New Virus (Dec 12)

Discussion in 'Anti-Virus' started by Virus Guy, Dec 12, 2011.

  1. Virus Guy

    Virus Guy Guest

    Got a few more of these today. Two of which I checked, and one URL was
    taken down, one still worked. So I'm posting the results of the working

    I captured two temporary files that I've never gotten before (they are
    deleted from \temp as soon as I kill java.dll) but this time I grabbed
    them. I note this interesting string inside them:

    Obfuscation by Allatori Obfuscator v3.5

    I'm trying to upload this package to fileden, but I'm having a hard time
    bringing up the file-upload page right now.

    I'll post back when I've got it. So if anyone else wants to grab these


    Original spam-link:

    hxxp:// ->

    Subject: ACH transaction report
    Date: Mon, 12 Dec 2011 19:40:48 +0900
    Return-Path: <>
    Received: from GPXQRNQGS ([])

    Files created / modified:


    c:\windows\application data\mozilla\firefox\profiles\4ncwclw6.default


    c:\windows\application data\sun\java\deployment\cache\javapi\v1.0\jar

    c:\windows\application data\sun\java\deployment\host

    c:\windows\application data\sun\java\deployment\log


    pdf download from: -> -> -> -> kquery.js (1) -> -> kquery.js (2) -> -> kquery.js (3)
    Virus Guy, Dec 12, 2011
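Added example (not part of Virus Guy's post or anything else in this thread): a small Python checker that walks a Java deployment cache or temp directory, treats each file as a JAR (zip) and reports any whose raw bytes or whose entries contain the "Allatori Obfuscator" marker string mentioned above. The directory layout, the `jar_cache*.tmp` file names and the two sample JARs it builds are constructed for the demonstration and are assumptions, not captured samples; real Allatori-obfuscated applets in the Blackhole kit of that period may not carry the marker in every build, so treat a hit as a triage lead, not a verdict.

```python
"""Scan a Java deployment cache / temp directory for JARs carrying the Allatori marker.

Added example: the paths, file names and sample JARs below are constructed
for the demo; they are not the files captured in the thread.
"""
import io
import os
import tempfile
import zipfile

# Substring of the string reported in the captured temp files:
# "Obfuscation by Allatori Obfuscator v3.5". Class-file constant-pool strings
# are stored as (modified) UTF-8, so an ASCII substring match on the raw
# entry bytes is enough.
ALLATORI_MARKER = b"Allatori Obfuscator"


def jar_has_marker(data: bytes, marker: bytes = ALLATORI_MARKER) -> bool:
    """True if `data` (a JAR/zip or any blob) contains the marker anywhere.

    Checks the raw bytes first (covers stored/uncompressed zips and plain
    files), then inflates each zip entry and checks the decompressed bytes.
    """
    if marker in data:
        return True
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                try:
                    if marker in zf.read(name):
                        return True
                except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
                    # encrypted or corrupt entry: skip it, keep scanning
                    continue
    except zipfile.BadZipFile:
        pass  # not a zip at all; the raw check above was the only option
    return False


def scan_cache(root: str) -> list:
    """Walk `root` recursively and return sorted paths of files with the marker."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable (locked, permissions): skip
            if jar_has_marker(data):
                hits.append(path)
    return sorted(hits)


def build_sample_jar(obfuscated: bool) -> bytes:
    """Constructed sample: a tiny JAR with one fake .class entry (not real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        body = b"\xca\xfe\xba\xbe" + b"\x00" * 16  # class magic + padding
        if obfuscated:
            body += b"Obfuscation by Allatori Obfuscator v3.5"
        zf.writestr("a/b.class", body)
    return buf.getvalue()


def demo() -> dict:
    """Build a throwaway cache tree with one marked and one clean JAR, scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        # Mirrors the "deployment\cache\javapi\v1.0\jar" layout from the post
        # (assumed layout for the demo; the real tree varies by Java version).
        cache = os.path.join(tmp, "deployment", "cache", "javapi", "v1.0", "jar")
        os.makedirs(cache)
        bad = os.path.join(cache, "jar_cache1234.tmp")   # constructed name
        good = os.path.join(cache, "jar_cache5678.tmp")  # constructed name
        with open(bad, "wb") as fh:
            fh.write(build_sample_jar(True))
        with open(good, "wb") as fh:
            fh.write(build_sample_jar(False))
        hits = scan_cache(tmp)
        return {"jar_cache1234.tmp": bad in hits, "jar_cache5678.tmp": good in hits}


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name}: {'ALLATORI MARKER' if flagged else 'clean'}")
```

To use it on a live machine, call `scan_cache()` on the user's Java deployment cache and on `%TEMP%` while the browser's Java process is still running, since the post notes the `jar_cache` temp files are deleted as soon as the Java process is killed.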

  2. Virus Guy

    Virus Guy Guest

    Password is "a" (no quotes). Unpack rar to get files.

    (sorry for posting the URL to the pdf file without obfuscation)

    The jar_cache files are new. Hope they are useful.
    Virus Guy, Dec 12, 2011

  3. Virus Guy

    Virus Guy Guest

    Wow - is everyone on vacation?

    Here are a bunch of fresh URLs that came in today - all of them being
    that stupid "ACH payment" spam.

    Warning: These are malicious URLs. Do not follow them unless you know
    what you're doing.


    These URLs came from a different class of spam today. I haven't tried
    them yet:

    Virus Guy, Dec 12, 2011

  4. SSDD

    There wasn't anything really new about the malware associated with the Black Hole Exploit
    David H. Lipman, Dec 12, 2011
  5. Virus Guy

    Virus Guy Guest

    Was the use of Allatori Obfuscator known?

    What part of the cocktail of files I've been posting (if any) is the
    Carberp payload?
    Virus Guy, Dec 12, 2011
  6. Allatori Obfuscator has been seen before.

    Carberp payload ?

    I ran the first exploit site and it was the same.

    I ran the last four sites and two were active and I got results and their payload was a
    different site. I assume that's what you mean by Carberp payload.

    Those two were...
    and they had the same results.
    David H. Lipman, Dec 12, 2011
  7. Virus Guy

    Virus Guy Guest

    Reports from early December about Black Hole say it's being paired with

    But these same reports seem to talk more about browser hijacking as the
    exposure mechanism - not following links in spam.
    Virus Guy, Dec 12, 2011
  8. I see - thanx.
    David H. Lipman, Dec 13, 2011


  9. "Win32/Carberp is a family of trojans that may be delivered via malicious code, for
     instance by variants of Exploit:JS/Blacole."

    JS/Blacole has been associated with CVE-2010-0840

    The Nacha spam Java has been so far associated with CVE-2011-3544
    David H. Lipman, Dec 13, 2011
  10. Virus Guy

    Virus Guy Guest

    I think the malware that I've been seeing (and posting here) is being
    spammed by the Cutwail botnet. The full payload apparently includes
    SpyEye and Bobax. Have we confirmed that?
    Virus Guy, Dec 13, 2011

  11. No. Different malicious family groups.
    Different email bodies and URL formats.

    What they do have in common is the Black Hole Exploit Kit.
    David H. Lipman, Dec 13, 2011
  12. Virus Guy

    Virus Guy Guest

    For what it's worth, I can't find anything on the web linking Black hole
    (or Blacole?) and the use of Allatori obfuscator.
    Virus Guy, Dec 13, 2011