WARNING: This site contains samples of live malware. Use at your own risk.

\stub\stub1.4_newmod\WinSrv.vbp

I found a VB malware inside a WinRar sfx. This malware retrieves a dropper from a website
that drops a trojan (TR/Buzus.ztk for AVIRA) on the hard disk.

The WinRar sfx extracts two files into the user's TEMP folder, start.exe and the original sfx archive,
then executes start.exe (the malware) and the sfx.

The malware gets the dropper from a URL (hxxp://67.159.57.83/setup.exe) using wininet.InternetOpenUrlA.

The dropper creates in a folder an exe file (Setup_ver1.1585.2.exe) containing the trojan.

start.exe
089e63cfe70aebc52fe5b087cc5dd2a4

setup.exe
799b4296dd74a2adaaf30b903759db82

Setup_ver1.1585.2
f42e34cedc6e5ff0957ec60d58b5f8da

BITS used as covert channel

Eric Landuyt from DataRescue analyzed a malware that exploits the Background Intelligent Transfer Service (BITS) as a covert channel.

From the site:
"A strange executable, named MSMSGS.EXE, was found on several machines on the network of a customer, apparently dropped by the exploitation of a vulnerability inside Word files. As monitoring tools (registry/file/socket) provided insufficient information on the malware's behaviour, we proceeded with a complete analysis."

Wikipedia: BITS

Another Antivirus 2009 installer (0/36 on VirusTotal)

We came across a fully undetected Antivirus 2009 installer today.

Site:

* hxxp://85.17.166.170/go/?cmp=nm_ron2&uid=f8a0d9628fbb11dd95e4166350cfffff&rid=gl2vmclr&guid= 5b20e5c3232d4440b6234368749a6d3a&affid=166350&lid=http&url=http:%2F%2Fwww.google.com%2F&v=1145&m=an2g
  o hxxp://freeonlinescanner9.com/_download.php?aid=77052204&dlth=19
    + hxxp://vassariumbig.com/download/av_2009.exe

c074384af50971632df88de847c89233

More info here...

New Rogue - eAntivirusPro

Today we discovered a new rogue called eAntivirusPro. After researching the new rogue we found that the template for the site was sold on a Russian Freelance site, which is one of the first templates we have seen contracted from a public freelance site.

more info here...

8c396fbdacce214de2e86354a77350d2

YouTube Video Page Creator

Last week PandaLabs discovered a new tool for creating fake YouTube video pages as a way of deceiving users into installing malware. The infection vector is similar to many fake-codec malware attacks seen in recent weeks (CNN, MSNBC, etc.).

The flexibility of this tool allows anyone to direct the fake Adobe Flash update error to any malicious executable file hosted on any server. This means that a hacker could register several domains in different countries (as seen in the CNN alerts attack) and use a botnet to distribute a mass amount of spam pointing to these fake YouTube pages.

Full Details Here

Total Secure 2009

We discovered a new Total Secure 2009 domain today. The binary the site distributes is only detected by 3 out of 36 AV engines according to VirusTotal.

206d7b4425c01d9b5e839e7604da5531

more information here...

New Rogue - Smart Antivirus 2009

A few days ago, the team at Sunbelt discovered a new rogue called Smart Antivirus 2009. Today we discovered new Smart Antivirus 2009 domains. We inspected the file (setup.ver1_1000.0_.exe) and found that only 2 out of 36 companies detected it via VirusTotal.

8482252a4293d5f4ba1f39b77b447920

More info on the site...

Quicktime exploit in action (Video)

This exploits vulnerable Quicktime browser objects. If one is discovered, it exploits the object, injects the malware onto the computer and executes it. We recorded a video of the website exploiting Quicktime and installing the malware on the system. The file installed is msupd_0809_upd070148.exe.

44641bb1fc3e0443e8c2222a69af6cc9
Blog Post (additional information)

Antivirus 2009...brought to you by motigo?

A colleague called me today stating that his website was the victim of a hack and he did not know what to do. He was frantic and said that his website was distributing Antivirus 2009, so I decided to take a look at it and, lo and behold, we found Antivirus 2009 being distributed from its ad system. For those who don't know what Antivirus 2009 is, it's a rogue (fake) security product.

See the full post here....

0570484b66e9a139d8fd0a71f5448957

Antivirus 2009 (video)

Sites: hxxp://antivirusworld9.com -> hxxp://scanthnet.com -> hxxp://innovagest2000sl.com
Files: AV2009Install_*.exe (0570484B66E9A139D8FD0A71F5448957)
VirusTotal Result: 4/36 (11.11%)
MDB: /lithium-malware/AV2009Install.zip

See the full post...

0570484b66e9a139d8fd0a71f5448957