foto*.com Trojan

Hi,

My sister who uses the latest Avast! product with the most recent definitions updates got infected today.

She thought she was opening an attached image file …, it was shown as 'Imagens anexadas: DSC_24.jpg - DSC_33.jpg - DSC_55 .jpg …' and each filename is actually a hyperlink. When clicked, it quickly opens a new IE tab, closes it, and is followed by a download prompt for a file named foto*.com (wildcard used to indicate something else before the .com).

Avast didn't detect this threat at this early stage; my sister carelessly clicked 'Open' on the file and got infected … then Avast complained about 'some' of the Trojan files.

Further details on the type of infection can be found on the trustworthy informational sites http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=179655 and http://www.threatexpert.com/report.aspx?md5=9665fb2bd9838977fb252b98319818a2

I also have three of the bad links so that one is able to retrieve the infections to be used to make additional signatures; is there someone special on the Avast! team who accepts PMs containing the three bad URLs?

Was this helpful enough?

Maybe you can post here changing http with hxxp in the links.

Hi Tech,

ok, …

hxxp://i6.com.br/zwehbr
hxxp://cli.gs/B0enVu
hxxp://i6.com.br/w6kzkc

These links redirect, and I checked the redirected pages using Anubis; here are the results:

http://anubis.iseclab.org/?action=result&task_id=1319d075cba1b3b44d9250f252a9a0a4a&format=html

http://anubis.iseclab.org/?action=result&task_id=1022b221c4c5bd344e5c127286e134c55&format=html

http://anubis.iseclab.org/?action=result&task_id=1f163972d02581fb4a5fcadb32cf54338&format=html

the final one being the biggest report

Norton safe web says this :

http://safeweb.norton.com/report/show?name=fromru.su

Hi Phant0m``,

It is where it redirects to.
Seven suspicious inline scripts are found where it redirects to:
tfotos dot fromru dot su

Script outside of … block

if (window!=window.top) {
document.write('div');
dwrite = document.write;
document.write = function...

Script outside of … block

var img = new Image();
img.src = 'http://www.tns-counter.ru/V13a***R>' + document.referrer.replace(...

Script outside of … block

ru = '(none)';
u="count.rbc.ru/p103.gif";d=document;nv=navigator;na=nv.appName;p=0;j="N";
n=(na.sub...

Script outside of … block

var qipbar_flag =  false;
frameLoad = function()

{

Script outside of … block

LP_banner.init({
step:        12,
interval:    5, // ????? ????? ???????? ???.

timeout: 2, // ??..

Script outside of … block

if (window!=window.top) {
document.write = dwrite;
document.write('');
}

polonus

It is redirecting to

  1. xfotosx01 DOT fromru DOT su/fotos_237 DOT com ------ cli DOT gs/B0enVu
  2. tfoto DOT fromru DOT su/fotos DOT com ------ i6 DOT com DOT br/zwehbr

Hi malware fighters,

Again after all this time this malware has turned up its ugly head and was found here (28-05-2010): http://www.UnmaskParasites.com/security-report/?page=protesto-juridico.newmail.ru

Two of those mentioned are here: http://safeweb.norton.com/report/show?name=protesto-juridico.newmail.ru

But there are more suspicious scripts there:
Suspicious Inline Scripts
Is there any good reason for this script to be outside of … block?

if (window!=window.top) {
document.write('div');
dwrite = document.write;
document.write = function...

Is there any good reason for this script to be outside of … block?

document.write("<a href='htxp://www.liveinternet*ru/click;pochta-ru' "+
"target=_blank><img src='ht...

Is there any good reason for this script to be outside of … block?

v*r img = new Image();
img.src = 'hXtp://www.tns-counter.ru/V13a***R>' + document.referrer.replace(...

Is there any good reason for this script to be outside of … block?

u="count.rbc*ru/p103.gif";d=document;nv=navigator;na=nv.*ppName;p=0;j="N";
n=(na.substring(0,2)=="M...

Is there any good reason for this script to be outside of … block?

v*r qipbar_flag = false;
frameLoad = function()
{
if (qipbar_flag ||
(window.n*vigator.userAgent.s...

Is there any good reason for this script to be outside of … block?


if (window!=window.top) {
document.wr*te = dwrite;
document.wr*te('');

polonus
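The two reports quoted above flag the same handful of inline scripts: a frame check that swaps out document.write, an Image() beacon that ships document.referrer to a counter, and scripts sitting outside the head/body blocks. The following is an added example, not code from this thread, Norton Safe Web or UnmaskParasites, of a small static scanner that applies those heuristics to a page so a defender can triage a suspected redirect target offline. The sample HTML is constructed, with placeholder hostnames, and "outside of block" is interpreted here as a script that is inside neither <head> nor <body> (for instance, appended after </html>), which is an assumption about what the quoted reports mean.

```python
"""Heuristic scanner for suspicious inline scripts (added example)."""
import re
from html.parser import HTMLParser

# Patterns taken from the script fragments quoted in the thread.
SUSPICIOUS_PATTERNS = {
    # framebuster-style check used to behave differently when framed
    "frame-check": re.compile(r"window\s*!==?\s*window\.top|self\s*!==?\s*top|top\s*!==?\s*self"),
    # monkey-patching document.write to intercept what the page writes
    "document.write-override": re.compile(r"document\.write\s*="),
    # tracking pixel that leaks the referrer to a third party
    "referrer-beacon": re.compile(r"new\s+Image\s*\([\s\S]*document\.referrer"),
    # markup injection of a new script or frame via document.write
    "write-injected-tag": re.compile(r"document\.write\s*\(.*<\s*(iframe|script)", re.I | re.S),
}


class InlineScriptCollector(HTMLParser):
    """Collects (location, source) for every inline <script>; external scripts
    with a src attribute carry no inline source and are skipped."""

    def __init__(self):
        super().__init__()
        self.depth = {"head": 0, "body": 0}
        self.in_script = False
        self.current = []
        self.current_location = ""
        self.scripts = []

    def _location(self):
        if self.depth["head"]:
            return "head"
        if self.depth["body"]:
            return "body"
        return "outside"

    def handle_starttag(self, tag, attrs):
        if tag in self.depth:
            self.depth[tag] += 1
        elif tag == "script" and not dict(attrs).get("src"):
            self.in_script = True
            self.current = []
            self.current_location = self._location()

    def handle_endtag(self, tag):
        if tag in self.depth and self.depth[tag] > 0:
            self.depth[tag] -= 1
        elif tag == "script" and self.in_script:
            self.in_script = False
            self.scripts.append((self.current_location, "".join(self.current)))

    def handle_data(self, data):
        if self.in_script:
            self.current.append(data)


def scan_inline_scripts(html: str) -> list:
    """Return one finding per inline script that is outside head/body or that
    matches any suspicious pattern; clean scripts produce no finding."""
    parser = InlineScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for location, src in parser.scripts:
        reasons = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(src)]
        if location == "outside":
            reasons.insert(0, "script-outside-head-body")
        if reasons:
            findings.append({"location": location, "reasons": reasons,
                             "snippet": " ".join(src.split())[:60]})
    return findings


# Constructed sample page: one benign head script, one frame-check/write override
# in the body, an external script, and two scripts appended after </html>.
SAMPLE_HTML = """<html><head><title>constructed sample</title>
<script>var page = "fotos";</script>
</head><body><p>Imagens anexadas</p>
<script>
if (window!=window.top) {
  dwrite = document.write;
  document.write = function(s) { dwrite.call(document, s); };
}
</script>
<script src="/static/app.js"></script>
</body></html>
<script>
var img = new Image();
img.src = 'http://counter.example.test/beacon?r=' + document.referrer.replace(/&/g, '%26');
</script>
<script>
if (window!=window.top) { document.write = dwrite; document.write(''); }
</script>
"""

if __name__ == "__main__":
    for finding in scan_inline_scripts(SAMPLE_HTML):
        print(f"[{finding['location']:7}] {', '.join(finding['reasons'])}: {finding['snippet']}")
```

The heuristics are intentionally narrow: a hit means "look at this script by hand", not "this page is malicious", since legitimate counters and framebusters use the same constructs. The value is in ranking which of a page's inline scripts deserve a human look first.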

Web of Trust marked this site as MALICIOUS

Source domain scorecard:
http://www.mywot.com/en/scorecard/fromru.su

Hi Sartigan,

Look here 188 threats found: http://safeweb.norton.com/report/show?url=fromru.su&x=13&y=11

See this report also: http://www.malwareurl.com/listing.php?domain=xvideox01.fromru.su

Stay away, folks; Virut is no joke to have land on your machine, or you will be saying bye-bye to your executables and your OS…

polonus