tag:blogger.com,1999:blog-166393339978616430Tue, 19 Jun 2012 09:47:00 +0000arbor networksbotsmalwareasertsubmittedroguegeneralexploitstormdnschangerhttp://uploadmalware.blogspot.com/noreply@blogger.com (UploadMalware.com)Blogger29125tag:blogger.com,1999:blog-166393339978616430.post-6360289382060679760Sat, 24 May 2008 01:32:00 +00002008-05-23T20:35:41.758-05:00malwaregeneral<p class="MsoNormal">Summer break is just around the corner and I started to ask myself if we would notice the normal influx of malware we used to see from students out on break in the not too distant past. </p> <p class="MsoNormal">With <span style=""> </span>large crime-ware groups operating most of the malware we see and hear about daily, it seems like we forgot about the so called “script kiddies” who used to bring so much burden to the anti-malware world at this time of year.</p> <p class="MsoNormal">Last summer it seems like the script kiddies had dropped off the face of the planet, but maybe they were just over shadowed by all the hype and media attention that the RBN and Storm were drawing last year. <span style=""> </span>I personally think that this was the case, they weren’t gone we just didn’t hear anything about them because they weren’t the huge impact they had been in the past. With thousands of new malwares being seen daily would the few extra hundred a week (or month) be really that noticeable in the overall picture.</p> <p class="MsoNormal">I guess only time will tell, but look out for new malware to come out this summer!</p><div class="blogger-post-footer"><script expr:src='"http://feeds.feedburner.com/~s/UploadmalwarecomsMalwareBlog?i=" + data:post.url' type="text/javascript" charset="utf-8"></script></div><img src="http://feeds.feedburner.com/~r/UploadmalwarecomsMalwareBlog/~4/dTCE8a52L8g" height="1" width="1"/>http://feedproxy.google.com/~r/UploadmalwarecomsMalwareBlog/~3/dTCE8a52L8g/will-summer-break-bring-normal-malware.htmlnoreply@blogger.com (UploadMalware.com)5http://uploadmalware.blogspot.com/2008/05/will-summer-break-bring-normal-malware.htmltag:blogger.com,1999:blog-166393339978616430.post-7524392406428990002Mon, 12 May 2008 01:06:00 +00002008-05-11T21:04:16.482-05:00malwarednschangerexploitMike from UploadMalware.com's team has discovered a mass file injection attack going around injecting the 2 urls below into sites running any version of phpbb forum software<br /><br />hxxp://free.hostpinoy.info/f.js<br />hxxp://xprmn4u.info/f.js<br /><br />The 2 urls point to a javascript redirect script that automatically redirect visitors to a fake codec download site. These fake codecs are known as DNSChanger. Anyone running phpbb should check out their servers.<br /><br />At the time of this writing over 400,000 hits are shown in Google when you search for the urls.<br /><br />If anyone has any information as to how the scripts are being injected or which exploit is being used please contact me at dnelson(shift+2)uploadmalware.com<br /><pre id="tabulado"><blockquote>Antivirus Version Last Update Result<br />AntiVir 7.8.0.17 2008.05.11 DR/Dldr.DNSChanger.Gen<br />AVG 7.5.0.516 2008.05.11 DNSChanger.AE<br />ClamAV 0.92.1 2008.05.11 Trojan.Dropper-6806<br />F-Secure 6.70.13260.0 2008.05.12<br /> Trojan.Win32.DNSChanger.clm<br />Ikarus T3.1.1.26.0 2008.05.12<br /> Virus.Trojan.Win32.DNSChanger.chg<br />Kaspersky 7.0.0.125 2008.05.12<br /> Trojan.Win32.DNSChanger.clm<br />Norman 5.80.02 2008.05.09 Vundo.gen171.dropper<br />Prevx1 V2 2008.05.12 Cloaked Malware<br />Sophos 4.29.0 2008.05.11 Troj/Zlobar-Fam<br />TheHacker 6.2.92.307 2008.05.11 Trojan/DNSChanger.chg<br />Webwasher-Gateway 6.6.2 2008.05.11<br /> Trojan.Dropper.Dldr.DNSChanger.Gen</blockquote><br /></pre><div class="blogger-post-footer"><script expr:src='"http://feeds.feedburner.com/~s/UploadmalwarecomsMalwareBlog?i=" + data:post.url' type="text/javascript" charset="utf-8"></script></div><img src="http://feeds.feedburner.com/~r/UploadmalwarecomsMalwareBlog/~4/8eVgeTkgp-M" height="1" width="1"/>http://feedproxy.google.com/~r/UploadmalwarecomsMalwareBlog/~3/8eVgeTkgp-M/mass-file-injection-redirecting-to-zlob.htmlnoreply@blogger.com (UploadMalware.com)3http://uploadmalware.blogspot.com/2008/05/mass-file-injection-redirecting-to-zlob.htmltag:blogger.com,1999:blog-166393339978616430.post-7959538337922764123Sun, 04 May 2008 15:45:00 +00002008-05-04T15:02:30.292-05:00malwarestormbots<p class="MsoNormal">One of our researchers at UploadMalware.com has found indications of a new storm worm variant moving in. <span style=""> </span></p> <p class="MsoNormal">At the time of this posting we have not had any reports of spam from the botnet using the 3 domains that were found in the research, but the files are definitely there and the domains are fast fluxing as per the normal method. We can only presume they are gearing up for a mother’s day storm campaign to raise their numbers.</p> <p class="MsoNormal">The three domains we have found to this point are: (visit at your own risk)</p> <p class="MsoNormal"></p><blockquote>stateandfed.cn, apartment-mall.cn and centerprop.cn</blockquote><p></p> <p class="MsoNormal"><o:p> </o:p></p> <p class="MsoNormal">The file load.exe on execution copies itself to %windir%\libor.exe and drops the standard peers.ini as gogora.config. Libor.exe is then added to the run key in the registry to allow execution every reboot.</p> <p class="MsoNormal">So not to add to the problem I personally only ran the exe with an internet connection for about 1 minute and it contacted ~1700 other infected boxes. <span style=""> </span>Other research done by members of UploadMalware.com indicates approximately 100,000 or more which are still infected (number was taken by methods other than running the file).</p> <p class="MsoNormal">This proves contrary to <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9079653">computerword.com’s</a> article that Microsoft had killed the storm worm.