fake codec x1

solcroft

太多了，捉都捉不完
网址似乎每半小时变一次

[ 本帖最后由 solcroft 于 2008-4-15 01:31 编辑 ]

91343

卡巴pass，哎都对卡巴做免杀

aerbeisi

zhelatin应该是俄罗斯人自己搞的，卡巴入库挺快的。

NOD32 2.x扫描不到。

wangjay1980

TO KL

wangjay1980

Service load:  0%        100%  

File:  MediaTubeCodec_ver1.1095.0.zip  
Status:  INFECTED/MALWARE  
MD5:  13325096da367a3ff87f068ec9af776d  
Packers detected:  -
Bit9 reports:  File not found  

Scanner results  
Scan taken on 14 Apr 2008 15:36:43 (GMT)  
A-Squared  Found nothing
AntiVir  Found nothing
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
CPsecure  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
F-Secure Anti-Virus  Found nothing
Fortinet  Found nothing
Ikarus  Found nothing
Kaspersky Anti-Virus  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
Panda Antivirus  Found nothing
Sophos Antivirus  Found Mal/EncPk-DA  
VirusBuster  Found nothing
VBA32  Found MalwareScope.Worm.Nuwar-Glowa.1

冷冷

IK
I:\virus\样本区\MediaTubeCodec_ver1[1].1095.0.zip:\MediaTubeCodec_ver1.1095.0.exe - Suspect code-parts found (Level: 35)
I:\virus\样本区\MediaTubeCodec_ver1[1].1095.0.zip

        2 Files scanned
          (1 Archiv with 1 file)
        0 Signatures found
        1 Suspect code-part found
        Used time: 0:23.875

aerbeisi

Nuwar Shifts to Fake CodecsApril 8th, 2008

It has only been a day since the last strategy shift from the Nuwar gang and they have already gone away from the love letter theme.
By monitoring computers infected with Nuwar, we can keep track of their social engineering schemes.
They are now using a common theme used by the Zlob threat for a couple of months.
They use fake codecs to entice users into downloading and executing their malware.

The screenshot below shows that web pages are used to display advertisement of a codec (piece of software used to read certain video formats).
If a user clicks on the image or the text link, he is redirected to an executable named StormCodec.exe (detected as Nuwar.GG by ESET NOD32 Antivirus).
It is funny to note that the Storm Worm gang uses a name given by the security industry in their malware.
We also noticed that the latest scheme is not completely polished: the title of the fake codec page still reads “I love you”.



The quick pace of changes in Nuwar’s social engineering is a proof that its controllers are paying close attention to the performance of their social engineering campaigns.
When they see that a theme is not efficient, they quickly change their strategy.
We are facing a rapidly evolving adversary!

Pierre-Marc Bureau
Researcher

solcroft

想想回来，ESET不把一些启发算法加入到动手扫描器里可能是故意的
看看VT上的结果就知道了
可是这样反而导致某些高手大吹说ESET杀vundo，zlob，zhelatin，swizzor太差了，因为他们只懂得看VT

aerbeisi

昨天我运行了绅博周幸的vundo，nod无法扫描到，监控截取到了生成物bat，但三个vundo的dll无法截取，进程已被强奸。

http://kafan.cn/bbs/viewthread.php?tid=234355&extra=page%3D2

solcroft

我的拦截生成物后dll可以动手删除掉，没被插入任何进程