A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #7085  by Maxstar
 Tue Jul 05, 2011 11:05 am
I found this fake 'mbam' installer in a samples package of malwares.pl (03-04.07.2011.7z).
This installer refers to another site with many fake installers. hxxp://shareware.pro/index.php

I already posted a warning on my Dutch forum.
http://www.pcwebplus.nl/phpbb/viewtopic ... 213&t=5046

Edit:
The host hxxp://www.vista.es/installers/ is down, I see?
 #7091  by EP_X0FF
 Tue Jul 05, 2011 6:00 pm
AV SMS Hoax

A fake scanner page working as an SMS hoax.

hxxp://antivirus-v854427062.dyndns-web.com/

First it displays the usual fake scanner process.

Image

Totally random of course.
```javascript
// Fake "scanning" progress: every tick shows a random file name and bumps random
// "viruses found" counters. Nothing on the visitor's machine is actually examined.
function re7a59e(){
	ga5faef8 = Math.round(100 - $("#fast").width() / 418 * 100);
	$("#pp").text(ga5faef8 + "%");
	// "Currently scanning: <random name>.<random extension>" picked from two lookup tables
	$("#elysium").html('Сейчас сканируется: ' + def6f84[Math.floor(Math.random()*100)] + '.' + x7ff4[Math.floor(Math.random()*51)]);
	var rand1 = Math.floor(Math.random()*(8));
	var rand2 = Math.floor(Math.random()*(10));
	process.progress1 += rand1;
	// "Viruses found: N" per category, driven purely by the two random draws
	if(rand1 < 4){
		process.found.c.html('<span class="supergirl">Найдено вирусов: '+process.progress1+'</span>');
		$("#dj1").removeClass("none");
	}
	if(rand2 < 3){
		process.progress2 += rand2;
		process.found.d.html('<span class="supergirl">Найдено вирусов: '+process.progress2+'</span>');
		$("#dj2").removeClass("none");
	}
	if(rand1 > rand2 && ga5faef8 > 40){
		process.progress3 += rand2;
		process.found.s.html('<span class="supergirl">Найдено вирусов: '+process.progress3+'</span>');
		$("#dj3").removeClass("none");
	}
	if(rand1 > rand2 && ga5faef8 > 60){
		process.progress4 += rand1 - 2;
		process.found.m.html('<span class="supergirl">Найдено вирусов: '+process.progress4+'</span>');
	}
}
```
Next it asks for your phone number.

Image

You can't enter crap or the same phone number as in the example.
```javascript
// Client-side "validation": exactly 11 digits, starting with 79 (Russian mobile
// numbers), and not the example number shown in the form.
if( (tmp_num.length!=11) || (tmp_num.substring(0,2)!='79') || tmp_num=='79117776655'){
	alert("Неверно указан номер!\n\rФормат ввода: +79117776655");
}
```
Once you enter a valid number it asks you to send an SMS to get an activation code.

Image

Don't waste your money on this crap, get the activation code here! :)
```javascript
// The "activation code" is compared against a constant embedded in the page,
// so the SMS step buys nothing; the code is visible to anyone reading the source.
function check_code(){
	if(  (document.getElementById('code').value!="37823") ){
		alert("Неверный кoд!");
	}else{
		prdl = true;
		document.getElementById('codewnd').style.display="none";
		document.getElementById('dwnloads').style.display="block";
	}
}
```
And now you are allowed to download super antivirus software!

Image


What is it?

It is the freeware CLAMAV:
ClamWin - a free antivirus scanner for the Microsoft Windows
98/Me/2000/XP/2003/Vista platforms. It provides a graphical user
interface to the Clam AntiVirus program.
Features include:

* Scheduled scanning;
* Automatic updating of the virus database. The ClamAV team regularly
updates the virus database as soon as new viruses or their variants
appear;
* Antivirus scanner;
* Integration into the Microsoft Windows Explorer context menu;
* Plugin for Microsoft Outlook.

Latest version of Clamwin Free Antivirus - 0.96.5
*FACEPALM*
 #7155  by EP_X0FF
 Fri Jul 08, 2011 4:47 pm
Browser SMS Hoax

source hxxp://ieup.co.cc/

The same as the AV hoax, only in this case you must install a new secured browser.

For downloading IE8 (yes, this is the payload).

Startup (scanning and compiling "update")

Image

Give me your phone number and please send SMS

Image

Secret key to save money :)
```javascript
// Same trick as the AV hoax: the "activation code" is a constant in the page.
// Either the main code field or the secondary one unlocks the download, and a
// cookie remembers the "activation" for two hours.
function check_code()
{
	if( (document.getElementById('code').value!="473282") && (document.getElementById('codesub').value!="473282") )
	{
		alert("Неверный код!");
	}
	else
	{
		document.getElementById('activation').style.display="none";
		document.getElementById('activationsubcode').style.display="none";
		document.getElementById('activated').style.display="block";
		set_cookie('m','1',2*60*60);
	}
}
```
Download the IE8 copy from Yandex and enjoy being completely fooled.

Image
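Both SMS hoaxes above share the same structure: a fake "scan" whose detections come from Math.random(), a phone-number gate, and an "activation code" compared against a constant embedded in the page. The following Python script is an added example for this thread, not code from either hoax page or from any poster, that automates the triage EP_X0FF did by hand: given the saved JavaScript of such a page it pulls out the hard-coded code(s), the phone-number constraints and the random "detection" counters. The two JS samples inside it are constructed imitations of the snippets quoted in the thread, not the original pages; the regular expressions are assumptions about how these gates are typically written and will need adjusting for other variants.

```python
import re

# Constructed sample, modelled on the AV hoax snippets quoted in this thread.
SAMPLE_JS = r"""
function re7a59e(){
    ga5faef8 = Math.round(100 - $("#fast").width() / 418 * 100);
    var rand1 = Math.floor(Math.random()*(8));
    process.progress1 += rand1;
    process.found.c.html('<span class="supergirl">Найдено вирусов: '+process.progress1+'</span>');
}
if( (tmp_num.length!=11) || (tmp_num.substring(0,2)!='79') || tmp_num=='79117776655'){
    alert("Неверно указан номер!");
}
function check_code(){
    if(  (document.getElementById('code').value!="37823") ){
        alert("Неверный кoд!");
    }
}
"""

# Constructed sample, modelled on the browser hoax's check_code (two input fields).
SAMPLE_JS_BROWSER = r"""
function check_code() {
    if( (document.getElementById('code').value!="473282") && (document.getElementById('codesub').value!="473282") ) {
        alert("Неверный код!");
    }
}
"""

Q = "['\"]"  # one quote character of either kind
# document.getElementById('<id>').value != "<literal>"  -> client-side activation gate
CODE_CMP = re.compile(r"getElementById\(\s*" + Q + r"(\w+)" + Q + r"\s*\)\.value\s*!=\s*" + Q + r"([^'\"]+)" + Q)
# <var>.length != <n>, <var>.substring(0,k) != '<prefix>', <var> == '<digits>'
LEN_CHECK = re.compile(r"(\w+)\.length\s*!=\s*(\d+)")
PREFIX_CHECK = re.compile(r"(\w+)\.substring\(\s*0\s*,\s*(\d+)\s*\)\s*!=\s*" + Q + r"(\d+)" + Q)
LITERAL_NUM = re.compile(r"(\w+)\s*==\s*" + Q + r"(\d{7,15})" + Q)
# Math.random() feeding a ".progressN +=" counter is the fake-scan fingerprint
RANDOM_CALL = re.compile(r"Math\.random\(\)")
PROGRESS_INC = re.compile(r"\.progress\d*\s*\+=")


def extract_activation_codes(js):
    """Map of input element id -> literal the page compares it against."""
    return {elem_id: literal for elem_id, literal in CODE_CMP.findall(js)}


def extract_phone_rules(js):
    """Constraints the page places on the phone number field, if any."""
    rules = {}
    m = LEN_CHECK.search(js)
    if m:
        rules["var"] = m.group(1)
        rules["length"] = int(m.group(2))
    m = PREFIX_CHECK.search(js)
    if m:
        rules["prefix"] = m.group(3)
    m = LITERAL_NUM.search(js)
    if m:
        rules["rejected_example"] = m.group(2)
    return rules


def uses_random_scan_counters(js):
    """True when 'detections' are incremented from random draws rather than any scan."""
    return bool(RANDOM_CALL.search(js)) and bool(PROGRESS_INC.search(js))


def triage(js):
    """Summarise the hoax mechanics of one saved page's JavaScript."""
    codes = extract_activation_codes(js)
    phone = extract_phone_rules(js)
    fake_scan = uses_random_scan_counters(js)
    findings = []
    if codes:
        findings.append("client-side activation gate, code(s) %s embedded in the page"
                        % sorted(set(codes.values())))
    if phone.get("prefix"):
        findings.append("phone gate: %s-digit numbers starting with %s"
                        % (phone.get("length"), phone["prefix"]))
    if fake_scan:
        findings.append("'viruses found' counters driven by Math.random(), no real scan")
    return {"activation_codes": codes, "phone_rules": phone,
            "fake_scan": fake_scan, "findings": findings}


if __name__ == "__main__":
    for name, src in (("AV hoax", SAMPLE_JS), ("browser hoax", SAMPLE_JS_BROWSER)):
        print(name)
        for line in triage(src)["findings"]:
            print("  -", line)
```

The point for a defender is the first finding: any "pay by SMS, then enter the code" flow whose check_code compares the field against a string literal never contacted a server, so the payment is pure loss and the page can be classified from its static source alone.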
 #7158  by Xylitol
 Fri Jul 08, 2011 7:17 pm
Trojan.Kardphisher

Image

Image

Image

Image

Image

20/43 >> 46.5%
http://www.virustotal.com/file-scan/rep ... 1310152146

btw for the Browser SMS Hoax >> http://www.co.cc/prosecution/prosecution.php
Attachments
pwd: xylibox
(215.05 KiB) Downloaded 63 times
pwd: xylibox
(280.32 KiB) Downloaded 71 times
 #7189  by Xylitol
 Sun Jul 10, 2011 5:15 pm
Pharma spam

Fake Pharma site:
Image

Fake Cigs site:
Image

Leaked from Pharmincome/Cigincome affiliates.
Attachments
pwd: xylibox
(1.67 MiB) Downloaded 60 times
pwd: xylibox
(3.3 MiB) Downloaded 62 times