WARNING: This site contains samples of live malware. Use at your own risk.


I found a VB malware sample inside a WinRAR SFX. This malware retrieves a dropper from a website,
which then drops a trojan (TR/Buzus.ztk for AVIRA) onto the hard disk.

The WinRAR SFX extracts two files into the user's TEMP folder, start.exe and the original SFX archive,
then executes start.exe (the malware) and the SFX.

The malware gets the dropper from a URL (hxxp://) using wininet.InternetOpenUrlA.

The dropper creates an exe file (Setup_ver1.1585.2.exe) containing the trojan in that folder.




BITS used as covert channel

Eric Landuyt from DataRescue analyzed a malware sample that exploits the Background Intelligent Transfer Service (BITS) as a covert channel.

From the site:
"A strange executable, named MSMSGS.EXE, was found on several machines on the network of a customer, apparently dropped by the exploitation of a vulnerability inside Word files. As monitoring tools (registry/file/socket) provided insufficient information on the malware's behaviour, we proceeded with a complete analysis."

Wikipedia: BITS

Another Antivirus 2009 installer (0/36 on VirusTotal)

We came across a fully undetected Antivirus 2009 installer today.


* hxxp:// 5b20e5c3232d4440b6234368749a6d3a&affid=166350&lid=http&
  o hxxp://
    + hxxp://


More info here...

New Rogue - eAntivirusPro

Today we discovered a new rogue called eAntivirusPro. After researching the new rogue we found that the template for the site was sold on a Russian Freelance site, which is one of the first templates we have seen contracted from a public freelance site.

more info here...


YouTube Video Page Creator

Last week PandaLabs discovered a new tool for creating fake YouTube video pages as a way of deceiving users into installing malware. The vector for infection is similar to many fake codec based malware attacks seen in recent weeks (CNN, MSNBC, etc).

The flexibility of this tool allows anyone to point the fake Adobe Flash update error at any malicious executable hosted on any server. This means that a hacker could essentially register several domains in different countries (as seen in the CNN alerts attack) and use a botnet to distribute a large volume of spam pointing to these fake YouTube pages.

Full Details Here

Total Secure 2009

We discovered a new Total Secure 2009 domain today. The binary the site distributes is only detected by 3 out of 36 AV engines according to VirusTotal.


more information here...

New Rogue - Smart Antivirus 2009

A few days ago, the team at Sunbelt discovered a new rogue called Smart Antivirus 2009. Today we discovered new Smart Antivirus 2009 domains. We inspected the file (setup.ver1_1000.0_.exe) and found that only 2 out of 36 engines detected it on VirusTotal.


More info on the site...

Quicktime exploit in action (Video)

This attack exploits vulnerable QuickTime browser objects. If one is found, it exploits the object, injects the malware into the computer and executes it. We recorded a video of the website exploiting QuickTime and installing the malware on the system. The file installed is msupd_0809_upd070148.exe.

Blog Post (additional information)

Antivirus 2009...brought to you by motigo?

A colleague called me today stating that his website was the victim of a hack and he did not know what to do. He was frantic and said that his website was distributing Antivirus 2009, so I decided to take a look at it and, lo and behold, we found Antivirus 2009 being distributed from their ad system. For those who don’t know what Antivirus 2009 is, it’s a rogue (fake) security product.

See the full post here....


Antivirus 2009 (video)

Sites: hxxp:// -> hxxp:// -> hxxp://
Files: AV2009Install_*.exe (0570484B66E9A139D8FD0A71F5448957)
VirusTotal Result: 4/36 (11.11%)
MDB: /lithium-malware/

See the full post...