From: Virus Guy on 26 Dec 2009 11:09

I came across this while doing more searches for "Day 360 is coming":

setup_build7_292.exe

hxxp://www. brueserberg.de/?bru=day-360-is-coming

The actual full URL for that file seems to be coded, and I believe the code has a timing component to it that renders the URL invalid after some period of time. For example, the first time I got that file, the URL was this:

-----------------
hxxp://pineguard-of-pc. com/build7_292.php?cmd=getFile&counter=1
&p=p52dcWptal%2FCj8bYboBwgHle0KCfZ1bVoKDb2WpvWJjOxaCbkXp%2F
WqyopHbHXpaak2ZhZGNsnFPVpJHaotahk1ealXOL1dZ2Y2ZvZXBoa

W%2BYXo rPeKKcqaJ1ip22mZ3LapSWmWJvZm ebmJY %3D
----------------

After a few minutes, that URL became non-operative.

The last line is separated for comparison to the next time I tried it:

----------------
hxxp://pineguard-of-pc. com/build7_292.php?cmd=getFile&counter=1
&p=p52dcWptal%2FCj8bYboBwgHle0KCfZ1bVoKDb2WpvWJjOxaCbkXp%2F
WqyopHbHXpaak2ZhZGNsnFPVpJHaotahk1ealXOL1dZ2Y2ZvZXBoa

m2VY4 rPeKKcqaJ1ip22mZ3LapSWmWJvZm iZlZo %3D
-----------------

Note that the first 3 lines are the same, and so is a large section of the 4th line. But the first and last 5 characters of the 4th line are different. The .exe files are identical.

VirusTotal is coming back with 4 hits:

CAT-QuickHeal (Suspicious) - DNAScan
Comodo Heur.Suspicious
Sophos Mal/FakeAV-CD
Sunbelt Trojan.Win32.Generic!SB.0

The file seems to be an executable, but when Firefox offered it to me and asked what I wanted to do with it, Firefox thought it was an Adobe PDF file (?)

BTW, does anyone have an example of the latest PDF exploit? merry_christmas.pdf ?
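Added example, not code from the thread or from either poster: a small Python triage script for the two observations in the post above. It takes the two URLs exactly as quoted (the hxxp scheme and the space in the hostname are the poster's defanging and are kept; the spaces the poster inserted into the token for comparison are removed), isolates which characters of the opaque `p` parameter changed between the two fetches, and checks whether the token is merely shaped like base64. It also shows the magic-byte check behind the Firefox confusion: a server can declare a PDF Content-Type, but bytes starting with `MZ` are a Windows executable. The file bytes used here are a constructed stub, not the real sample, and the MIME strings in the magic table are this example's own choice.

```python
"""Triage of the two captured download URLs and the file they served.

Added example, not the thread's or its posters' code.  URL strings are the
post's own (defanging kept, comparison spaces removed); SAMPLE_EXE is a
constructed stand-in for the downloaded file, not the real sample.
"""
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Token as first captured (the four URL lines of the post, joined).
URL_FIRST = (
    "hxxp://pineguard-of-pc. com/build7_292.php?cmd=getFile&counter=1"
    "&p=p52dcWptal%2FCj8bYboBwgHle0KCfZ1bVoKDb2WpvWJjOxaCbkXp%2F"
    "WqyopHbHXpaak2ZhZGNsnFPVpJHaotahk1ealXOL1dZ2Y2ZvZXBoa"
    "W%2BYXorPeKKcqaJ1ip22mZ3LapSWmWJvZmebmJY%3D"
)
# Token as captured a few minutes later.
URL_SECOND = (
    "hxxp://pineguard-of-pc. com/build7_292.php?cmd=getFile&counter=1"
    "&p=p52dcWptal%2FCj8bYboBwgHle0KCfZ1bVoKDb2WpvWJjOxaCbkXp%2F"
    "WqyopHbHXpaak2ZhZGNsnFPVpJHaotahk1ealXOL1dZ2Y2ZvZXBoa"
    "m2VY4rPeKKcqaJ1ip22mZ3LapSWmWJvZmiZlZo%3D"
)


def token_param(url, name="p"):
    """Return the percent-decoded value of one query parameter of `url`.

    parse_qs does the percent-decoding, so %2F, %2B and %3D come back as
    '/', '+' and '='.  Exactly one value is expected; anything else is an
    error rather than a silent guess.
    """
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [])
    if len(values) != 1:
        raise ValueError(f"expected one {name!r} parameter, found {len(values)}")
    return values[0]


def differing_runs(a, b):
    """Half-open [start, end) ranges where two equal-length strings differ."""
    if len(a) != len(b):
        raise ValueError("tokens have different lengths; align them before comparing")
    runs, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            runs.append((start, i))
            start = None
    if start is not None:
        runs.append((start, len(a)))
    return runs


def base64_payload_length(token):
    """Decoded byte count if `token` is well-formed base64, else None.

    Only the shape is checked: a clean decode says nothing about what the
    bytes mean (here they stay opaque, presumably encrypted or re-encoded).
    """
    try:
        return len(base64.b64decode(token, validate=True))
    except (binascii.Error, ValueError):
        return None


# Leading bytes -> what the file really is.  Two entries suffice for this case.
MAGIC = {
    b"MZ": "application/vnd.microsoft.portable-executable",
    b"%PDF": "application/pdf",
}


def sniff_type(data):
    """Identify a file by its leading bytes, ignoring what the server claimed."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def type_mismatch(declared_content_type, data):
    """True when the declared Content-Type disagrees with the bytes' magic."""
    declared = declared_content_type.split(";")[0].strip().lower()
    actual = sniff_type(data)
    return actual is not None and actual != declared


# Constructed stand-in for the download: a bare PE header stub, not the real file.
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 56 + b"PE\x00\x00"


if __name__ == "__main__":
    first, second = token_param(URL_FIRST), token_param(URL_SECOND)
    print(f"token length: {len(first)} chars; base64 payload: "
          f"{base64_payload_length(first)} bytes")
    for start, end in differing_runs(first, second):
        print(f"chars {start}-{end - 1}: {first[start:end]!r} -> {second[start:end]!r}")
    print("declared application/pdf, bytes say:", sniff_type(SAMPLE_EXE),
          "mismatch:", type_mismatch("application/pdf", SAMPLE_EXE))
```

Run as a script, it reports that both tokens are 144 characters, that the token decodes as base64 to 107 bytes whose meaning is not recoverable from this alone, and that the two fetches differ in exactly two five-character runs, matching the poster's by-eye comparison. The stable middle of the token, not the full URL, is the part worth considering as an indicator; the changing runs are what a time-limited or per-request component would look like. The magic-byte check is the same test a download scanner applies: trust the bytes, not the Content-Type header.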
From: FromTheRafters on 27 Dec 2009 17:03

"Virus Guy" <Virus(a)Guy.com> wrote in message news:4B363535.74AC254E(a)Guy.com...
> I came across this while doing more searches for "Day 360 is coming":
>
> setup_build7_292.exe
>
> hxxp://www. brueserberg.de/?bru=day-360-is-coming
>
> The actual full URL for that file seems to be coded, and I believe the
> code has a timing component to it that renders the URL invalid after
> some period of time. For example, the first time I got that file, the
> URL was this:
>
> -----------------
> hxxp://pineguard-of-pc. com/build7_292.php?cmd=getFile&counter=1
> &p=p52dcWptal%2FCj8bYboBwgHle0KCfZ1bVoKDb2WpvWJjOxaCbkXp%2F
> WqyopHbHXpaak2ZhZGNsnFPVpJHaotahk1ealXOL1dZ2Y2ZvZXBoa
>
> W%2BYXo rPeKKcqaJ1ip22mZ3LapSWmWJvZm ebmJY %3D
> ----------------
>
> After a few minutes, that URL became non-operative.
>
> The last line is separated for comparison to the next time I tried it:
>
> ----------------
> hxxp://pineguard-of-pc. com/build7_292.php?cmd=getFile&counter=1
> &p=p52dcWptal%2FCj8bYboBwgHle0KCfZ1bVoKDb2WpvWJjOxaCbkXp%2F
> WqyopHbHXpaak2ZhZGNsnFPVpJHaotahk1ealXOL1dZ2Y2ZvZXBoa
>
> m2VY4 rPeKKcqaJ1ip22mZ3LapSWmWJvZm iZlZo %3D
> -----------------
>
> Note that the first 3 lines are the same, and so is a large section of
> the 4th line. But the first and last 5 characters of the 4th line are
> different. The .exe files are identical.
>
> VirusTotal is coming back with 4 hits:
>
> CAT-QuickHeal (Suspicious) - DNAScan
> Comodo Heur.Suspicious
> Sophos Mal/FakeAV-CD
> Sunbelt Trojan.Win32.Generic!SB.0
>
> The file seems to be an executable, but when Firefox offered it to me
> and asked what I wanted to do with it, Firefox thought it was an Adobe
> PDF file (?)
>
> BTW, does anyone have an example of the latest PDF exploit?
> merry_christmas.pdf ?

That's just a filename, the same as annonce.pdf.