New malware sample (Dec 28) Black-hole

Discussion in 'Anti-Virus' started by Virus Guy, Dec 29, 2011.

  1. Virus Guy

    Virus Guy Guest

    Same as before - black hole (or blackole?). Haven't had one since what
    - Dec 16?

    I'm not going to post a malware package - instead just give a link if
    you want to experience it for yourself:

    Warning: don't visit these URLs unless you know what you're doing:

    -----------------
    hxxp://virtual-coach.org/grjfv.htm

    That's the link from the spam I got today, minus a whole lot of
    ?=alphanumeric junk trailing the .htm part of the link.

    It redirects to here:

    hxxp://chredret.ru/main.php
    -------------------

    In case they've nuked those domains:

    virtual-coach.org = 209.25.170.19
    chredret.ru = 91.222.137.170

    ==============
    Spam in question:

    Return-Path: <>
    Received: from desktop ([217.191.88.211])
    Date: Wed, 28 Dec 2011 01:14:57 +0100
    Subject: United Postal Service Tracking Number H1227mung64
    ===============

    I got one of those 0.numbers.exe files that tried to run via regsvr32 as
    well as direct-execution (but it crapped out on my win-9x system with
    KernelEx).

    And by the way, I do have a list of KernelEx APIs if ANT still wants to
    see it.

    There was also a pdf file (didn't submit it to VT). I'm seeing some new
    IDs from VT regarding the exe file:

    -----------------------
    file submitted to virus total: 0.8923615323821756.exe
    Submission date: 2011-12-28 22:00:40 (UTC)
    Result: 6/43 (14.0%)

    DrWeb Trojan.Necurs.2
    Ikarus Worm.Win32.Cridex
    Kaspersky Trojan.Win32.Jorik.Totem.k
    Microsoft Worm:Win32/Cridex.B
    NOD32 variant of Win32/Kryptik.YCT
    Panda Bck/Qbot.AO
    --------------------------

    AV protection continues to be (generally) a joke as far as detecting
    this malware (but we all know that AV protection has been a great IT
    scam for the past 2 or 3 years).

    And Dave, I continue to note the absence of Avira in these VT scans. I
    am doubting your explanation that they don't appear because of scan
    time-outs.
     
    Virus Guy, Dec 29, 2011
    #1

  2. Virus Guy

    Virus Guy Guest

    Well, it might help if they replace the "Antivir" in the report list
    with "Avira" or "Avira Antivir".

    I didn't know that Antivir = Avira.
     
    Virus Guy, Dec 29, 2011
    #2

  3. Dustin

    Dustin Guest

    That's not very surprising. You don't know many things. Sadly, you smart off
    to those who do...
     
    Dustin, Dec 29, 2011
    #3
  4. Virus Guy

    Virus Guy Guest

    In case you're interested, this was the error that resulted when the
    0.numbers.exe file was executed. I don't know if it's possible to
    figure out what API function it was trying to use.

    0 caused an invalid page fault in module <unknown> at 0000:00770d13.

    Registers:
    EAX=00653b77 CS=01c7 EIP=00770d13 EFLGS=00010212
    EBX=0000000c SS=01cf ESP=0065f510 EBP=0065f51c
    ECX=007501cf DS=01cf ESI=00770ff9 FS=3b77
    EDX=0000000c ES=01cf EDI=ffffbaca GS=0000

    Bytes at CS:EIP:
    8b 12 33 c0 33 ff 3b d3 75 02 eb 38 8d 72 2c 0f

    Stack dump:
    ffffbaca 00770ff9 446a5758 0065f52c 00770de1 f7258128 0065fb74 0065fe38
    00770114 0065fb74 4499f780 203a0161 009d0153
    0178017e 00000000 00a300a2
     
    Virus Guy, Dec 30, 2011
    #4
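What the Win9x crash dialog in post #4 actually lets you recover is the faulting instruction and the address it touched, not an API name. The script below is an added example, not the poster's analysis or code from the thread: it parses the register lines and the "Bytes at CS:EIP" string exactly as quoted above (embedded here as constructed sample input), decodes the instruction at EIP with a deliberately minimal x86 decoder that covers only the opcodes present in that byte string (mov/xor/cmp/lea with a ModRM byte, and the two rel8 jumps), and resolves the memory operand against the dumped register values. The decoder is an assumption of this example and would need extending for any other dump.

```python
"""Decode the faulting instruction from a Win9x 'invalid page fault' dump.

Added example for the crash dump quoted in the thread. The x86 decoder is
intentionally tiny: it handles only the opcodes that occur in the dumped
bytes (8b/33/3b/8d with ModRM, 75/eb rel8) and stops at anything else.
"""
import re

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed sample input: the dialog text as quoted in the post above.
SAMPLE_DUMP = """\
0 caused an invalid page fault in module <unknown> at 0000:00770d13.

Registers:
EAX=00653b77 CS=01c7 EIP=00770d13 EFLGS=00010212
EBX=0000000c SS=01cf ESP=0065f510 EBP=0065f51c
ECX=007501cf DS=01cf ESI=00770ff9 FS=3b77
EDX=0000000c ES=01cf EDI=ffffbaca GS=0000

Bytes at CS:EIP:
8b 12 33 c0 33 ff 3b d3 75 02 eb 38 8d 72 2c 0f
"""

TWO_OPERAND = {0x8B: "mov", 0x33: "xor", 0x3B: "cmp", 0x8D: "lea"}
JUMP_REL8 = {0x75: "jne", 0xEB: "jmp"}


def parse_dump(text):
    """Return ({register: value}, code bytes at CS:EIP) from the dialog text."""
    regs = {m.group(1).lower(): int(m.group(2), 16)
            for m in re.finditer(r"\b([A-Z]{2,5})=([0-9a-fA-F]{4,8})", text)}
    m = re.search(r"Bytes at CS:EIP:\s*\n([0-9a-f ]+)", text)
    return regs, bytes.fromhex(m.group(1))


def decode_modrm(code, i):
    """Decode ModRM (+disp8/disp32) starting at code[i]. No SIB support.
    Returns (reg field, operand text, memory spec or None, next index)."""
    modrm = code[i]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    i += 1
    if mod == 3:                      # register operand, no memory access
        return reg, REG32[rm], None, i
    if rm == 4:
        raise NotImplementedError("SIB addressing not needed for this dump")
    if mod == 0 and rm == 5:          # [disp32]
        disp = int.from_bytes(code[i:i + 4], "little")
        return reg, f"[0x{disp:08x}]", ("abs", disp), i + 4
    disp = 0
    if mod == 1:
        disp = int.from_bytes(code[i:i + 1], "little", signed=True); i += 1
    elif mod == 2:
        disp = int.from_bytes(code[i:i + 4], "little", signed=True); i += 4
    text = f"[{REG32[rm]}{disp:+#x}]" if disp else f"[{REG32[rm]}]"
    return reg, text, (REG32[rm], disp), i


def disassemble(code, eip):
    """Linear-sweep decode. Each entry is (address, text, mem) where mem is
    (base register, displacement) for instructions that dereference memory."""
    out, i = [], 0
    while i < len(code):
        op, addr = code[i], eip + i
        if op in TWO_OPERAND and i + 1 < len(code):
            reg, rm_text, mem, j = decode_modrm(code, i + 1)
            if TWO_OPERAND[op] == "lea":   # lea computes an address, never reads it
                mem = None
            out.append((addr, f"{TWO_OPERAND[op]} {REG32[reg]}, {rm_text}", mem))
            i = j
        elif op in JUMP_REL8 and i + 1 < len(code):
            rel = int.from_bytes(code[i + 1:i + 2], "little", signed=True)
            out.append((addr, f"{JUMP_REL8[op]} 0x{(addr + 2 + rel) & 0xffffffff:08x}", None))
            i += 2
        else:
            # 0x0f starts a two-byte opcode whose second byte is cut off in the dump
            out.append((addr, f"db 0x{op:02x}", None))
            break
    return out


def faulting_access(regs, code):
    """(instruction text at EIP, effective address it reads, or None)."""
    _, text, mem = disassemble(code, regs["eip"])[0]
    if mem is None:
        return text, None
    if mem[0] == "abs":
        return text, mem[1]
    base, disp = mem
    return text, (regs[base] + disp) & 0xffffffff


if __name__ == "__main__":
    regs, code = parse_dump(SAMPLE_DUMP)
    for addr, text, _ in disassemble(code, regs["eip"]):
        print(f"{addr:08x}  {text}")
    insn, ea = faulting_access(regs, code)
    print(f"fault at EIP: {insn}; effective address = {ea:#010x}")
```

For this dump the instruction at EIP is `mov edx, [edx]` with EDX=0000000c, so the fault is a read from address 0xC: a near-null pointer dereference (a field at offset 0xC of a structure pointer that came back null), which is consistent with a dropper whose runtime dependency is missing on Win9x/KernelEx. The dump alone cannot tell you which API returned the null; for that you would need to run the sample under a debugger and break on the failing import.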
