A forum for reverse engineering, OS internals and malware analysis 

 #11250  by CloneRanger
 Wed Jan 25, 2012 3:58 am
Hi, i wonder if you can explain this please.

Badware @ hxxp://www.claassen-eisbedarf.de

Allowed Scripting & Requests in FF.

Invokes FF Plugin Container which i allowed through my FW. Soon after i was notified that the Plugin Container had crashed. Avira alerted me to the Malware, but i allowed them to be DL'd after being prompted.

temp\wpbt0.dll found in Temporary Internet Files

Something automatically launched regsvr.32.exe ?

w.php?f=79&e=6 = hxxp://seriusmazaloa.com/w.php?f=79&e=6 = found in Temp file. When i copied it to my desktop it morphed into contacts[1].exe

hxxp://seriusmazaloa.com/w.php?f=79&e=6 is serving other Malware eg calc.exe

What i'm interested in, is how did w.php?f=79&e=6 morph into hxxp://seriusmazaloa.com/w.php?f=79&e=6 & then contacts[1].exe ?

TIA

PW = infected
Attachments: Temp int.gif (screenshot of the Temporary Internet Files listing); Badware (password-protected sample archive)
 #11268  by CloneRanger
 Wed Jan 25, 2012 8:27 pm
@ EP_X0FF

Hi, Thanks for the link :) I now see it was wpbt0.dll that automatically launched regsvr.32.exe after all ;)

I didn't find any info though as to how w.php?f=79&e=6 morphs into hxxp://seriusmazaloa.com/w.php?f=79&e=6 & then contacts[1].exe ?

Any info would be appreciated :)
 #11273  by EP_X0FF
 Thu Jan 26, 2012 2:20 am
CloneRanger wrote:
@ EP_X0FF

Hi, Thanks for the link :) I now see it was wpbt0.dll that automatically launched regsvr.32.exe after all ;)

I didn't find any info though as to how w.php?f=79&e=6 morphs into hxxp://seriusmazaloa.com/w.php?f=79&e=6 & then contacts[1].exe ?

Any info would be appreciated :)
Blackhole executes a JavaScript when you visit its dropzone. This JavaScript deobfuscates itself and executes another JavaScript which tries to launch exploits. In case of successful exploitation the payload is dropped on the target machine and launched. You probably don't know how the Internet Explorer cache works if you are asking for
w.php?f=79&e=6 = hxxp://seriusmazaloa.com/w.php?f=79&e=6 = found in Temp file. When i copied it to my desktop it morphed into contacts[1].exe
Nothing is morphing.
w.php?f=79&e=6 = hxxp://seriusmazaloa.com/w.php?f=79&e=6
This is the address of the Blackhole payload; in the cache it contains only half of the full name -> w.php?f=79&e=6. Why? I don't know, ask the Explorer developers. When you pop up Properties in Explorer it will display the full URI -> hxxp://seriusmazaloa.com/w.php?f=79&e=6. Once this cache item is copied elsewhere outside, it will be automatically renamed to its actual name as the Blackhole script told -> contacts[1].exe (probably contacts.exe already exists in the cache).
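The cache behaviour described above is why a defender should not trust the name a cache listing shows: the entry displayed as a .php URL was a Windows executable, and the [1] suffix only marks a name collision. The following is an added example, not code from the thread, that walks a cache-style directory, identifies PE files by their MZ header rather than by name, and separates the collision index from the real extension; the directory contents are constructed for the demo.

```python
import os
import re
import tempfile

PE_MAGIC = b"MZ"
# Collision-suffixed cache names such as contacts[1].exe or index[2].html.
COLLISION_RE = re.compile(r"^(?P<stem>.+?)\[(?P<n>\d+)\](?P<ext>\.[^.]*)?$")
EXEC_EXTS = {".exe", ".dll", ".scr", ".cpl"}

def is_pe(path):
    """True if the file starts with the MZ header of a Windows executable."""
    with open(path, "rb") as fh:
        return fh.read(2) == PE_MAGIC

def parse_cache_name(name):
    """Split a cache filename into (stem, collision index, extension).
    The query string Explorer shows (?f=79&e=6) is not part of the name."""
    base = name.split("?", 1)[0]
    m = COLLISION_RE.match(base)
    if m:
        return m.group("stem"), int(m.group("n")), (m.group("ext") or "").lower()
    stem, ext = os.path.splitext(base)
    return stem, 0, ext.lower()

def find_executables(cache_dir):
    """List every PE file in cache_dir, flagging those whose displayed
    extension (.php, .html, ...) does not admit to being executable."""
    findings = []
    for name in sorted(os.listdir(cache_dir)):
        path = os.path.join(cache_dir, name)
        if not os.path.isfile(path) or not is_pe(path):
            continue
        stem, idx, ext = parse_cache_name(name)
        findings.append({"file": name, "stem": stem, "ext": ext,
                         "collision": idx, "mismatch": ext not in EXEC_EXTS})
    return findings

def build_demo_cache():
    """Constructed sample cache (not a real capture) with one disguised PE."""
    d = tempfile.mkdtemp()
    samples = {
        "w.php?f=79&e=6": b"MZ" + b"\x90" * 62,   # PE served under a script name
        "contacts[1].exe": b"MZ" + b"\x00" * 62,  # honest, collision-suffixed name
        "index[1].html": b"<html></html>",        # ordinary page, also suffixed
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d

if __name__ == "__main__":
    for finding in find_executables(build_demo_cache()):
        print(finding)
```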
 #11288  by CloneRanger
 Thu Jan 26, 2012 11:59 am
@ EP_X0FF
You probably don't know how Internet Explorer cache works if asking for
Funny thing though, i was using FF !
Nothing is morphing.

OK, it just appeared that way to me.
in cache it contains only half of full name -> w.php?f=79&e=6, why? I don't know
Yeah, weird. I wonder if they've discovered a new trick to try & hide the www ?
Once this cache item copied elsewhere outside it will be automatically renamed to it actual name as Blackhole script
Interesting, live & learn ;)

Thanks for the details etc :)
 #11293  by EP_X0FF
 Thu Jan 26, 2012 12:56 pm
I'm not familiar with modern Firefox, because I stopped using it a few years ago.

What I want to say is that the weird naming in the picture you have attached is only the way the Windows shell (Explorer) shows the contents of Temporary Internet Files.

You can see yourself - go to Temporary Internet Files. Every file will be displayed in such manner.