</p> <p class="MsoNormal">The article had already been strongly disputed by <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9080261&amp;intsrc=hm_list">researchers</a>. </p> <p class="MsoNormal">Storm worm is alive and well, it may be smaller then when it first came onto the scene, but it seems when their numbers dwindle they come back with another holiday targeted mail campaign and boost the numbers back up. <span style=""> </span>The storm group isn’t going anywhere as far as I can tell.</p><p class="MsoNormal">Jeremy over at sudosecure.net has posted some more info <a href="http://www.sudosecure.net/archives/61">here.</a><br /></p><div class="blogger-post-footer"><script expr:src='"http://feeds.feedburner.com/~s/UploadmalwarecomsMalwareBlog?i=" + data:post.url' type="text/javascript" charset="utf-8"></script></div><img src="http://feeds.feedburner.com/~r/UploadmalwarecomsMalwareBlog/~4/anpNhEzxvpg" height="1" width="1"/>http://feedproxy.google.com/~r/UploadmalwarecomsMalwareBlog/~3/anpNhEzxvpg/new-storm-moving-in-presumably-for.htmlnoreply@blogger.com (UploadMalware.com)0http://uploadmalware.blogspot.com/2008/05/new-storm-moving-in-presumably-for.htmltag:blogger.com,1999:blog-166393339978616430.post-3682214757289483860Tue, 26 Feb 2008 04:21:00 +00002008-02-25T22:26:56.187-06:00* name: postcard.gif.exe<br />* size: 878374<br />* md5.: 63e8fe1363431d2e56f38141a35278d3<br /><br /><br /><br /><blockquote>AntiVir 7.6.0.67/20080225 found [HIDDENEXT/Worm.Gen]<br />Authentium 4.93.8/20080226 found [could be infected with an unknown virus]<br />Avast 4.7.1098.0/20080225 found [IRC:Zapchast-D]<br />AVG 7.5.0.516/20080226 found [IRC/BackDoor.Flood]<br />BitDefender 7.2/20080226 found [Backdoor.Zapchast.Z]<br />ClamAV 0.92.1/20080226 found [Trojan.IRCBot-96]<br />DrWeb 4.44.0.09170/20080225 found [Win32.Parite.2]<br />eSafe 7.0.15.0/20080226 found [Win32.IRC.Zapchast]<br />Ewido 4.0/20080225 found [Backdoor.Zapchast.z]<br />F-Prot 4.4.2.54/20080225 found [W32/Heuristic-300!Eldorado]<br />F-Secure 6.70.13260.0/20080226 found [Backdoor.IRC.Zapchast]<br />Fortinet 3.14.0.0/20080225 found [REG/Zapchast.4D53!tr.bdr]<br />Ikarus T3.1.1.20/20080226 found [Backdoor.IRC.Zapchast]<br />Kaspersky 7.0.0.125/20080226 found [Backdoor.IRC.Zapchast]<br />McAfee 5237/20080225 found [IRC/Generic Flooder]<br />Microsoft 1.3204/20080226 found [Backdoor:IRC/Zapchast.AN]<br />NOD32v2 2901/20080225 found [IRC/Zapchast.Z]<br />Norman 5.80.02/20080225 found [Pinfi.A.dropper]<br />Rising 20.33.02.00/20080225 found [Win32.Parite.b]<br />Sophos 4.27.0/20080226 found [Mal/Zapchas-C]<br />Sunbelt 3.0.893.0/20080223 found [Trojan.Zapchas.F]<br />Symantec 10/20080226 found [IRC Trojan]<br />TheHacker 6.2.9.229/20080225 found [Adware/2Search]<br />VBA32 3.12.6.2/20080226 found [Trojan.IRC.Zapchast.H]<br />VirusBuster 4.3.26:9/20080225 found [IRC.Zapchast.AQ]<br />Webwasher-Gateway 6.6.2/20080225 found [Virus.HIDDENEXT/Worm.Gen]<br /></blockquote><div class="blogger-post-footer"><script expr:src='"http://feeds.feedburner.com/~s/UploadmalwarecomsMalwareBlog?i=" + data:post.url' type="text/javascript" charset="utf-8"></script></div><img src="http://feeds.feedburner.com/~r/UploadmalwarecomsMalwareBlog/~4/u9giRlNuFhw" height="1" width="1"/>http://feedproxy.google.com/~r/UploadmalwarecomsMalwareBlog/~3/u9giRlNuFhw/postcardgifexe-63e8fe1363431d2e56f38141.htmlnoreply@blogger.com (UploadMalware.com)1http://uploadmalware.blogspot.com/2008/02/postcardgifexe-63e8fe1363431d2e56f38141.htmltag:blogger.com,1999:blog-166393339978616430.post-4562232733401563627Tue, 26 Feb 2008 04:06:00 +00002008-02-25T22:11:23.564-06:00malwaresubmitted<pre wrap="">* name: ekvgsnw.dll<br />* size: 84451<br />* md5.: 39bfebf001bfdd44830076e378958c4a<br /><br /><br /><blockquote><a href="http://www.free-av.com/">AntiVir</a> 7.6.0.67/20080225 found [ADSPY/AdSpy.Gen]<br /><a href="http://free.grisoft.com/">AVG</a> 7.5.0.516/20080226 found [Downloader.Zlob.SE]<br /><a href="http://www.microsoft.com/athome/security/spyware/software/default.mspx">Microsoft</a> 1.3204/20080226 found [Adware:Win32/Vapsup]<br /><a href="http://www.prevx.com/">Prevx1</a> V2/20080226 found [KAVKOP:Trojan-A]<br /><a href="http://www.sophos.com/">Sophos</a> 4.27.0/20080226 found [Mal/Zlob-I]<br /><a href="http://www.securecomputing.com/">Webwasher-Gateway</a> 6.6.2/20080225 found [Ad-Spyware.AdSpy.Gen]</blockquote></pre><div class="blogger-post-footer"><script expr:src='"http://feeds.feedburner.com/~s/UploadmalwarecomsMalwareBlog?i=" + data:post.url' type="text/javascript" charset="utf-8"></script></div><img src="http://feeds.feedburner.com/~r/UploadmalwarecomsMalwareBlog/~4/mgCXFlHfyLw" height="1" width="1"/>http://feedproxy.google.com/~r/UploadmalwarecomsMalwareBlog/~3/mgCXFlHfyLw/ekvgsnwdll-39bfebf001bfdd44830076e37895.htmlnoreply@blogger.com (UploadMalware.com)0http://uploadmalware.blogspot.com/2008/02/ekvgsnwdll-39bfebf001bfdd44830076e37895.htmltag:blogger.com,1999:blog-166393339978616430.post-2602517590587009789Tue, 26 Feb 2008 04:01:00 +00002008-02-25T22:05:17.541-06:00malwaresubmitted* name: dgtxrdfrmw.dll<br />* size: 108190<br />* md5.: 9432a1b6b11bf5247291e68763b25938<br /><br /><br /><blockquote><a href="http://free.grisoft.com">AVG</a> 7.5.0.516/20080226 found [Downloader.Zlob.AAQ]<br /><a href="http://www.microsoft.com/athome/security/spyware/software/default.mspx">Microsoft</a> 1.3204/20080226 found [Trojan:Win32/Zlob.ZWY]<br /><a href="http://www.prevx.com/">Prevx1</a> V2/20080226 found [Downloader.Zlob]<br /><a href="http://www.anti-virus.by/en/">VBA32</a> 3.12.6.2/20080226 found [suspected of Downloader.Zlob.8]</blockquote><div class="blogger-post-footer"><script expr:src='"http://feeds.feedburner.com/~s/UploadmalwarecomsMalwareBlog?i=" + data:post.url' type="text/javascript" charset="utf-8"></script></div><img src="http://feeds.feedburner.com/~r/UploadmalwarecomsMalwareBlog/~4/6gBaJlaeswI" height="1" width="1"/>http://feedproxy.google.com/~r/UploadmalwarecomsMalwareBlog/~3/6gBaJlaeswI/dgtxrdfrmwdll-9432a1b6b11bf5247291e6876.htmlnoreply@blogger.com (UploadMalware.com)0http://uploadmalware.blogspot.com/2008/02/dgtxrdfrmwdll-9432a1b6b11bf5247291e6876.htmltag:blogger.com,1999:blog-166393339978616430.post-6767985141749678575Tue, 26 Feb 2008 03:55:00 +00002008-02-25T22:00:02.815-06:00malwaresubmitted* name: bxlrvps.dll<br />* size: 108451<br />* md5.: 8120d45ce090c65fd864ac8f48cf87cf<br /><blockquote><br /><a href="http://www.free-av.com/">AntiVir</a> 7.6.0.67/20080225 found [ADSPY/Agent.PB]<br /><a href="http://www.avast.com/">Avast </a> 4.7.1098.0/20080225 found [Win32:Agent-LTS]<br /><a href="http://free.grisoft.com/">AVG</a> 7.5.0.516/20080226 found [Downloader.Zlob.AAS]<br /><a href="http://www.prevx.com/">Prevx1</a> V2/20080226 found [Generic.Malware]<br /><a href="http://www.anti-virus.by/en/">VBA32</a> 3.12.6.2/20080226 found [suspected of Downloader.Zlob.5]<br /><a href="http://www.securecomputing.com">Webwasher-Gateway</a> 6.6.2/20080225 found [Ad-Spyware.Agent.PB]<br /></blockquote><div class="blogger-post-footer"><script expr:src='"http://feeds.feedburner.com/~s/UploadmalwarecomsMalwareBlog?i=" + data:post.url' type="text/javascript" charset="utf-8"></script></div><img src="http://feeds.feedburner.com/~r/UploadmalwarecomsMalwareBlog/~4/38dHbKpr3Dg" height="1" width="1"/>http://feedproxy.google.com/~r/UploadmalwarecomsMalwareBlog/~3/38dHbKpr3Dg/bxlrvpsdll-8120d45ce090c65fd864ac8f48cf.htmlnoreply@blogger.com (UploadMalware.com)0http://uploadmalware.blogspot.com/2008/02/bxlrvpsdll-8120d45ce090c65fd864ac8f48cf.htmltag:blogger.com,1999:blog-166393339978616430.post-4341049272424829414Tue, 26 Feb 2008 03:48:00 +00002008-02-25T21:53:49.513-06:00malwaresubmitted* name: alofkmn.dll<br />* size: 86422<br />* md5.: 0e962ef1d4eb86162cd02b72c4689d86<br /><br /><br /><blockquote><a href="http://free.grisoft.com/">AVG </a> 7.5.0.516/20080226 found [Downloader.Zlob.AAM]<br /><a href="http://www.f-prot.com/">F-Prot</a> 4.4.2.54/20080225 found [W32/FakeAlert.E.gen!Eldorado]<br /><a href="http://www.ikarus.at/">Ikarus</a> T3.1.1.20/20080226 found [Virus.Win32.Agent.LTS]<br /><a href="http://www.prevx.com/">Prevx1</a> V2/20080226 found [Downloader.Zlob]<br /><a href="http://www.anti-virus.by/en/">VBA32</a> 3.12.6.2/20080226 found [suspected of Downloader.Zlob.5]</blockquote><div class="blogger-post-footer"><script expr:src='"http://feeds.feedburner.com/~s/UploadmalwarecomsMalwareBlog?i=" + data:post.url' type="text/javascript" charset="utf-8"></script></div><img src="http://feeds.feedburner.com/~r/UploadmalwarecomsMalwareBlog/~4/JX0thSs_kqU" height="1" width="1"/>http://feedproxy.google.com/~r/UploadmalwarecomsMalwareBlog/~3/JX0thSs_kqU/alofkmndll-0e962ef1d4eb86162cd02b72c468.htmlnoreply@blogger.com (UploadMalware.com)0http://uploadmalware.blogspot.com/2008/02/alofkmndll-0e962ef1d4eb86162cd02b72c468.htmltag:blogger.com,1999:blog-166393339978616430.post-964704816602318777Tue, 26 Feb 2008 03:37:00 +00002008-02-25T21:45:37.961-06:00malwaresubmitted<pre wrap="">* name: AlrtDrv.dll<br />* size: 14326<br />* md5.: 24326ce4cd6569dbc965c318c4c49d61<br /><br /><blockquote><a href="http://www.free-av.com/">AntiVir</a> 7.6.0.67/20080225 found [TR/Crypt.XPACK.Gen]<br /><a href="http://www.ikarus.at/">Ikarus</a> T3.1.1.20/20080226 found [BehavesLikeTrojan.ShellObject]<br /><a href="http://www.kaspersky.com/">Kaspersky</a> 7.0.0.125/20080226 found [Heur.Trojan.Generic]<br /><a href="http://www.norman.com/">Norman</a> 5.80.02/20080225 found [W32/Smalltroj.CWNE]<br /><a href="http://www.prevx.com/">Prevx1</a> V2/20080226 found [Downloader.Zlob]<br /><a href="http://www.securecomputing.com">Webwasher-Gateway</a> 6.6.2/20080225 found [Trojan.Crypt.XPACK.Gen]</blockquote></pre><div class="blogger-post-footer"><script expr:src='"http://feeds.feedburner.com/~s/UploadmalwarecomsMalwareBlog?i=" + data:post.url' type="text/javascript" charset="utf-8"></script></div><img src="http://feeds.feedburner.com/~r/UploadmalwarecomsMalwareBlog/~4/haExTwGPFxA" height="1" width="1"/>http://feedproxy.google.com/~r/UploadmalwarecomsMalwareBlog/~3/haExTwGPFxA/alrtdrvdll-24326ce4cd6569dbc965c318c4c4.htmlnoreply@blogger.com (UploadMalware.com)0http://uploadmalware.blogspot.com/2008/02/alrtdrvdll-24326ce4cd6569dbc965c318c4c4.htmltag:blogger.com,1999:blog-166393339978616430.post-3669915781133507653Tue, 26 Feb 2008 03:30:00 +00002008-02-25T21:32:03.892-06:00malwaresubmitted<pre wrap="">* name: JavaCore.exe<br />* size: 79801<br />* md5.: 780913add22a55b787f3eb9934e8207f<br /><br /><blockquote>BitDefender 7.2/20080225 found [Adware.JCore.A]<br />DrWeb 4.44.0.09170/20080224 found [Trojan.Insider.origin]<br />Fortinet 3.14.0.0/20080224 found [Adware/Insider]<br />Kaspersky 7.0.0.125/20080225 found [not-a-virus:AdWare.Win32.Insider.b]<br />Prevx1 V2/20080225 found [Generic.Malware]<br />TheHacker 6.2.9.228/20080223 found [Adware/Insider.b]</blockquote></pre><div class="blogger-post-footer"><script expr:src='"http://feeds.feedburner.com/~s/UploadmalwarecomsMalwareBlog?i=" + data:post.url' type="text/javascript" charset="utf-8"></script></div><img src="http://feeds.feedburner.com/~r/UploadmalwarecomsMalwareBlog/~4/Q3-WB7SKn4s" height="1" width="1"/>http://feedproxy.google.com/~r/UploadmalwarecomsMalwareBlog/~3/Q3-WB7SKn4s/javacoreexe.htmlnoreply@blogger.com (UploadMalware.com)0http://uploadmalware.blogspot.com/2008/02/javacoreexe.htmltag:blogger.com,1999:blog-166393339978616430.post-1840340013562118495Tue, 26 Feb 2008 03:23:00 +00002008-02-25T21:29:54.859-06:00malwaresubmitted<pre wrap="">* name: iqykxi.exe<br />* size: 183063<br />* md5.: ee3a48d89399e3ad6b1576a28db4d30d<br /><br /><br /><br /><blockquote>AVG 7.5.0.516/20080226 found [SHeur.ATOO]<br />eSafe 7.0.15.0/20080221 found [Suspicious File]<br />F-Secure 6.70.13260.0/20080225 found [Backdoor.Win32.IRCBot.bol]<br />Fortinet 3.14.0.0/20080225 found [W32/IRCBot.BOL!tr.bdr]<br />Kaspersky 7.0.0.125/20080226 found [Backdoor.Win32.IRCBot.bol]<br />Microsoft 1.3204/20080226 found [Backdoor:Win32/Oderoor.gen!B]<br />NOD32v2 2901/20080225 found [Win32/Agent.NHE]<br />Panda 9.0.0.4/20080225 found [W32/MSNPhoto.AB.worm]<br />Prevx1 V2/20080226 