A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #20489  by Xylitol
 Wed Aug 14, 2013 5:14 pm
http://www.f-secure.com/weblog/archives/00002590.html

Malicious URL:
Code:
http://d7586.com/
https://www.virustotal.com/en/ip-addres ... formation/
https://www.virustotal.com/en/file/1449 ... 376502251/
US landing in the attachment.

Anti right-click:
Code:
// Disable drag, text selection and the right-click context menu
document.ondragstart = test;
document.onselectstart = test;
document.oncontextmenu = test;
// Returning false from the handler cancels the default browser action
function test() {
return false;
}
Anti Ctrl+U/C/A:
Code:
function catchControlKeys(event){
var code=event.keyCode ? event.keyCode : event.which ? event.which : null;
if (event.ctrlKey){
// Ctrl+U
if (code == 117) return false;
if (code == 85) return false;
// Ctrl+C
if (code == 99) return false;
if (code == 67) return false;
// Ctrl+A
if (code == 97) return false;
if (code == 65) return false;
}
} 
Check if the MoneyPak code has a length of 14:
Code:
// Only non-empty voucher codes that are not exactly 14 characters reach this branch
if (input[0].value != '' && input[0].value.length != 14) {
    // the landing page rejects the entered MoneyPak code here
}
'lock tab' code is in iframe:
Attachment: infected (477.83 KiB)
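As an added example (not code from the post, the landing page or the F-Secure write-up), a small Node.js scanner that flags the Browlock tricks quoted in this post when run over a saved copy of a page; the indicator list, its weights and the sample HTML below are constructed for illustration.

```javascript
// Added example: flag the Browlock landing-page tricks described in the thread
// in a saved HTML/JS sample. Patterns follow the quoted snippets; the sample
// page and the weights are constructed, not taken from a real landing page.

const INDICATORS = [
  { name: 'context-menu/selection/drag handlers disabled',
    re: /document\.(oncontextmenu|onselectstart|ondragstart)\s*=/,
    weight: 1 },
  { name: 'Ctrl+U/C/A key codes intercepted',
    // ctrlKey test followed (within a short window) by one of the key codes
    re: /ctrlKey[\s\S]{0,400}?\b(117|85|99|67|97|65)\b/,
    weight: 2 },
  { name: 'MoneyPak-style 14-character voucher length check',
    re: /\.length\s*!==?\s*14\b/,
    weight: 2 },
  { name: 'iframe present (tab-lock code is typically isolated there)',
    re: /<iframe\b/i,
    weight: 1 },
];

// Returns the matched indicator names and a summed score so the result can
// be thresholded by whatever triage tooling consumes it.
function scanBrowlockPage(html) {
  const hits = INDICATORS.filter(ind => ind.re.test(html));
  return {
    hits: hits.map(ind => ind.name),
    score: hits.reduce((sum, ind) => sum + ind.weight, 0),
  };
}

// Constructed sample containing the thread's anti-copy and length-check snippets.
const SAMPLE_PAGE = `
<html><body>
<iframe src="lock.html"></iframe>
<script>
document.ondragstart = test; document.onselectstart = test; document.oncontextmenu = test;
function test() { return false; }
function catchControlKeys(event){
  var code = event.keyCode ? event.keyCode : event.which;
  if (event.ctrlKey){ if (code == 117 || code == 85) return false; }
}
if(input[0].value != '' && input[0].value.length != 14 ) { alert('bad code'); }
</script></body></html>`;

// Constructed benign page with no such indicators.
const BENIGN_PAGE = '<html><body><p>hello</p><script>var x = 1;</script></body></html>';

console.log(scanBrowlockPage(SAMPLE_PAGE));  // 4 hits, score 6
```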
 #21257  by Flamef
 Sun Oct 27, 2013 10:29 pm
Hi, just found a new variant of the Greek version, it is not listed here https://www.botnets.fr/index.php/Landings_GR so please submit it there.
This is the site:
hXXp://asvert.7mwo.us/games/83pGFdBUXMKn2dOJ4q9XKoCdFC6ttzHuK_/ZTqVLU-EEkX-les/XcByrlH5UANc34wXBDBXVHDM41Zuct4OJz9Qg~~/MjhkYmJmZDJlNTI4YzQ2OTcwYWFlMTVlMjc1
It doesn't block your computer, it just shows the warning, but it doesn't block the screen.
What I mean is:
P.S.: Someone move this post wherever it should be. The old man is a Greek politician :D.
 #21500  by Win32:Virut
 Sat Nov 30, 2013 11:02 am
_hxxp://nijd2.meyair.com/copyright/TufPN8S9mPZBwbs_/5HAQbfPaX-MGX5DVXIAAmVc35XtQjUNZVN5ZCx_/qHynE4bOE98nfT3/hNb-ICQBlIWvyKeg~~/YzI1MDQ3YmFjNjE0MWI4NjlhODE4MGM0Yz
_hxxp://nijd2.meyair.com/cyberpolice/WYpnL2wEW0kyv1uCsKL9pZtMYXsnOO8O0QXv66gMC46RwHVNxfWr8ex61/usr1UhD1J5fyl72IWtxfEhClViJ8A~~/ZWM4YTQ5NGMxYzhlMTFlNDA2OGVlZDVl
 #21512  by Win32:Virut
 Sun Dec 01, 2013 1:11 pm
_hxxp://solif2.sofilos.com/copyright/kJqtzBa4RN1J4D2Nb3WyrN9FF67vkAcru8cf2EF0oCdPSVVu9pl6vlCR_/P6KBg/0vY_/AslRG89VtQXpXjgaqYcg%7E%7E/N2FjZjM3ZTIwN2NlNmUzZTFmNTUyODhmNDAyZ
 #21635  by Xylitol
 Mon Dec 09, 2013 5:44 pm
Code:
hxxp://z7752.com/checkout.php?step=1
hxxp://europol.europe.eu.france.id911463879-4405515776.a1751.com
hxxp://fbi.gov.id911463879-4405515776.a1751.com
hxxp://polizei.de.id947857189-3979898726.f1207.com
hxxp://politi.no.id764784884-6682874677.b4326.com
hxxp://polizia-penitenziaria.it.id764784884-6682874677.b4326.com
hxxp://afp.gov.au.id764784884-6682874677.b4326.com
hxxp://politi.no.id764784884-6682874677.b4326.com
hxxp://polfed-fedpol.id764784884-6682874677.b4326.com
hxxp://rcmp.gc.ca.id764784884-6682874677.b4326.com
193.169.87.247
 #21808  by korn36
 Sat Dec 28, 2013 7:54 am
Code:
hxxp://police-guardian.net/
Multilanguage. I ran a script which loops over a list of ISO 3166-1 alpha-2 country codes and checks if the header.jpg file for each country exists on the site.
Results: AU, AT, BE, BO, CA, CY, CZ, EC, FI, FR, DE, GR, HU, IE, IT, LV, MX, NL, NZ, NO, PL, PT, RO, SK, SI, ES, SE, CH, TR, GB.
Some screenshots: