Another viral file (Dec 2)

Discussion in 'Anti-Virus' started by Virus Guy, Dec 3, 2011.

  1. Virus Guy (Guest)

    This is similar to what I posted here on Oct 14.

    The browser decodes some JavaScript that causes the browser to download
    a file with a name like 0.lotta-numbers.exe and tries to run the
    program. The last time it happened, the file suffered a horrible death
    when it found itself running under Win-98 and cacked itself.

    This time the file didn't seem to run - there was no error message, and
    cctask indicated that it wasn't running. But I found it sitting in my
    Firefox cache. So I packed up a bunch of files that had the same
    time-stamp and they can be downloaded from here:

    http://199.91.152.124/czkbzuv559rg/dalcl9j45883edq/V.ZIP

    That's mediafire.com (fileden, my usual file-locker, has been down for
    the past few days).

    I'm not sure if that's a time-generated link, so let me know if it
    doesn't work.

    That file is password protected (as always, password is "a", no
    quotes). It unzips to V.RAR (which is not PW protected) and within that
    file are these:

    (file name, size in bytes)

    3938e2cd.hst                                              13
    F3F6D0EEd01                                           28,759
    main.php                                             110,858
    0.13663754666984929.exe                               91,136
    g43kb6j34kblq6jh34kb6j3kl4.jar-38f4f004-207e8bd7.idx      99
    g43kb6j34kblq6jh34kb6j3kl4.jar-38f4f004-207e8bd7.zip   9,805
    g43kb6j34kblq6jh34kb6j3kl4.jar-38f4f004-207e8bd7.hst      13

    Someone has already done an analysis on the exe file and posted it in a
    comment on VT.
     
    Virus Guy, Dec 3, 2011
    #1
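The triage step described in the post above (find everything in the browser cache that landed at the same moment as the dropped executable, then hash and inspect it) as an added example; this is not code from the poster or from the thread. It builds a throwaway directory with constructed files that reuse two of the names from the post's listing (the contents are harmless stubs, not the real samples), then returns every neighbour within a two-second timestamp window, its SHA-256, whether it starts with an MZ header (a simple PE heuristic), and whether its name matches the "0.<digits>.exe" pattern the post describes. The window size, the name pattern and the helper names are all assumptions made for the example.

```python
import hashlib
import os
import re
import tempfile
import time
from pathlib import Path

# Naming pattern the post describes: "0." followed by a run of digits, then ".exe"
# (assumed regex; the post gives only an informal description)
RANDOM_EXE_NAME = re.compile(r"^0\.\d+\.exe$", re.IGNORECASE)


def sha256_of(path):
    """Hash a file in chunks so large cache entries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_pe(path):
    """Cheap heuristic: a Windows executable begins with the 'MZ' DOS header."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def files_dropped_with(reference, cache_dir, window_seconds=2):
    """Return metadata for every file in cache_dir whose mtime lies within
    window_seconds of the reference file's mtime (the 'same time-stamp' idea)."""
    ref_mtime = os.stat(reference).st_mtime
    hits = []
    for p in sorted(Path(cache_dir).iterdir()):
        if not p.is_file():
            continue
        st = p.stat()
        if abs(st.st_mtime - ref_mtime) <= window_seconds:
            hits.append({
                "name": p.name,
                "size": st.st_size,
                "sha256": sha256_of(p),
                "pe": is_pe(p),
                "suspicious_name": bool(RANDOM_EXE_NAME.match(p.name)),
            })
    return hits


def build_sample_cache():
    """Construct a temporary cache directory that mimics the drop described in
    the post. All contents are constructed stubs, not the real files."""
    d = Path(tempfile.mkdtemp(prefix="cache_triage_"))
    t0 = time.time() - 3600  # pretend the drop happened an hour ago
    samples = {
        # name taken from the post's listing; body is a fake MZ header padded with zeros
        "0.13663754666984929.exe": (b"MZ" + b"\x00" * 62, t0),
        # name taken from the post's listing; body is a constructed placeholder page
        "main.php": (b"<html><script>/* constructed placeholder */</script></html>", t0 + 1),
        # an unrelated cache entry from the day before, which the window should exclude
        "old_page.html": (b"<html>unrelated</html>", t0 - 86400),
    }
    for name, (data, mtime) in samples.items():
        p = d / name
        p.write_bytes(data)
        os.utime(p, (mtime, mtime))
    return d


def triage_demo():
    """Run the triage against the constructed cache and return the hits."""
    cache = build_sample_cache()
    return files_dropped_with(cache / "0.13663754666984929.exe", cache)


if __name__ == "__main__":
    for hit in triage_demo():
        print(hit)
```

On a real cache directory you would call files_dropped_with with the path of the suspicious entry and the cache folder; the returned hashes are what you would look up on VirusTotal, as the post mentions someone already did for the exe.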

  2. It has that malicious Java JAR (downloader?) with crop.class and
    zoom.class (among others) in a photo folder.
     
    FromTheRafters, Dec 3, 2011
    #2