24 February 2011, 00:26

Just to say that a few hours ago I received a spam, like in the old days :), but not in French this time.


Here is the link that appears within the body of the email:



but in fact, here is the real link:

http://videos .katebowman.com.au/images/youtube/videos/abuso/22/2/2011/video-ex-escriva-de-policia-e-despida-em-delegacia-cai-na-internet.php?0.79795 

Caution! This one is malicious!


Indeed, it automatically redirects the user to:

http://89. 149.226.195/css/video-ex-escriva-de-policia-e-despida-em-delegacia-cai-na-internet-AVI.exe
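As an added example (not from the original post), here is a small Python triage helper for the two tricks just described: an anchor whose visible text is a URL on a different host than its actual href, and a redirect destination that is a raw-IP-hosted executable with a video-like name. The e-mail body and URLs it processes are constructed placeholders, not the post's real indicators.

```python
# Added example (not from the original post): flag the displayed-vs-real link trick and the redirect-to-executable pattern.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def extract_anchors(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.anchors

def _host(url):
    return (urlsplit(url).hostname or "").lower()

def link_is_deceptive(href, text):
    """Visible text looks like a URL but the href leads to a different host."""
    return bool(re.match(r"https?://", text)) and _host(text) != _host(href)

def redirect_target_flags(url):
    """Reasons the redirect destination deserves blocking at the proxy or mail gateway."""
    flags, path = [], urlsplit(url).path.lower()
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", _host(url)):
        flags.append("ip-literal host")  # raw IPv4, no domain reputation to check
    if path.endswith(EXECUTABLE_EXTENSIONS):
        flags.append("executable download")
    if re.search(r"(avi|mpg|mp4|wmv|video)[^/]*\.exe$", path):
        flags.append("media-name disguise")  # "video...-AVI.exe" posing as a clip
    return flags

# Constructed sample input (not the post's real URLs), mirroring the lure's structure.
SAMPLE_EMAIL = ('<p>Veja: <a href="http://videos.example.net/images/youtube/videos/abuso/video.php?0.79795">'
                'http://noticias.example.org/video/policia</a></p>')
SAMPLE_REDIRECT = "http://192.0.2.10/css/video-ex-escriva-AVI.exe"
```

Run `extract_anchors(SAMPLE_EMAIL)` and `redirect_target_flags(SAMPLE_REDIRECT)` to see the deceptive anchor and all three flags raised on the constructed sample.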


As for the "subject" of the link, the thing that is supposed to interest a user: it is about a police clerk, "naked", which reminds me of the "sex tape" of a few stars... here is a translation of it:


"Police" and "naked", probably two words that could invite a person to click on the link... 


What about the IP hosting the malware, when accessed through various browsers?

- Opera 11: no warning

- Safari 5.0.3: no warning

- Firefox 3.6.13: no warning 

- IE 9: no warning...!


Okay, that's not really a good start. Browsers' embedded security could certainly be more effective...

Let's see what VT says about the sample: 9 engines out of 43 do detect it... I've seen better detection.

BTW, the full (and up-to-date) version of Nod32 does detect it as a variant of Banload.PMI... but Clam In the Cloud does not detect anything, which surprises me a little bit.


The sample is being run in the ThreatExpert sandbox. I just received the results, and they look interesting!



I'll talk about them in more detail pretty soon.


