Anti-Spyware Forums
New viral sample available for upload (April 21)

Virus Guy
22-04-2012, 12:12 AM
This came in via e-mail attachment today:

http://www.fileden.com/files/2012/4/...arcel_USPS.rar

Password is "a" (no quotes).

Can't quite make out what it's supposed to be according to VT. Mostly
being id'd as "Barys".

FromTheRafters
22-04-2012, 01:15 AM
Virus Guy wrote:
> This came in via e-mail attachment today:
>
> http://www.fileden.com/files/2012/4/...arcel_USPS.rar
>
> Password is "a" (no quotes).
>
> Can't quite make out what it's supposed to be according to VT. Mostly
> being id'd as "Barys".


I ran it, and it dropped a file urlmon.exe which, when submitted to VT,
indicated it had already been submitted (probably yours). They're
scanning a file from temp now.

dGhKQWC2HzkZGD.exe.tmp

https://www.virustotal.com/file/dbba...is/1335057298/

Dustin
22-04-2012, 05:06 AM
Virus Guy wrote:

> This came in via e-mail attachment today:
>
> http://www.fileden.com/files/2012/4/...arcel_USPS.rar
>
> Password is "a" (no quotes).
>
> Can't quite make out what it's supposed to be according to VT. Mostly
> being id'd as "Barys".


Cool beans. I'll check it out tomorrow. Thanks.


--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts

Virus Guy
24-04-2012, 12:40 PM
Ant wrote:

> Perhaps someone should phone their support and ask why!
> "+1 888-887-7721 (USA/Canada tollfree number), +44 203-608-0138
> (UK landline number for international calls)"


http://www.bleepingcomputer.com/forums/topic451240.html

--------------
Posted Today, 03:16 AM

OK... so Monday's 0day drop/version update revealed some information I
haven't seen before. A phone number!

888-887-7721

This goes to some chimps at a company called "Soft Logic". I spent a few
hours poking, prodding, and yes, trolling them to get the following
information. Ruin my customer's day, time for me to be the bringer of
Karma and ruin theirs, hahaha! I either spoke with a "Catherine" or a
"Louie", who were incredibly shady in their phone demeanor.

From what I gathered they are an outsourced support company (supposedly)
that provides customer service to all versions of Smart HDD, System
Check, System Fix, and Defrag Pro. It is yet to be confirmed if this is
a couple of jack@$$es posing as Soft Logic or the real company. A
contact of mine living in India says they're a new company. By the time
this post gets read the number could have been changed.

Giving the benefit of the doubt, I did suggest that if they are the
kinda company they say they are, they will drop the contract and do
support for Dell or something. May suck, but at least it's more honest
work.
----------------

FromTheRafters
24-04-2012, 01:04 PM
Ant wrote:
> "FromTheRafters" wrote:
>
>> Virus Guy wrote:
>>> This came in via e-mail attachment today:
>>>
>>> http://www.fileden.com/files/2012/4/...arcel_USPS.rar
>>>
>>> Password is "a" (no quotes).
>>>
>>> Can't quite make out what it's supposed to be according to VT. Mostly
>>> being id'd as "Barys".
>
> I wonder who Bary is? It gets commands from everkosmo2012.ru and
> downloads and runs more malware from other sites (probably hacked)
> that change frequently.
>
>> I ran it, and it dropped a file urlmon.exe which when submitted to VT
>> indicated it had already been submitted (probably yours).
>
> That's just a copy it makes of itself.


Yeah, VT apparently recognized it by MD5 and told me it had been
submitted about an hour earlier. It apparently left a zero-length file
under the original name and created the newly named urlmon.exe and the
temp file.

>> They're scanning a file from temp now.
>
> I got something similar which turns out to be a fake disk checker
> called "S.M.A.R.T. HDD". It's wrapped in six levels of packing!
>
> Love the hard-coded error message:
> "The drives found 2393 bad sectors and 78 critical, 23 dangerous
> issues during its self test".


Is that all? :D

[...]
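The two FromTheRafters posts above describe the same triage steps by hand: hashing the dropped file so VT could match it against an earlier submission, noticing that the original had become a zero-length stub while urlmon.exe was a byte-identical copy of it, and pulling strings out of the second-stage file (the everkosmo2012.ru domain Ant mentions and the hard-coded "bad sectors" message from the fake S.M.A.R.T. HDD checker). The script below is an added example, not code from the thread or from any poster, that automates those steps offline on a directory of dropped files. The file names come from the thread, but their contents are constructed stand-ins, not the real malware, and no VirusTotal lookup is made; the indicator substrings are the two quoted in the thread.

```python
"""Offline triage of the files a sample left behind.

Added example, not code from the thread: it hashes every file in a
directory (what VT matched the re-submission on), flags zero-length stubs
like the original after it ran, groups byte-identical files (a dropper
copying itself to urlmon.exe), and greps printable strings for the two
indicators named in the thread: the C2 domain and the fake S.M.A.R.T. HDD
error text. The sample bytes below are constructed, not the real malware.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Substrings quoted in the thread; matched case-insensitively.
INDICATORS = [b"everkosmo2012.ru", b"bad sectors"]

# Fake file contents (constructed). Only the file names come from the thread.
FAKE_PAYLOAD = b"MZ" + b"\x00" * 62 + b"everkosmo2012.ru" + b"\x00" * 8
FAKE_TMP = (b"MZ" + b"\x00" * 62
            + b"The drives found 2393 bad sectors and 78 critical, "
            + b"23 dangerous issues during its self test" + b"\x00" * 8)


def file_hashes(path: Path) -> dict:
    """MD5 and SHA-256 of a file, read in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII at least min_len long (like `strings`)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def triage(dirpath: Path) -> dict:
    """Hash, dedupe and string-scan every regular file in dirpath."""
    report = {"hashes": {}, "zero_length": [], "indicators": {}}
    by_sha = {}
    for p in sorted(dirpath.iterdir()):
        if not p.is_file():
            continue
        if p.stat().st_size == 0:          # the original became a zero-length stub
            report["zero_length"].append(p.name)
            continue
        h = file_hashes(p)
        report["hashes"][p.name] = h
        by_sha.setdefault(h["sha256"], []).append(p.name)
        hits = [s.decode("ascii") for s in printable_strings(p.read_bytes())
                if any(ind in s.lower() for ind in INDICATORS)]
        if hits:
            report["indicators"][p.name] = hits
    # Identical content under different names: the dropper's copy of itself.
    report["self_copies"] = [names for names in by_sha.values() if len(names) > 1]
    return report


def build_sample_dir() -> Path:
    """Constructed stand-in for the post-execution directory."""
    d = Path(tempfile.mkdtemp(prefix="triage_"))
    (d / "sample.exe").write_bytes(b"")                       # original, now empty
    (d / "sample_as_received.exe").write_bytes(FAKE_PAYLOAD)  # pristine copy kept aside
    (d / "urlmon.exe").write_bytes(FAKE_PAYLOAD)              # the dropper's self-copy
    (d / "dGhKQWC2HzkZGD.exe.tmp").write_bytes(FAKE_TMP)      # second-stage temp file
    return d


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_dir()), indent=2))
```

Keeping a pristine copy of the sample outside the sandbox before running it is what makes the self-copy check possible after the original has been truncated; the MD5 is kept alongside SHA-256 only because that is the hash older VT reports keyed on.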