Paczki, malware, złośliwe pliki, linki itp.

[KaMiL]

Rzeczywiście... Zaraz dam nowy link.

Dodano: 22 lip 2012, 17:53

Ok, mam:

Treść widoczna jedynie dla zarejestrowanych użytkowników

[tachion]

F4z

działa,działa
Created a mutex named: _!SHMSFTHISTORY!_
Created a mutex named: CTF.Asm.MuteefaultS-1-5-21-1957994488-1078145449-1060284298-500
Created a mutex named: CTF.Compart.MuteefaultS-1-5-21-1957994488-1078145449-1060284298-500
Created a mutex named: CTF.Layouts.MuteefaultS-1-5-21-1957994488-1078145449-1060284298-500
Created a mutex named: CTF.LBES.MuteefaultS-1-5-21-1957994488-1078145449-1060284298-500
Created a mutex named: CTF.TimListCache.FMPDefaultS-1-5-21-1957994488-1078145449-1060284298-500MUTEX.DefaultS-1-5-21-1957994488-1078145449-1060284298-500
Created a mutex named: CTF.TMD.MuteefaultS-1-5-21-1957994488-1078145449-1060284298-500
Created a mutex named: Local\!IETld!Mutex
Created a mutex named: Local\!PrivacIE!SharedMemory!Mutex
Created a mutex named: Local\_!MSFTHISTORY!_
Created a mutex named: Local\c:!documents and settings!administrator!cookies!
Created a mutex named: Local\c:!documents and settings!administrator!ustawienia lokalne!historia!history.ie5!
Created a mutex named: Local\c:!documents and settings!administrator!ustawienia lokalne!historia!history.ie5!mshist012012072220120723!
Created a mutex named: Local\c:!documents and settings!administrator!ustawienia lokalne!temporary internet files!content.ie5!
Created a mutex named: Local\ZoneAttributeCacheCounterMutex
Created a mutex named: Local\ZonesCacheCounterMutex
Created a mutex named: Local\ZonesCounterMutex
Created a mutex named: Local\ZonesLockedCacheCounterMutex
Created a mutex named: MSIMGSIZECacheMutex
Created a mutex named: RasPbFile
Created file in defined folder: C:\Documents and Settings\Administrator\Cookies\administrator@gateforback[1] .txt
Created file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\27POMU3G\bg[1] .jpg
Created file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\27POMU3G\l_pl[1] .jpg
Created file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\27POMU3G\ukash[1] .jpg
Created file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\40MMG306\pl[1] .png
Created file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\NO3KF9ZS\arrow[1] .jpg
Created file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\NO3KF9ZS\style[1] .css
Created file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\OF1M03GC\btn[1] .jpg
Created file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\OF1M03GC\logo[1] .png
Created file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\OF1M03GC\recet[1] .css
Created process: C:\WINDOWS\system32\ctfmon.exe,ctfmon.exe,(null)
Defined file type created: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\40MMG306\pl[1] .htm
Detected keylogger functionality
Detected process privilege elevation
Got computer name
Got user name information
Hide file from user: C:\Documents and Settings\Administrator\Cookies\index.dat
Hide file from user: C:\Documents and Settings\Administrator\Ustawienia lokalne\Historia\History.IE5\index.dat
Hide file from user: C:\Documents and Settings\Administrator\Ustawienia lokalne\Historia\History.IE5\MSHist012012072220120723\index.dat
Hide file from user: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat
Internet connection: C:\Documents and Settings\Administrator\Pulpit\Ransom_EuroLocker\80c8b5d467056efbeeb9c5c8eba75e1bb0fca23b1f6c07ad9675eed4445ac982.exe Connects to "93.170.13.2" on port 80 (TCP - HTTP).
Listed all entry names in a remote access phone book
Modified file in defined folder: C:\Documents and Settings\Administrator\Cookies\index.dat
Modified file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Internet Explorer\MSIMGSIZ.DAT
Modified file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Historia\History.IE5\index.dat
Modified file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Historia\History.IE5\MSHist012012072220120723\index.dat
Modified file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat
Opened a service named: RASMAN
Opened a service named: Sens
Query DNS: gateforback.info
Registered a hotkey
Started a service

Tylko szkopuł tej próbki jest taki że na xpku bynajmniej nie replikuje się do innych lokalizacji tylko zostaje zawartość z sieci pobrana co widać,po restarcie system działa normalnie,a proces jest tylko chwilowy<!-- s--> <!-- s-->


kamil10506
Działajet

[Aby zobaczyć linki, zarejestruj się tutaj]

[Momik3]

Avira wykrywa Trojan MBR Lock.

