New alert, is this detected by avast...Trojan Zbot inside zip file

Alan1998 alerted me to this: Site: brennerveiculos dot com dot br/cache/efax_9057733019_pdf.zip
This is a malware threat outbreak: http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=31347
It is related to the Zeus trojan: http://www.malwaredomainlist.com/mdl.php?inactive=on&sort=Date&search=&colsearch=All&ascordesc=DESC&quantity=All&page=0?iframe=true
Trojan Zbot inside zip file → https://malwr.com/analysis/YzY1ODgwMzU5MTNjNDkzMDkyOTExNzA1NjNjZTQwNzY/
So far only one to detect on VT:

{"timestamp": "1382274374", "sha256": "b0f86ff6803336a76241bdd22daa46ea6fed5859147d85acb0030d3e4d49d4aa", "analysis_url": "/en/url/b0f86ff6803336a76241bdd22daa46ea6fed5859147d85acb0030d3e4d49d4aa/analysis/1382274374/", "result": 1, "verbose_msg": "Invalid URL"}]

polonus

The server on brennerveiculos dot com is not reachable for me at the moment.

I am getting no data.

Site is down.
http://www.downforeveryoneorjustme.com/http://brennerveiculos.com.br

Hi Steven Winderlich and Pondus,

Thank you both for that good news.
It has been taken down, and for a good reason.
At least Alan1998 has some good answers
as to why he should not go and download that file.
Others are safe, having missed that threat.
Again, for how long? See the IP and domain history here:
http://myip.ms/info/whois/200.143.116.25/k/588959722/website/brennerveiculos.com.br

polonus

Normally these sites are just up for a few hours or sometimes some days.

And then when antiviruses start to detect them they go down, use another server and start from the beginning. :wink:

Yes and this PHISH from that IP seems still up and kicking: Up(nil): 200.143.116.25 to 200.143.116.25 caciva dot com dot br hxtp://www.caciva.com.br/imagens/banners/paypals/ DNS status DNSBL listed

pol

Listed at PhishTank
http://www.phishtank.com/phish_detail.php?phish_id=1371684

and that means protection for those who use OpenDNS

I caught it. I also have Zeus on the Virtual Machine. The URL was in the process of being taken down when I found it. Very slow. Took a few tries to get the file.

The file was saved as .scr (Screen Saver). It is Zeus though.

I had no luck getting the file. Not even in a VM with Ubuntu 13.10.

Site seems to be down.

Can you upload the file somewhere and post the link here?

Will try to yes.

Deleted by OP

File is blocked by Mediafire.

Do you have another source to upload?

Like Google Drive or something else?

You could upload it on Wikisend: http://wikisend.com/

It works. And the file is blocked as FileRep Metagen (Drp)
and Dropper-Gen by Avast.

It is blocked by almost everyone out there except Bitdefender and Panda: https://www.virustotal.com/de/file/e65315616ee6ac28ec9e8f0f43ddb0f189a81b515369a72fc8a6b69db280d829/analysis/1382295546/

I don't have a Windows VM at the moment, just Ubuntu and Linux Mint.

But I will set up one when I have time.

Whoop. It is quite easy to delete. Kill the process in Task Manager, C:\Users\X\Roaming\IG(xxx).

Delete that and then run a scan with MBAM.

Steven. Suggestion. Use Windows 7 VM. Not Windows 8.1. I hate Windows 8

I will use a Win7 VM. I am running Windows 8.1 at the moment; I had to reset the laptop to factory settings because it was
crashing several times a day. I think svchost.exe was corrupted or damaged.

Maybe I will go over to Linux if Windows stays that bad; many people switched to Linux due to Win8.
Most stayed at Windows 7. If Windows stays at this stage and Windows 7 is outdated, I think many will go over to a Mac
or Linux.

Anubis analysis: http://anubis.iseclab.org/?action=result&task_id=1bc233e85a60405a481148b466e1cc86f&format=html

Threat Expert: http://www.threatexpert.com/report.aspx?md5=d711b3d9ca4beacb468269c5654cc515

Some more info. It modifies the registry to run on boot-up.

HKEY_CURRENT_USER → Software → Microsoft → Windows → CurrentVersion → Run

The file is randomly named according to the C:\Users\X\Roaming\[filename]

I’ll attach a picture with the virus folder name.

Please Note: The virus folders and executable files are randomly named each time and are not consistent!!

Additionally: Once the file has been run, it caps your CPU to max levels, then drops. In order to delete the Roaming folder you need to kill the process in Task Manager. Note again it will be randomly named and signed by Kemliz (Close, will modify that when I get home). MBAM works against this variant of Zbot.
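The persistence pattern described in the last posts (an HKCU Run value pointing at a randomly named folder and executable under AppData\Roaming, or a dropped .scr run as a program) is easy to hunt for in the output of `reg query`. The following Python is an added example written for this page, not code posted by anyone in the thread. It parses constructed `reg query` output for the Run key, flags entries matching that layout, and prints the `taskkill` / `rmdir` / `reg delete` commands that mirror the manual steps above. The user name X, the folder and file names Igviub and ewxyde, the vendor paths and the environment-variable values are all assumptions made up for the example; only the efax_9057733019_pdf .scr name comes from the thread.

```python
"""Triage HKCU Run-key entries for the Zbot persistence pattern described above."""
import ntpath
import re
from typing import List, NamedTuple, Tuple

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of `reg query` output for the Run key (not captured from the
# thread): two ordinary entries plus two that match the pattern in the post above.
# User name X, the names Igviub/ewxyde and the vendor paths are made up for the
# example; only the efax_*.scr file name comes from the thread.
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\X\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Vendor Tools    REG_EXPAND_SZ    "%ProgramFiles%\Vendor\tools.exe" -quiet
    Igviub    REG_SZ    C:\Users\X\AppData\Roaming\Igviub\ewxyde.exe
    Efax    REG_EXPAND_SZ    "%APPDATA%\efax_9057733019_pdf.scr"
"""

# Assumed values of the environment variables on the infected box.
FAKE_ENV = {
    "APPDATA": r"C:\Users\X\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\X\AppData\Local",
    "PROGRAMFILES": r"C:\Program Files",
}

ENTRY_RE = re.compile(r"^\s*(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*?)\s*$")
QUOTED_RE = re.compile(r'^"([^"]+)"')
BARE_EXE_RE = re.compile(r"^(\S+?\.(?:exe|scr|com|pif|bat|cmd|dll))(?:\s|$)", re.IGNORECASE)
ROAMING_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\(.*)$", re.IGNORECASE)
ENV_RE = re.compile(r"%([^%]+)%")


class RunEntry(NamedTuple):
    name: str
    reg_type: str
    data: str


class Finding(NamedTuple):
    name: str
    path: str
    reasons: Tuple[str, ...]


def parse_run_key(text: str) -> List[RunEntry]:
    """Pull (value name, type, data) triples out of `reg query` output."""
    return [RunEntry(m["name"], m["type"], m["data"])
            for m in map(ENTRY_RE.match, text.splitlines()) if m]


def expand_env(data: str, env=FAKE_ENV) -> str:
    """Expand %VAR% references. Done for every entry, not only REG_EXPAND_SZ,
    because a triage script should not trust the type tag the attacker chose."""
    return ENV_RE.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), data)


def image_path(data: str) -> str:
    """Strip arguments from a Run value and return just the program path."""
    m = QUOTED_RE.match(data) or BARE_EXE_RE.match(data)
    if m:
        return m.group(1)
    parts = data.split()
    return parts[0] if parts else data


def triage(text: str, env=FAKE_ENV) -> List[Finding]:
    """Flag Run entries that look like the Zbot layout: a letter-only folder and
    executable directly under AppData\\Roaming, or a .scr used as a program."""
    findings = []
    for entry in parse_run_key(text):
        path = image_path(expand_env(entry.data, env))
        reasons = []
        m = ROAMING_RE.match(path)
        if m:
            reasons.append("program lives under AppData\\Roaming")
            parts = m.group(1).split("\\")
            if len(parts) == 2 and all(p.rsplit(".", 1)[0].isalpha() for p in parts):
                reasons.append("Roaming\\<name>\\<name>.<ext> layout with letter-only names")
        if path.lower().endswith(".scr"):
            reasons.append("screen-saver extension used as a program")
        if reasons:
            findings.append(Finding(entry.name, path, tuple(reasons)))
    return findings


def remediation(finding: Finding) -> List[str]:
    """Commands matching the manual steps in the post: kill the process, remove
    the dropped folder (or the lone file), then remove the Run value."""
    exe = ntpath.basename(finding.path)
    folder = ntpath.dirname(finding.path)
    m = ROAMING_RE.match(folder)
    wipe = (f'rmdir /S /Q "{folder}"' if m and m.group(1)
            else f'del /F "{finding.path}"')
    return [f'taskkill /F /IM "{exe}"', wipe,
            f'reg delete "{RUN_KEY}" /v "{finding.name}" /f']


if __name__ == "__main__":
    for f in triage(SAMPLE_RUN_KEY):
        print(f"{f.name}: {f.path}")
        for r in f.reasons:
            print("  -", r)
        for c in remediation(f):
            print("  >", c)
```

On a live box you would feed it the real output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the real environment; the heuristics are deliberately structural (location and naming layout) because, as the post notes, the folder and file names change on every infection, so there is nothing fixed to match on. Review the generated commands before running them: a legitimate program that happens to install under Roaming with short letter-only names will also be flagged.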