MEDTECS Taiwan Web Site is inserted malicious links
MEDTECS Taiwan Web Site is inserted malicious links, the malware name is Trojan.Asprox.
The home page of MEDTECS Taiwan Web Site as below:
The above home page contains malicious link as below:
The malicious scripts as below:

==The following focus on Web Reputation Service Testing==
Google Search CAN detect it  as below:
Armorize HackAlert CAN detect it as below:
McAfee SiteAdvisor CANNOT detect it as below:
Trend Micro WRS CANNOT detect it as below:
finjan URL analysis CANNOT detect it as below:
Dr.Web URL analysis CANNOT detect it  as below:
Exploit Prevention Labs's LinkScanner CANNOT detect it as below:
Symantec Safe Web CAN detect it as below:
After executed, it has the following behaviors:
[Added process]
C:\WINDOWS\system32\aspimgr.exe
[Added service]
NAME: aspimgr
DISPLAY: Microsoft ASPI Manager
FILE: C:\WINDOWS\system32\aspimgr.exe
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\_check32.bat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\index[1].htm
C:\WINDOWS\s32.txt
C:\WINDOWS\system32\aspimgr.exe
C:\WINDOWS\ws386.ini
==The following focus on AV Scanners Testing==
File script.js-malscript received on 09.11.2008 11:46:44 (CET)
Result: 4/36 (11.11%)
Antivirus     Version     Last Update     Result
AhnLab-V3     2008.9.6.0     2008.09.11     -
AntiVir     7.8.1.28     2008.09.11     -
Authentium     5.1.0.4     2008.09.11     HTML/Iframe.A!Camelot
Avast     4.8.1195.0     2008.09.10     -
AVG     8.0.0.161     2008.09.10     -
BitDefender     7.2     2008.09.11     -
CAT-QuickHeal     9.50     2008.09.11     -
ClamAV     0.93.1     2008.09.11     -
DrWeb     4.44.0.09170     2008.09.11     -
eSafe     7.0.17.0     2008.09.10     -
eTrust-Vet     31.6.6084     2008.09.11     -
Ewido     4.0     2008.09.10     -
F-Prot     4.4.4.56     2008.09.10     -
F-Secure     8.0.14332.0     2008.09.11     HTML/Exploit!IFrame.G
Fortinet     3.113.0.0     2008.09.11     -
GData     19     2008.09.11     -
Ikarus     T3.1.1.34.0     2008.09.11     -
K7AntiVirus     7.10.450     2008.09.10     -
Kaspersky     7.0.0.125     2008.09.11     -
McAfee     5381     2008.09.10     -
Microsoft     1.3903     2008.09.11     Trojan:JS/Redirector.N
NOD32v2     3429     2008.09.09     -
Norman     5.80.02     2008.09.11     HTML/Exploit!IFrame.G
Panda     9.0.0.4     2008.09.10     -
PCTools     4.4.2.0     2008.09.10     -
Prevx1     V2     2008.09.11     -
Rising     20.61.32.00     2008.09.11     -
Sophos     4.33.0     2008.09.11     -
Sunbelt     3.1.1624.1     2008.09.11     -
Symantec     10     2008.09.11     -
TheHacker     6.3.0.9.077     2008.09.10     -
TrendMicro     8.700.0.1004     2008.09.11     -
VBA32     3.12.8.5     2008.09.10     -
ViRobot     2008.9.11.1373     2008.09.11     -
VirusBuster     4.5.11.0     2008.09.10     -
Webwasher-Gateway     6.6.2     2008.09.11     -
Additional information
File size: 167 bytes
MD5…: 4247a10cd92d62d2a42daf9ea0441996
SHA1..: 320b19ade7d54cd610b3be788f6657ac91ee0d0e
SHA256: c3efcfc683c5777e4702ab443136c8f780cd78638030851616afb460c35b6b32
SHA512: 33df9bfb9825b689195a60459aa15889902f55308a9e2d7059884de393e7e2ba
f21b1bd8915095dcfd496f3e2f782c90d521c79784734a82ff713af1ec98446d
PEiD..: -
TrID..: File type identification
file seems to be plain text/ASCII (0.0%)
PEInfo: -
File aspimgr.exe received on 09.10.2008 18:34:58 (CET)
Result: 18/36 (50.00%)
Antivirus     Version     Last Update     Result
AhnLab-V3     2008.9.6.0     2008.09.10     -
AntiVir     7.8.1.28     2008.09.10     -
Authentium     5.1.0.4     2008.09.10     W32/NewMalware-Rootkit-I-based!Maximus
Avast     4.8.1195.0     2008.09.10     Win32:Agent-GPS
AVG     8.0.0.161     2008.09.10     BackDoor.Small.54.I