[Borzuck]

Rzeczywiście... Zaraz dam nowy link.

Dodano: 22 lip 2012, 17:53

Ok, mam:

Treść widoczna jedynie dla zarejestrowanych użytkowników

Panda wykrywa po uruchomieniu ;-)

[F4z]

F4z

działa,działa
Created a mutex named: _!SHMSFTHISTORY!_
Created a mutex named: CTF.Asm.MuteefaultS-1-5-21-1957994488-1078145449-1060284298-500
Created a mutex named: CTF.Compart.MuteefaultS-1-5-21-1957994488-1078145449-1060284298-500
Created a mutex named: CTF.Layouts.MuteefaultS-1-5-21-1957994488-1078145449-1060284298-500
Created a mutex named: CTF.LBES.MuteefaultS-1-5-21-1957994488-1078145449-1060284298-500
Created a mutex named: CTF.TimListCache.FMPDefaultS-1-5-21-1957994488-1078145449-1060284298-500MUTEX.DefaultS-1-5-21-1957994488-1078145449-1060284298-500
Created a mutex named: CTF.TMD.MuteefaultS-1-5-21-1957994488-1078145449-1060284298-500
Created a mutex named: Local\!IETld!Mutex
Created a mutex named: Local\!PrivacIE!SharedMemory!Mutex
Created a mutex named: Local\_!MSFTHISTORY!_
Created a mutex named: Local\c:!documents and settings!administrator!cookies!
Created a mutex named: Local\c:!documents and settings!administrator!ustawienia lokalne!historia!history.ie5!
Created a mutex named: Local\c:!documents and settings!administrator!ustawienia lokalne!historia!history.ie5!mshist012012072220120723!
Created a mutex named: Local\c:!documents and settings!administrator!ustawienia lokalne!temporary internet files!content.ie5!
Created a mutex named: Local\ZoneAttributeCacheCounterMutex
Created a mutex named: Local\ZonesCacheCounterMutex
Created a mutex named: Local\ZonesCounterMutex
Created a mutex named: Local\ZonesLockedCacheCounterMutex
Created a mutex named: MSIMGSIZECacheMutex
Created a mutex named: RasPbFile
Created file in defined folder: C:\Documents and Settings\Administrator\Cookies\administrator@gateforback[1] .txt
Created file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\27POMU3G\bg[1] .jpg
Created file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\27POMU3G\l_pl[1] .jpg
Created file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\27POMU3G\ukash[1] .jpg
Created file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\40MMG306\pl[1] .png
Created file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\NO3KF9ZS\arrow[1] .jpg
Created file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\NO3KF9ZS\style[1] .css
Created file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\OF1M03GC\btn[1] .jpg
Created file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\OF1M03GC\logo[1] .png
Created file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\OF1M03GC\recet[1] .css
Created process: C:\WINDOWS\system32\ctfmon.exe,ctfmon.exe,(null)
Defined file type created: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\40MMG306\pl[1] .htm
Detected keylogger functionality
Detected process privilege elevation
Got computer name
Got user name information
Hide file from user: C:\Documents and Settings\Administrator\Cookies\index.dat
Hide file from user: C:\Documents and Settings\Administrator\Ustawienia lokalne\Historia\History.IE5\index.dat
Hide file from user: C:\Documents and Settings\Administrator\Ustawienia lokalne\Historia\History.IE5\MSHist012012072220120723\index.dat
Hide file from user: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat
Internet connection: C:\Documents and Settings\Administrator\Pulpit\Ransom_EuroLocker\80c8b5d467056efbeeb9c5c8eba75e1bb0fca23b1f6c07ad9675eed4445ac982.exe Connects to "93.170.13.2" on port 80 (TCP - HTTP).
Listed all entry names in a remote access phone book
Modified file in defined folder: C:\Documents and Settings\Administrator\Cookies\index.dat
Modified file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Internet Explorer\MSIMGSIZ.DAT
Modified file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Historia\History.IE5\index.dat
Modified file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Historia\History.IE5\MSHist012012072220120723\index.dat
Modified file in defined folder: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat
Opened a service named: RASMAN
Opened a service named: Sens
Query DNS: gateforback.info
Registered a hotkey
Started a service

