malware attacks seen in recent weeks (CNN, MSNBC, etc).
The flexibility of this tool allows anyone to direct the fake Adobe Flash update error to any malicious executable file hosted on any server - this means that essentially a hacker could register several domains in different countries (as seen in the CNN alerts attack) and utilize a bot-net to distribute a mass amount of spam pointing to these fake YouTube pages.
A few days ago, the team at Sunbelt discovered a new rogue called Smart Antivirus 2009. Today we discovered new Smart Antivirus 2009 domains. We inspected the file (setup.ver1_1000.0_.exe) and found that only 2 out of 36 companies detected it via VirusTotal.
This exploits vulnerable QuickTime browser objects. If one is discovered, it will exploit the object, inject the malware into the computer and execute it. We recorded a video of the website exploiting QuickTime and installing the malware on the system. The file installed is msupd_0809_upd070148.exe.
A colleague called me today stating that his website was the victim of a hack and he did not know what to do. He was frantic and said that his website was distributing Antivirus 2009, so I decided to take a look at it and, lo and behold, we found Antivirus 2009 being distributed from their ad system. For those who don't know what Antivirus 2009 is, it's a rogue (fake) security product.