The Analysis of Mystery Web Attack Hijacks Your Clipboard
Recently, The Register reported "Mystery web attack hijacks your clipboard". What actually happened? The conclusion is that the attacker tries to lure users into installing fake antivirus software, and most people guess that the attacker uses a vulnerability in Adobe Flash to do it.
When the link (first picture) is clicked, the following screens are displayed:

When it is clicked, Wireshark captures the files downloaded, as shown below:
==The following focuses on Web Reputation Service Testing==
Google Search CANNOT find it, as shown below:
McAfee SiteAdvisor CANNOT find it, as shown below:
Trend Micro WRS CANNOT find it, as shown below:
Finjan URL analysis CAN find it, as shown below:
Dr.Web URL analysis CANNOT find it, as shown below:
Exploit Prevention Labs's LinkScanner CANNOT find it, as shown below:
Symantec Safe Web CANNOT find it, as shown below:
==The following focuses on AV Scanner Testing==
File AV2009Install_77011807.exe received on 08.17.2008 09:39:49 (CET)
Result: 8/36 (22.22%)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.15.0 2008.08.15 -
AntiVir 7.8.1.19 2008.08.16 -
Authentium 5.1.0.4 2008.08.16 -
Avast 4.8.1195.0 2008.08.15 -
AVG 8.0.0.161 2008.08.16 Downloader.FraudLoad.E
BitDefender 7.2 2008.08.17 Trojan.FakeAlert.Gen.1
CAT-QuickHeal 9.50 2008.08.16 -
ClamAV 0.93.1 2008.08.16 -
DrWeb 4.44.0.09170 2008.08.17 -
eSafe 7.0.17.0 2008.08.14 -
eTrust-Vet 31.6.6035 2008.08.15 -
Ewido 4.0 2008.08.16 -
F-Prot 4.4.4.56 2008.08.16 -
F-Secure 7.60.13501.0 2008.08.17 Trojan-Downloader.Win32.FraudLoad.vbef
Fortinet 3.14.0.0 2008.08.17 -
GData 2.0.7306.1023 2008.08.16 Trojan-Downloader.Win32.FraudLoad.vbef
Ikarus T3.1.1.34.0 2008.08.17 -
K7AntiVirus 7.10.417 2008.08.15 -
Kaspersky 7.0.0.125 2008.08.17 Trojan-Downloader.Win32.FraudLoad.vbef
McAfee 5362 2008.08.15 -
Microsoft 1.3807 2008.08.17 -
NOD32v2 3361 2008.08.16 a variant of Win32/Adware.XPAntivirus
Norman 5.80.02 2008.08.15 -
Panda 9.0.0.4 2008.08.16 -
PCTools 4.4.2.0 2008.08.16 -
Prevx1 V2 2008.08.17 Fraudulent Security Program
Rising 20.57.61.00 2008.08.17 -
Sophos 4.32.0 2008.08.17 -
Sunbelt 3.1.1546.1 2008.08.15 -
Symantec 10 2008.08.16 AntiVirus2009
TheHacker 6.3.0.3.046 2008.08.13 -
TrendMicro 8.700.0.1004 2008.08.16 -
VBA32 3.12.8.3 2008.08.15 -
ViRobot 2008.8.16.1338 2008.08.16 -
VirusBuster 4.5.11.0 2008.08.16 -
Webwasher-Gateway 6.6.2 2008.08.17 -
Additional information
File size: 123904 bytes
MD5...: 978e985fc9f6e206fe9622ba42dc3d56
SHA1..: a8b20d587d62e34865814053c8f87574e1ffe790
SHA256: a53458279fa483236a453d7abdc718de69c361198f09a74a9a1b44d259f573ad
SHA512: 392bd1b0fe6b93a7df153e0faf25e0dd0ac68b38bae642a8061e459b2942d26ad168fcb8ddf6d5d3e09437d539f476aab5809a2745f617ff7b6ee30e23e22e4a
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x401210
timedatestamp.....: 0x45beb2d0 (Tue Jan 30 02:52:00 2007)
machinetype.......: 0x14c (I386)
( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x57af 0x5800 5.19 922e2eb51ad64e063aa3d5aa5876de09
.data 0x7000 0x11557 0x11600 7.59 49b48fe56d5a4dcb86a792659875b88a
.tls 0x19000 0xdd 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b
.rdata 0x1a000 0x18 0x200 0.23 735b48446022cb7f0d9c4163b238a9be
.idata 0x1b000 0x5a0 0x600 3.29 97c93ffb47f18bb84d88652306581d5e
.rsrc 0x1c000 0xf4a3 0x6600 5.76 0d0781c1bba73476a7428d3a1667a138
( 2 imports )
> KERNEL32.DLL: CreateProcessA, GetCommandLineA, DeleteAtom, GetFileSize, GetCPInfo, GetComputerNameA, ReadConsoleA, Sleep, WriteFile, OpenFile, GlobalFree, GetFileTime, DeleteFileW, ExitThread, FindFirstFileA, GetConsoleMode, DeleteFileA, SetLastError, OpenFileMappingA, FindAtomA, ReadFile, GetLastError
> USER32.DLL: LoadCursorA, GetCursor, DrawIconEx, CreateIcon, GetFocus, DialogBoxParamW, CopyRect, InsertMenuA, GetWindowTextA, DrawIcon
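The section table above already carries the two numbers a triager looks at first: the per-section entropy ("ntrpy", in bits per byte) and the gap between virtual and raw size. The following is an added example, not code from the original post or from the sample: it re-implements the entropy measurement and applies two rule-of-thumb checks (entropy above 7.0, virtual size larger than raw size) to the section data copied from the page. The thresholds are my assumptions, not something the page states.

```python
"""Added example (not from the original post): section-level triage heuristics
over the PEInfo table shown above. Section data is copied from the page; the
thresholds (entropy > 7.0, virtual size > raw size) are assumed rules of thumb."""
import math

# (name, virtual_address, virtual_size, raw_size, entropy) as listed on the page
SECTIONS = [
    (".text",  0x1000,  0x57af,  0x5800,  5.19),
    (".data",  0x7000,  0x11557, 0x11600, 7.59),
    (".tls",   0x19000, 0xdd,    0x200,   0.00),
    (".rdata", 0x1a000, 0x18,    0x200,   0.23),
    (".idata", 0x1b000, 0x5a0,   0x600,   3.29),
    (".rsrc",  0x1c000, 0xf4a3,  0x6600,  5.76),
]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the scale of the
    'ntrpy' column above."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    # sum() starts from int 0, so an all-zero buffer yields 0.0 rather than -0.0
    return sum(-(c / n) * math.log2(c / n) for c in counts if c)


def flag_sections(sections, entropy_threshold=7.0):
    """Return {section_name: [reasons]} for sections that deserve a closer look."""
    findings = {}
    for name, _va, vsize, rsize, entropy in sections:
        reasons = []
        if entropy > entropy_threshold:
            reasons.append(f"high entropy {entropy:.2f} (packed or encrypted payload?)")
        if vsize > rsize:
            reasons.append(f"virtual size 0x{vsize:x} exceeds raw size 0x{rsize:x} "
                           "(filled at runtime, or the on-disk copy is short)")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    # Constructed sanity inputs: an all-zero buffer gives 0.00 (cf. .tls above),
    # every byte value once gives the 8.00 ceiling.
    print(round(shannon_entropy(bytes(0x200)), 2))
    print(round(shannon_entropy(bytes(range(256))), 2))
    for sec, why in flag_sections(SECTIONS).items():
        print(sec, "->", "; ".join(why))
```

Run against the table from the page, the checks single out `.data` (7.59 bits per byte, close to the 8.0 ceiling of random data) and `.rsrc` (0xf4a3 virtual versus 0x6600 raw). Together with the sparse and oddly chosen import list (ReadConsoleA, DeleteAtom, FindAtomA for what presents itself as a GUI installer), that is consistent with the real code being unpacked from `.data` at runtime; treating the 2007 timestamp as the build date is also unsafe, since it is trivially forged.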
After executed, it has the following behaviors:
[Added process]
C:\Program Files\AV9\av2009.exe
[Modified service]
NAME: srservice
DISPLAY: System Restore Service (Turn off system restore service)
STATUS: SERVICE_STOPPED
FILE: C:\WINDOWS\System32\svchost.exe-1 -k netsvcs
[Added file]
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk
C:\Documents and Settings\Administrator\Desktop\Antivirus 2009.lnk
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\_freescan[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\winsystem[2].dll
C:\Documents and Settings\Administrator\Start Menu\Antivirus 2009\Antivirus 2009.lnk
C:\Documents and Settings\Administrator\Start Menu\Antivirus 2009\Uninstall Antivirus 2009.lnk
C:\Program Files\AV9\av2009.exe
C:\RECYCLER\S-1-5-21-515967899-583907252-839522115-500\Dc11.exe
C:\WINDOWS\system32\ieupdates.exe
C:\WINDOWS\system32\scui.cpl
C:\WINDOWS\system32\winsrc.dll
[Added COM/BHO]
{037C7B8A-151A-49E6-BAED-CC05FCB50328}-C:\WINDOWS\system32\winsrc.dll
[Added registry]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value=67760428610125642112784689834240
Data=C:\Program Files\AV9\av2009.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value=ieupdate
Data="C:\WINDOWS\system32\ieupdates.exe"
HKU\S-1-5-21-515967899-583907252-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run
Value=67760428610125642112784689834240
Data=C:\Program Files\AV9\av2009.exe
HKU\S-1-5-21-515967899-583907252-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run
Value=ieupdate
Data="C:\WINDOWS\system32\ieupdates.exe"
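The behavior report above is the useful artifact for the people asking in the comments how to tell whether a machine is infected: the dropped files, the BHO CLSID and the two Run values are host indicators that can be checked mechanically. Below is an added example, not code from the original post or from any sandbox: it parses the report format shown above (the report text is copied from the page, minus the HKU duplicates), flags Run values that look like persistence, and compares the indicators against a constructed host snapshot. The parser, the snapshot and the "long numeric value name" heuristic are my own assumptions.

```python
"""Added example, not from the original post: parse the sandbox behavior
report above into indicators and check them against a host snapshot.
Report lines are copied from the page; the parser, the constructed host
snapshot and the numeric-value-name heuristic are assumptions of this example."""
import re

# Copied from the behavior report above (subset). The service and process
# sections are kept to show that the parser skips them.
REPORT = r"""
[Added process]
C:\Program Files\AV9\av2009.exe
[Modified service]
NAME: srservice
STATUS: SERVICE_STOPPED
[Added file]
C:\Program Files\AV9\av2009.exe
C:\WINDOWS\system32\ieupdates.exe
C:\WINDOWS\system32\scui.cpl
C:\WINDOWS\system32\winsrc.dll
[Added COM/BHO]
{037C7B8A-151A-49E6-BAED-CC05FCB50328}-C:\WINDOWS\system32\winsrc.dll
[Added registry]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value=67760428610125642112784689834240
Data=C:\Program Files\AV9\av2009.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value=ieupdate
Data="C:\WINDOWS\system32\ieupdates.exe"
"""


def parse_report(text):
    """Return {'files': [...], 'bho': [(clsid, dll)], 'run': [{'key','value','data'}]}."""
    iocs = {"files": [], "bho": [], "run": []}
    section = key = None
    entry = {}
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        hdr = re.fullmatch(r"\[(?:Added|Modified) (.+)\]", line)
        if hdr:
            section = hdr.group(1).lower()
            continue
        if section == "file":
            iocs["files"].append(line)
        elif section == "com/bho":
            clsid, _, dll = line.partition("}-")
            iocs["bho"].append((clsid + "}", dll))
        elif section == "registry":
            if line.startswith("Value="):
                entry = {"key": key, "value": line[len("Value="):]}
            elif line.startswith("Data=") and entry:
                entry["data"] = line[len("Data="):].strip('"')
                iocs["run"].append(entry)
            else:
                key = line  # a registry key path starts a new key/Value/Data triple
        # 'process' and 'service' sections are not turned into IOCs here
    return iocs


def suspicious_run_entries(iocs):
    """Heuristic (assumption): flag Run values with a long purely numeric name,
    like the 32-digit one above, or whose target is one of the dropped files."""
    dropped = {p.lower() for p in iocs["files"]}
    flagged = []
    for e in iocs["run"]:
        reasons = []
        if re.fullmatch(r"\d{16,}", e["value"]):
            reasons.append("random numeric value name")
        if e["data"].lower() in dropped:
            reasons.append("target is a dropped file")
        if reasons:
            flagged.append((e["value"], reasons))
    return flagged


# Constructed snapshot of a hypothetical host, shaped the way a live collector
# would hand it over: file paths lower-cased, Run values keyed by value name.
HOST = {
    "files": {r"c:\windows\system32\ieupdates.exe", r"c:\windows\system32\calc.exe"},
    "run": {"ieupdate": r"C:\WINDOWS\system32\ieupdates.exe",
            "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    "bho": {"{037C7B8A-151A-49E6-BAED-CC05FCB50328}"},
}


def match_host(iocs, host):
    """Return [(kind, indicator)] for every indicator present on the host."""
    hits = [("file", p) for p in iocs["files"] if p.lower() in host["files"]]
    hits += [("run", e["value"]) for e in iocs["run"]
             if host["run"].get(e["value"], "").lower() == e["data"].lower()]
    hits += [("bho", clsid) for clsid, _ in iocs["bho"] if clsid in host["bho"]]
    return hits


if __name__ == "__main__":
    iocs = parse_report(REPORT)
    for name, why in suspicious_run_entries(iocs):
        print(f"Run value {name!r}: {', '.join(why)}")
    for kind, indicator in match_host(iocs, HOST):
        print(f"hit: {kind} {indicator}")
```

Two caveats when reading the report itself. The HKU\S-1-5-21-...-500\...\Run entries are the same keys as the HKCU\...\Run entries, because HKCU is a link to HKU\<SID> of the logged-on user, so the four registry lines are two persistence points, not four. And the stopped srservice is the System Restore service, which is why rolling back to a restore point is not a reliable way to undo this sample.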
6 Comments:
Nice work, good to see the breakdown like this.
Excellent description.
My father has this on his PC, how should he go about removing it?
According to "After executed, it has the following behaviors", use Process Explorer (www.sysinternals.com) or GMER (http://www.gmer.net/gmer.zip) to remove the related files, registry entries, processes, etc.
I'm just a little confused, here. If I get that first faux-dialog pop-up, does that mean I already have this virus? Or does it just mean that I'll get it if I click "OK"?
When you see the faux-dialog pop-up, some components have already been installed into your system; you can check step by step according to "After executed, it has the following behaviors".
What's so funny about these fake antivirus products is the distinct lack of branding - who'd call their antivirus "XP 2009"? Thankfully for us they haven't bothered to use any real trademarks such as "Norton Antivirus" yet on their products....