PUP or real malware?

See: http://www.virustotal.com/url-scan/report.html?id=ed3d5cb7328434ec60a79a1c06513556-1323635600
and
http://www.virustotal.com/file-scan/report.html?id=5ce6804f1b111d9497821fe7a41593ae304a44b3b1f93b652244f881186880b4-1323639363
Also: http://camas.comodo.com/cgi-bin/submit?file=5ce6804f1b111d9497821fe7a41593ae304a44b3b1f93b652244f881186880b4
packed by UPX PUP or TrojanDropper.Pakes.bx
Anubis analysis: http://anubis.iseclab.org/?action=result&task_id=1e37c9bad3628490411555e2ce9d412d0
Found to be malicious: http://urlquery.net/report.php?id=11341

polonus

The malicious site is also reported here:
http://www.browserdefender.com/site/pclin.co.kr/

and here:
http://www.malwareblacklist.com/searchClearingHouse.php?search=pclin.co.kr


Hi Donovansrb10,

Yes, and here: http://safeweb.norton.com/report/show?url=pclin.co.kr
Threat = Trojan.Adclicker. This is malware that shares the primary functionality of artificially generating traffic to pay-per-click Web advertising campaigns in order to create or boost revenue,
i.e. fraud by online criminals…

polonus

Avira lab

The file '0615patch.exe' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Hi Pondus,

Try what Donovansrb10 did and visit -pclin.co.kr/; Bitdefender's TrafficLight will stop you from going there. Or is the packing by UPX being flagged? But also consider: http://safeweb.norton.com/report/show?url=http%3A%2F%2Fwww.pclin.co.kr with Trojan Adclicker,
this is the suspicious code there:
-widgetprovider.daum.net/view?url=-http:/widgetcfs1.daum.net/xml/6/widget/2009/08/19/21/59/about:blank suspicious
[suspicious:2] (ipaddr:180.70.93.29) (iframe) -widgetprovider.daum.net/view?url=-http:/widgetcfs1.daum.net/xml/6/widget/2009/08/19/21/59/about:blank
status: (referer=widgetprovider.daum.net/view?url=-http:/widgetcfs1.daum.net/xml/6/widget/2009/08/19/21/59/4a8bf74a16ae2.xml&fontcolor=&link=1&position=2&chatroom=CrazyServer&fontlarge=medium&bgcolor=EBEBEB&&width=200&height=300&widgetId=455&scrap=1)saved 43163 bytes 5a314bd06b16ac4d44f9bc01e5f60033df6d9390
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [iframe] -widgetprovider.daum.net/view?url=-http:/widgetcfs1.daum.net/xml/6/widget/2009/08/19/21/59/about:blank
info: [decodingLevel=0] found JavaScript
error: undefined variable window.frames[B.getIframeId()]
error: line:1: SyntaxError: missing ; before statement:
error: line:1: var window.frames[B.getIframeId()] = 1;
error: line:1: …^
suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes

pol

P.S. and for the blacklists, look here: http://rbls.org/180.70.93.29

D

Virustotal unpack and scan - URL removed

http://www.virustotal.com/file-scan/report.html?id=11cd4194641707448ffcf5dac3cf42ff7f450319c7ae1ebe82e44b6c9083faa6-1323707910
http://www.virustotal.com/file-scan/report.html?id=d4cceb2642b8af870c41cc3fb3b4a695f478fb11f373bbf4f6aa13ce5efcd4d1-1323707759
http://www.virustotal.com/file-scan/report.html?id=c13fcbd60abfbcddf8b04491753ed90c29c93980be1ed969be819d69792ec599-1323707913

Also see the “Show all” info… all files are old!

Sent to avast lab :wink:

Hi Pondus,

Thanks for forwarding, good we dug a bit deeper then,

pol

I didn’t visit the website, I just used UrlVoid to get the site’s malicious information.

On that note, I didn’t actually use my HTML viewing program. :wink:

Donovan

Hi Donovansrb10,

I correct that: you just reported the scan results,

polonus