[Fresh malware] story feelsenergy com
16 March 2011, 13:42
Let's look at some fresh malware that is being pushed by practically every known method: from luring victims to a fake site loaded with exploits, to hijacking accounts and sending messages with fairly convincing social engineering.
Source

Today many people received messages from their ICQ contacts with roughly the following content:
hello. hxxp://feels-energy.com/*****/ - look, a cool thing!
Encoded link (Base64): aHR0cDovL2ZlZWxzLWVuZXJneS5jb20vMDczNzMv==

The link leads to a page styled as a video-clip download. There are reviews from people who supposedly downloaded it, a download counter, in short everything looks normal. It even states openly that the video format is SCR (screen saver), gives the file size, and so on. The download link on that page leads to a ZIP file of about 81 KB.

Aimed at Russian-speaking users.

Contents

Inside the archive is an SCR file of 100 KB. The icon is taken from Windows Media Player.

Development environment: Borland Delphi 6.0-7.0 (according to PEiD / DiE)
Format: dropper [?]
Name: wrapper for Pinch that protects it from detection by known antivirus products.
Features: minimal dropper code, good protection, a minimal import table; possibly tricks with TLS callbacks.

Judging by a brief analysis, Pinch is dropped directly onto the system.
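The lure described above relies on an archive whose only payload is an executable (an SCR screen saver) wearing a media-player icon. The triage script below is an added example, not code from the original post: it opens a ZIP, and for every member reports whether the extension is one Windows executes on double-click, whether the content starts with the PE "MZ" magic regardless of its name, and its SHA-256 for a VirusTotal lookup. The sample archive it builds is constructed (a 100-byte stub beginning with "MZ"); the real sample's bytes are not on the page.

```python
import hashlib
import io
import zipfile

# Extensions Windows runs directly on double-click; .scr is the one used in this lure.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".vbs", ".js", ".hta", ".lnk", ".msi"}


def triage_zip(archive_bytes):
    """Return one finding per file inside a ZIP archive.

    A finding records the member name, whether its extension is executable,
    whether its content carries the PE 'MZ' magic (an executable no matter
    what the name says), its uncompressed size and its SHA-256.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            name_lower = info.filename.lower()
            ext = "." + name_lower.rsplit(".", 1)[-1] if "." in name_lower else ""
            findings.append({
                "name": info.filename,
                "executable_ext": ext in EXECUTABLE_EXTS,
                # A "video" that starts with MZ is a Windows executable.
                "pe_magic": data[:2] == b"MZ",
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    return findings


def is_suspicious(finding):
    """Flag a member if either the name or the content says 'executable'."""
    return finding["executable_ext"] or finding["pe_magic"]


def build_sample_archive():
    """Constructed sample: a 'clip' that is really a screen-saver executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Fake PE stub (constructed): 'MZ' header followed by padding.
        zf.writestr("cool_video.scr", b"MZ" + b"\x00" * 98)
        zf.writestr("readme.txt", b"look, a cool thing!\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_archive()):
        verdict = "SUSPICIOUS" if is_suspicious(f) else "ok"
        print(f"{verdict:10} {f['name']:16} exec_ext={f['executable_ext']} "
              f"pe={f['pe_magic']} size={f['size']} sha256={f['sha256'][:16]}...")
```

Run it on a real downloaded archive by replacing `build_sample_archive()` with the file's bytes; the member is flagged on either signal, so renaming the SCR to something innocuous would still trip the MZ check, and a packed file with an unusual extension would still trip the extension check.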

Antivirus reaction

VirusTotal result: 10 of 35 detections.
As you can see, Kaspersky / NOD32 / Symantec / Panda / McAfee missed it.
BitDefender / Webwasher did an ideal job. The rest caught it only by heuristics (a miracle).

Additional information

A neighbouring exploit bundle was found by Habr user ognevsky.

Measures taken

Abuse complaint to the hoster
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: www.estdomains.com

Domain Name: FEELS-ENERGY.COM

Registrant:
feels-energy
Sem (analizsite@gmail.com)
NY, 3741 Baychester Avenue, (Annex), Bronx
New York
New York, 10466
US
Tel. +1.7186556660

Creation Date: 01-Aug-2008
Expiration Date: 01-Aug-2009

Domain servers in listed order:
ns2.cheapoem.biz
ns1.cheapoem.biz

PS. This small "situation analysis" is purely the author's personal opinion, based on his experience, intuition and knowledge. The author is not an information-security specialist, just an amateur.

UPD. Added the domain registration information for sending abuse complaints.

UPD. Updated the post. Links to the malware are now encoded. The rest is masked so that the malware can be recognised without decoding.

UPD. News from DrWeb: «Your request has been analyzed. A record for the new virus has been added to the database. Virus: Trojan.PWS.LDPinch.4182», thanks to Habr user vilgeforce.
Views: 682 | Added by: w1zard | Rating: 0.0/0