aztecx Posted May 21, 2009

I believe there may have been 3 viruses that were attached to the infected file I executed, but here are samples of two of them. One is a dump while the other is just the original file that was copied into the temp folder at execution. Anyways, I've attached a rar file with the two infected files. Anyone that collects malware, enjoy.

Anyways, I'm still in the process of trying to remove it, so hopefully I don't run into any big difficulties.

PASS - aztecx

Malware.rar
CodeExplorer Posted May 21, 2009 (edited)

You may want to rename your file from exe to vir or something, just to make sure that nobody will infect their computer!

Dumped - Trojan.Fakealert.3753 ?
http://www.virustotal.com/ro/analisis/a8d7...e0dc1933e1c238d
http://virusscan.jotti.org/en/scanresult/4...2a39780400da1db

silent.vir:
http://www.virustotal.com/ro/analisis/cde6...3114f386f64ae02

threatexpert on Dumped.vir:
http://www.threatexpert.com/report.aspx?md...de850ebb098cf33

threatexpert on silent.vir:
http://www.threatexpert.com/report.aspx?md...5961f1806b515d1

Edited May 21, 2009 by CodeRipper
aztecx Posted May 21, 2009 Author (edited)

Ok, I'm pretty sure I've removed it completely. Anyways, one of the viruses actually makes changes to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

and modifies two registry entries in there to make sure you aren't able to change your desktop background. This didn't actually show up in anubis, which kind of sucks.

All my restore points have been deleted by the virus and the only one in existence has been created after infection.

The virus makes a number of connection attempts to one domain and one IP address. (and no I was not downloading p**n haha)

www.lovelyp**novideo.net

206.51.235.145

Edited May 21, 2009 by aztecx
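A triage check for the two things the post reports, the modified policy key and the deleted restore points, as an added PowerShell example that is not part of the thread or the poster's own work; the value names Wallpaper, WallpaperStyle and NoDispBackgroundPage are an assumption about which entries a wallpaper lock would touch, since the post does not name the two values, and the IP address in the connection check is the one quoted in the post.

```powershell
# Added triage example, not from the original post. Run in an elevated
# Windows PowerShell session (Get-ComputerRestorePoint needs admin rights).

# The policy key named in the post.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Assumption: value names used by the Desktop Wallpaper policy. The post
# does not say which two values the trojan changed, so treat every value
# under this key on an unmanaged home PC as worth a look.
$WallpaperValues = @('Wallpaper', 'WallpaperStyle', 'NoDispBackgroundPage')

function Get-PolicySystemValues {
    if (-not (Test-Path $PolicyKey)) {
        return "Policy key absent: nothing is restricting the desktop here."
    }
    $item = Get-ItemProperty -Path $PolicyKey
    foreach ($p in $item.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... members PowerShell adds itself.
        if ($p.Name -like 'PS*') { continue }
        $flag = if ($WallpaperValues -contains $p.Name) { '  <-- wallpaper restriction' } else { '' }
        '{0} = {1}{2}' -f $p.Name, $p.Value, $flag
    }
}

function Get-RestorePointSummary {
    # The post says every pre-infection restore point was wiped; a list
    # with a single recent entry matches that symptom.
    $points = Get-ComputerRestorePoint
    if (-not $points) { return 'No restore points exist.' }
    foreach ($rp in $points) {
        '{0}  {1}  {2}' -f $rp.SequenceNumber,
            $rp.ConvertToDateTime($rp.CreationTime), $rp.Description
    }
}

function Get-SuspectConnections {
    # IP quoted in the post; replace with your own indicator when reusing this.
    param([string]$RemoteIp = '206.51.235.145')
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -eq $RemoteIp } |
        Select-Object LocalAddress, LocalPort, RemotePort, State, OwningProcess
}

'== Policies\System values =='; Get-PolicySystemValues
'== Restore points =='; Get-RestorePointSummary
'== Connections to the reported IP =='; Get-SuspectConnections
```

Get-NetTCPConnection is only available on Windows 8/Server 2012 and later; on the XP-era systems of this thread, `netstat -ano` is the equivalent check.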
CodeExplorer Posted May 22, 2009

I sent these viruses to Kaspersky and here is the result:

Dumped.vir: This file is corrupted.
silent.vir: Trojan-Downloader.Win32.Delf.ppy

silent.vir is a trojan, so there is nothing to clean from that file: the whole file is malicious!