Virus

Detected by Antiy and Sophos as malware/malicious site DO NOT CLICK.

https://www.virustotal.com/url/90fe51d54746d21a42c7ff01186a5ef15a1a194dd32d88ae1d0abb7b4b328ce7/analysis/1347017056/

intruso, can you edit the link to read wXw. msndown. com. br, please?

the website is clean… say all online scanners… VirusTotal html scan / Zulu / sucuri / unmaskparasites http://urlquery.net/report.php?id=165447

the file seems infected
https://www.virustotal.com/file/e3b3c2a2dfdd8a654db4c5dfbbb70bac9e1c812c16373f22f8a826d987e75a8d/analysis/1347018235/
Malwarebytes - Trojan.VBAgent

Sigcheck
publisher: Microsoft
product: Pass5
internal name: wl-custom
file version: 5.02.0008
original name: wl-custom.exe

First seen by VirusTotal
2012-09-05 23:15:32 UTC ( 1 dag, 12 timer ago )

hmm… the sig says Microsoft… well, will upload to avast lab :wink:

See: http://r.virscan.org/e0924d3469852ff8dc743f0237ff0e5e
It is an Infostealer Banker malware,

polonus

uploaded to Norman lab and it got an auto signature at once: Troj_Generic.DWXWT (autoadded)

wl-custom.exe : Not detected by Sandbox (Signature: NO_VIRUS)

[ DetectionInfo ]
* Filename: C:\analyzer\scan\wl-custom.exe.
* Sandbox name: NO_MALWARE
* Signature name: NO_VIRUS.
* Compressed: NO.
* TLS hooks: NO.
* Executable type: Application.
* Executable file structure: OK.
* Filetype: PE_I386.

[ General information ]
* Applications uses MSVBVM60.DLL (Visual Basic 6).
* Form uses id Form.
* Visual Basic Native Code.
* File length: 36864 bytes.
* MD5 hash: 70b896bd6bf8cea8fdf9e77b14b2aea3.
* SHA1 hash: 5cec2ef132eab5e6c221db983dcea66fe2fd348b.
* Entry-point detection: Microsoft Visual Basic 5.0/6.0.

[ Process/window information ]
* Creates a COM object with CLSID {fcfb3d23-a0fa-1068-a738- 8002b3371b5} : VBRuntime.
* Creates a COM object with CLSID {e93ad7c1-c347-11d1-a3e2- a0c90aea82} : VBRuntime6.

Hi Pondus,

This is remarkable as other copies of it have been given as safe normally, so apparently this is one of the poisoned apples in that basket.
Can you confirm? Googling the hash you gave leads me here: http://www.threatexpert.com/report.aspx?md5=70b896bd6bf8cea8fdf9e77b14b2aea3
The IP is mentioned at: http://www.bothunter.net/live/2011-11-29/index.html as 192.5.5.241 (Dsl), Isc.Org, Internet Systems Consortium Inc, Redwood City, California, United States, Malware Controller and probably Vixie-blackholed → http://www.dotcomeon.com/

polonus

ThreatExpert
http://www.threatexpert.com/report.aspx?md5=70b896bd6bf8cea8fdf9e77b14b2aea3

I uploaded it… guess it is the one you found

Thanks, Pondus, for confirming. The IP given there is certainly weird and won’t resolve, also could not find it. Just give in the search-query: “Malware for ip: 192.5.5.241” and it is obvious. Avast should add something here to the NetworkShield as to block…

polonus

Msndown. com. br connects to tracking. alwaysdownloads. com.
http://hosts-file.net/?s=tracking. alwaysdownloads. com
http://www.mywot.com/en/scorecard/tracking. alwaysdownloads. com

http://urlquery.net/report.php?id=165439 (cited by pondus)
GET /tracking202/static/landing.php?lpip=8266&202cb=2301388424436600 HTTP/1.1
Host: tracking. alwaysdownloads. com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://wXw. msndown. com. br/download/

Same IP (50.115.160.141)
baixar. msndown. com. br
http://urlquery.net/report.php?id=165672

Where oh where?

http://baixar.msndown.com.br.dedicatedornot.com/
baixar. Msndown. com. br resolves to the IP 50. 115. 160. 141
More information about baixar. msndown. com. br
Hostname: vbbserie. videobbseries. net
IP address: 50. 115. 160. 141
Country: United States
State: Missouri
City: Kansas City
ISP: Dnsslave.com
Organization: Dnsslave.com
Local Time: 2012-09-07 09:18

http://www.msndown.com.br.dedicatedornot.com/
wXw. Msndown. com. br resolves to the IP 50. 115. 160. 141
Same details (I omitted Postcode, latitude, longitude)

http://www.robtex.com/cnet/50.115.160.html
50.115.160.0/20 PROXY REGISTRATION FOR Virpus Networks Inc AS29761 (not announced) AS32875 (not registered)
Whatever that may mean.

alwaysdownloads. com hpHosts info

EMD - sites engaged in malware distribution. This classification is assigned to websites engaged in the distribution of malware (e.g. adware, spyware, trojans and viruses etc).

Sites with this classification typically either contain files (e.g. cracks, keygens, adware, spyware, trojans, viruses et al) or lead to such via (for example) “fake scanners” or other social engineering and misleading tactics. This includes the activities of rogue Internet Service Providers (ISPs) that host other sites to which the EMD classification applies.

Will the real videobbseries please rise…

http://www. videobbseries. net/
http://centralops.net/co/DomainDossier.aspx?addr=http%3A%2F%2Fwww. videobbseries. net%2f&dom_dns=1&dom_whois=1&net_whois=1

http://www. videobbseries. net/ is a URI.
Domain Dossier will continue with www. videobbseries. net.
canonical name videobbseries. net.
addresses 108. 179. 230. 43

Hi Kwartet!

Read here, and some of it becomes clear: http://www.dotcomeon.com/

polonus

Well,

It’s now past 24.00 hrs, first thing when I’m active again, ok?

the download from got killed already… :stuck_out_tongue:

Norman lab

This file doesn't seem to be legit. Hence detection is kept as it is.

Files:
wl-custom.exe: Troj_Generic.DWXWT

Hi Pondus,

The initial poster created another link: http://forum.avast.com/index.php?topic=105463.0
Maybe he would not comment further on the banktrojan loader status and left this thread.

polonus