New viral sample (Dec 8)

Discussion in 'Anti-Virus' started by Virus Guy, Dec 9, 2011.

  1. Virus Guy

    Virus Guy Guest

    The package of files can be found here:

    http://www.fileden.com/files/2008/7/19/2010382/DEC_8.ZIP

    Password is "a" (no quotes). Unzips to a rar file. Unpack that to get:

    ==========
    4e94e.pdf
    MVOLEE48.GIF
    24bce92d.hst
    g43kb6j34kblq6jh34kb6j3kl4.jar-3ba7d41d-68772f99.hst
    g43kb6j34kblq6jh34kb6j3kl4.jar-3ba7d41d-68772f99.idx
    g43kb6j34kblq6jh34kb6j3kl4.jar-3ba7d41d-68772f99.zip
    0.2573132007008251.exe
    index.html
    ===========

    Background:

    Received spam containing this link:

    hxxp://shores.net/0bcefb/index.html

    Following that link caused this error in my firefox 2.0.0.20 browser:

    Firefox doesn't know how to open this address, because the
    protocol (hcp) isn't associated with any program.

    No idea what that's all about. The exe file is downloaded but not
    executed (on my win-98 system).

    The pdf file is then pushed at me, which I gladly download. The actual
    link to the pdf file is:

    hxxp://combijump.com/content/fdp1.php?f=43

    I was served up something from here (don't recall what it was):

    hxxp://combijump.com/main.php?page=2cd37516bfc47eba

    The index.html file contains links to these js files:

    hxxp://robinsharma.com/stcounter.js
    hxxp://serviciu-clienti.ro/ajaxam.js
    hxxp://olcsoautogumi.hu/ajaxam.js

    The first scan of the exe file by Virus Total resulted in a detection
    rate of 4/43 (9%) as of Dec 8, 2:25 pm EST. The first scan of the pdf
    file resulted in a detection rate of 15/43 (35%).

    VT says the exe file is ZBOT, the PDF is some variant of Pidief.

    I don't know what the purpose is of the gif file - I haven't submitted
    it to VT (are there known gif vulnerabilities?).

    The small hst file contains an IP address (46.45.137.206). What is the
    purpose of that?

    hxxp://46.45.137.206/ is currently serving a simple "ok!!!" text
    message.
     
    Virus Guy, Dec 9, 2011
    #1

  2. Spam that I'll bet purported to come from "2011 NACHA - The Electronic Payments
    Association"

    URL serves up ZBot, Fakealert and a Winpcap 4.1 packet sniffer amongst other malware.
     
    David H. Lipman, Dec 9, 2011
    #2

  3. Forgot to mention.

    HCP URL, Help Center URL Validation Vulnerability Ref: CVE-2010-1885
     
    David H. Lipman, Dec 9, 2011
    #3
  4. G. Morgan

    G. Morgan Guest

    Holy shit!

    --

    "I don't like to discriminate against terrorists based on nationality.
    If you declare war on the United States and you want to kill us,
    We're going to kill you first, period."

    October 19, 2011 - Ali Soufan (Colbert Report)
     
    G. Morgan, Dec 9, 2011
    #4
  5. Virus Guy

    Virus Guy Guest

    =========================
    Return-Path: <>
    Received: from JWVGLBI ([78.89.42.17])
    Date: Thu, 8 Dec 2011 20:02:16 +0300
    From: "LinkedIn" <>
    Subject: Alterations in FDIC temporary insurance coverage

    Each depositor insured to at least $250,000 per insured bank

    Attn: Financial Manager

    Herewith we would like to pay your attention to the latest changes in
    the FDIC insurance coverage for transaction accounts. From December 31,
    2010, through December 31, 2012 all funds in a "noninterest-bearing
    transaction account" are insured in full by the Federal Deposit
    Insurance Corporation. Please note, that this arrangement is temporary
    and besides the FDIC’s basic deposit insurance rules.

    The term "noninterest-bearing transaction account" means a conventional
    checking account or demand deposit account on which no interest is
    paid. For detailed information about this temporary FDIC arrangement,
    please refer to http://www.fdic.gov/ (hyper-linked to ->
    hxxp://shores.net/0bcefb/index.html)

    Sincerely,
    Federal Deposit Insurance Corporation.
    =========================
     
    Virus Guy, Dec 9, 2011
    #5
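The spam above works by showing one URL as the link text while the href points somewhere else, and the landing page then relies on the hcp: handler. The following is an added example (not code from the thread) that checks an email body for both tricks; the HTML is a constructed approximation of the message, and the hcp: link target is a made-up placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample approximating the spam body: the visible text says
# fdic.gov but the href points at the attacker's index.html, and a second
# link uses the hcp: scheme (the handler abused by CVE-2010-1885).
SAMPLE_HTML = """<p>please refer to
<a href="http://shores.net/0bcefb/index.html">http://www.fdic.gov/</a>
<a href="hcp://help.example/topic">Help</a>
<a href="https://www.fdic.gov/deposit/">FDIC deposit insurance</a></p>"""

# Schemes that have no business in a mail body aimed at a browser.
SUSPICIOUS_SCHEMES = {"hcp", "javascript", "data"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_suspicious_links(html):
    """Return (href, reason) for links worth flagging in an email body."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        if target.scheme.lower() in SUSPICIOUS_SCHEMES:
            findings.append((href, f"unexpected scheme {target.scheme}:"))
            continue
        # Only compare hosts when the visible text itself looks like a URL.
        shown = urlparse(text if "://" in text else "")
        if shown.hostname and shown.hostname != target.hostname:
            findings.append((href, f"text shows {shown.hostname}, href goes to {target.hostname}"))
    return findings
```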
  6. That's two interesting javascript puzzles in one day. He also had that
    Java jar thing again. Are these supposed to work together - one to
    download with an innocuous extension and the other to change that
    extension after it hit the filesystem? Or, is that malicious server just
    throwing everything it's got at W98 because it isn't prepared for it?
     
    FromTheRafters, Dec 9, 2011
    #6
  7. G. Morgan

    G. Morgan Guest

    Heh, punny. :)

     
    G. Morgan, Dec 9, 2011
    #7
