CastleCops, Internet Crime Fighters

another variant of the redir.html/video.exe hacked websites

AlphaCentauri (SIRT Handler, Premium Member)
Joined: Nov 20, 2003
Posts: 2895

Posted: Mon Apr 28, 2008 12:27 am    Post subject: another variant of the redir.html/video.exe hacked websites

I submitted the links to MIRT, but I grabbed a copy of the download from one of the sites. There are several new ones every day. There are two types of spam:

1. spam subjects like "We caught you naked alphacentauri" with a link to a website that has been hacked to include the file "video.exe";

2. spam subjects with some numerical percentage like "95% off for alphacentauri" and a fake Google page ad link to a website hacked to include the file "redir.html." The redir.html files redirect to a Canadian Pharmacy site, sugaronly.com.

For both types, you can substitute the other file name and usually find it is there as well (occasionally webmasters find the video.exe but neglect to delete the redir.html).

They were originally coming up as Storm, which was expected, since Storm sites have previously redirected to Canadian Pharmacy sites. Lately they were coming up as Zlob.

Example:
spammed link:
http://www.google.de/pagead/iclk?sa=l&ai=IWSjaU&num=30098&adurl=http://impresalavoro.it/redir.html
malware link:
http://impresalavoro.it/video.exe

This one is detected by 11/32 on VirusTotal, and there is no consensus whether it is Storm or Zlob or something else. These are unlike the usual Storm-infected sites. Those still have a page title called "Hot new clips added daily" and an image with text,
"You have no Storm Codec on your PC.
Download it and choose either "Open" or "Run".
Enjoy your multimedia experience! "
If you look for that image by name, it won't be on these sites. Also, if you go back to older spams, if the sites have not been disinfected, the versions of the malware will not have been updated to the same version as the new sites. They just distribute the malware but don't act infected themselves.

VirusTotal:
http://www.virustotal.com/analisis/16dd316fb729687c742fea2bd857ef10
File video.exe.txt received on 04.28.2008 01:45:31 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.4.25.2 2008.04.25 -
AntiVir 7.8.0.10 2008.04.27 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.04.27 -
Avast 4.8.1169.0 2008.04.27 -
AVG 7.5.0.516 2008.04.27 Downloader.Zlob.12.AH
BitDefender 7.2 2008.04.28 -
CAT-QuickHeal 9.50 2008.04.26 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.04.27 -
DrWeb 4.44.0.09170 2008.04.27 -
eSafe 7.0.15.0 2008.04.27 Suspicious File
eTrust-Vet 31.3.5736 2008.04.26 -
Ewido 4.0 2008.04.27 -
F-Prot 4.4.2.54 2008.04.27 -
F-Secure 6.70.13260.0 2008.04.28 Trojan.Win32.Agent.kwo
FileAdvisor 1 2008.04.28 -
Fortinet 3.14.0.0 2008.04.27 -
Ikarus T3.1.1.26.0 2008.04.28 Trojan.Win32.Revelation
Kaspersky 7.0.0.125 2008.04.28 Trojan.Win32.Agent.kwo
McAfee 5282 2008.04.25 -
Microsoft 1.3408 2008.04.22 TrojanDropper:Win32/Nuwar.gen!lds
NOD32v2 3058 2008.04.27 -
Norman 5.80.02 2008.04.25 -
Panda 9.0.0.4 2008.04.27 -
Prevx1 V2 2008.04.28 -
Rising 20.41.62.00 2008.04.27 -
Sophos 4.28.0 2008.04.27 Mal/EncPk-CG
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.28 -
TheHacker 6.2.92.294 2008.04.26 -
VBA32 3.12.6.5 2008.04.26 Trojan.Win32.Revelation
VirusBuster 4.3.26:9 2008.04.27 -
Webwasher-Gateway 6.6.2 2008.04.27 Trojan.Crypt.XPACK.Gen
Additional information
File size: 91648 bytes
MD5...: 69d105a56cc43f42dd32ef288a51d906
SHA1..: 61edc58ff77032c792b910482dda3f3fe02f9c8a
SHA256: 81d7469d6bbc3c7819d55c7872707c5382521b1f4b4f81188346c1515c086ec6
SHA512: 69057db82554d1538cb544ffefb28df664b9aa8f7da309aa55608155f1ad0b534fa580bc03d49ab66180f66d83a9000e84f66bbe4e38c802f243a77d338622ae
PEiD..: -
PEInfo: PE Structure information

Jotti:
Scan taken on 28 Apr 2008 00:00:23 (GMT)
A-Squared: Found nothing
AntiVir: Found TR/Crypt.XPACK.Gen
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found Downloader.Zlob.12.AH
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found Trojan.Win32.Agent.kwo
Fortinet: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found Trojan.Win32.Agent.kwo
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found Mal/EncPk-CG
VirusBuster: Found nothing
VBA32: Found Trojan.Win32.Revelation

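The link pattern the post above describes (a fake Google "pagead" link whose adurl parameter carries the real target, a hacked site hosting redir.html or video.exe) can be triaged mechanically so the landing hosts can be reported or blocked. The script below is an added example, not the poster's or MIRT's tooling. The two sample links are the ones quoted in the post; the example.com line, the "www.google." host check and the field names are assumptions made here.

```python
"""Triage of spammed links of the kind described in the thread (added example).
Each link is followed one hop through the fake Google ad redirect, the landing
host is extracted, and the sibling campaign file (redir.html <-> video.exe)
that the webmaster should also remove is named."""
from urllib.parse import urlparse, parse_qs

# Filenames the thread says are planted together on the hacked sites.
SIBLING_FILES = {"redir.html": "video.exe", "video.exe": "redir.html"}


def final_destination(url):
    """If the URL is a Google pagead link carrying adurl=, return that target;
    otherwise the URL is its own destination.  Assumption: any host starting
    with "www.google." is treated as a Google ad-click endpoint."""
    p = urlparse(url)
    if p.netloc.lower().startswith("www.google.") and p.path.startswith("/pagead/"):
        ad = parse_qs(p.query).get("adurl")
        if ad:
            return ad[0]
    return url


def triage(url):
    """Classify one spammed URL: landing URL and host, whether a Google
    redirect was involved, and which sibling file to check for as well."""
    dest = final_destination(url)
    d = urlparse(dest)
    filename = d.path.rsplit("/", 1)[-1]
    return {
        "spammed": url,
        "landing": dest,
        "redirected_via_google": dest != url,
        "landing_host": d.netloc,
        "file": filename,
        "also_check": SIBLING_FILES.get(filename),
        "is_known_campaign_file": filename in SIBLING_FILES,
    }


def blocklist(urls):
    """Deduplicated hosts that land on one of the campaign filenames."""
    return sorted({t["landing_host"] for t in map(triage, urls)
                   if t["is_known_campaign_file"]})


# Constructed sample: the two links quoted in the post plus one benign
# placeholder (example.com is not from the thread).
SAMPLE_LINKS = [
    "http://www.google.de/pagead/iclk?sa=l&ai=IWSjaU&num=30098&adurl=http://impresalavoro.it/redir.html",
    "http://impresalavoro.it/video.exe",
    "http://www.example.com/index.html",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(triage(link))
    print("hosts to report/block:", blocklist(SAMPLE_LINKS))
```

The one-hop unwrapping is deliberately narrow: only a Google host with a /pagead/ path and an adurl parameter is treated as a redirector, so ordinary links are reported as their own destination and nothing is fetched from the network.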
AlphaCentauri (SIRT Handler, Premium Member)
Joined: Nov 20, 2003
Posts: 2895

Posted: Mon Apr 28, 2008 12:37 am

Here's a copy of the current Storm worm, which is different:

VirusTotal
http://www.virustotal.com/analisis/60b7341d1d6a6ba5304914bc9375f2bb
File StormCodec8.exe.txt received on 04.28.2008 02:29:19 (CET)
Result: 7/32 (21.88%)
Antivirus Version Last Update Result
AhnLab-V3 2008.4.25.2 2008.04.25 -
AntiVir 7.8.0.10 2008.04.27 HEUR/Malware
Authentium 4.93.8 2008.04.27 -
Avast 4.8.1169.0 2008.04.27 -
AVG 7.5.0.516 2008.04.27 -
BitDefender 7.2 2008.04.28 -
CAT-QuickHeal 9.50 2008.04.26 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.04.27 -
DrWeb 4.44.0.09170 2008.04.27 -
eSafe 7.0.15.0 2008.04.27 Suspicious File
eTrust-Vet 31.3.5736 2008.04.26 -
Ewido 4.0 2008.04.27 -
F-Prot 4.4.2.54 2008.04.27 -
F-Secure 6.70.13260.0 2008.04.28 Email-Worm.Win32.Zhelatin.yd
FileAdvisor 1 2008.04.28 -
Fortinet 3.14.0.0 2008.04.27 -
Ikarus T3.1.1.26 2008.04.28 -
Kaspersky 7.0.0.125 2008.04.28 Email-Worm.Win32.Zhelatin.yd
McAfee 5282 2008.04.25 -
Microsoft 1.3408 2008.04.22 Backdoor:Win32/Nuwar.A
NOD32v2 3058 2008.04.27 -
Norman 5.80.02 2008.04.25 -
Panda 9.0.0.4 2008.04.27 -
Prevx1 V2 2008.04.28 -
Rising 20.41.62.00 2008.04.27 -
Sophos 4.28.0 2008.04.27 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.28 -
TheHacker 6.2.92.294 2008.04.26 -
VBA32 3.12.6.5 2008.04.26 -
VirusBuster 4.3.26:9 2008.04.27 -
Webwasher-Gateway 6.6.2 2008.04.27 Heuristic.Malware
Additional information
File size: 132609 bytes
MD5...: 734dd6224d3061011f924faabc209c00
SHA1..: b0704097fc23d71b8eb650c60f39aa137f61d4dc
SHA256: ac0fb07310c14ac4115a1bc0fbca05c72fff21943141aa40ccc192f0e64d0094
SHA512: 9d3acbcc3cf41f254f51ab5286b734a7513078c115c312ac5c9552b185708578d7a17578aec658c6a049ef5bc6be389e166b51940117e93cf6ded54b403c0daf

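Both posts paste the plain-text VirusTotal listing rather than its summary, and the first post's point is that the engines that do fire disagree about the family. The parser below is an added example, not the poster's or VirusTotal's code, and serves both listings: it splits each row into engine, version, update date and verdict, counts detections, and tallies which family the verdict names. VT_LISTING is copied from the first post's video.exe listing so the result can be compared with the poster's "11/32" figure; the family keyword map is an assumption made here.

```python
"""Parse the plain-text VirusTotal listings pasted in the thread (added
example).  A verdict of '-' is a clean result; the verdict column may
contain spaces, so each row is split into at most four fields."""
import re
from collections import Counter

# Detection-name fragments mapped to the families argued over in the thread.
# Assumption: packer names, "Suspicious" and generic Agent verdicts are
# counted as generic rather than attributed to a family.
FAMILY_HINTS = {"nuwar": "Storm", "zhelatin": "Storm", "zlob": "Zlob"}

DATE_RE = re.compile(r"\d{4}\.\d{2}\.\d{2}")


def parse_vt_listing(text):
    """Return [(engine, version, last_update, result), ...] for every row
    whose third field is a YYYY.MM.DD date; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(None, 3)
        if len(parts) == 4 and DATE_RE.fullmatch(parts[2]):
            rows.append(tuple(parts))
    return rows


def summarize(rows):
    """Detection ratio, the engines that fired, and a per-family tally."""
    hits = [r for r in rows if r[3] != "-"]
    families = Counter()
    for _, _, _, result in hits:
        low = result.lower()
        matched = {fam for frag, fam in FAMILY_HINTS.items() if frag in low}
        families.update(matched or {"generic/heuristic"})
    return {
        "engines": len(rows),
        "detections": len(hits),
        "ratio": f"{len(hits)}/{len(rows)}",
        "detected_by": [r[0] for r in hits],
        "families": dict(families),
    }


# Copied from the first post's VirusTotal listing for video.exe.
VT_LISTING = """\
Antivirus Version Last Update Result
AhnLab-V3 2008.4.25.2 2008.04.25 -
AntiVir 7.8.0.10 2008.04.27 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.04.27 -
Avast 4.8.1169.0 2008.04.27 -
AVG 7.5.0.516 2008.04.27 Downloader.Zlob.12.AH
BitDefender 7.2 2008.04.28 -
CAT-QuickHeal 9.50 2008.04.26 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.04.27 -
DrWeb 4.44.0.09170 2008.04.27 -
eSafe 7.0.15.0 2008.04.27 Suspicious File
eTrust-Vet 31.3.5736 2008.04.26 -
Ewido 4.0 2008.04.27 -
F-Prot 4.4.2.54 2008.04.27 -
F-Secure 6.70.13260.0 2008.04.28 Trojan.Win32.Agent.kwo
FileAdvisor 1 2008.04.28 -
Fortinet 3.14.0.0 2008.04.27 -
Ikarus T3.1.1.26.0 2008.04.28 Trojan.Win32.Revelation
Kaspersky 7.0.0.125 2008.04.28 Trojan.Win32.Agent.kwo
McAfee 5282 2008.04.25 -
Microsoft 1.3408 2008.04.22 TrojanDropper:Win32/Nuwar.gen!lds
NOD32v2 3058 2008.04.27 -
Norman 5.80.02 2008.04.25 -
Panda 9.0.0.4 2008.04.27 -
Prevx1 V2 2008.04.28 -
Rising 20.41.62.00 2008.04.27 -
Sophos 4.28.0 2008.04.27 Mal/EncPk-CG
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.28 -
TheHacker 6.2.92.294 2008.04.26 -
VBA32 3.12.6.5 2008.04.26 Trojan.Win32.Revelation
VirusBuster 4.3.26:9 2008.04.27 -
Webwasher-Gateway 6.6.2 2008.04.27 Trojan.Crypt.XPACK.Gen
"""

if __name__ == "__main__":
    print(summarize(parse_vt_listing(VT_LISTING)))
```

Run against the first listing this gives 11/32 with one engine naming Zlob, one naming Nuwar (Storm) and nine generic or packer-based verdicts, which is the "no consensus" situation the poster describes; pasting the second post's StormCodec8.exe listing in its place yields the 7/32 shown there.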
tetak (MIRT Team Lead, Premium Member)
Joined: Jan 19, 2007
Posts: 5879

Posted: Tue Apr 29, 2008 4:17 pm

I've added StormCodec8.exe to the malware listserv.

CastleCops Link/p1083917-MD5_734dd6224d3061011f924faabc209c00_StormCodec8_exe.html


_________________
Got Windows XP? Help protect your PC from malware with Microsoft's anti-spyware program Windows Defender.

Download it for free from http://www.microsoft.com/athome/security/spyware/software/default.mspx