BitDefender     7.2     2008.09.10     Backdoor.Agent.1
CAT-QuickHeal     9.50     2008.09.10     -
ClamAV     0.93.1     2008.09.10     -
DrWeb     4.44.0.09170     2008.09.10     -
eSafe     7.0.17.0     2008.09.10     -
eTrust-Vet     31.6.6082     2008.09.10     Win32/Danmec!generic
Ewido     4.0     2008.09.10     -
F-Prot     4.4.4.56     2008.09.09     W32/NewMalware-Rootkit-I-based!Maximus
F-Secure     8.0.14332.0     2008.09.10     Backdoor.Win32.Agent.rfz
Fortinet     3.112.0.0     2008.09.10     -
GData     19     2008.09.10     Backdoor.Win32.Agent.rfz
Ikarus     T3.1.1.34.0     2008.09.10     Virus.Win32.Agent.GPS
K7AntiVirus     7.10.450     2008.09.10     -
Kaspersky     7.0.0.125     2008.09.10     Backdoor.Win32.Agent.rfz
McAfee     5380     2008.09.09     Proxy-Agent.af.gen
Microsoft     1.3903     2008.09.10     Backdoor:Win32/Agent.ACG
NOD32v2     3429     2008.09.09     probably a variant of Win32/Agent.NEQ
Norman     5.80.02     2008.09.10     -
Panda     9.0.0.4     2008.09.09     -
PCTools     4.4.2.0     2008.09.10     Trojan.Damnec.Gen
Prevx1     V2     2008.09.10     -
Rising     20.61.22.00     2008.09.10     -
Sophos     4.33.0     2008.09.10     -
Sunbelt     3.1.1616.1     2008.09.09     -
Symantec     10     2008.09.10     Trojan.Asprox
TheHacker     6.3.0.9.077     2008.09.10     -
TrendMicro     8.700.0.1004     2008.09.10     Mal_Asprox
VBA32     3.12.8.5     2008.09.10     suspected of Trojan-PSW.Pinch.10 (paranoid heuristics)
ViRobot     2008.9.10.1371     2008.09.10     -
VirusBuster     4.5.11.0     2008.09.10     Trojan.Damnec.Gen
Webwasher-Gateway     6.6.2     2008.09.10     -
Additional information
File size: 86016 bytes
MD5…: 3f9f89d46a837b98cce7b111b77a4bd0
SHA1..: fd6ceeb472a85ebb63d3388eea73d817c211743d
SHA256: 1d9dac4e247a79f6395c52f88c1b4216b06115468786a0dc2fad52a0c3e0cb7d
SHA512: e63a3b6ab7b43b7fd9a8700def0a1d638a810af0bc8c47485c2114e90993b9e8
14f8f45e556b8918aae35e5f3d7c706d08ba530465b896a02afd537ba30b17ce
PEiD..: Armadillo v1.71
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0×40d5a6
timedatestamp…..: 0×48c4c985 (Mon Sep 08 06:43:17 2008)
machinetype…….: 0×14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0×1000 0xc6e4 0xd000 6.36 0338632724a92a1815238090c4369794
.rdata 0xe000 0×66e 0×1000 2.39 063ae8b57dd1310e48bd9aa7cc45e386
.data 0xf000 0×4ee84 0×5000 5.79 5dd472b5b7732f62724237fee4f8bb23
.rsrc 0×5e000 0×408 0×1000 1.10 770474c641b722d2a41d098dbd5bb7d6
( 3 imports )
> KERNEL32.dll: lstrcpynA, lstrlenA, lstrcpyA, lstrcatA, Sleep, GetLastError, HeapFree, GetProcessHeap, HeapAlloc, GetProcAddress, LoadLibraryA, GetModuleHandleA, LeaveCriticalSection, EnterCriticalSection, lstrcmpA, lstrcmpiA, FreeLibrary, GlobalFree, GlobalAlloc
> WS2_32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> MSVCRT.dll: _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __p___initenv, exit, _XcptFilter, _exit, atol, _strlwr, _itoa, strcpy, _beginthread, _endthread, sscanf, strstr, memset, atoi, memcpy, free, malloc, fclose, fwrite, fopen, strncmp, memmove, strlen, isspace, strchr
( 0 exports )

 
3 comments:
Hi Roger, Kudos for doing this testing. Do you ever re-check sites over time? As you know, some sites can go down or pages can change, and the safety services you use may modify their ratings for the sites. It would be interesting to see how things change over time. Just an idea.
Who knows where to download XRumer 5.0 Palladium?
Help, please. All recommend this program to effectively advertise on the Internet, this is the best program!
Hi very gooodseviyeli sohbet
seviyeli sohbetislami sohbet sitesi
islami sohbet odalari
islami sohbet
sevecen
sohbet
sohbet odalari
mirc indir
sevecennet I follow the blog as a continuous Thank you admin.
Post a Comment