Stolen Email Addr. Had URL that started a download.

I hope that I listed it properly in the Subject line. I saw an Email from someone I recognized (about 1 hr. ago, on Dec. 2 11:00pm EST) but obviously it was stolen/hijacked/obtained via malware. In any case there was a hyperlink that appeared innocent enough (not ending in .exe), but as soon as I opened it, it looked like something was being downloaded and it showed a quickly growing list of Viruses it was “finding”. I pulled the modem cable, did a virus scan, then a restore to the day before. Looks like I dodged a bullet. I wish to report that URL, for I didn’t see a way to do it conventionally under your help link. I hope that AVAST would purposely go to the link and check if a new virus is being disseminated. If not, others may see this and avoid it.

The URL is: hxxp://bbsworldcargo.com/modules/mod_wdbanners/radio.php?help120.php

Is there a “tip-off” that this URL leads to what appears to be a download without warning?

I notified the real owner of the Email about the problem.

Per request from Craig (below) - link changed so it is not a hyperlink - good idea - thanks, Dan

Can you please break the link so no one is able to click on this? Change http to hxxp.

Good catch.

Fake site with fake antivirus software.

Sent to Avast.

http://www.virustotal.com/file-scan/report.html?id=22fdf5150901bd742f68b11523b18465bc9d7ae7168f07b15a96b15584ae985a-1322989994

Added to the database as a Win32:Malware-gen (4.12.2011 - 111204-0)

Hi Dim@rik,

OK, good catch, also interesting info on this criminal botnet redux on the WOT forum:
http://www.mywot.com/en/forum/18072-botnet-redux-mdrrdl-com?comment-117646
The given infected URL redirects to:
hxxp://62.122.74.109/index.php?gVxc=Y8VU1RUW0vM&6g0Z=N559&Un=8GJ1FJSlUbPFQs&omAOi=yk6X&M1I3d=N6X0R92O20QBAD544MB63&vzrNf=dgVIBTFzSgs2MGJJBnF0YHQFCQlqe0FQSkA%3D&N7X8=JLV5RR0vNjFRXl&X0=QW9YKy9HWRwgNERDNDglQDd&sR0t=zVVLkUDMwMDaXY9&Fn8X=4DU0P101&IDbr=OS76CIP83FWA5T8S7X1S7W34R9X01062FWU&2W2l=089Y&YL=MDF48TSBYMUdrP1&0bu=Q7BFRM
File size: 582 bytes, file MD5: 6db21c770c818721e266d106396bb3ac

polonus

Continuing the theme … at this location there is a different sample, and Avast does not detect it.

Heuristically, NOD32 picks it up with one entry (a variant of Win32/Kryptik.WOA).

http://www.virustotal.com/file-scan/report.html?id=90263e71eb24afbafa77f031449e5306791e6ee601717af07521aaaf5bd19a1b-1322992276

Sent to Avast :(

Hi Dim@rik,

That Ukrainian IP is also known for spreading Fake-AV.

polonus

Thanks … added the fake website to the database as malicious.