New malware sample (Dec 28) Black-hole

Discussion in 'Anti-Virus' started by Virus Guy, Dec 29, 2011.

  1. Virus Guy

    Virus Guy Guest

    Same as before - black hole (or blackole?). Haven't had one since what
    - Dec 16?

    I'm not going to post a malware package - instead just give a link if
    you want to experience it for yourself:

    Warning: don't visit these URL's unless you know what you're doing:


    That's the link from the spam I got today, minus a whole lot of
    ?=alpha-numberic junk trailing the .htm part of the link.

    It redirects to here:


    In case they've nuked those domains: = =

    Spam in question:

    Return-Path: <>
    Received: from desktop ([])
    Date: Wed, 28 Dec 2011 01:14:57 +0100
    Subject: United Postal Service Tracking Number H1227mung64

    I got one of those 0.numbers.exe files that tried to run via regsvr32 as
    well as direct-execution (but it crapped out on my win-9x system with

    And by the way, I do have a list of KernelEx API's if ANT still wants to
    see it.

    There was also a pdf file (didn't submit it to VT). I'm seeing some new
    ID's from VT regarding the exe file:

    file submitted to virus total: 0.8923615323821756.exe
    Submission date: 2011-12-28 22:00:40 (UTC)
    Result: 6/ 43 (14.0%)

    DrWeb Trojan.Necurs.2
    Ikarus Worm.Win32.Cridex
    Kaspersky Trojan.Win32.Jorik.Totem.k
    Microsoft Worm:Win32/Cridex.B
    NOD32 variant of Win32/Kryptik.YCT
    Panda Bck/Qbot.AO

    AV protection continues to be (generally) a joke as far as detecting
    this malware (but we all know that AV protection has been a great IT
    scam for the past 2 or 3 years).

    And Dave, I continue to note the absence of Avira in these VT scans. I
    am doubting your explanation that they don't appear because of scan
    Virus Guy, Dec 29, 2011
    1. Advertisements

  2. Virus Guy

    Virus Guy Guest

    Well, it might help if they replace the "Antivir" in the report list
    with "Avira" or "Avira Antivir".

    I didn't know that Antivir = Avira.
    Virus Guy, Dec 29, 2011
    1. Advertisements

  3. Virus Guy

    Dustin Guest

    That's not very surprising. You don't know many things. Sadly, you smartoff
    to those who do...
    Dustin, Dec 29, 2011
  4. Virus Guy

    Virus Guy Guest

    In case you're interested, this was the error that resulted when the
    0.numbers.exe file was executed. I don't know if it's possible to
    figure out what API function it was trying to use.

    0 caused an invalid page fault in module <unknown> at 0000:00770d13.

    EAX=00653b77 CS=01c7 EIP=00770d13 EFLGS=00010212
    EBX=0000000c SS=01cf ESP=0065f510 EBP=0065f51c
    ECX=007501cf DS=01cf ESI=00770ff9 FS=3b77
    EDX=0000000c ES=01cf EDI=ffffbaca GS=0000

    Bytes at CS:EIP:
    8b 12 33 c0 33 ff 3b d3 75 02 eb 38 8d 72 2c 0f

    Stack dump:
    ffffbaca 00770ff9 446a5758 0065f52c 00770de1 f7258128 0065fb74 0065fe38
    00770114 0065fb74 4499f780 203a0161 009d0153
    0178017e 00000000 00a300a2
    Virus Guy, Dec 30, 2011
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.