CastleCops, Internet Crime Fighters

Evil trucker?

 
downie

PIRT Handler


Joined: May 19, 2006
Posts: 3982

Phishing Squad

Posted: Mon Feb 04, 2008 5:18 am    Post subject: Evil trucker?

hxxp://autosolution.load4.net/
Lots of VBScript that looks suspect.
This is a fake escrow site btw.


_________________
"For evil to triumph utterly, it is only necessary that good men do nothing."
MAPKOBKA

Lieutenant
Premium Member

Joined: Jul 04, 2007
Posts: 163

Premium

Posted: Mon Feb 04, 2008 10:14 am

Kaspersky identifies Trojan.VBS.StartPage.bk present on that page, and a heuristic verdict of Type_script.


AhnLab-V3 2008.2.4.10 2008.02.04 -
AntiVir 7.6.0.62 2008.02.04 VBS/MacDonald.A.1
Authentium 4.93.8 2008.02.03 VBS/StartPage.BO
Avast 4.7.1098.0 2008.02.03 VBS:Malware-gen
AVG 7.5.0.516 2008.02.03 -
BitDefender 7.2 2008.02.04 Trojan.VBS.Autorun.J
CAT-QuickHeal 9.00 2008.02.01 -
ClamAV 0.92 2008.02.04 Trojan.VBS-5
DrWeb 4.44.0.09170 2008.02.04 SCRIPT.Virus
eSafe 7.0.15.0 2008.01.28 -
eTrust-Vet 31.3.5509 2008.02.04 -
Ewido 4.0 2008.02.04 -
FileAdvisor 1 2008.02.04 -
Fortinet 3.14.0.0 2008.02.04 VBS/StartPage.BK!tr
F-Prot 4.4.2.54 2008.02.03 VBS/StartPage.BO
F-Secure 6.70.13260.0 2008.02.04 Type_Script
Ikarus T3.1.1.20 2008.02.04 -
Kaspersky 7.0.0.125 2008.02.04 Type_Script
McAfee 5221 2008.02.01 VBS/Doli.worm
Microsoft 1.3204 2008.02.04 Worm:VBS/Lido.gen!A
NOD32v2 2845 2008.02.02 VBS/StartPage.BK
Norman 5.80.02 2008.02.01 -
Panda 9.0.0.4 2008.02.03 Suspicious file
Prevx1 V2 2008.02.04 -
Rising 20.29.22.00 2008.01.30 Unknown
Sophos 4.26.0 2008.02.04 -
Sunbelt 2.2.907.0 2008.02.02 -
Symantec 10 2008.02.04 -
TheHacker 6.2.9.208 2008.02.04 -
VBA32 3.12.6.0 2008.02.03 -
VirusBuster 4.3.26:9 2008.02.03 -
Webwasher-Gateway 6.6.2 2008.02.04 Script.MacDonald.A.1


_________________
Kaspersky Lab Forum Moderator
KL Cert PSP
Virusinfo.info External Specialist
Alliance of Security Analysis Professionals Member
http://malwarecrawler.com - honeypot@malwarecrawler.com
bobby_

MIRT Hunter


Joined: Nov 04, 2006
Posts: 237
Location: Austria
MIRT

Posted: Mon Feb 04, 2008 9:04 pm

Account suspended.

Can someone attach the page source? I would like to take a look at it.


_________________
ASAP member
MAPKOBKA

Lieutenant
Premium Member

Joined: Jul 04, 2007
Posts: 163

Premium

Posted: Tue Feb 12, 2008 11:43 am

Hi, no source code saved, but I have saved one of the .startpage objects that was being detected.

maliciousbrains

Sergeant
Premium Member

Joined: Feb 23, 2008
Posts: 103

Premium

Posted: Sat Feb 23, 2008 7:45 pm    Post subject: EXE2VBS Virus

This is a virus that has been converted to a VBS file with the EXE2VBS utility. It infects the system and creates a copy of itself after renaming any doc/jpg file in the computer. It will execute and place a copy of the actual infected file Winini.dll inside the System32 folder and will make a registry run entry as well. It will attach itself with the Winlogon process as well.

Here are the findings:

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - VBS/MacDonald.A.1
Authentium - - VBS/StartPage.BO
Avast - - VBS:Malware-gen
AVG - - -
BitDefender - - Trojan.VBS.Autorun.J
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - SCRIPT.Virus
eSafe - - -
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - VBS/StartPage.BO
F-Secure - - Trojan.VBS.StartPage.bw
Ikarus - - Trojan.VBS.StartPage.bw
Kaspersky - - Trojan.VBS.StartPage.bw
McAfee - - VBS/Doli.worm
Microsoft - - Worm:VBS/Lido.gen!A
NOD32v2 - - VBS/StartPage.BK
Norman - - -
Panda - - Suspicious file
Prevx1 - - -
Rising - - Unknown Script Virus
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - Script.MacDonald.A.1
Additional information
MD5: b8b72f5add2279d739107f008c102215
SHA1: 25c79fd0ec1a6e97effd0b57db7104f6e99fd776
SHA256: c1d6c6519f8264c42a3871a2dc16a0cffdb5680f3bfb50e35198bfee426c46f9
SHA512: 10b0295b765d556a9d7214bebc515b0259e75c96ff6eac05f5721515f44776d7 dd6f804c6da876fe0037b0d557c65353103dfe3961a6c7ee1187bd9decbf6220


Thanks & Regards...
MaliciousBrains
http://maliciousbrains.blogspot.com
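
A host triage check for the three artifacts the post above describes (dropped file, Run entry, Winlogon hook), added here as an example and not taken from the thread or from any poster. Only the file name Winini.dll comes from the post; the Run and Winlogon registry paths are assumed standard autostart locations, because the post does not name the keys involved.

```powershell
# Added example. Only the file name Winini.dll comes from the post; the registry
# paths below are assumed standard autostart locations, not keys named in the thread.
$findings = @()

# 1. Dropped file in System32.
$dropped = Join-Path $env:SystemRoot 'System32\Winini.dll'
if (Test-Path -LiteralPath $dropped) {
    $f = Get-Item -LiteralPath $dropped -Force
    $findings += "File: $($f.FullName) created $($f.CreationTime)"
}

# 2. Run entries that reference the dropped file or launch a .vbs script.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($data -match 'winini\.dll|\.vbs') {
            $findings += "Run: $key\$name = $data"
        }
    }
}

# 3. Winlogon: Shell/Userinit changed from their defaults, or a Notify DLL
#    (Windows XP-era mechanism) pointing at the dropped file.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props = Get-ItemProperty -Path $winlogon
$expectedUserinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
if (([string]$props.Shell).Trim() -ne 'explorer.exe') {
    $findings += "Winlogon Shell = $($props.Shell)"
}
if (([string]$props.Userinit).Trim() -ne $expectedUserinit) {
    $findings += "Winlogon Userinit = $($props.Userinit)"
}
$notify = Join-Path $winlogon 'Notify'
if (Test-Path $notify) {
    foreach ($sub in Get-ChildItem -Path $notify) {
        $dll = [string]$sub.GetValue('DllName')
        if ($dll -match 'winini') { $findings += "Winlogon Notify: $($sub.PSChildName) -> $dll" }
    }
}

if ($findings.Count -eq 0) { 'No matching artifacts found.' } else { $findings }
```

A hit on the Shell or Userinit comparison means the value differs from the stock default and needs review; it is not proof of this sample on its own.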
