Downloads From: hxxp://dnld.securitydwl.com/load/setup_110152_3_.exe
File size: 91136 bytes
Result: 3/36 (8.34%)
This morning we detected another spam campaign with a very similar motivation to the MSNBC and CNN spam attacks that were detected recently. The vector for infection is a redirection to a phony video page. In this case the user is asked to download an update which appears to be a video codec, identified as installer.exe or better known as Trj/Exchanger. We expect that these types of attacks are only going to evolve over time to become much more sophisticated.
Another release in a short time ;).
This time I want to present to you my 'multimedia trojan' disinfector.
A little automatic tool which gives you the possibility to cure infected files.
Analysis of infected files is based on signatures located in:
%temp%\dis_signatures.ini; the default file contains one well-known URL address added by GetCodec:
More info (Spanish) can be found here:
I created a firefox search plugin to make searching MD5 sums on OC a little easier. You still must be logged in to perform a search, but hey, can't eat the cake too!
No file updates in this post but I'm hoping to generate some discussion here...
My e-mail inbox has been flooded since breaking the CNN malspam story. Everyone wants to know where this attack is coming from and how it’s releasing itself into the wild so quickly. I’m sorry to say that I do not have the answer yet… but I do have a hypothesis.
I believe the attack is exploited 100% through hacked/infected computers. We know that the e-mails are being distributed by infected computers, as we can tell from the e-mail headers: most of the e-mails come from private ADSL or cable lines. One question remains… how are the websites getting owned? Take a second to consider the following possibility…
This morning several messages appeared to be coming from MSNBC breaking news alerts. However, it is another weird twist in the CNN spam campaign, as the link http://breakingnews.msnbc.com will direct the user to the fake CNN video codec page to download adobe_flash.exe (AV XP 2008). We expect to see variations of these messages in the coming days as spammers find ways to entice users.
We’ve spotted some new Antivirus 2009 malicious domains in the wild today.
Installer: Install.exe - 31452372db17d2ca19b483161141fbba (Written in Delphi)
AV2009Install_880593.exe %System%\AV2009Install_880593.exe 122,880 bytes
More information here...
In the following paper you can read the analysis of Win32OnlineGames, a widespread Trojan that acts as a password stealer for e-gaming services.
Hope you like it!
Giuseppe 'Evilcry' Bonfa'