Samples missed by avast (VirusTotal links only!)

http://www.virustotal.com/file-scan/report.html?id=9596cc829ec3aa8698d641822f552ae9a9aaed988706e3f89992d593fe71f318-1324299135

http://virusscan.jotti.org/en/scanresult/0ff465579a7ce5235bf37c1429673cbe736b0586

http://urlquery.net/report.php?id=12565

mdl_trojan Winlock/FakePoliceAlert to unknown_exe missed by avast, see:
http://www.virustotal.com/file-scan/report.html?id=e874026aeae1c7182d8155dc2ca76887e1b31bd882f3626a56b7a0d3a9dc4531-1324293612
see: -http://urlquery.net/report.php?id=12533
WOT would stop you from going there anyway because of a very bad web rep:
http://www.webutation.net/go/review/git7868777777777.nl.ai

pol

http://virusscan.jotti.org/en/scanresult/f5df750c0717aefbc74bc8686f0f117f0c7acb36
https://www.virustotal.com/file-scan/report.html?id=737e2c8e1729b860c65e4daf012e7eb4ec9855a9701ea3997626bb37167790dc-1324305873

Hi razoreqx,

Good find. PM-ed you about why I think it is definitely trojan malcode, i.m.o. Thanks for adding to avast detection,

pol

No, thanks to you my friend! You’re an amazing researcher (and a good teacher)!

http://virusscan.jotti.org/en/scanresult/580122ddae9bdcd79e09be0e397b1c80d1427e20/9a541f483fd5cef441aeb764d0b2622966a5f342

http://www.virustotal.com/file-scan/report.html?id=67de3f40a965cda98a4e1485d05cb2b22c754e9cb6ae11da019fcca774e9f293-1324310635

https://anubis.iseclab.org/?action=result&task_id=1f66db2b0f30ceea42dc774349e143d39&format=html

Trojan.Dropper

http://www.virustotal.com/file-scan/report.html?id=9c6008d77f2486a143405d295cb57729d8c8759bf4515aaa2f6b6fea149ce3f5-1324311747

http://virusscan.jotti.org/en/scanresult/36084b8cef9c33f286ed25e79a2d422978ed6c61

FakeAV.HDD

(Sandbox network log, one block per contacted server; the Connection and Pragma columns were empty for every request.)

Server DNS Name: manateigolkey.com   Service Port: 80
  Command:    GET /up.php?0Q9oBPXEN0uECUgzEJ95RQsagj3vq1aG3F/2q5oNqwOd0A== HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
  Host:       manateigolkey.com
  Others:     Cache-Control: no-cache

Server DNS Name: thelangleuber.com   Service Port: 80
  Command:    GET /up.php?0Q9oBPXEN0uECUgzEJ95RQsagj3vq1aG3F/2q5oNqwOd0A== HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
  Host:       thelangleuber.com
  Others:     Cache-Control: no-cache

Server DNS Name: sixboysowners.com   Service Port: 80
  Command:    GET /up.php?0Q9oBPXEN0uECUgzEJ95RQsagj3vq1aG3F/2q5oNqwOd0A== HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
  Host:       sixboysowners.com
  Others:     Cache-Control: no-cache

Server DNS Name: lotughtdenve.com   Service Port: 80
  Command:    GET /up.php?0Q9oBPXEN0uECUgzEJ95RQsagj3vq1aG3F/2q5oNqwOd0A== HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
  Host:       lotughtdenve.com
  Others:     Cache-Control: no-cache

Server DNS Name: gelongotbalebs.com   Service Port: 80
  Command:    GET /?ylOdR9GQqXquMlTvsmXlkaz1x3EX+A== HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
  Host:       gelongotbalebs.com
  Others:     Cache-Control: no-cache

Server DNS Name: shatretodangun.com   Service Port: 80
  Command:    GET /up.php?0Q9oBPXEN0uECUgzEJ95RQsagj3vq1aG3F/2q5oNqwOd0A== HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
  Host:       shatretodangun.com
  Others:     Cache-Control: no-cache

Server DNS Name: cozumesubar.com   Service Port: 80
  Command:    GET /up.php?0Q9oBPXEN0uECUgzEJ95RQsagj3vq1aG3F/2q5oNqwOd0A== HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
  Host:       cozumesubar.com
  Others:     Cache-Control: no-cache

Server DNS Name: rubesolanolex.com   Service Port: 80
  Command:    GET /up.php?0Q9oBPXEN0uECUgzEJ95RQsagj3vq1aG3F/2q5oNqwOd0A== HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
  Host:       rubesolanolex.com
  Others:     Cache-Control: no-cache

Server DNS Name: zownerubpres.com   Service Port: 80
  Command:    GET /?ylOdR9GQqXquMlTvsmXlkaz1x3EX+A== HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
  Host:       zownerubpres.com
  Others:     Cache-Control: no-cache

Server DNS Name: nuberolubenyc.com   Service Port: 80
  Command:    GET /?ylOdR9GQqXquMlTvsmXlkaz1x3EX+A== HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
  Host:       nuberolubenyc.com
  Others:     Cache-Control: no-cache
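The network log above shows two opaque query strings replayed byte-for-byte to ten freshly registered domains, which is what a hard-coded C2 list with a static bot identifier looks like in a sandbox report. The following is an added example, not part of this thread or of any sandbox tool: it parses a constructed subset of that report (same layout, four of the hosts), groups the contacted hosts by identical request so the round-robin pattern stands out, and builds a Suricata rule from it. The rule text, the `sid` and the `$HOME_NET`/`$EXTERNAL_NET` variables are assumptions; because the User-Agent is a stock IE7/XP string, the rule keys on the `/up.php?` URI prefix and uses the UA only to narrow matches.

```python
import re
from collections import defaultdict

# Constructed input in the layout of the sandbox report above (subset of the hosts listed there).
SANDBOX_REPORT = """\
Server DNS Name: manateigolkey.com Service Port: 80
Direction Command User-Agent Host Connection Pragma
GET /up.php?0Q9oBPXEN0uECUgzEJ95RQsagj3vq1aG3F/2q5oNqwOd0A== HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) manateigolkey.com
Others Cache-Control: no-cache

Server DNS Name: thelangleuber.com Service Port: 80
Direction Command User-Agent Host Connection Pragma
GET /up.php?0Q9oBPXEN0uECUgzEJ95RQsagj3vq1aG3F/2q5oNqwOd0A== HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) thelangleuber.com
Others Cache-Control: no-cache

Server DNS Name: gelongotbalebs.com Service Port: 80
Direction Command User-Agent Host Connection Pragma
GET /?ylOdR9GQqXquMlTvsmXlkaz1x3EX+A== HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) gelongotbalebs.com
Others Cache-Control: no-cache

Server DNS Name: cozumesubar.com Service Port: 80
Direction Command User-Agent Host Connection Pragma
GET /up.php?0Q9oBPXEN0uECUgzEJ95RQsagj3vq1aG3F/2q5oNqwOd0A== HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) cozumesubar.com
Others Cache-Control: no-cache
"""

SERVER_RE = re.compile(r"^Server DNS Name: (?P<host>\S+) Service Port: (?P<port>\d+)$")
# The UA contains spaces, so it is matched lazily and the Host header is the final token.
REQUEST_RE = re.compile(
    r"^(?P<method>GET|POST) (?P<uri>\S+) HTTP/1\.[01] (?P<ua>.+?) (?P<host_header>\S+)$")


def parse_report(text):
    """Return one record per request line: server host/port, method, URI, UA, Host header."""
    records, current = [], None
    for line in text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            current = (m["host"], int(m["port"]))
            continue
        m = REQUEST_RE.match(line)
        if m and current is not None:
            records.append({"host": current[0], "port": current[1],
                            "method": m["method"], "uri": m["uri"],
                            "ua": m["ua"], "host_header": m["host_header"]})
    return records


def group_by_beacon(records):
    """Map each distinct (method, uri) to the sorted hosts it was sent to.

    An identical opaque query string hitting many different domains is the
    signature of a static bot/campaign ID walked down a hard-coded C2 list."""
    groups = defaultdict(set)
    for r in records:
        groups[(r["method"], r["uri"])].add(r["host"])
    return {key: sorted(hosts) for key, hosts in groups.items()}


def suricata_rule(uri_prefix, user_agent, sid):
    """Build a Suricata HTTP rule on the URI prefix plus the exact UA (sid is an assumed local value).

    Semicolons terminate rule options, so they are escaped inside content strings."""
    esc = lambda s: s.replace(";", "\\;")
    return ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"FakeAV.HDD up.php beacon"; '
            'flow:established,to_server; http.method; content:"GET"; '
            f'http.uri; content:"{esc(uri_prefix)}"; startswith; '
            f'http.user_agent; content:"{esc(user_agent)}"; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    recs = parse_report(SANDBOX_REPORT)
    for (method, uri), hosts in group_by_beacon(recs).items():
        print(f"{method} {uri}\n    -> {len(hosts)} hosts: {', '.join(hosts)}")
    print(suricata_rule("/up.php?", recs[0]["ua"], 1000001))
```

Run against the full report, `group_by_beacon` gives seven hosts for the `/up.php?` request and three for the `/?ylOd…` one; the host list is the blocklist, the grouping is the evidence that they belong to one campaign.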

Not detected by avast - TR/Crypt.CFI.Gen - see: http://www.virustotal.com/url-scan/report.html?id=132341ba37080f8939a990e881d2502c-1324301045
and
http://www.virustotal.com/file-scan/report.html?id=bda30a652d09b6786feada3c8a44e1258d20df0bc9525986e16b3b7c28b1e787-1324304650

polonus

http://www.virustotal.com/file-scan/report.html?id=0b529def03e6fe2e97684b1431b2f97b22ad1347bf513c275ff6a43011b0925c-1324391090

https://anubis.iseclab.org/?action=result&task_id=1843010ff24a4968479ef2f65debdcdf4&format=html

http://www.threatexpert.com/report.aspx?md5=ede031e94dba203b2d027e2334a4c352

@razoreqx

That looks like a CNET download installer… FP? Or does it come with adware?

sigcheck:
publisher:     CNET Download.com
copyright:     CBS Interactive
product:       CNET Download.com Installer
description:   CNET Download.com Install
original name: n/a
internal name: CNET Download.com Installer
file version:  v2.0.2.108
comments:      n/a
signers:       -
signing date:  -
verified:      Unsigned

Got the ThreatExpert report back on that too. Remind me never to download anything from CNET!!
I’m not sure I would call this an FP. Did you see the remote host calls?

00000000 | 3041 3043 7A75 7443 3051 7443 3046 7442 | 0A0CzutC0QtC0FtB
00000010 | 3057 7443 3047 7443 3049 7443 3046 7443 | 0WtC0GtC0ItC0FtC
00000020 | 3054 7443 3051 325A 3046 7443 3052 7443 | 0TtC0Q2Z0FtC0RtC
00000030 | 3046 7443 3048 744E 3050 3143 3049 3044 | 0FtC0HtN0P1C0I0D
00000040 | 7A75 3151 3147 3149 3151 7446 3152 3146 | zu1Q1G1I1QtF1R1F
00000050 | 3148 744E 3055 3049 3044 7A75 7444 7444 | 1HtN0U0I0DzutDtD
00000060 | 7444 3043 7442 7A79 3043 3042 7443 7A7A | tD0CtBzy0C0BtCzz
00000070 | 7942 7443 3044 7443 3041 7945 7444 744E | yBtC0DtC0AyEtDtN
00000080 | 3057 3056 7A75 7944 7446 7443 744E 3057 | 0W0VzuyDtFtCtN0W
00000090 | 3053 3050 7A75 7442 744E 3050 3143 3053 | 0S0PzutBtN0P1C0S
000000A0 | 3259 3153 7A75 744A 3156 3057 3150 3043 | 2Y1SzutJ1V0W1P0C
000000B0 | 3154 3143 3150 744E 3052 3053 7A75 7449 | 1T1C1PtN0R0SzutI
000000C0 | 744E 3054 304B 7A75 7944 7442 7943 7943 | tN0T0KzuyDtByCyC
000000D0 | 7A7A 744E 3057 3150 3043 3154 3143 3150 | zztN0W1P0C1T1C1P
000000E0 | 3053 3150 3142 3142 314C 3146 3147 7A75 | 0S1P1B1B1L1F1Gzu
000000F0 | 7443 7A79 7942 7942 3154 7944 3151 3152 | tCzyyByB1TyD1Q1R
00000100 | 7447 7A7A 7A79 7443 7944 7447 3154 3150 | tGzzzytCyDtG1T1P
00000110 | 7944 3150 7447 7943 7942 3151 7944 7447 | yD1PtGyCyB1QyDtG
00000120 | 3152 7443 314F 7945 3151 3151 7441 3152 | 1RtC1OyE1Q1QtA1R
00000130 | 7444 3153 7942 7442 744E 3049 3052 3056 | tD1SyBtBtN0I0R0V
00000140 | 3045 3052 7A75 7944 7446 7442 7442 744E | 0E0RzuyDtFtBtBtN
00000150 | 3042 3052 3057 7A75 3049 3045 3058 3050 | 0B0R0Wzu0I0E0X0P
00000160 | 304C 304F 3052 3045 7446 3045 3058 3045 | 0L0O0R0EtF0E0X0E
00000170 | 744E 3048 3154 3142 304C 304D 7A75 7443 | tN0H1T1B0L0MzutC
00000180 | 744E 3052 304E 3154 3148 3150 7A75 3152 | tN0R0N1T1H1Pzu1R
00000190 | 744F 7441 3041 744F 7944 3043 3257 314C | tOtA0AtOyD0C2W1L
000001A0 | 3147 3151 3146 3257 3142 744F 7944 3043 | 1G1Q1F2W1BtOyD0C
000001B0 | 3142 3255 3142 325A 3150 3148 7441 7442 | 1B2U1B2Z1P1HtAtB
000001C0 | 744F 7944 3043 3142 3154 3148 3145 3149 | tOyD0C1B1T1H1E1I
000001D0 | 3150 3156 7443 7446 3150 3256 3150 744E | 1P1VtCtF1P2V1PtN
000001E0 | 304C 3154 3147 314E 7A75 3045 3147 314E | 0L1T1G1Nzu0E1G1N
000001F0 | 3149 314C 3142 314D 744E 3049 3045 3056 | 1I1L1B1MtN0I0E0V
00000200 | 3150 3143 7A75 7943 7446 7444 7446 7442 | 1P1CzuyCtFtDtFtB
00000210 | 7A79 7444 7444 7446 7442 7443 7A7A 7444 | zytDtDtFtBtCzztD
00000220 | 744E 304A 3053 7A75 7443 744E 3142 325A | tN0J0SzutCtN1B2Z
00000230 | 3154 3143 325A 3150 3151 7A75 7443 744E | 1T1C2Z1P1QzutCtN
00000240 | 3142 325A 3154 3148 3145 7A75 7443 7444 | 1B2Z1T1H1EzutCtD
00000250 | 7443 7443 7441 7945 7444 7443 744E 304C | tCtCtAyEtDtCtN0L
00000260 | 304D 3156 3053 3045 3043 7A75 7442 744E | 0M1V0S0E0CzutBtN
00000270 | 3154 3145 314C 304C 3146 3154 3151 3054 | 1T1E1L0L1F1T1Q0T
00000280 | 314C 3148 3150 7A75 7945 7943 7A7A 744E | 1L1H1PzuyEyCzztN
00000290 | 3154 3145 314C 3050 3143 3146 3151 3044 | 1T1E1L0P1C1F1Q0D
000002A0 | 3154 325A 3150 7A75 7442 7444 7444 7945 | 1T2Z1PzutBtDtDyE
000002B0 | 7447 7444 7441 7447 7443 7444 744E 3154 | tGtDtAtGtCtDtN1T
000002C0 | 3145 314C 3050 3143 3146 3151 3053 314C | 1E1L0P1C1F1Q0S1L
000002D0 | 3254 3150 7A75 7945 7942 7442 7A79 7444 | 2T1PzuyEyBtBzytD
000002E0 | 7942 7A7A 744E 3145 3154 314E 3150 3048 | yBzztN1E1T1N1P0H
000002F0 | 314C 3142 325A 3146 3143 3255 7A75 3149 | 1L1B2Z1F1C2Uzu1I
00000300 | 3146 3154 3151 314C 3147 314E 3050 3154 | 1F1T1Q1L1G1N0P1T
00000310 | 314E 3150 7448 7942 7443 7A79 744F 7441 | 1N1PtHyBtCzytOtA
00000320 | 3042 3257 3150 3149 3152 3146 3148 3150 | 0B2W1P1I1R1F1H1P
00000330 | 3050 3154 314E 3150 7448 7442 7A79 7942 | 0P1T1N1PtHtBzyyB
00000340 | 744F 7441 3042 3146 314F 314F 3150 3143 | tOtA0B1F1O1O1P1C
00000350 | 3050 3154 314E 3150 7448 7443 7441 7944 | 0P1T1N1PtHtCtAyD
00000360 | 7A79                                    | zy

This went over port 80. Looks like a CERT?

http://www.virustotal.com/file-scan/report.html?id=c0ed59b993c085a9ed81dd955ac3a8d8f83992a68f8ff731330812f7bea9c4d3-1324307337

Do I need to send the file to avast.com, or is a VirusTotal link OK?

Send it in a password-protected zip file to virus @ avast.com
mail subject: undetected sample
zip password: infected

It is recommended to use a zip program that also encrypts the file; this will prevent it from being blocked.
WinRAR or 7-Zip will do this…

Pondus,

You can also find it here: http://forums.malwarebytes.org/index.php?showtopic=102430
contributor = osso. Just searched for the MD5 hash, easy peasy.

polonus

Not detected unknown_file_Delivery.Pdf: http://www.virustotal.com/url-scan/report.html?id=2760a374f86eae024e9093bece8fbff9-1324426373
see: http://www.virustotal.com/file-scan/report.html?id=a507423dafb1b47af556093f48f21ded75801a0b78d1d422074a802b13079d85-1324430098
Detected by DrWeb URL scanner:
Checking: -http://academiamates.com/Delivery.zip?PuremobileIncID97089437
Engine version: 5.0.2.3300
Total virus-finding records: 2953092
File size: 47.07 KB
File MD5: 93e77bfff47d620ace7cce9c6a303fe0

-http://academiamates.com/Delivery.zip?PuremobileIncID97089437 - archive ZIP

-http://academiamates.com/Delivery.zip?PuremobileIncID97089437/Delivery.Pdf____________________________________________________________________________________.exe infected with Trojan.Siggen3.31711

polonus
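Two things in this thread call for the same check: the submission instructions earlier (password `infected`, and use an archiver that really encrypts, otherwise the mail gateway opens the zip and drops the message) and the `Delivery.zip` above, whose only entry hides `.exe` behind `Delivery.Pdf` and a long run of underscores so the real extension scrolls out of view. Both can be answered from the zip headers alone, without extracting or even knowing the password. The following is an added example, not from the thread, from avast or from DrWeb: it classifies each entry as unencrypted, ZipCrypto or WinZip AES (compression method 99) from the central-directory fields, and flags names that use the padded double-extension lure. `build_zip` is a test fixture that constructs minimal single-entry archives in memory; it sets the header bits but does not encrypt anything, so real submissions must still be made with 7-Zip or WinRAR. The document/executable extension lists and the 8-character padding threshold are assumptions.

```python
import io
import re
import struct
import zipfile
import zlib

ENCRYPTED_FLAG = 0x0001  # general-purpose bit flag, bit 0: entry is encrypted
ZIP_AES = 99             # compression-method value WinZip uses to mark AES-encrypted entries

# Document-looking extension, a run of padding (assumed threshold: 8 chars), then a real executable extension.
DOC_EXT = r"(?:pdf|doc|docx|xls|xlsx|jpg|jpeg|png|txt)"
EXE_EXT = r"(?:exe|scr|com|pif|bat|cmd|js|vbs)"
PADDED_DOUBLE_EXT = re.compile(rf"\.{DOC_EXT}[ _.\-]{{8,}}\.{EXE_EXT}$", re.IGNORECASE)
PLAIN_DOUBLE_EXT = re.compile(rf"\.{DOC_EXT}\.{EXE_EXT}$", re.IGNORECASE)


def suspicious_name(filename):
    """Return a reason string when the entry name uses the double-extension lure, else None."""
    if PADDED_DOUBLE_EXT.search(filename):
        return "padded double extension"
    if PLAIN_DOUBLE_EXT.search(filename):
        return "double extension"
    return None


def encryption_scheme(info):
    """Classify an entry from its central-directory fields; no password is needed for this."""
    if not info.flag_bits & ENCRYPTED_FLAG:
        return "none"
    return "aes" if info.compress_type == ZIP_AES else "zipcrypto"


def inspect_archive(data):
    """Per-entry view of a zip held in memory: encryption scheme and name warning."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: {"encryption": encryption_scheme(info),
                                "warning": suspicious_name(info.filename)}
                for info in zf.infolist()}


def ready_to_mail(data):
    """True only when every entry is encrypted, so a scanning mail gateway cannot open it."""
    return all(e["encryption"] != "none" for e in inspect_archive(data).values())


def build_zip(name, payload, flags=0, method=0):
    """Test fixture: a minimal single-entry zip (stored, no extra fields, no comment).

    flags=1 makes the headers claim the entry is encrypted and method=99 makes them
    claim WinZip AES; the payload is written as-is because only the header check is
    exercised here. This is not a way to produce a real encrypted submission."""
    name_b = name.encode("ascii")
    crc, size = zlib.crc32(payload), len(payload)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0,
                        crc, size, size, len(name_b), 0) + name_b + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, 0, 0,
                          crc, size, size, len(name_b), 0, 0, 0, 0, 0, 0) + name_b
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


if __name__ == "__main__":
    lure = "Delivery.Pdf" + "_" * 60 + ".exe"  # constructed, shaped like the DrWeb listing above
    fake_pe = b"MZ" + b"\x90" * 64
    for label, blob in [("plain", build_zip(lure, fake_pe)),
                        ("zipcrypto", build_zip(lure, fake_pe, flags=1)),
                        ("aes", build_zip(lure, fake_pe, flags=1, method=99))]:
        print(label, inspect_archive(blob), "ready_to_mail:", ready_to_mail(blob))
```

Run `inspect_archive` on a suspect download before opening it, and `ready_to_mail` on the archive you are about to send to virus @ avast.com; a "none" result means the archiver only protected the archive with a password in name, or not at all, and the gateway will scan and block it.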

Trojan.Karagany

http://www.virustotal.com/file-scan/report.html?id=a31b5e52c2fb8d0f2e98a4a2ef9c5aa7e3fb1105274251cfea2167fdc910161b-1324479799

http://virusscan.jotti.org/en/scanresult/f3a129b6467e19ebb8f5445e4635caf5d8bd69a2

http://urlquery.net/report.php?id=12955

Adware Downloader

http://www.virustotal.com/file-scan/report.html?id=05aee16f88b45a8bfb81d1083fb298193d68942f1b16612b225ce2e77e6d03c5-1324483656

http://virusscan.jotti.org/en/scanresult/328f87e09b442d34377f9e1b8ae6f38ba8590946

http://www.threatexpert.com/report.aspx?md5=38a7083ec6feb55dfca2a0c2607701e4

Hi razoreqx,

Is this report somehow related to it? see: http://www.threatexpert.com/report.aspx?md5=5281fd5adcfc75202622bc586043e282
See: http://jsunpack.jeek.org/dec/go?report=d495bbeb8ebb44c204e25422b65d814d1f220d0e

polonus


I just got that back about 10 mins ago… You’re fast

Not bashing CNET but anything that modifies my firewall rules, and without asking I have an issue with!

http://www.virustotal.com/file-scan/report.html?id=751850a5e527c5987201d400fae2ac8aab0f644a042af89c2e02aaa757f06ea3-1324494179

http://www.threatexpert.com/report.aspx?md5=bb411fef75d17a07bc82da72b67919cc

http://virusscan.jotti.org/nl/scanresult/d443623bd73f4f10a8caa76b5902bf5d1524716a

http://support.clean-mx.de/clean-mx/viruses.php?domain=we-care.com&sort=email%20asc

https://anubis.iseclab.org/?action=result&task_id=174430ff4cd876654254372d4c6abb2de&format=html

http://urlquery.net/report.php?id=12984