Tylko szkopuł tej próbki jest taki że na xpku bynajmniej nie replikuje się do innych lokalizacji tylko zostaje zawartość z sieci pobrana co widać,po restarcie system działa normalnie,a proces jest tylko chwilowy<!-- s--> <!-- s-->

Wielkie dzięki Tachion za odpowiedź , a mógłbyś mi jeszcze powiedzieć jakim programem wykonałeś raport działania tego EuroLockera?

[ananael]

Wygląda na log z plugina do Sandboxie - Buster Sandbox Analyzer (

[Aby zobaczyć linki, zarejestruj się tutaj]

)

[Flash999]

MBR Lock:
TrustPort nie wykrywa.

[zord]

Paczka 311 malware 2012-07-21 by tommy:

Treść widoczna jedynie dla zarejestrowanych użytkowników

ByteHero 107/311 34,40%

[A_B_C]

ByteHero 107/311 34,40%

Dobry wynik biorąc pod uwagę że ten program korzysta tylko z heurystyki.

Panda Global Protection 2013302/311 97.10%

[KaMiL]

Raport Anubisa:

[Aby zobaczyć linki, zarejestruj się tutaj]

[A_B_C]

MBAM291/311 93.56%

[rafikrafiki]

Rzeczywiście... Zaraz dam nowy link.

Dodano: 22 lip 2012, 17:53

Ok, mam:

Treść widoczna jedynie dla zarejestrowanych użytkowników

[Aby zobaczyć linki, zarejestruj się tutaj]

[Adi Cherryson]

Ransom EuroLocker by Waves97

[Aby zobaczyć linki, zarejestruj się tutaj]

Trojan MBR Lock by kamil10506

[Aby zobaczyć linki, zarejestruj się tutaj]

Ashampoo AM wykrywa.

Kamil- mała prośba, używaj tego naszego standardowego hasła. Już chyba wszyscy się do niego przyzwyczaili.

[tomatto007]

62 Malware - VT - 100%

Treść widoczna jedynie dla zarejestrowanych użytkowników

[Galactico]

62 Malware - VT - 100%

Treść widoczna jedynie dla zarejestrowanych użytkowników

AVG IS 2012
40/62 (64,52%)

[tomatto007]

Malware info:
SHA256: 4055f66b00029901a2c4d135c126185bbabf7393e06e24b4fbc183cfce4406ec
SHA1: 2c34c4c3ee37493af7e130023c69dbc6829b0cff
MD5: 3fa712fa1f5fd57eeceaadfe61e4caa9
File size: 708096 bytes

VT info (29/42):

[Aby zobaczyć linki, zarejestruj się tutaj]

Changes in the system:

1. Registry Key:
   HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wmpnetk: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wmpnet32.exe"
   
   Files:
   C:\Documents and Settings\Administrator\Local Settings\Temp\fp.txt
   C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
   C:\Documents and Settings\Administrator\Local Settings\Temp\wmpnet32.exe

Treść widoczna jedynie dla zarejestrowanych użytkowników

[Bergo]

Avira AVP
51/62 (82.25%)

GDATA IS 2013
52/62 (83,87%)

[myciu1974]

Emsi AM 46/62 (74,19%)
HitmanPro 61/62 (98,38%)
MBAM 51/62 (82,25%)

[Miquell]

WEBROOT : 38/62 61%

[Waves]

[Aby zobaczyć linki, zarejestruj się tutaj]

This files from Tomato''s package are Adware . Specifically Toggle Toolbar . It''s not malware