found [SHeur.ATOO]<br />Webwasher-Gateway 6.6.2/20080225 found [Win32.Malware.gen (suspicious)]</blockquote></pre><div class="blogger-post-footer"><script expr:src='"http://feeds.feedburner.com/~s/UploadmalwarecomsMalwareBlog?i=" + data:post.url' type="text/javascript" charset="utf-8"></script></div><img src="http://feeds.feedburner.com/~r/UploadmalwarecomsMalwareBlog/~4/T0-kW2zozVg" height="1" width="1"/>http://feedproxy.google.com/~r/UploadmalwarecomsMalwareBlog/~3/T0-kW2zozVg/iqykxiexe-ee3a48d89399e3ad6b1576a28db4d.htmlnoreply@blogger.com (UploadMalware.com)0http://uploadmalware.blogspot.com/2008/02/iqykxiexe-ee3a48d89399e3ad6b1576a28db4d.htmltag:blogger.com,1999:blog-166393339978616430.post-5281679978182851119Tue, 26 Feb 2008 03:19:00 +00002008-02-25T21:22:56.685-06:00malwaresubmitted<pre wrap="">* name: antivir.exe<br />* size: 42358<br />* md5.: 448ea9863debe13966a7f809e7f8f8ff<br /><blockquote><br />AntiVir 7.6.0.67/20080218 found [TR/Crypt.XPACK.Gen]<br />BitDefender 7.2/20080218 found [Trojan.Spy.ZBot.V]<br />eSafe 7.0.15.0/20080217 found [Suspicious File]<br />Sophos 4.26.0/20080218 found [Sus/Behav-192]<br />Webwasher-Gateway 6.6.2/20080218 found [Trojan.Crypt.XPACK.Gen]</blockquote></pre><div class="blogger-post-footer"><script expr:src='"http://feeds.feedburner.com/~s/UploadmalwarecomsMalwareBlog?i=" + data:post.url' type="text/javascript" charset="utf-8"></script></div><img src="http://feeds.feedburner.com/~r/UploadmalwarecomsMalwareBlog/~4/vgNTJIMIUcc" height="1" width="1"/>http://feedproxy.google.com/~r/UploadmalwarecomsMalwareBlog/~3/vgNTJIMIUcc/antivirexe-448ea9863debe13966a7f809e7f8.htmlnoreply@blogger.com (UploadMalware.com)0http://uploadmalware.blogspot.com/2008/02/antivirexe-448ea9863debe13966a7f809e7f8.htmltag:blogger.com,1999:blog-166393339978616430.post-4723276436310482158Mon, 18 Feb 2008 02:07:00 +00002008-02-17T22:14:52.799-06:00roguemalwaresubmitted<pre wrap="">Earlier today we received these 4 files from a user at <a href="http://www.bleepingcomputer.com/">BleepingComputer.com</a><br />The detection is extremely low. I started to analyze these in my VM and figured it was worth mentioning these because very little information was available on Google.<br /><br />The reason I titled this post "Safe Strip Related Submissions" is the url I found in each of these files that takes you to the "Safe Strip" download page.<br /><br />After running for about 15 minutes I finally started to get the balloon tips:<br /></pre><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_6YaiYD4nLk4/R7j1GE5PlrI/AAAAAAAAABQ/kJP2MiB06mQ/s1600-h/wlkingman3b.png"><img style="cursor: pointer;" src="http://2.bp.blogspot.com/_6YaiYD4nLk4/R7j1GE5PlrI/AAAAAAAAABQ/kJP2MiB06mQ/s320/wlkingman3b.png" alt="" id="BLOGGER_PHOTO_ID_5168150057149503154" border="0" /></a><br /></div><pre wrap=""> Even some pretty error messages:<br /><br /></pre><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_6YaiYD4nLk4/R7j1Xk5PlsI/AAAAAAAAABY/0zkGXag2548/s1600-h/wlkingman3.png"><img style="cursor: pointer;" src="http://4.bp.blogspot.com/_6YaiYD4nLk4/R7j1Xk5PlsI/AAAAAAAAABY/0zkGXag2548/s320/wlkingman3.png" alt="" id="BLOGGER_PHOTO_ID_5168150357797213890" border="0" /></a><br /></div><pre wrap=""><br />And of course I can't forget my pretty new desktop background:<br /></pre><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_6YaiYD4nLk4/R7jzk05PlqI/AAAAAAAAABI/OUsVvEguBmk/s1600-h/wlkingman.png"><img style="cursor: pointer;" src="http://1.bp.blogspot.com/_6YaiYD4nLk4/R7jzk05PlqI/AAAAAAAAABI/OUsVvEguBmk/s320/wlkingman.png" alt="" id="BLOGGER_PHOTO_ID_5168148386407224994" border="0" /></a><br /></div><pre wrap="">Oh yeah and a popup for advanced cleaner:<br /></pre><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_6YaiYD4nLk4/R7j_yU5PltI/AAAAAAAAABg/xFOTly2DTgo/s1600-h/wlkingman4.png"><img style="cursor: pointer;" src="http://3.bp.blogspot.com/_6YaiYD4nLk4/R7j_yU5PltI/AAAAAAAAABg/xFOTly2DTgo/s320/wlkingman4.png" alt="" id="BLOGGER_PHOTO_ID_5168161812474992338" border="0" /></a><br /></div><pre wrap="">Hijack This entries associated with these:<br /><br /><blockquote>O4 - HKLM\..\Run: [SMSERIALWORKSTARTER] "C:\WINDOWS\comsysobj.exe"<br />O4 - HKLM\..\Run: [SMSERIALWORKERSTART] "C:\WINDOWS\shellexcon.exe"<br />O4 - HKLM\..\Run: [SMSERIALSTARTER] "C:\WINDOWS\win32st.exe"<br />O4 - HKLM\..\Run: [SMSERIALWORKERSTARTER] "C:\WINDOWS\winstrse.exe"</blockquote>Virustotal Scans:<br /><blockquote>* name: winstrse.exe<br />* size: 13899<br />* md5.: ed5db9136e502a87bdc20f36c787a977<br /><br /><br />Webwasher-Gateway 6.6.2/20080215 found [Virus.Win32.FileInfector.gen!90 (suspicious)]</blockquote><br /><br /><blockquote>* name: comsysobj.exe<br />* size: 13477<br />* md5.: 17195c2104aee64b598aa815332bb6a4<br /><br /><br />Panda 9.0.0.4/20080217 found [Adware/SpyBurner]<br />Webwasher-Gateway 6.6.2/20080215 found [Virus.Win32.FileInfector.gen!90 (suspicious)]<br /></blockquote><br /><blockquote>* name: shellexcon.exe<br />* size: 15479<br />* md5.: 3fe0e32201f34616edb7447e976df470<br /><br />AntiVir 7.6.0.67/20080215 found [HEUR/Malware]<br />Webwasher-Gateway 6.6.2/20080215 found [Heuristic.Malware]</blockquote><br /><br /><br /><blockquote>* name: win32st.exe<br />* size: 36864 bytes<br />* md5.: 7dfb42300357f7b50ba763497e6c41c7<br /><br />AntiVir 7.6.0.67/20080215 found [HEUR/Malware]<br />Webwasher-Gateway 6.6.2/20080215 found [Heuristic.Malware]</blockquote></pre><div style="text-align: center;"><br /></div><pre wrap=""><br />The files had the following URL's in the strings:<br /><br /><blockquote>http: //theonlybookmark.com/in.cgi<br />http: //safe-strip-download.com/soft/in.cgi</blockquote><br /><br /><br />Once the files finally started doing their thing I finally got a new IE window that opened to a SystemErrorFixer webpage:<br /><blockquote>http: //systemerrorfixer.com/clean/?cmpname=swpges31&amp;eai=<br />swp_ges&amp;eli=3948&amp;eaf=pp_1685211491&amp;eu=http%3A%2F%2F advancedcleaner.com%2F.cleaner%2Findex.php%3Ftmn%3 Dadctmp%26clone_name%3Dswpadcex %26led%3D3948%26afr% 3Dpp_1685211491&amp;ed=0&amp;ex=0&amp;h=10&amp;cmpname=null&amp;mt_info= 4141_0_1556</blockquote> and to<blockquote>https ://www.anonymouschannel.com/home?pin=anzf3e</blockquote><br />Which appears to be a fake Virtual Private Network manager.