How / where do I report a malicious site that has a trojan?

Discussion in 'Virus Information' started by Matt Carter, Dec 5, 2009.

  1. Matt Carter

    Matt Carter Guest

    I am on Windows 7 Pro x64 IE 8 and I have Microsoft Security Essentials
    Microsoft Security Essentials Version: 1.0.1611.0
    Antimalware Client Version: 2.0.6212.0
    Engine Version: 1.1.5302.0
    Antivirus definitions: 1.71.527.0
    Antispyware definitions: 1.71.527.0

    I went to a website, Accuweather.com to check the weather and THIS site
    popped up! It is a Trojan and it wanted me to download / install its CRAP
    file!

    I am hoping someone can tell me where I can HELP people out, to prevent this
    CRAP from spreading. I am looking to have some security experts (as I am NOT
    qualified) determine that this site should be blocked on a Blacklist to
    prevent its Trojan from spreading.
    Is there a website(s) that I can submit this link below that I "THINK" /
    feel / know is a malicious site and I want to "share" that with others to have
    people BLOCK it for their AntiVirus system, say for Security Essentials, AVG,
    McAfee, TrendMicro, Norton, etc.

    Thank you.

    Matt


    THIS IS A TROJAN!! PLEASE DO NOT OPEN / SELECT THIS FILE! PLEASE
    http://servscanner03.com/2/?sess=%3DGQ21jTwOS0zJmlwPTk4LjIxNi4xMTYuMTMwJnRpbWU9MTI1NTkwOY0MaQ%3DM
     
    Matt Carter, Dec 5, 2009
    #1

  2. RJK Guest

    That's very clever, ....including the URL to what you suspect is malware !

    regards, Richard
     
    RJK, Dec 5, 2009
    #2

  3. From: "RJK" <>

    | That's very clever, ....including the URL to what you suspect is malware !

    Richard, what you did wasn't too good as you quoted the post with a possibly malicious
    URL and FAILED to obfuscate said URL !
     
    David H. Lipman, Dec 5, 2009
    #3
  4. From: "Matt Carter" <.(doNOTspam)>

    | I am on Windows 7 Pro x64 IE 8 and I have Microsoft Security Essentials
    | Microsoft Security Essentials Version: 1.0.1611.0
    | Antimalware Client Version: 2.0.6212.0
    | Engine Version: 1.1.5302.0
    | Antivirus definitions: 1.71.527.0
    | Antispyware definitions: 1.71.527.0

    | I went to a website, Accuweather.com to check the weather and THIS site
    | popped up! It is a Trojan and it wanted me to download / install its CRAP
    | file!

    | I am hoping someone can tell me where I can HELP people out, to prevent this
    | CRAP from spreading. I am looking to have some security experts (as I am NOT
    | qualified) determine that this site should be blocked on a Blacklist to
    | prevent its Trojan from spreading.
    | Is there a website(s) that I can submit this link below that I "THINK" /
    | feel / know is a malicious site and I want to "share" that with others to have
    | people BLOCK it for their AntiVirus system, say for Security Essentials, AVG,
    | McAfee, TrendMicro, Norton, etc.

    | Thank you.

    | Matt


    | THIS IS A TROJAN!! PLEASE DO NOT OPEN / SELECT THIS FILE! PLEASE!
    | h**p://servscanner03.com/2/?sess=%
    | 3DGQ21jTwOS0zJmlwPTk4LjIxNi4xMTYuMTMwJnRpbWU9MTI1NTkwOY0MaQ%3DM

    In the future please do NOT post possibly malicious URLs without first obfuscating the URL
    as I have done in my reply by changing http to h**p. Thus the URL is no longer
    "clickable".

    The URL has been reported.
    Not that it will do much good. The rogue malware URLs now have very short lifespans.
     
    David H. Lipman, Dec 5, 2009
    #4
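The h**p trick described in the reply above is one form of URL "defanging". The following is an added example, not code from the thread or from any poster: it generalises the idea to the hxxp / [:] / [.] notation that most sharing platforms and indicator parsers understand, checks a draft post for links that are still clickable, and reverses the notation when an analyst needs the real URL back. The sample URL in it is a constructed placeholder, not the address from the thread.

```python
"""Defang and refang URLs so a suspect link can be shared without being clickable.

Added example, not code from the thread. David Lipman's h**p trick is one
convention; this generalises to hxxp / [:] / [.] and reverses it on demand.
"""
import re
from urllib.parse import urlsplit

# Scheme substitutions; any other scheme is left as-is but still gets the [:] break.
DEFANG_SCHEME = {"http": "hxxp", "https": "hxxps", "ftp": "fxp"}

# A link is still "live" if a real scheme separator survives in the text.
_LIVE_URL = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)

# Reversal rules, applied in order: scheme first, then separator, then dots.
_REFANG = [
    (re.compile(r"\bh\*\*p", re.IGNORECASE), "http"),  # h**p / h**ps (this thread's style)
    (re.compile(r"\bhxxp", re.IGNORECASE), "http"),    # hxxp / hxxps
    (re.compile(r"\bfxp", re.IGNORECASE), "ftp"),
    (re.compile(r"\[:\]//"), "://"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),
]


def defang(url: str) -> str:
    """Neutralise the scheme and every dot in the host; path and query stay readable."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"not an absolute URL: {url!r}")
    scheme = DEFANG_SCHEME.get(parts.scheme.lower(), parts.scheme)
    host = parts.netloc.replace(".", "[.]")
    rest = parts.path
    if parts.query:
        rest += "?" + parts.query
    if parts.fragment:
        rest += "#" + parts.fragment
    return f"{scheme}[:]//{host}{rest}"


def refang(text: str) -> str:
    """Reverse defang(); accepts h**p, hxxp, fxp, [:] and bracketed dots anywhere in text."""
    for pattern, replacement in _REFANG:
        text = pattern.sub(replacement, text)
    return text


def contains_live_url(text: str) -> bool:
    """True when a draft still holds a clickable http/https/ftp link; run this before posting."""
    return bool(_LIVE_URL.search(text))


if __name__ == "__main__":
    # Constructed sample; the real URL from the thread is deliberately not used here.
    suspect = "http://malware.example/2/?sess=abc123"
    safe = defang(suspect)
    print(safe)                       # hxxp[:]//malware[.]example/2/?sess=abc123
    print(contains_live_url(safe))    # False
    print(refang(safe) == suspect)    # True
```

Only the host part gets bracketed dots; dots in the path and query are left alone so the indicator stays readable, while the broken scheme and separator are enough to stop mail clients and forum software from auto-linking it.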
  5. You mean you read his whole post but missed the part about "THIS IS A
    TROJAN!! PLEASE DO NOT OPEN / SELECT THIS FILE! PLEASE!" or are you saying
    that idiots will skip reading his post and go straight to the URL and click
    on it.



    --
    The Real Truth http://pcbutts1-therealtruth.blogspot.com/
    *WARNING* Do NOT follow any advice given by the people listed below.
    They do NOT have the expertise or knowledge to fix your issue. Do not waste
    your time.
    David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
     
    The Real Truth MVP, Dec 6, 2009
    #5
  6. Hot-text Guest

    A PING

    * + 78.47.230.38 servscanner03.com
    |___ 21 File Transfer Protocol [Control]
    |___ 220 FTP Server ready...
    |___ 22 SSH Remote Login Protocol
    |___ SSH-2.0-OpenSSH_5.2..
    |___ 80 World Wide Web HTTP
    |___ HTTP/1.1 403 Forbidden..Date: Sun, 06 Dec 2009 07:50:33 GMT..Server:
    Apache..Connection: close..Content-Type: text/html; charse
    |___ 111 SUN Remote Procedure Call
     
    Hot-text, Dec 6, 2009
    #6
  7. Virus Guy Guest

    VT scan of file Antivir-93cf_2005-3.exe:

    http://tinyurl.com/y93br4b

    Only 1 hit out of 41:

    Prevx 3.0 2009.12.06 Medium Risk Malware Dropper

    Prevx information about this file:

    http://tinyurl.com/y9d6e5z

    File Behavior

    ANTIVIR-8023_2018-1[1].EXE has been seen to perform the following
    behavior:

    * Executes a Process
    * Installs a browser helper object (BHO)
    * Registers a Dynamic Link Library File
    * Creates new folders on the system
    * This Process Deletes Other Processes From Disk
    * Copies files
    * Enables an In Process Object/Server - Common with DLL Injections
    * Creates a new Background Service on the machine
    * Injects code into other processes
    * This process creates other processes on disk

    ANTIVIR-8023_2018-1[1].EXE has been the subject of the following
    behavior:

    * Executed as a Process
    * Deleted as a process from disk

    Country Of Origin

    The filename ANTIVIR-8023_2018-1[1].EXE was first seen on Dec 6 2009 in
    the following geographical region of the Prevx community:

    * GREAT BRITAIN on Dec 6 2009

    File Name Aliases

    ANTIVIR-8023_2018-1[1].EXE can also use the following file names:

    * 21682525.EXE
    * DPLUMWYLUB-753.PMS.EXE
    * TMP.0QX6X7

    Filesizes

    This file has been seen with the following file size:

    * 163,840 bytes
     
    Virus Guy, Dec 6, 2009
    #7
  8. Hey Matt - Virus Guy's post also demonstrates a good way to make the
    anti-malware community aware of a new incarnation of malware. If you are
    careful enough with the handling of malware (as Virus Guy apparently is)
    you can capture the actual malware executable file and submit it to
    scanning at Virustotal.com (VT) and from there many vendors will be made
    aware of this new threat.

    Targeting the website as you suggest is not a bad idea, but as David
    Lipman suggests is a little like swatting flies.
    Nice catch! Are you using "view-source" on 98? I miss that scheme on XP.
     
    FromTheRafters, Dec 6, 2009
    #8
  9. Virus Guy Guest

    I'm noticing that my tinyurl link isn't working.

    I re-submitted the file to VT (and VT didn't indicate that it had
    already seen it before ?).

    VT is now reporting 4 hits:

    a-squared Trojan-Downloader.Win32.FraudLoad!IK
    Ikarus Trojan-Downloader.Win32.FraudLoad
    Kaspersky Trojan-Downloader.Win32.FraudLoad.wwvb
    Prevx Medium Risk Malware Dropper

    This VT link works:

    http://tinyurl.com/yhuh9ny
    Actually, I just cut and pasted the URL into firefox and sat back and
    watched the fireworks. When-ever that doesn't work, I'll try wget.

    With these fake-AV scans I will usually, eventually get a firefox popup
    asking what I want to do with the .exe file that's being pushed at me.
    I save it to my /virus/ folder and as soon as it's downloaded, I fire it
    off to VT. If it's a compressed file (at least, compressed using .zip
    or something that winrar can unpack) then I'll decompress it first
    before submission.
     
    Virus Guy, Dec 7, 2009
    #9
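The procedure Virus Guy describes above (save the pushed .exe to a holding folder, unpack it if it is an archive, then hand it to VirusTotal) and FromTheRafters' earlier point about submitting the captured file to VT both come down to handling a sample safely before submission. The following is an added example, not code from either poster: it classifies the download by magic bytes rather than by the name the site gave it, refuses archive members whose path would escape the quarantine folder (the "zip-slip" case), stores everything under a neutral .quarantine suffix, and records the SHA-256 that a VirusTotal lookup or submission keys on. The sample bytes are constructed for the demo and are not malware; the quarantine directory name is an assumption.

```python
"""Stage a captured fake-AV download for scanner submission.

Added example, not Virus Guy's code. Constructed demo payload only; the folder
layout (quarantine/<sha256>.<kind>.quarantine) is an assumption of this example.
"""
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List

# Constructed demo payload: an "MZ" header followed by filler, not a real program.
DEMO_PE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed demo payload, not executable code"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def identify(data: bytes) -> str:
    """Classify by magic bytes; the name the site pushed ("Antivir-...exe") is untrusted."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"MZ":
        return "pe"
    return "unknown"


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Construct an in-memory zip for the demo (stands in for what the site delivered)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def unpack_zip(data: bytes, dest: Path) -> List[Path]:
    """Extract every file member under dest, refusing any path that resolves outside it."""
    dest = dest.resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = (dest / info.filename).resolve()
            if dest not in target.parents:  # zip-slip guard: "../x" or absolute names
                raise ValueError(f"refusing member outside quarantine dir: {info.filename!r}")
            target = target.with_name(target.name + ".quarantine")  # never ends in .exe
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def stage_sample(data: bytes, quarantine: Path) -> List[dict]:
    """Save the sample, unpack it if it is a zip, and return a manifest of hashes to submit."""
    quarantine.mkdir(parents=True, exist_ok=True)
    kind = identify(data)
    digest = sha256(data)
    top = quarantine / f"{digest}.{kind}.quarantine"
    top.write_bytes(data)
    manifest = [{"path": str(top), "kind": kind, "sha256": digest, "size": len(data)}]
    if kind == "zip":
        for member in unpack_zip(data, quarantine / f"{digest}_extracted"):
            inner = member.read_bytes()
            manifest.append({"path": str(member), "kind": identify(inner),
                             "sha256": sha256(inner), "size": len(inner)})
    return manifest


def demo_run() -> List[dict]:
    """Stage a constructed zip wrapping DEMO_PE_BYTES, the way a fake-AV site might deliver it."""
    sample = build_zip({"ANTIVIR-0000_demo.exe": DEMO_PE_BYTES})
    with tempfile.TemporaryDirectory() as tmp:
        return stage_sample(sample, Path(tmp) / "virus")


def escape_refused() -> bool:
    """The zip-slip guard must reject a member named ../escape.txt."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            unpack_zip(build_zip({"../escape.txt": b"x"}), Path(tmp))
        except ValueError:
            return True
    return False


if __name__ == "__main__":
    for entry in demo_run():
        print(f"{entry['sha256']}  {entry['kind']:7} {entry['size']:>7}  {entry['path']}")
    print("zip-slip guard active:", escape_refused())
```

The manifest is what you keep: the SHA-256 of the outer file and of every unpacked member lets you check whether a scanner has already seen the sample before uploading it, which also answers the "VT didn't indicate that it had already seen it" puzzle in the post, since the re-submitted bytes may simply have differed from the first capture.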
  10. RJK Guest

    Ooops ! ...quite right ! ...

    regards, Richard

    ....age doesn't come on its own !
    ....the obvious is sometimes overlooked,
    ....and I, recently, seem to be doing a lot of "overlooking." !!!
     
    RJK, Dec 7, 2009
    #10