
11/09/2010

A virus I got from Multiply's message

I just got an email from Multiply, saying a guy named "zihemesujyje" (pretending to be one of my friends) wants me to watch a video, which is still loading...

A very clever trick, I might say. It's just an animated GIF file. See this...

Interesting...

Now, I want to see where it would send me if I (accidentally) clicked on the video.
I grabbed the link on the video; it says it'll send me to http://bit.ly/9hrxN3

Hmm... "bit.ly"
Again, a clever trick to hide the real URL.

With a common tool like curl, I discovered the real URL is http://fullstreamnow.electronica2000.org/video2/video.php?q=1289206918
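The way to expand a shortener link without ever loading the page it points to is to ask only for the response headers and read the Location header yourself, one hop at a time. The following script is an added example and is not part of the original post; it assumes curl is installed, that the shortener answers HEAD requests with a redirect (most do, but some sites only redirect on GET), and the hostnames in the comments are placeholders:

```shell
#!/bin/sh
# Expand a shortened URL hop by hop using HEAD requests only (curl -I),
# so the final page body (and anything it auto-downloads) is never fetched.

# extract_location: read raw HTTP response headers on stdin and print the
# value of the first Location header (case-insensitive), or nothing if absent.
extract_location() {
    tr -d '\r' | awk 'tolower($1) == "location:" {
        sub(/^[^:]*:[ \t]*/, "");   # strip "Location:" and leading blanks
        print
        exit
    }'
}

# unshorten URL [MAX_HOPS]: follow Location headers manually, printing each
# hop, and finally print the last URL reached. The hop limit guards against
# redirect loops; the default of 5 is an arbitrary choice for this example.
unshorten() {
    url=$1
    hops=${2:-5}
    while [ "$hops" -gt 0 ]; do
        # -s: quiet, -I: HEAD request only, --max-time: do not hang on a dead host
        next=$(curl -s -I --max-time 10 "$url" | extract_location)
        [ -z "$next" ] && break
        printf '%s -> %s\n' "$url" "$next" >&2
        url=$next
        hops=$((hops - 1))
    done
    printf '%s\n' "$url"
}

# Usage: sh unshorten.sh http://bit.ly/9hrxN3
# Only runs when a URL is given on the command line, so the functions can be
# sourced or tested without touching the network.
if [ $# -gt 0 ]; then
    unshorten "$1"
fi
```

Each hop is printed to stderr and the final URL to stdout, so the chain can be logged while the last URL is piped on to whatever comes next (a WHOIS lookup, a blocklist check). If a shortener returns no Location for a HEAD request, the loop stops at that URL rather than fetching the page with GET; that is deliberate, since fetching the landing page is exactly what the analyst is trying to avoid.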

I then did a search on Google to see what the heck "electronica2000.org" is.
There was nothing!

Digging into the domain electronica2000.org, it's registered at
209.51.195.117 (Marina Del Rey, CA, US)

But that doesn't tell me anything.

So... the only thing I can do is... go to the page.

OK, now let's see what'll happen if I go there.

A large fake video web page that does not allow me to go anywhere else or click Cancel.
It shows a popup all the time.

I have no choice but to click "OK" to download.

A file named "divxplayer.exe" is then downloaded onto my computer, waiting for me to run it.
(MD5: 0xD92EC5F2F4215737A8BC62B47E50DDAC)


Unfortunately (?), I'm not going to run it, of course.

But I sent it off to be checked.


Here are some results that I could piece together.

  • This program searches for phone book files (*.pbk) and tries to set up RAS (Remote Access Service) to establish some kind of dial-up connection
  • This program searches for files in several major software paths, e.g. Adobe Acrobat, MS Office, IE, mIRC, etc., then does some damage to them
  • It sets itself to autorun at startup by modifying the following Registry keys:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\Setup\Files
  • Somehow, it manages to connect to the outside, to http://http-star.tk/httpss/v=78&step=2&hostid=ECCB2C6A77FA57971BADB6A24FDB1C34
    • IP: 69.64.63.224

Surprisingly, only 12 of 42 AVs can detect it as a virus.

I guess it's quite new.

So, I don't have much to say, only "Be careful" with anything you click.