<br /><br />Thanks to WlkingMan for submitting these files.<br /><br /><br />Surf Safe,<br />Dave<br /><br /></pre><div class="blogger-post-footer"><script expr:src='"http://feeds.feedburner.com/~s/UploadmalwarecomsMalwareBlog?i=" + data:post.url' type="text/javascript" charset="utf-8"></script></div><img src="http://feeds.feedburner.com/~r/UploadmalwarecomsMalwareBlog/~4/7dLA_M835TE" height="1" width="1"/>http://feedproxy.google.com/~r/UploadmalwarecomsMalwareBlog/~3/7dLA_M835TE/safe-strip-related-submissions.htmlnoreply@blogger.com (UploadMalware.com)0http://uploadmalware.blogspot.com/2008/02/safe-strip-related-submissions.htmltag:blogger.com,1999:blog-166393339978616430.post-7966337969085957328Sun, 17 Feb 2008 05:09:00 +00002008-02-16T23:11:19.317-06:00malwaresubmitted<pre wrap="">* name: svchost.exe-submit.zip<br />* size: 15783<br />* md5.: 9e3c13b6556d5636b745d3e466d47467<br /><br /><br /><blockquote>AntiVir 7.6.0.67/20080215 found [W32/Hidrag.a]<br />Authentium 4.93.8/20080215 found [W32/Jeefo.A]<br />Avast 4.7.1098.0/20080215 found [Win32:Jeefo]<br />AVG 7.5.0.516/20080216 found [Win32/Hidrag.A]<br />BitDefender 7.2/20080216 found [Win32.Jeefo.A]<br />CAT-QuickHeal None/20080216 found [W32.Jeefo.A]<br />ClamAV 0.92.1/20080216 found [W32.Jeefo-3]<br />DrWeb 4.44.0.09170/20080216 found [Win32.HLLP.Jeefo.36352]<br />eSafe 7.0.15.0/20080214 found [Win32.Hidrag.a]<br />eTrust-Vet 31.3.5541/20080215 found [Win32/Jeefo.A]<br />Ewido 4.0/20080216 found [Worm.VB.dz]<br />F-Prot 4.4.2.54/20080215 found [W32/Jeefo.A]<br />F-Secure 6.70.13260.0/20080215 found [Virus.Win32.Hidrag.a]<br />Fortinet 3.14.0.0/20080216 found [W32/Jeefo.A]<br />Ikarus T3.1.1.20/20080216 found [Win32.Hidrag]<br />Kaspersky 7.0.0.125/20080216 found [Virus.Win32.Hidrag.a]<br />McAfee 5231/20080215 found [W32/Jeefo]<br />Microsoft 1.3204/20080216 found [Virus:Win32/Jeefo.A]<br />NOD32v2 2880/20080215 found [Win32/Jeefo.A]<br />Norman 5.80.02/20080215 found [W32/Hidrag.A]<br />Panda 9.0.0.4/20080216 found [W32/Jeefo.A.drp]<br />Prevx1 V2/20080216 found [Generic.Malware]<br />Rising 20.31.50.00/20080216 found [Win32.Hidrag]<br />Sophos 4.26.0/20080216 found [W32/Jeefo-A]<br />Sunbelt 2.2.907.0/20080216 found [Jeefo (v)]<br />Symantec 10/20080216 found [W32.Jeefo]<br />TheHacker 6.2.9.221/20080215 found [W32/Jeefo.gen]<br />VBA32 3.12.6.1/20080214 found [Win32.HLLP.Jeefo]<br />VirusBuster 4.3.26:9/20080215 found [Win32.Hidrag]<br />Webwasher-Gateway 6.6.2/20080215 found [Win32.Hidrag.a]<br /></blockquote><br /><br /></pre><div class="blogger-post-footer"><script expr:src='"http://feeds.feedburner.com/~s/UploadmalwarecomsMalwareBlog?i=" + data:post.url' type="text/javascript" charset="utf-8"></script></div><img src="http://feeds.feedburner.com/~r/UploadmalwarecomsMalwareBlog/~4/90dUSLl23e0" height="1" width="1"/>http://feedproxy.google.com/~r/UploadmalwarecomsMalwareBlog/~3/90dUSLl23e0/svchostexe-9e3c13b6556d5636b745d3e466d4.htmlnoreply@blogger.com (UploadMalware.com)0http://uploadmalware.blogspot.com/2008/02/svchostexe-9e3c13b6556d5636b745d3e466d4.htmltag:blogger.com,1999:blog-166393339978616430.post-4783010341958977295Sun, 17 Feb 2008 04:54:00 +00002008-02-16T22:59:34.049-06:00<pre wrap="">* name: Ma72Pan.exe-submit.zip<br />* size: 84508<br />* md5.: 9b6a68204fa80c20d39ebd0da0024085<br /><br /><br /><blockquote>Ikarus T3.1.1.20/20080217 found [Backdoor.Win32.Rbot.c]</blockquote><br /><br /><br /></pre><div class="blogger-post-footer"><script expr:src='"http://feeds.feedburner.com/~s/UploadmalwarecomsMalwareBlog?i=" + data:post.url' type="text/javascript" charset="utf-8"></script></div><img src="http://feeds.feedburner.com/~r/UploadmalwarecomsMalwareBlog/~4/rGUX_GI15WI" height="1" width="1"/>http://feedproxy.google.com/~r/UploadmalwarecomsMalwareBlog/~3/rGUX_GI15WI/ma72panexe-9b6a68204fa80c20d39ebd0da002.htmlnoreply@blogger.com (UploadMalware.com)0http://uploadmalware.blogspot.com/2008/02/ma72panexe-9b6a68204fa80c20d39ebd0da002.htmltag:blogger.com,1999:blog-166393339978616430.post-3951408480574349608Thu, 14 Feb 2008 15:17:00 +00002008-02-14T09:20:20.488-06:00<pre wrap=""><br />* name: rjmtjp.exe<br />* size: 11910<br />* md5.: d54d475125f7f6aa48d42f3f1122193a<br /><blockquote><br />AVG 7.5.0.516/20080213 found [BackDoor.RBot.BI]<br />BitDefender 7.2/20080214 found [Backdoor.Irc.Sdbot.KC]<br />DrWeb 4.44.0.09170/20080213 found [BackDoor.IRC.Sdbot.945]<br />eSafe 7.0.15.0/20080213 found [Suspicious File]<br />F-Secure 6.70.13260.0/20080214 found [W32/Ircbot.dam]<br />Norman 5.80.02/20080213 found [W32/Ircbot.dam]<br />Panda 9.0.0.4/20080214 found [W32/Poebot.MW.worm]<br />Prevx1 V2/20080214 found [Worm.Ircbot.Gen]<br />Symantec 10/20080214 found [W32.IRCBot.Gen]<br />Webwasher-Gateway 6.6.2/20080214 found [Win32.Malware.dam (suspicious)]<br /><br />packers: PE_Patch<br />Prevx info: <a class="moz-txt-link-freetext" href="http://info.prevx.com/aboutprogramtext.asp?PX5=AFC4ACC53825F0C930750061744E5E003D313D9A">http://info.prevx.com/aboutprogramtext.asp?PX5=AFC4ACC53825F0C930750061744E5E003D313D9A</a></blockquote><a class="moz-txt-link-freetext" href="http://info.prevx.com/aboutprogramtext.asp?PX5=AFC4ACC53825F0C930750061744E5E003D313D9A"></a></pre><div class="blogger-post-footer"><script expr:src='"http://feeds.feedburner.com/~s/UploadmalwarecomsMalwareBlog?i=" + data:post.url' type="text/javascript" charset="utf-8"></script></div><img src="http://feeds.feedburner.com/~r/UploadmalwarecomsMalwareBlog/~4/_Caib4Z3bhg" height="1" width="1"/>http://feedproxy.google.com/~r/UploadmalwarecomsMalwareBlog/~3/_Caib4Z3bhg/rjmtjpexe-d54d475125f7f6aa48d42f3f11221.htmlnoreply@blogger.com (UploadMalware.com)0http://uploadmalware.blogspot.com/2008/02/rjmtjpexe-d54d475125f7f6aa48d42f3f11221.htmltag:blogger.com,1999:blog-166393339978616430.post-2149463294423189617Wed, 13 Feb 2008 15:56:00 +00002008-02-13T21:23:29.166-06:00malwaresubmitted<pre wrap=""><br />* name: Setup.exe<br />* size: 58794<br />* md5.: dd13a676ffee2688d9046c3084362feb<br /><blockquote><br />AntiVir 7.6.0.65/20080213 found [WORM/P2P.Kapucen.Gen]<br />Authentium 4.93.8/20080213 found [W32/Kapucen.gen1@p2p]<br />Avast 4.7.1098.0/20080213 found [Win32:Kapucen]<br />AVG 7.5.0.516/20080213 found [Win32/Puce.C]<br />BitDefender 7.2/20080213 found [Win32.Worm.P2P.Puce.G]<br />CAT-QuickHeal None/20080213 found [I-Worm.Kapucen.b]<br />ClamAV 0.92/20080213 found [Worm.Puce.E]<br />DrWeb 4.44.0.09170/20080213 found [Win32.HLLW.Puce]<br />eTrust-Vet 31.3.5532/20080212 found [Win32/Puce.D]<br />F-Prot 4.4.2.54/20080212 found [W32/Kapucen.gen1@p2p]<br />F-Secure 6.70.13260.0/20080213 found [P2P-Worm.Win32.Kapucen.b]<br />Fortinet 3.14.0.0/20080213 found [W32/Kapucen.B!worm.p2p]<br />Ikarus T3.1.1.20/20080213 found [P2P-Worm.Win32.Kapucen.b]<br />Kaspersky 7.0.0.125/20080213 found [P2P-Worm.Win32.Kapucen.b]<br />McAfee 5228/20080212 found [W32/Puce]<br />Microsoft 1.3204/20080213 found [Worm:Win32/Puce.Y]<br />NOD32v2 2872/20080213 found [Win32/Kapucen.B]<br />Norman 5.80.02/20080212 found [Kapucen.A]<br />Panda 9.0.0.4/20080213 found [W32/Puce.E.worm]<br />Prevx1 V2/20080213 found [TROJAN.MUDROP.DU]<br />Sophos 4.26.0/20080213 found [W32/Puce-H]<br />Symantec 10/20080213 found [W32.Ecup]<br />VirusBuster 4.3.26:9/20080213 found [Worm.Kapucen.A]<br />Webwasher-Gateway 6.6.2/20080213 found [Worm.P2P.Kapucen.Gen]</blockquote></pre><div class="blogger-post-footer"><script expr:src='"http://feeds.feedburner.com/~s/UploadmalwarecomsMalwareBlog?i=" + data:post.url' type="text/javascript" charset="utf-8"></script></div><img src="http://feeds.feedburner.com/~r/UploadmalwarecomsMalwareBlog/~4/csVjwrpnEiM" height="1" width="1"/>http://feedproxy.google.com/~r/UploadmalwarecomsMalwareBlog/~3/csVjwrpnEiM/setupexe-dd13a676ffee2688d9046c3084362f.htmlnoreply@blogger.com (UploadMalware.com)0http://uploadmalware.blogspot.com/2008/02/setupexe-dd13a676ffee2688d9046c3084362f.htmltag:blogger.com,1999:blog-166393339978616430.post-3728256379027600851Tue, 12 Feb 2008 13:23:00 +00002008-02-12T07:28:17.934-06:00malwaresubmitted<pre wrap=""><blockquote>* submitter: Milkdad<br />* name: AcroIEHelper.dll<br />* size: 227894<br />* md5.: 32929bace82a07c26c1d3877176cb2a9<br /><br /><br />AntiVir 7.6.0.62/20080212 found [TR/Dldr.Delf.eqb.1]<br />AVG 7.5.0.516/20080211 found [Downloader.Generic6.AICW]<br />BitDefender 7.2/20080212 found [Trojan.Downloader.Codec.E]<br />CAT-QuickHeal None/20080211 found [TrojanDownloader.Delf.eqb]<br />F-Prot 4.4.2.54/20080211 found [W32/Banload.E.gen!Eldorado]<br />F-Secure 6.70.13260.0/20080212 found [Trojan-Downloader.Win32.Delf.eqb]<br />Fortinet 3.14.0.0/20080212 found [W32/Delf.EQB!tr.dldr]<br />Ikarus T3.1.1.20/20080212 found [Trojan-Downloader.Delf.OGX]<br />Kaspersky 7.0.0.125/20080212 found [Trojan-Downloader.Win32.Delf.eqb]<br />Microsoft 1.3204/20080211 found [Trojan:Win32/Delflob.I]<br />Prevx1 V2/20080212 found [Generic.Malware]<br />Webwasher-Gateway 6.6.2/20080212 found [Trojan.Dldr.Delf.eqb.1]<br /><br />packers: ASPack</blockquote>Av's that added because of your submission:<br /><br />Avira: <span>TR/Dldr.Delf.eqb.1</span></pre><div class="blogger-post-footer"><script expr:src='"http://feeds.feedburner.com/~s/UploadmalwarecomsMalwareBlog?i=" + data:post.url' type="text/javascript" charset="utf-8"></script></div><img src="http://feeds.feedburner.com/~r/UploadmalwarecomsMalwareBlog/~4/uaZh5udGAfM" height="1" width="1"/>http://feedproxy.google.com/~r/UploadmalwarecomsMalwareBlog/~3/uaZh5udGAfM/acroiehelperdll-32929bace82a07c26c1d387.htmlnoreply@blogger.com (UploadMalware.com)0http://uploadmalware.blogspot.com/2008/02/acroiehelperdll-32929bace82a07c26c1d387.htmltag:blogger.com,1999:blog-166393339978616430.post-1261525220147635907Tue, 12 Feb 2008 03:12:00 +00002008-02-12T07:03:27.577-06:00malwarearbor networksstormbotsThe new wave of storm is flowing just in time for Valentines. At the time of this post I've only recieved 3 emails for it and I imagine a lot more to come.<br /><br />The first with the subject "Phone Love" and a body that simply contained the following:<blockquote> Love Machine http:// 24.131.212.16/</blockquote><br />I of course went to the page to get the newest version and this was the image I found <br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_6YaiYD4nLk4/R7ERaE5PljI/AAAAAAAAAAQ/_IkhkzSFJFQ/s1600-h/storm-val3.gif"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://3.bp.blogspot.com/_6YaiYD4nLk4/R7ERaE5PljI/AAAAAAAAAAQ/_IkhkzSFJFQ/s320/storm-val3.gif" alt="" id="BLOGGER_PHOTO_ID_5165929387258779186" border="0" /></a><br /><br /><br /><br /><div style="text-align: left;"><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><div style="text-align: left;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_6YaiYD4nLk4/R7EUOk5PlkI/AAAAAAAAAAY/BaRhZOKsMKk/s1600-h/storm-val2.gif"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://1.bp.blogspot.com/_6YaiYD4nLk4/R7EUOk5PlkI/AAAAAAAAAAY/BaRhZOKsMKk/s320/storm-val2.gif" alt="" id="BLOGGER_PHOTO_ID_5165932488225166914" border="0" /></a></div> Onto the next one I received:<br />Subject: Valentine Invitation<br />Body: <div style="text-align: left;"><blockquote>Happy Valentine's Day! http:// 200.75.106.166 </blockquote><br /><---And yet another pretty pic Now for the third: <div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_6YaiYD4nLk4/R7EVBU5PllI/AAAAAAAAAAg/AleQW_L_eME/s1600-h/storm-val.gif"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://4.bp.blogspot.com/_6YaiYD4nLk4/R7EVBU5PllI/AAAAAAAAAAg/AleQW_L_eME/s320/storm-val.gif" alt="" id="BLOGGER_PHOTO_ID_5165933360103528018" border="0" /></a><br /><div style="text-align: left;">Subject: Be My Valentine<br />Body: <blockquote>Valentine Friends http:// 59.92.53.16/</blockquote><br />Ahh another pretty pic, reminds me a elementary school.