6 December 2011, 21:55


First I thought this was like regular spam, and something close to Viagra (and others...). But, in the end, no...

The contact told me his "mail account" had been stolen, whereas I do believe his computer has been compromised (and then, the bad guys used that to gain access to the email account...).

(screenshot: msg_Gmail.JPG)

But when I clicked on it, surprise... The real URL is:

http://bessthoprapi2iad .vv.cc/2i3xuqg42.jsp.

But this will in fact redirect the user to:

http://87.255.77. 35/fw2.pl

Then a new redirection: http://dsdss333 .coom.in/dng311011/a90c83a2e63449deddcf99e0660d9f73/spl.php (detected by KAV 2011, but apparently this is not efficient enough to block the infection).

Under IE9, here is what happens:

(screenshot: msg1_IE9_egorest.co.in.jpg)

If I click on Yes, it goes:

(screenshot: scan1_IE9_egorest.co.in.jpg)

Then...

(screenshot: scan2_IE9_egorest.co.in.jpg)

Quite regular now: even if I click "Cancel", an attempt is made to download a file, still in a regular way:

(screenshot: file_egorest.co.in.JPG)

IE 9 then tries to warn me that the file "is not downloaded very often, and could be harmful"...:

(screenshot: msg_file_IE9_egorest.co.in-copie-1.JPG)

KAV 2011 does not detect the sample. Neither does Malwarebytes.

VirusTotal's results are quite clear: only 2 engines out of 41...!

 

Antivirus / Version / Last update / Result
AhnLab-V3 2011.12.06.01 2011.12.06 -
AntiVir 7.11.19.2 2011.12.06 -
Antiy-AVL 2.0.3.7 2011.12.06 -
Avast 6.0.1289.0 2011.12.06 -
AVG 10.0.0.1190 2011.12.06 -
BitDefender 7.2 2011.12.06 -
ByteHero 1.0.0.1 2011.11.29 -
CAT-QuickHeal 12.00 2011.12.06 -
ClamAV 0.97.3.0 2011.12.06 -
Commtouch 5.3.2.6 2011.12.06 -
Comodo 10859 2011.12.06 -
DrWeb 5.0.2.03300 2011.12.06 -
Emsisoft 5.1.0.11 2011.12.06 -
eSafe 7.0.17.0 2011.12.06 -
eTrust-Vet 37.0.9607 2011.12.06 -
F-Prot 4.6.5.141 2011.11.29 -
F-Secure 9.0.16440.0 2011.12.06 -
Fortinet 4.3.388.0 2011.12.06  W32/Kryptik.TAF!tr
GData 22 2011.12.06 -
Ikarus T3.1.1.109.0 2011.12.06 -
Jiangmin 13.0.900 2011.12.06 -
K7AntiVirus 9.119.5608 2011.12.06 -
Kaspersky 9.0.0.837 2011.12.06 -
McAfee 5.400.0.1158 2011.12.06 -
McAfee-GW-Edition 2010.1D 2011.12.06 -
Microsoft 1.7903 2011.12.06 -
NOD32 6681 2011.12.04 -
Norman 6.07.13 2011.12.06  W32/Kazy.NA
nProtect 2011-12-06.01 2011.12.06 -
Panda 10.0.3.5 2011.12.06 -
PCTools 8.0.0.5 2011.12.06 -
Prevx 3.0 2011.12.06 -
Rising 23.87.01.02 2011.12.06 -
Sophos 4.71.0 2011.12.06 -
SUPERAntiSpyware 4.40.0.1006 2011.12.06 -
Symantec 20111.2.0.82 2011.12.06 -
TheHacker 6.7.0.1.352 2011.12.01 -
TrendMicro 9.500.0.1008 2011.12.06 -
TrendMicro-HouseCall 9.500.0.1008 2011.12.06 -
VBA32 3.12.16.4 2011.12.06 -
VIPRE 11212 2011.12.06 -
ViRobot 2011.12.6.4811 2011.12.06 -
VirusBuster 14.1.102.0 2011.12.06 -
MD5: c7fa7ebcb697b26ac684f8b18a0f30b4
SHA1: 98561e513580021bbd2f715e54a53e96558a8a1f
SHA256: bc9264cd51df7815a96c0753cbacbde9f2f491a191b78a06782854abb93171f4
File size: 129536 bytes
Scan date: 2011-12-06 21:48:09 (UTC)
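As an added example (not part of the original post), here is how one might triage a VirusTotal text dump like the one above: parse the rows, compute the detection ratio while flagging engines whose signatures were older than the scan date, and check that a local copy of the sample matches the report's hashes. The embedded rows are a constructed subset of the page's table in the same format; the empty-string hash values in the usage are well-known constants used only to exercise the check.

```python
import hashlib
import re

# Added example, not from the original post: triage a VirusTotal text dump
# like the one pasted above and check that a local sample matches its hashes.

# Constructed subset of the page's report rows ("engine version date result").
VT_TEXT = """\
AhnLab-V3 2011.12.06.01 2011.12.06 -
F-Prot 4.6.5.141 2011.11.29 -
Fortinet 4.3.388.0 2011.12.06  W32/Kryptik.TAF!tr
Kaspersky 9.0.0.837 2011.12.06 -
Norman 6.07.13 2011.12.06  W32/Kazy.NA
TrendMicro-HouseCall 9.500.0.1008 2011.12.06 -
"""
SCAN_DATE = "2011.12.06"  # scan date from the report, in the rows' date format

ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")


def parse_vt_rows(text):
    """Return (engine, version, update_date, result) tuples; result is None
    when the engine printed '-' (file reported clean)."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            engine, version, date, result = m.groups()
            rows.append((engine, version, date, None if result == "-" else result))
    return rows


def summarize(rows, scan_date):
    """Detection ratio plus the engines whose signatures were older than the
    scan: a miss from a stale engine says little about the sample."""
    hits = {e: r for e, _, _, r in rows if r}
    stale = [e for e, _, d, _ in rows if d < scan_date]  # YYYY.MM.DD sorts lexically
    return {"engines": len(rows), "detections": len(hits), "hits": hits, "stale": stale}


def verify_hashes(data, expected):
    """Compare a local sample against the report's hashes; returns the names
    of the algorithms that do NOT match (empty list means the same file)."""
    return [alg for alg, digest in expected.items()
            if hashlib.new(alg, data).hexdigest() != digest.lower()]


if __name__ == "__main__":
    summary = summarize(parse_vt_rows(VT_TEXT), SCAN_DATE)
    print(f"{summary['detections']}/{summary['engines']} engines:", summary["hits"])
    print("stale signatures:", summary["stale"])
```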

About the file:

I also find it interesting to mention that the exe file is in fact made with pure MS technology: Silverlight.

(screenshot: file_properties.jpg)

Update 1:

When run on a fully patched Win 7 x64, nothing really bad happens... it seems that an additional download fails.

This is also what ThreatExpert tells about the file execution history:

http://www.threatexpert.com/report.aspx?md5=c7fa7ebcb697b26ac684f8b18a0f30b4

Buggy malware?
