Skip navigation.
WARNING: This site contains samples of live malware. Use at your own risk.

LOTD: Malicious Link of the Day

Installer: setup_110152_3_.exe
Downloads From: hxxp://
File size: 91136 bytes
MD5…: 90dacc45af0548fd1cd7da88bf969fdd
SHA1..: 40a7827da0221a03c006dfbf174c8ebb66e43df5
Result: 3/36 (8.34%)

More info on the files here...

Video Codec Malware Reloads

This morning we detected another spam campaign with a very similar motivation to the MSNBC and CNN spam attacks that were detected recently. The vector for infection is a re-direction to a phony video page. In this case the user is asked to download an update which appears to be a video codec identified as installer.exe or better known as Trj/Exchanger. We expect that these type of attacks are only going to evolve over a period of time to be much more sophisticated.

More Information Here:

The International Virus Research Lab Strikes Again!


Another release in short time ;).
This time I want present you my 'multimedia trojan' disinfector.
Little automatic tool which will give you possibility to cure infected files.
Analysis of infected files is based on signatures located in :
%temp%\dis_signatures.ini ,default file contain one good known url address added by GetCodec :

More info(spanish) you can find here:

Detalles sobre el troyano multimedia GetCodec


MD5...: 914adbbfaae6f87a6f758bf4ba1efd6d
SHA1..: 0861ed42ffc175c668f53050e22baa38d2c5ba04


Firefox Search Plugin for Offensive Computing

I created a firefox search plugin to make searching MD5 sums on OC a little easier. You still must be logged in to perform a search, but hey, can't eat the cake too!

To download it: Go to my site and click on the link "Download the Offensive Computing Firefox Plugin here. (requires javascript)" It's at the top.. can't miss it :)


Malware Database

Multimedia trojan analysis

I just released my analysis about good knowed lately 'multimedia trojan' ,called also:
Symantec - Trojan.Brisv.A
Sophos - W32/GetCodec-A

You can download this paper in two language versions:
I hope you will enjoy it.

CNN & MSNBC Attack - Where is it all coming from?

No file updates in this post but I'm hoping to generate some discussion here...

My e-mail inbox has been flooded since breaking the CNN malspam story. Everyone wants to know where this attack is coming from and how it’s releasing itself into the wild so quickly. I’m sorry to say that I do not have the answer yet… but I do have a hypothesis.

I believe the attack is exploited 100% through hacked/infected computers. We know that the e-mails are being distributed by infected computers as we can tell from the e-mail headers, most of the e-mails come from private ADSL or cable lines. One question remains… how are the websites getting owned? Take a second to consider the following possibility…

MSNBC Alerts masking CNN codec site

This morning several messages appeared to be coming from MSNBC breaking news alerts. However, it is another weird twist in the CNN spam campaign as the link will direct the user to the fake CNN video codec page to download the adobe_flash.exe (AV XP 2008). We expect to see in the next coming days variations of these messages as spammers find ways to entice users.

More details here

New Antivirus 2009/Vista Antivirus 08

We’ve spotted some new Antivirus 2009 malicious domains in the wild today.

Investigated: hxxp://
Antivirus 2009

Installer: Install.exe - 31452372db17d2ca19b483161141fbba (Written in Delphi)

AV2009Install_880593.exe %System%\AV2009Install_880593.exe 122,880 bytes

|–>Trace Level=”"

More information here...


Paper on Win32OnlineGames


In the following paper you can read the analysis of Win32OnlineGames, a well spreaded Trojan that acts as Password Stealer for E-Gaming Services.


Hope you like it!

Giuseppe 'Evilcry' Bonfa'