<br /><br /><br /><br /><br /><br /><div style="text-align: left;"><br />The ones thing all of the files have in common is no detection at the time of the post!<br />Be very careful opening any valentines emails that you receive they could be more trouble than you ever wanted.<br /><br />http:// 24.131.212.16/ - valentine.exe MD5: d1789d5bbc74bcf4def368f9b9db303e<br />http:// 200.75.106.166/ - valentine.exe MD5: 8ef7be6c05aca940b1e9cf677d471a41<br />http:// 59.92.53.16/ - valentine.exe MD5: 74ca598169f8fdee49d04e22c8ac7514<br /><br />While I was writing this I received another one but it seems to be dead already. Here is the info from it.<br /><br />Subject: You're Super Sweet<br />Body: <blockquote>Love Rose http:// 203.128.211.219/ </blockquote><br />I've stayed away from the technical details here at least for now. Our friends over at asert.arbornetworks.com have posted some details check it out at:<br /><a href="http://asert.arbornetworks.com/2008/02/new-storm-valentines-day-campaign/">http://asert.arbornetworks.com/2008/02/new-storm-valentines-day-campaign/</a><br /><br />Edit:<br /><br />Here's some more if the images:<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_6YaiYD4nLk4/R7GXmk5PlmI/AAAAAAAAAAo/bfGaHUwA6N4/s1600-h/storm-val4.gif"><img style="cursor: pointer;" src="http://1.bp.blogspot.com/_6YaiYD4nLk4/R7GXmk5PlmI/AAAAAAAAAAo/bfGaHUwA6N4/s320/storm-val4.gif" alt="" id="BLOGGER_PHOTO_ID_5166076936565266018" border="0" /></a><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_6YaiYD4nLk4/R7GX305PlnI/AAAAAAAAAAw/Q21WTtRCRSA/s1600-h/storm-val6.gif"><img style="cursor: pointer;" src="http://2.bp.blogspot.com/_6YaiYD4nLk4/R7GX305PlnI/AAAAAAAAAAw/Q21WTtRCRSA/s320/storm-val6.gif" alt="" id="BLOGGER_PHOTO_ID_5166077232918009458" border="0" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_6YaiYD4nLk4/R7GYD05PloI/AAAAAAAAAA4/L0OVHeuCC8U/s1600-h/storm-val9.gif"><img style="cursor: pointer;" src="http://2.bp.blogspot.com/_6YaiYD4nLk4/R7GYD05PloI/AAAAAAAAAA4/L0OVHeuCC8U/s320/storm-val9.gif" alt="" id="BLOGGER_PHOTO_ID_5166077439076439682" border="0" /></a><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_6YaiYD4nLk4/R7GYKU5PlpI/AAAAAAAAABA/yPF48g3kPtg/s1600-h/storm-val11.gif"><img style="cursor: pointer;" src="http://4.bp.blogspot.com/_6YaiYD4nLk4/R7GYKU5PlpI/AAAAAAAAABA/yPF48g3kPtg/s320/storm-val11.gif" alt="" id="BLOGGER_PHOTO_ID_5166077550745589394" border="0" /></a><br />More subject lines and bodies:<br /><br /><blockquote>Just you: Rockin' Valentine http:// 71.156.93.100/<br />Rockin' Valentine: My Love http:// 65.34.217.24/<br />Rockin' Valentine: Powerful Love http:// 58.63.155.16/<br />My Heart: World Love http:// 76.68.144.52/ </blockquote><br /><br />Safe surfing!<br />Uploadmalware.com<br /><br /></div></div></div></div></div></div><div class="blogger-post-footer"><script expr:src='"http://feeds.feedburner.com/~s/UploadmalwarecomsMalwareBlog?i=" + data:post.url' type="text/javascript" charset="utf-8"></script></div><img src="http://feeds.feedburner.com/~r/UploadmalwarecomsMalwareBlog/~4/skvp9ua2NYk" height="1" width="1"/>http://feedproxy.google.com/~r/UploadmalwarecomsMalwareBlog/~3/skvp9ua2NYk/and-so-it-begins.htmlnoreply@blogger.com (UploadMalware.com)0http://uploadmalware.blogspot.com/2008/02/and-so-it-begins.htmltag:blogger.com,1999:blog-166393339978616430.post-4851185121591932729Tue, 12 Feb 2008 03:02:00 +00002008-02-11T21:07:39.119-06:00malwareasertarbor networksbots<pre wrap=""><br /><blockquote><br />* name: video.exe<br />* size: 91831<br />* md5.: 9f36a92add503d6c08a97d5dc0d5eb8c<br /><br /><br />AntiVir 7.6.0.62/20080208 found [TR/Dropper.Gen]<br />eSafe 7.0.15.0/20080128 found [suspicious Trojan/Worm]<br />Ikarus T3.1.1.20/20080210 found [Trojan-Spy.Win32.Banker.caw]<br />Panda 9.0.0.4/20080209 found [Suspicious file]<br />VBA32 3.12.6.0/20080209 found [suspected of Trojan-IM.VB.1 (paranoid heuristics)]<br />Webwasher-Gateway 6.6.2/20080209 found [Trojan.Dropper.Gen]<br /><br /><br />packers: UPX_LZMA</blockquote>AV's that added because of your submission:<br /><br />Trojan-Downloader.Win32.Banload.hjl<br /><br /></pre><div class="blogger-post-footer"><script expr:src='"http://feeds.feedburner.com/~s/UploadmalwarecomsMalwareBlog?i=" + data:post.url' type="text/javascript" charset="utf-8"></script></div><img src="http://feeds.feedburner.com/~r/UploadmalwarecomsMalwareBlog/~4/kT78fS-uDHY" height="1" width="1"/>http://feedproxy.google.com/~r/UploadmalwarecomsMalwareBlog/~3/kT78fS-uDHY/videoexe-9f36a92add503d6c08a97d5dc0d5eb.htmlnoreply@blogger.com (UploadMalware.com)0http://uploadmalware.blogspot.com/2008/02/videoexe-9f36a92add503d6c08a97d5dc0d5eb.htmltag:blogger.com,1999:blog-166393339978616430.post-2255672847951340325Tue, 12 Feb 2008 02:00:00 +00002008-02-11T20:19:26.578-06:00malwaresubmitted<pre wrap=""><br /><blockquote>* name: album_leticia.exe<br />* size: 14794<br />* md5.: 532c3c5674bb03464d4d990c291d8a14<br /><br /><br />ClamAV 0.92/20080210 found [Trojan.Downloader-13210]<br />Rising 20.29.22.00/20080130 found [Trojan.DL.Win32.Agent.ejs]<br />Webwasher-Gateway 6.6.2/20080210 found [Virus.Win32.FileInfector.gen!90 (suspicious)]</blockquote><br /><br />AV's that added based on your submission:<br /><br />Avira Lab: <span>TR/Dldr.Agent.iwf</span><br />Kaspersky: Trojan-Downloader.Win32.Agent.iwf<br /><br /></pre><div class="blogger-post-footer"><script expr:src='"http://feeds.feedburner.com/~s/UploadmalwarecomsMalwareBlog?i=" + data:post.url' type="text/javascript" charset="utf-8"></script></div><img src="http://feeds.feedburner.com/~r/UploadmalwarecomsMalwareBlog/~4/XvwsDU0B99c" height="1" width="1"/>http://feedproxy.google.com/~r/UploadmalwarecomsMalwareBlog/~3/XvwsDU0B99c/albumleticiaexe-532c3c5674bb03464d4d990.htmlnoreply@blogger.com (UploadMalware.com)0http://uploadmalware.blogspot.com/2008/02/albumleticiaexe-532c3c5674bb03464d4d990.htmltag:blogger.com,1999:blog-166393339978616430.post-430714518456561881Tue, 12 Feb 2008 01:45:00 +00002008-02-11T20:19:58.436-06:00malwaresubmitted<pre