I need confirmation or not of logic bomb virus
He thinks his computer is infected.
Waiting for a phone call.
The .php script redirects to vulnerabilityremedyactivity.info
I now have a popup telling me Windows Antivirus 2012 has found critical process activity... blah, blah...
Click OK to scan.
OK then....
Of course!
I'll test the dropper on my live test box soon, but for now MBAM detects the file as:
DETECTION C:\Documents and Settings\All Users\Desktop\setup.exe Trojan.FakeAlert
Incidentally, it initially blocked the IP range of the redirection.
7/42 at VT.
https://www.virustotal.com/file/8b6927edd7d05d0cef54736f550dba10ec046bd30f3b9d30a7ac84390f434da2/analysis/1337114685/
PE Imports....................:
Is the stuff below that line what it dumps on the target system?
No. They're the DLL function calls it imports.
http://en.wikipedia.org/wiki/Portable_Executable#Import_Table
Take the first one - oleaut32.dll VariantChangeTypeEx
http://msdn.microsoft.com/en-us/library/windows/desktop/ms221634%28v=vs.85%29.aspx
One thing I am curious about is why his email prog was hijacked. I thought that fake AVs were there for the express reason of extorting money from the victim.
Was the email hijacker in the fake AV payload or a secondary infection?
He says he has eradicated the problem. I'm not so sure. It was his daughter's fault apparently, on some music download site. AOL warned him that his email prog had probably been compromised. He definitely did not send this rogue email.
It's hard to say anything as we don't know what he was infected with, he may have been infected with something entirely different.
The .php script in the OP is redirecting to different named domains (last one was netscannerinformation.info) and delivering repacked files to avoid detection by AVs.
With the one I have, the main executable dropped by the payload is protector-****.exe (where **** is random), dropped to %appdata%, loads from the HKCU\..\Run key and runs as Windows Secure Surfer.
It uses IFEO to prevent security software from running & disables Task Manager & Regedit.
http://www.threatexpert.com/report.aspx?md5=15e1fb92a3c6b89433d77f4682d188090
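As an added illustration of the indicators described in this post (not code from the thread or the ThreatExpert report), the following Python script parses a constructed `reg export` dump and flags the three traits named above: a Run-key autostart out of %appdata%, an IFEO `Debugger` entry that hijacks a named image, and the policy values that disable Task Manager and Regedit. The image name under IFEO and the file name protector-kzqa.exe are made up.

```python
import re
# Constructed `reg export` sample (not from the thread); the protector-****.exe
# drop, IFEO entry and disabled tools mirror the behaviour described above.
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
"Windows Secure Surfer"="C:\\Users\\bob\\AppData\\Roaming\\protector-kzqa.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="svchost.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
"""
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" + "\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: str_or_int}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, s, dw = m.groups()
            # .reg files double every backslash inside string values.
            current[name] = int(dw, 16) if dw is not None else s.replace("\\\\", "\\")
    return keys

def find_indicators(keys):
    """Return human-readable findings for the traits described in the thread."""
    findings = []
    # Autostart entries launched from the roaming profile (the %appdata% drop).
    for name, cmd in keys.get(RUN_KEY, {}).items():
        if "\\appdata\\roaming\\" in str(cmd).lower():
            findings.append(f"run-key autostart from %appdata%: {name} -> {cmd}")
    # An IFEO 'Debugger' value makes Windows start that program instead of the image.
    for key, vals in keys.items():
        if key.startswith(IFEO_PREFIX) and "Debugger" in vals:
            findings.append(f"IFEO hijack: {key[len(IFEO_PREFIX):]} -> {vals['Debugger']}")
    # Policy flags that lock the user out of Task Manager and Regedit.
    for flag in ("DisableTaskMgr", "DisableRegistryTools"):
        if keys.get(POLICY_KEY, {}).get(flag) == 1:
            findings.append(f"policy {flag}=1")
    return findings
```

On a live machine the same checks can be run against `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run` output and the matching HKLM IFEO export; entries under Program Files, as with the OneDrive value here, are not flagged.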