Monday, August 18, 2008

The Analysis of Mystery Web Attack Hijacks Your Clipboard

Recently, The Register reported "Mystery web attack hijacks your clipboard". What happened? The conclusion is that the attacker tries to lure users into installing fake antivirus software, and most people guess the attacker uses an Adobe Flash vulnerability.

When the link is clicked (first picture), it displays the following screens:

When clicked, Wireshark captures the downloaded files as shown below:



==The following focuses on Web Reputation Service testing==

Google Search CANNOT find it as below:



McAfee SiteAdvisor CANNOT find it as below:



Trend Micro WRS CANNOT find it as below:



Finjan URL analysis CAN find it as below:



Dr.Web URL analysis CANNOT find it as below:



Exploit Prevention Labs's LinkScanner CANNOT find it as below:



Symantec Safe Web CANNOT find it as below:



==The following focuses on AV scanner testing==

File AV2009Install_77011807.exe received on 08.17.2008 09:39:49 (CET)

Result: 8/36 (22.22%)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.15.0 2008.08.15 -
AntiVir 7.8.1.19 2008.08.16 -
Authentium 5.1.0.4 2008.08.16 -
Avast 4.8.1195.0 2008.08.15 -
AVG 8.0.0.161 2008.08.16 Downloader.FraudLoad.E
BitDefender 7.2 2008.08.17 Trojan.FakeAlert.Gen.1
CAT-QuickHeal 9.50 2008.08.16 -
ClamAV 0.93.1 2008.08.16 -
DrWeb 4.44.0.09170 2008.08.17 -
eSafe 7.0.17.0 2008.08.14 -
eTrust-Vet 31.6.6035 2008.08.15 -
Ewido 4.0 2008.08.16 -
F-Prot 4.4.4.56 2008.08.16 -
F-Secure 7.60.13501.0 2008.08.17 Trojan-Downloader.Win32.FraudLoad.vbef
Fortinet 3.14.0.0 2008.08.17 -
GData 2.0.7306.1023 2008.08.16 Trojan-Downloader.Win32.FraudLoad.vbef
Ikarus T3.1.1.34.0 2008.08.17 -
K7AntiVirus 7.10.417 2008.08.15 -
Kaspersky 7.0.0.125 2008.08.17 Trojan-Downloader.Win32.FraudLoad.vbef
McAfee 5362 2008.08.15 -
Microsoft 1.3807 2008.08.17 -
NOD32v2 3361 2008.08.16 a variant of Win32/Adware.XPAntivirus
Norman 5.80.02 2008.08.15 -
Panda 9.0.0.4 2008.08.16 -
PCTools 4.4.2.0 2008.08.16 -
Prevx1 V2 2008.08.17 Fraudulent Security Program
Rising 20.57.61.00 2008.08.17 -
Sophos 4.32.0 2008.08.17 -
Sunbelt 3.1.1546.1 2008.08.15 -
Symantec 10 2008.08.16 AntiVirus2009
TheHacker 6.3.0.3.046 2008.08.13 -
TrendMicro 8.700.0.1004 2008.08.16 -
VBA32 3.12.8.3 2008.08.15 -
ViRobot 2008.8.16.1338 2008.08.16 -
VirusBuster 4.5.11.0 2008.08.16 -
Webwasher-Gateway 6.6.2 2008.08.17 -

Additional information
File size: 123904 bytes
MD5: 978e985fc9f6e206fe9622ba42dc3d56
SHA1: a8b20d587d62e34865814053c8f87574e1ffe790
SHA256: a53458279fa483236a453d7abdc718de69c361198f09a74a9a1b44d259f573ad
SHA512: 392bd1b0fe6b93a7df153e0faf25e0dd0ac68b38bae642a8061e459b2942d26ad168fcb8ddf6d5d3e09437d539f476aab5809a2745f617ff7b6ee30e23e22e4a
PEiD: -
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x401210
timedatestamp: 0x45beb2d0 (Tue Jan 30 02:52:00 2007)
machinetype: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x57af 0x5800 5.19 922e2eb51ad64e063aa3d5aa5876de09
.data 0x7000 0x11557 0x11600 7.59 49b48fe56d5a4dcb86a792659875b88a
.tls 0x19000 0xdd 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b
.rdata 0x1a000 0x18 0x200 0.23 735b48446022cb7f0d9c4163b238a9be
.idata 0x1b000 0x5a0 0x600 3.29 97c93ffb47f18bb84d88652306581d5e
.rsrc 0x1c000 0xf4a3 0x6600 5.76 0d0781c1bba73476a7428d3a1667a138

( 2 imports )
> KERNEL32.DLL: CreateProcessA, GetCommandLineA, DeleteAtom, GetFileSize, GetCPInfo, GetComputerNameA, ReadConsoleA, Sleep, WriteFile, OpenFile, GlobalFree, GetFileTime, DeleteFileW, ExitThread, FindFirstFileA, GetConsoleMode, DeleteFileA, SetLastError, OpenFileMappingA, FindAtomA, ReadFile, GetLastError
> USER32.DLL: LoadCursorA, GetCursor, DrawIconEx, CreateIcon, GetFocus, DialogBoxParamW, CopyRect, InsertMenuA, GetWindowTextA, DrawIcon
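The section entropy and timestamp fields in the PEInfo block above are the two numbers a triage analyst reads first: entropy near 8 in a writable section (.data here at 7.59) is a common sign of packed or encrypted payload data, and the build timestamp dates the compile. The following Python is an added example written for this post, not part of the original analysis or of any tool the post names. It recomputes both values the way the report presents them: the section table is transcribed from the report, while the byte samples and the 7.0 threshold are constructed assumptions.

```python
import math
from datetime import datetime, timezone

# Section table transcribed from the PEInfo block in the post:
# (name, virtual address, virtual size, raw size, reported entropy).
SECTIONS = [
    (".text",  0x1000,  0x57af,  0x5800,  5.19),
    (".data",  0x7000,  0x11557, 0x11600, 7.59),
    (".tls",   0x19000, 0xdd,    0x200,   0.00),
    (".rdata", 0x1a000, 0x18,    0x200,   0.23),
    (".idata", 0x1b000, 0x5a0,   0x600,   3.29),
    (".rsrc",  0x1c000, 0xf4a3,  0x6600,  5.76),
]

# Assumed threshold: entropy this high in a section usually means compressed
# or encrypted content rather than plain code or strings.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer (the .tls
    section above reports 0.00), 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_timestamp(ts: int) -> str:
    """Render a PE TimeDateStamp, which is seconds since the Unix epoch in UTC.
    0x45beb2d0 is the value in the report and decodes to 2007-01-30 02:52:00."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def suspicious_sections(sections, threshold=PACKED_THRESHOLD):
    """Flag sections that look packed (high entropy) or that occupy more memory
    than file bytes (content filled in at runtime). Returns [(name, [reasons])]."""
    findings = []
    for name, _va, vsize, rsize, entropy in sections:
        reasons = []
        if entropy >= threshold:
            reasons.append(f"entropy {entropy:.2f} >= {threshold}")
        if vsize > rsize:
            reasons.append(f"virtual size 0x{vsize:x} > raw size 0x{rsize:x}")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    print("compiled:", pe_timestamp(0x45beb2d0))
    for name, reasons in suspicious_sections(SECTIONS):
        print(f"{name}: {'; '.join(reasons)}")
    # Constructed byte samples showing the two ends of the entropy scale.
    print("zeros:", shannon_entropy(b"\x00" * 512))
    print("uniform:", shannon_entropy(bytes(range(256))))
```

Against the report's own table this flags .data (entropy 7.59) and .rsrc (0xf4a3 bytes in memory backed by only 0x6600 on disk). To run it on an actual sample, feed each section's raw bytes to `shannon_entropy` (with the third-party pefile library that is `section.get_data()` for each entry in `pe.sections`) and compare with the values a multi-scanner report shows.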

After execution, it has the following behaviors:

[Added process]
C:\Program Files\AV9\av2009.exe

[Modified service]
NAME: srservice
DISPLAY: System Restore Service (Turn off system restore service)
STATUS: SERVICE_STOPPED
FILE: C:\WINDOWS\System32\svchost.exe-1 -k netsvcs

[Added file]
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk
C:\Documents and Settings\Administrator\Desktop\Antivirus 2009.lnk
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\_freescan[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\winsystem[2].dll
C:\Documents and Settings\Administrator\Start Menu\Antivirus 2009\Antivirus 2009.lnk
C:\Documents and Settings\Administrator\Start Menu\Antivirus 2009\Uninstall Antivirus 2009.lnk
C:\Program Files\AV9\av2009.exe
C:\RECYCLER\S-1-5-21-515967899-583907252-839522115-500\Dc11.exe
C:\WINDOWS\system32\ieupdates.exe
C:\WINDOWS\system32\scui.cpl
C:\WINDOWS\system32\winsrc.dll

[Added COM/BHO]
{037C7B8A-151A-49E6-BAED-CC05FCB50328}-C:\WINDOWS\system32\winsrc.dll

[Added registry]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value=67760428610125642112784689834240
Data=C:\Program Files\AV9\av2009.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value=ieupdate
Data="C:\WINDOWS\system32\ieupdates.exe"

HKU\S-1-5-21-515967899-583907252-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run
Value=67760428610125642112784689834240
Data=C:\Program Files\AV9\av2009.exe

HKU\S-1-5-21-515967899-583907252-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run
Value=ieupdate
Data="C:\WINDOWS\system32\ieupdates.exe"
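The persistence artifacts listed above (two Run values, a BHO CLSID, and the dropped files) are what a responder checks on other machines that saw the same pop-up. The following Python is an added example, not part of the post or of the tools the comments mention: it turns those artifacts into a small indicator matcher that compares a snapshot of Run values, BHO CLSIDs and file paths against them, normalising quotes and case so the quoted `"C:\WINDOWS\system32\ieupdates.exe"` data and a renamed Run value pointing at the same binary still match. The live collector at the end uses winreg and is Windows-only; the Browser Helper Objects key path and the sample snapshot are my assumptions, not from the post.

```python
import os
import sys
from typing import Dict, Iterable, List, Tuple

# Indicators transcribed from the "[Added registry]", "[Added COM/BHO]" and
# "[Added file]" sections of the post.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
IOC_RUN_VALUES = {
    "67760428610125642112784689834240": r"C:\Program Files\AV9\av2009.exe",
    "ieupdate": r"C:\WINDOWS\system32\ieupdates.exe",
}
IOC_BHO_CLSID = "{037C7B8A-151A-49E6-BAED-CC05FCB50328}"
IOC_FILES = [
    r"C:\Program Files\AV9\av2009.exe",
    r"C:\WINDOWS\system32\ieupdates.exe",
    r"C:\WINDOWS\system32\scui.cpl",
    r"C:\WINDOWS\system32\winsrc.dll",
]
# Assumption: the usual per-machine BHO registration key (not stated in the post).
BHO_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


def normalize_path(p: str) -> str:
    """Strip surrounding quotes and case-fold: Windows paths are case-insensitive
    and Run data is often stored quoted, as in the post."""
    return p.strip().strip('"').lower()


def match_run_entries(run_values: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Match a Run-key snapshot {value_name: data}. Matches on the value name or
    on the target path, so a renamed value pointing at the same binary is caught."""
    known_paths = {normalize_path(v) for v in IOC_RUN_VALUES.values()}
    hits = []
    for name, data in run_values.items():
        if name in IOC_RUN_VALUES:
            hits.append(("run-value-name", name, data))
        elif normalize_path(data) in known_paths:
            hits.append(("run-value-path", name, data))
    return hits


def match_bho(bho_clsids: Iterable[str]) -> List[str]:
    """BHO CLSIDs are compared case-insensitively; the original string is returned."""
    return [c for c in bho_clsids if c.strip().upper() == IOC_BHO_CLSID]


def match_files(existing_files: Iterable[str]) -> List[str]:
    wanted = {normalize_path(f) for f in IOC_FILES}
    return sorted(f for f in existing_files if normalize_path(f) in wanted)


def scan(snapshot: dict) -> dict:
    """Run all three matchers over a snapshot dict with keys run/bho/files."""
    return {
        "run": match_run_entries(snapshot.get("run", {})),
        "bho": match_bho(snapshot.get("bho", [])),
        "files": match_files(snapshot.get("files", [])),
    }


def collect_live_snapshot() -> dict:
    """Windows-only collector (uses winreg): reads HKCU Run values, enumerates
    HKLM BHO CLSIDs, and checks which indicator files exist on disk."""
    import winreg
    run = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as k:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(k, i)
            except OSError:  # no more values
                break
            run[name] = str(data)
            i += 1
    bho = []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BHO_KEY) as k:
            i = 0
            while True:
                try:
                    bho.append(winreg.EnumKey(k, i))
                except OSError:  # no more subkeys
                    break
                i += 1
    except OSError:  # key absent: no BHOs registered
        pass
    files = [f for f in IOC_FILES if os.path.exists(f)]
    return {"run": run, "bho": bho, "files": files}


# Constructed snapshot standing in for a machine: quoted Run data, a renamed Run
# value pointing at av2009.exe, one benign entry, the BHO in lower case, one
# dropped file and one benign file.
SAMPLE_SNAPSHOT = {
    "run": {
        "ieupdate": '"C:\\WINDOWS\\system32\\ieupdates.exe"',
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
        "Updater": r"c:\program files\av9\AV2009.EXE",
    },
    "bho": ["{037c7b8a-151a-49e6-baed-cc05fcb50328}"],
    "files": [r"C:\WINDOWS\system32\winsrc.dll", r"C:\WINDOWS\system32\notepad.exe"],
}

if __name__ == "__main__":
    snap = collect_live_snapshot() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for kind, hits in scan(snap).items():
        for h in hits:
            print(f"[{kind}] {h}")
```

The snapshot is kept separate from the matching so the same logic can be run over an exported registry hive or an Autoruns CSV from another host; on the infected machine itself, the post's own removal advice (Process Explorer or GMER, per the comments) is still needed to stop av2009.exe before the files and values can be deleted.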

54 comments:

Anonymous said...

Nice work, good to see the breakdown like this.

Anonymous said...

Excellent description.

My father has this on his PC, how should he go about removing it?

Roger Chiu said...

According to "After executed, it has the following behaviors", use Process Explorer (www.sysinternals.com) or GMER (http://www.gmer.net/gmer.zip) to remove related files, registries, processes etc.

halojones-fan said...

I'm just a little confused, here. If I get that first faux-dialog pop-up, does that mean I already have this virus? Or does it just mean that I'll get it if I click "OK"?

Roger Chiu said...

When you see the faux-dialog pop-up, some components have already been installed into your system; you can check step by step according to "after executed, it has the following behaviors".

francois said...

What's so funny about these fake antivirus products is the distinct lack of branding - who'd call their antivirus "XP 2009"? Thankfully for us they haven't bothered to use any real trademarks such as "Norton Antivirus" yet on their products....

Sinan said...

Thanks so much for this! This is exactly what I was looking for

King Bayern Munich said...

This is a great article, supplies the useful information for me, thanks in this

Dean said...

greetings to all.
I would first like to thank the writers of this blog by sharing information, a few years ago I read a book called guanacaste costa rica in this book deal with questions like this one

King Bayern Munich said...

We supply many styles of sofas,such as living-room-sofa, Modern leather sofa . soft sofa. Lounge-sofa .
We supply all kinds of stone product,such as china tombstones, Modern-stone-sculpture, paving-stone Glazed-Vitrified-Tiles

niz said...

Hello .. firstly I would like to send greetings to all readers. After this, I recognize the content so interesting about this article. For me personally I liked all the information. I would like to know of cases like this more often. In my personal experience I might mention a book called Generic Viagra in this book that I mentioned have very interesting topics, and also you have much to do with the main theme of this article.

Admin said...

Thanks so much for this! This is exactly what I was looking for


tatlisohbet said...

thanks for admin

authentic designer handbags said...

Totally perfect for your current life-state. Congrats on your move and I hope it is a dream!

game reviews said...

Wonderful information, I will save this and show it to my friend, she is huge fan of this. It's been a pleasure to read your post.
Hannah from SheepArcade
If you like to play games, visit sheep arcade and play poker games and much more free games.

Juan said...

This is a great article, supplies the useful information for me, thanks in this

kadir said...

Quite funny that mainframes are making a comeback.
But when you think about it, businesses are moving more and more into the cloud, and having one large server is certainly more efficient than having to manage little computers connected together. The cost might be high to acquire one mainframe, but to maintain a large number of smaller servers can have significantly higher costs in terms of IT power. Not to mention the energy consumption.

admin said...

Thank you very much


admin said...

Thanks so much for this! This is exactly what I was looking for

kadir said...

But when you think about it, businesses are moving more and more into the cloud.

Careprost said...

Nice post, I would like to request you to one more post about that Keep it up

temel izolasyonu said...

I need it for information, Thank you for article..

istcafe said...

Good post,thanks for your sharing!


Mobile Computing said...

Wow, Great post,Nice work, I would like to read your blog every day Thanks

Sohbet Odaları said...

I sent a letter to both of my senators, my representative, and my governor. I recommend that everyone who uses any type of on-line radio service do the same. If enough voices are heard things can be changed

Nike Mercurial Vapor Superfly said...

Ah good exciting content! Will always come to our attention. To bring you good news-works perfect! Nike Football Cleats best shoes 2011!! And Nike Mercurial Vapor Superfly.Nike soccer cleats with New nike soccer shoes or Nike mercurial soccer cleats .

viagra how it works said...

Great post. I think one of the basic things that we should know is that we must always make sure that you are safe in every transaction you want to indulge in.

sohbet said...

a very dedicated service and can be applied anywhere you want and get better results. Excellent brief and this article helped me a lot. Say thank you, I am looking for your information

Caverta said...

Great information you got here. I've been reading about this topic for one week now for my papers in school and thank God I found it here in your blog. I had a great time reading this.

Sgfx Financial Limited said...

HIii.. I like your article so that I read all of your articles in a day. Please continue and keep on writing excellent posts.

Anadolu Design said...

Totally love how this came out--looks like something from an editorial. Love the feather earrings.

Avrasya Dizayn said...

Authorized Cialis representative for Turkey; the only genuine and reliable address is http://www.cialis-hap.com . Buy your cialis here too, prolong your nights and enjoy yourself. 24-48 hour or urgent delivery options are available. You will be satisfied.

IT Support North London said...

It’s a great Blog to visit because it’s like a learning experience and building the confidence up. Nice and filled with complete detail in black and white. It must be share with friends and colleagues.

cinsellik sohbet said...

Very informative and trustworthy blog. Please keep updating with great posts like this one.
I have bookmarked your site and am about to email it to a few friends of mine that I know would enjoy reading
Thanks for your explanation, it was a very good effort, while health information is in your hand

They look very nice, wonderful =)

kaan kara said...

You can send wonderful, popular 2013 nice quotes; also, if you want to laugh you can find funny quotes, and if you want to get emotional you can look at emotional quotes right away.

China tours said...

Thanks. I always enjoy reading your posts - they are always humorous and intelligent.I am a china tour lover,You can learn more: China tour operator | China tour packages | China city travel

mynet Sohbet said...

Thanks for sharing.

Learn Chinese said...

The best place to learn mandarin Chinese is in China. However, we understand that it isn't always possible to move here to study Chinese language. The next best thing is to study with our experienced teachers in a virtual classroom. Online students enjoy the same excellent way of mandarin Chinese online lessons and custom designed courseware that we provide for our face to face clients.

adem kaplan said...

thank you thank youuuuuuu