I need confirmation or not of logic bomb virus
Comments
Latest news:
He thinks his computer is infected.
Waiting for phone call.
Latest news:
He thinks his computer is infected.
Waiting for phone call.

Send him along :cool:
The .php script redirects to vulnerabilityremedyactivity.info
I now have a popup telling me Windows Antivirus 2012 has found critical process activity... blah, blah...
Click OK to scan.
OK then....
Of course!
I'll test the dropper on my live test box soon, but for now MBAM detects the file as:
DETECTION C:\Documents and Settings\All Users\Desktop\setup.exe Trojan.FakeAlert
Incidentally, it initially blocked the IP range of the redirection.
7/42 at VT.
https://www.virustotal.com/file/8b6927edd7d05d0cef54736f550dba10ec046bd30f3b9d30a7ac84390f434da2/analysis/1337114685/
PE Imports....................:
Is the stuff below that line what it dumps on the target system?
No. They're the DLL function calls it imports.
http://en.wikipedia.org/wiki/Portable_Executable#Import_Table
Take the first one - oleaut32.dll VariantChangeTypeEx
http://msdn.microsoft.com/en-us/library/windows/desktop/ms221634%28v=vs.85%29.aspx
The .php script redirects to vulnerabilityremedyactivity.info
I now have a popup telling me Windows Antivirus 2012 has found critical process activity... blah, blah...
Click OK to scan.
OK then....
One thing I am curious about is why his email program was hijacked. I thought that fake AVs were there for the express reason of extorting money from the victim.
Was the email hijacker in the fake AV payload or a secondary infection?
He says he has eradicated the problem. I'm not so sure. It was his daughter's fault apparently, on some music download site. AOL warned him that his email program had probably been compromised. He definitely did not send this rogue email.
It's hard to say anything, as we don't know what he was infected with; he may have been infected with something entirely different.
The .php script in the OP is redirecting to differently named domains (the last one was netscannerinformation.info) and delivering repacked files to avoid detection by AVs.
With the one I have, the main executable dropped by the payload is protector-****.exe (where **** is random), dropped to %appdata%; it loads from the HKCU/../Run key and runs as "Windows Secure Surfer".
It uses IFEO to prevent security software from running and disables Task Manager and Regedit.
http://www.threatexpert.com/report.aspx?md5=15e1fb92a3c6b89433d77f4682d188090
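The three persistence and tampering spots named in the post above (an HKCU Run entry loading from %appdata%, IFEO "Debugger" redirection against security tools, and the policy values that disable Task Manager and Regedit) can be audited from an elevated PowerShell prompt. This is an added defender-side example, not code from the thread or from any tool it mentions; the "protector-" name pattern and the "Windows Secure Surfer" string are taken from the post purely as illustrative matches, and the script assumes PowerShell 5.1 or later.

```powershell
# Added example: audit the persistence/tampering locations described in the thread.
# Assumption: run in an elevated PowerShell 5.1+ session on the suspect machine.

$findings = @()

# 1. Image File Execution Options: a "Debugger" value under an <exe>.exe subkey makes
#    Windows start that "debugger" instead of the program; fake AVs abuse it to stop
#    security tools from launching. Legitimate entries (e.g. developer debuggers) exist,
#    so check where each Debugger path points before acting on it.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += [pscustomobject]@{ Area = 'IFEO'; Item = $_.PSChildName; Data = $dbg }
    }
}

# 2. Per-user Run key: the sample in the thread loads protector-****.exe from %APPDATA%.
$run   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
if ($props) {
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |   # drop the provider's own PS* metadata
        ForEach-Object {
            $cmd = [string]$_.Value
            $suspicious = ($cmd -like "*$env:APPDATA*") -or
                          ($cmd -match 'protector-\w+\.exe') -or
                          ($_.Name -like '*Secure Surfer*')
            if ($suspicious) {
                $findings += [pscustomobject]@{ Area = 'HKCU Run'; Item = $_.Name; Data = $cmd }
            }
        }
}

# 3. Policy values that disable Task Manager and Regedit (set to 1 by the sample).
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
    $v = (Get-ItemProperty -Path $pol -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1) {
        $findings += [pscustomobject]@{ Area = 'Policy'; Item = $name; Data = $v }
    }
}

if ($findings.Count -eq 0) {
    'No IFEO debuggers, suspicious HKCU Run entries, or tool-disabling policies found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Anything the script lists should be cross-checked against the ThreatExpert report and a second scanner before removal, since an IFEO Debugger entry on its own is not proof of infection.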