wrap=""><br />* name: elxxfghg.dll<br />* size: 80084 bytes<br />* md5.: 227f6af6fb4ae8063b5f7348fd9694ee<br /><br /><br /><blockquote>AntiVir 7.6.0.62/20080210 found [TR/Dldr.ConHook.Gen]<br />Avast 4.7.1098.0/20080210 found [Win32:TratBHO]<br />AVG 7.5.0.516/20080210 found [Lop]<br />BitDefender 7.2/20080210 found [Trojan.Vundo.DYM]<br />DrWeb 4.44.0.09170/20080210 found [Trojan.Virtumod.272]<br />eTrust-Vet 31.3.5522/20080208 found [Win32/Vundo.MO]<br />F-Prot 4.4.2.54/20080210 found [W32/Virtumonde.G.gen!Eldorado]<br />Ikarus T3.1.1.20/20080210 found [not-a-virus:AdWare.Win32.Virtumonde]<br />Kaspersky 7.0.0.125/20080210 found [not-a-virus:AdWare.Win32.Virtumonde.gen]<br />Microsoft 1.3204/20080210 found [Trojan:Win32/Vundo.gen!A]<br />Norman 5.80.02/20080208 found [W32/Virtumonde.KYQ]<br />Panda 9.0.0.4/20080210 found [Suspicious file]<br />Sophos 4.26.0/20080210 found [Troj/Virtum-Gen]<br />Symantec 10/20080210 found [Trojan.Adclicker]<br />TheHacker 6.2.9.215/20080209 found [Adware/Virtumonde.gen]<br />VirusBuster 4.3.26:9/20080210 found [Adware.Vundo.V.Gen]<br />Webwasher-Gateway 6.6.2/20080210 found [Trojan.Dldr.ConHook.Gen]</blockquote><br /><br /><br /><br /></pre><div class="blogger-post-footer"><script expr:src='"http://feeds.feedburner.com/~s/UploadmalwarecomsMalwareBlog?i=" + data:post.url' type="text/javascript" charset="utf-8"></script></div><img src="http://feeds.feedburner.com/~r/UploadmalwarecomsMalwareBlog/~4/_2TlxspQjs0" height="1" width="1"/>http://feedproxy.google.com/~r/UploadmalwarecomsMalwareBlog/~3/_2TlxspQjs0/elxxfghgdll-227f6af6fb4ae8063b5f7348fd9.htmlnoreply@blogger.com (UploadMalware.com)http://uploadmalware.blogspot.com/2008/02/elxxfghgdll-227f6af6fb4ae8063b5f7348fd9.htmltag:blogger.com,1999:blog-166393339978616430.post-998126536543068874Tue, 12 Feb 2008 01:38:00 +00002008-02-12T09:54:48.955-06:00malwaresubmitted<pre wrap="">* size: 2759 bytes<br />* md5.: ead7b53b7a67d39dfe74ff6fe981d389<br /><blockquote><br />AVG 7.5.0.516/20080211 found [Downloader.Zlob]<br />F-Secure 6.70.13260.0/20080211 found [Trojan-Downloader.Win32.Zlob.hku]<br />Kaspersky 7.0.0.125/20080211 found [Trojan-Downloader.Win32.Zlob.hku]<br />NOD32v2 2865/20080211 found [Win32/TrojanDownloader.Zlob.BPH]<br />Prevx1 V2/20080211 found [Downloader.Zlob]<br />Symantec 10/20080211 found [Trojan.Startpage]<br />VirusBuster 4.3.26:9/20080211 found [Trojan.DL.Zlob.Gen.34]</blockquote><br /><br /><br />Edit 1: Added by Ikarus as Virus.Win32.Zlob.AJV<br />Edit 2: Added by Avira as <span>TR/Dldr.Zlob.hku</span><br />Edit 3: Added by DrWeb as Virus: Trojan.Popuper<br /><br /><br /></pre><div class="blogger-post-footer"><script expr:src='"http://feeds.feedburner.com/~s/UploadmalwarecomsMalwareBlog?i=" + data:post.url' type="text/javascript" charset="utf-8"></script></div><img src="http://feeds.feedburner.com/~r/UploadmalwarecomsMalwareBlog/~4/wW50fDxEySY" height="1" width="1"/>http://feedproxy.google.com/~r/UploadmalwarecomsMalwareBlog/~3/wW50fDxEySY/sbsmexe-ead7b53b7a67d39dfe74ff6fe981d38.htmlnoreply@blogger.com (UploadMalware.com)http://uploadmalware.blogspot.com/2008/02/sbsmexe-ead7b53b7a67d39dfe74ff6fe981d38.htmltag:blogger.com,1999:blog-166393339978616430.post-5959374792645557593Mon, 09 Jul 2007 00:16:00 +00002007-07-09T15:47:07.433-05:00Yet another new set of Nuwar (storm worm) spam mails are coming out. Be on the look out for emails like the following:<br /><blockquote> Dear Customer,<br /><br />Our robot has detected an abnormal activity from your IP adress<br />on sending e-mails. Probably it is connected with the last epidemic<br />of a worm which does not have official patches at the moment.<br /><br />We recommend you <a href="http://link-removed-for-security/">to install this patch</a> to remove worm files<br />and stop email sending, otherwise your account will be blocked.<br /><br />Customer Support Robot</blockquote><blockquote></blockquote>The downloaded executable is named "patch.exe"<br /><br /><div style="text-align: center;">****URLS BELOW ARE POSTED FOR RESEARCH PURPOSES ONLY VISIT AT YOUR OWN RISK****<br /></div>Worm Detected!<br />Customer Support Center<br />nrp @ eyou.com<br />http:// 74.227.240.152/ ?a3b01bdad81d9b848ca9a8<br /><br />Worm Activity Detected!<br />Customer Support<br />qof @ calgarypolice.ca<br />http:// 66.31.89.82/ ?2989907cd64e28cae3d7703a3b01bdad81d9b<br /><br />Spyware Alert!<br />Customer Support Robot<br />vyjig @ kbhr933.com<br />http:// 203.192.225.72/ ?b161d496d2989907cd64e28cae3d7703a3b01bd<br /><br />Spyware Detected!<br />Customer Support Robot<br />vyjig @ kbhr933.com<br />http:// 76.24.0.216/ ?8ee7c634591933434671c1<br /><br />Trojan Alert!<br />Administrator<br />aupl @ nyc.rr.com<br />http:// 69.177.200.82/ ?1c8a8aa50bb1c20bb5790c08a823e9627257<br /><br />Malware Alert!<br />Customer Support Robot<br />xas @ evercell.com<br />http:// 81.48.51.112/ ?8a823e96272575cbc68911e6c36a4bc9<br /><br />Virus Activity Detected!<br />Mailer-Deamon<br />bij @ fibertel.com.ar<br />http:// 76.83.102.143/ ?8088aea28abd4d55393e4dd7ae5b23933<br /><br />ATTN!<br />Customer Support Center Robot<br />gal @ madbrands.com<br />http:// 66.68.92.35/ ?e7c634591933434671c16a2e59b1283bd17061a<br /><br />Worm Alert!<br />Administrator<br />djn @ lge.com<br />http:// 81.236.145.163/ ?58e47d14c775ed2175ee0c2a4c1c8a8aa50<br /><br /><div style="text-align: center;"><div style="text-align: center;">****URLS ABOVE ARE POSTED FOR RESEARCH PURPOSES ONLY VISIT AT YOUR OWN RISK****<br /></div><div style="text-align: center;"><br /></div></div><div class="blogger-post-footer"><script expr:src='"http://feeds.feedburner.com/~s/UploadmalwarecomsMalwareBlog?i=" + data:post.url' type="text/javascript" charset="utf-8"></script></div><img src="http://feeds.feedburner.com/~r/UploadmalwarecomsMalwareBlog/~4/iJC1YE3U9HI" height="1" width="1"/>http://feedproxy.google.com/~r/UploadmalwarecomsMalwareBlog/~3/iJC1YE3U9HI/new-nuwar.htmlnoreply@blogger.com (UploadMalware.com)0http://uploadmalware.blogspot.com/2007/07/new-nuwar.html