Don't run this on your working machine! Use a VM!
(How to use VM → https://github.com/xdissent/ievms)
Malicious Program:
https://www.dropbox.com/s/v4mnrpwowv2om59/InfoScan.zip
Instruction:
- Unzip
- Run ‘setup.exe’
Expected Result:
After around a minute or two, everything in C: drive is deleted.
I tested it and confirmed its malicious behaviour in these environments:
Windows 7 + IE 9
Windows XP + IE ?
Windows 7 + IE 9 (VirtualBox)
It's being distributed on a government website, so I reported it to several organisations, but it was ignored because no one could reproduce the malicious behaviour.
I would like to know what kind of environment affects the malicious behaviour of this program.
Thank you
Sean
Please break these links to hxtp.
Well, see the IDS alerts running for that IP here: http://urlquery.net/report.php?id=2307012
IDS alerts are commented out for policy violations so users can decide not to open these…
also see: hxtp://jsunpack.jeek.org/?report=016d95e5784dc91a76fed654f58881224f5a7011
polonus
See: http://anubis.iseclab.org/?action=result&task_id=161d6d487fa3528c495c60243925813de&format=html
Some remarks on the findings - explaining some of the experienced results…
Bugs - Heap corruption caused by std::string destructor in msvcp80.dll (8.0.50727.1433) on XP !!!
This corruption only happens on XP machines that have the 8.0.50727.1433 version of msvcp80.dll installed to C:\Windows\WinSxS. (It runs fine on Vista.)
One could also experience installer issues with WINMM.dll 0x76B40000 0x0002D000
Web Platform Customization - ie4uinit.exe (also causing installer issues)
Aimbot-like code Extensions\Cached {871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046}
C:\WINDOWS\system32\WINMM.dll file corruption - should run system file checker on that corrupted file…
This also gives some info on the source link of that file: http://www.mywot.com/en/scorecard/letitbit.net?utm_source=addon&utm_content=popup-donuts
For the second VT file see: http://www.fileinspect.com/fileinfo/issetup-dll/ InstallShield software produced in Schaumburg USA by Flexera Software
polonus
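A quick way to check whether a test VM has the msvcp80.dll build that polonus's remarks single out (8.0.50727.1433 under C:\Windows\WinSxS), and to queue the System File Checker run he suggests for the WINMM.dll corruption. This is an added example, not code from the thread or from any of the linked analysis services; it assumes PowerShell is available on the VM (XP does not ship it by default) and that the WinSxS path is the standard %WINDIR%\WinSxS. The flagged version string is the one quoted in the post above; nothing else here is taken from the sample.

```powershell
# Added example (not part of the original thread). Enumerates every msvcp80.dll
# under WinSxS, reports its embedded file version, and flags the build that
# polonus's remarks associate with the std::string destructor heap corruption.
# Assumptions: %WINDIR%\WinSxS is the side-by-side store, PowerShell is installed.
$SxS     = Join-Path $env:WINDIR 'WinSxS'
$Flagged = '8.0.50727.1433'   # version quoted in the post above

function Get-Msvcp80Builds {
    Get-ChildItem -Path $SxS -Recurse -Filter 'msvcp80.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Build the dotted version from the numeric parts; the FileVersion
            # string itself may be formatted as "8.00.50727.1433", which would
            # not compare equal to the post's spelling.
            $ver = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                        $vi.FileBuildPart, $vi.FilePrivatePart
            [PSCustomObject]@{
                Path    = $_.FullName
                Version = $ver
                Flagged = ($ver -eq $Flagged)
            }
        }
}

$builds = Get-Msvcp80Builds
$builds | Format-Table -AutoSize

if ($builds | Where-Object { $_.Flagged }) {
    Write-Warning "msvcp80.dll $Flagged is present in WinSxS; the XP heap-corruption case in the thread applies to this VM."
}

# For the reported WINMM.dll corruption, run the System File Checker as an
# administrator (the post recommends it); sfc verifies and repairs protected files.
# sfc /scannow
```

Run it inside the throwaway VM, not on a working machine, and compare the listed versions against the environments the original poster listed (Windows 7 + IE 9, Windows XP) when trying to reproduce the behaviour.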