A virus I got from a Multiply message

I just got an email from Multiply saying a guy named "zihemesujyje" (pretending to be one of my friends) wants me to watch a video, which is still loading...

A very clever trick, I might say. It's just an animated GIF file. See this...


Now, I want to see where it would send me if I (accidentally) clicked on the VDO.
I grabbed the link on the VDO; it says it'll send me to

Again, a clever trick to hide the real URL.

With a common tool like curl, I discovered the real URL is
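Here is how the same unwrapping can be done hop by hop from a script instead of by hand with curl. This is an added example, not the commands used in the post: it refuses to auto-follow redirects so every hop is visible, caps the chain so a redirect loop cannot spin forever, and hashes a downloaded payload without ever running it. The URLs and the raw response in the sample are constructed for illustration; the function names are mine.

```python
"""Trace where a disguised link really goes, one redirect at a time.

Added example (not from the original post). Nothing here executes what
the server returns; it only looks at status lines and Location headers.
"""
import hashlib
import urllib.error
import urllib.request
from urllib.parse import urljoin


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to auto-follow 3xx responses so each hop is reported separately."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # returning None makes urllib raise HTTPError for the 3xx


def parse_status_and_location(raw_response: str):
    """Parse the status code and Location header out of raw HTTP response text.

    Works on what `curl -i` / `curl -I` prints. Header names are matched
    case-insensitively. Returns (status_code, location_or_None).
    """
    head = raw_response.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
            break
    return status, location


def resolve_hop(base_url: str, location: str) -> str:
    """Make a relative Location (allowed by RFC 7231) absolute against the page that sent it."""
    return urljoin(base_url, location)


def next_hop(url: str, timeout: float = 10.0):
    """HEAD one URL (network access) and return (status, absolute_next_url_or_None)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, None  # 2xx: this is the final page
    except urllib.error.HTTPError as err:
        loc = err.headers.get("Location")
        return err.code, resolve_hop(url, loc) if loc else None


def trace_chain(start_url: str, max_hops: int = 10):
    """Follow redirects hop by hop; stop on a non-redirect, a loop, or max_hops."""
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, nxt = next_hop(url)
        if nxt is None or not 300 <= status < 400:
            break
        if nxt in chain:  # redirect loop: record nothing further and stop
            break
        chain.append(nxt)
        url = nxt
    return chain


def md5_hex(data: bytes) -> str:
    """Hash a saved payload so it can be compared with a scanner report (never run it)."""
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    # Constructed sample of what `curl -I` returns from a redirector (not real data).
    sample = ("HTTP/1.1 302 Found\r\n"
              "Server: nginx\r\n"
              "Location: /landing/video.html\r\n"
              "Content-Length: 0\r\n\r\n")
    status, loc = parse_status_and_location(sample)
    print(status, resolve_hop("http://redirector.example/go?id=1", loc))
    # Live use (needs network): print(trace_chain("http://redirector.example/go?id=1"))
```

Two caveats worth keeping in mind: some redirectors answer a HEAD differently from a GET, and a `<meta http-equiv="refresh">` or JavaScript redirect inside the page body will not show up here at all, so the last hop this reports may still not be the final destination.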

I then did a search on Google to see what the heck "" is.
There were none!

Digging into the domain, it's registered in (Marina Del Rey, CA, US)

But that doesn't tell me anything.

So... the only thing I can do is... go to the page.

OK, now let's see what'll happen if I go there.

A large fake video web page that does not allow me to go anywhere else or click Cancel.
It'll show the popup all the time.

I have no choice but to click "OK" to download.

A file named "divxplayer.exe" was then downloaded to my computer, waiting for me to run it.
(MD5: 0xD92EC5F2F4215737A8BC62B47E50DDAC)

Unfortunately? I'm not gonna run it, of course.

But I sent it in to be checked.

Here are some results that I can piece together.

  • This program searches for phone book files (*.pbk) and tries to set up RAS (Remote Access Service) to establish some kind of dial-up connection.
  • This program searches for files in the paths of several major programs, e.g. Adobe Acrobat, MS Office, IE, mIRC, etc., then does some damage to them.
  • To set itself to autorun at startup, it modifies the following registry keys:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\Setup\Files
  • Somehow, it manages to connect outside, to:
    • IP:
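Since the report above names the autorun keys the file touches, here is a small audit of those keys for entries pointing at a freshly dropped executable. This is an added example and not part of the post or its sandbox report. The registry read itself only works on Windows (the `winreg` module); the scoring heuristics are plain Python so they can be checked anywhere, and the suspicious-directory patterns, the known-bad file name list and the sample entries are my own assumptions, constructed for illustration.

```python
"""Audit the HKLM autorun keys named in the sandbox report.

Added example (not from the original post). On Windows it reads the real
keys; elsewhere it runs the same scoring over constructed sample entries.
"""
import ntpath
import re
import sys

# The three keys the report lists, all under HKEY_LOCAL_MACHINE.
AUTORUN_KEYS = [
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"SOFTWARE\Microsoft\MediaPlayer\Setup\Files",
]

# Assumed heuristic: directories where a just-downloaded payload usually lands.
SUSPICIOUS_DIRS = re.compile(
    r"(\\temp\\|\\tmp\\|\\downloads\\|\\appdata\\|\\documents and settings\\[^\\]+\\)",
    re.IGNORECASE,
)


def extract_image_path(command: str) -> str:
    """Pull the executable out of a Run value such as '"C:\\x\\a.exe" /s' or 'C:\\x\\a.exe -q'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def score_entry(name: str, command: str, known_bad_names=("divxplayer.exe",)):
    """Return the reasons an entry looks suspicious (empty list = nothing found)."""
    reasons = []
    image = extract_image_path(command)
    base = ntpath.basename(image).lower()  # ntpath: handle Windows paths on any OS
    if base in known_bad_names:
        reasons.append(f"image name {base!r} matches a known dropped file")
    if SUSPICIOUS_DIRS.search(image):
        reasons.append("image lives in a temp/download/profile directory")
    if image and not ntpath.splitext(image)[1]:
        reasons.append("image has no extension (hides what it is)")
    return reasons


def read_autorun_entries():
    """Windows only: yield (subkey, value_name, command) for every value in AUTORUN_KEYS."""
    import winreg  # imported lazily; the module does not exist off Windows
    for sub in AUTORUN_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as key:
                i = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, i)
                    except OSError:  # raised once the values are exhausted
                        break
                    yield sub, name, str(value)
                    i += 1
        except FileNotFoundError:  # key absent on this machine
            continue


def audit(entries):
    """Score (subkey, name, command) triples; return only the flagged ones with their reasons."""
    flagged = []
    for sub, name, command in entries:
        reasons = score_entry(name, command)
        if reasons:
            flagged.append((sub, name, command, reasons))
    return flagged


# Constructed sample entries (assumed, not taken from the post's report).
SAMPLE_ENTRIES = [
    (AUTORUN_KEYS[0], "SecurityHealth", r'"C:\Program Files\Windows Defender\MSASCuiL.exe"'),
    (AUTORUN_KEYS[0], "divx", r'"C:\Documents and Settings\user\Local Settings\Temp\divxplayer.exe" /silent'),
    (AUTORUN_KEYS[2], "mplayer", r"C:\WINDOWS\Temp\svchost"),
]

if __name__ == "__main__":
    source = read_autorun_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for sub, name, command, reasons in audit(source):
        print(f"HKLM\\{sub}\\{name} -> {command}\n    " + "; ".join(reasons))
```

A clean Defender entry under Program Files scores nothing; the sample "divx" value is flagged both for its file name and for living under a user's Temp directory. The heuristics are deliberately simple and will miss a payload copied into a system directory under a plausible name, so treat a clean result as "nothing obvious" rather than "nothing there".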

Surprisingly, only 12 AVs out of 42 are able to detect it as a virus.

I guess it's quite new.

So, I don't have much to say, only "Be careful" with anything you can click.
