10 replies to this topic

[centralkong]

Hi to all,
Today I was spammed by some WLM contacts with urls pointing to:

• youtube(dot)nl(dot)am
  
• axiomsolution(dot)com

And there was another one which I can't remember the name, it was something like myhdd(dot)info. (I'll surely get the link today).

If there's something you can do to block these domains via the IP Protection, I'd be .

Feel free to contact me if you need any info.

Cheers!

[MysteryFCM]

There's also a fake YouTube site at;

microsoft.uk.to
bigmack.opendns.be

Which are on the same IP as youtube.nl.am

http://hosts-file.ne...microsoft.uk.to

[centralkong]

It's already blocked, isn't it? Now that I think, that site tried to install a Java app via Chrome... Luckily Java warned me and I didn't choose "Allow"

About the third site, it is hxxp://dl323.myfilehd.info:83/user496/cache/get.php?view=DVC-IMAGEN008.JPG (straight from the WLM chat window)

[Jaxryley]

hxxp://dl323.myfilehd.info:83/user496/cache/get.php?view=DVC-IMAGEN008.JPG

Downloads a "DVC-IMAGEN008.JPG_www.myfilehd.com"
No hits at jottis
File size: 88064 bytes
-----------------------------------------------------------------------------
Runs as a "avscpa.exe" and changes quite a few reg settings.
I would hazard a guess and say it's malware?

http://rapidshare.de/files/48325902/DVC-IMAGEN008.JPG.zip.html

[Malcontent]

One hit on virustotal:

http://www.virustotal.com/analisis/ab87d05...a4ec-1252715504

[centralkong]

Jaxryley, please throw the files to ThreatExpert (http://www.threatexpert.com/) and bring back the reports here.

(I'd like to know what these nasties do, and it'll help MBAM developers )

[MysteryFCM]

TE report

Attached Files

•  report.zip   7.98K   6 downloads

[Fatdcuk]

Thanks Centralkong for the report and thanks Jax have added the URL for harvesting now

Will look at the install shortly

[centralkong]

@MysteryFCM: Strange... Just a created process? And that's all? It's odd...
@Fatcduk: You're welcome

[Fatdcuk]

No not strange that it dose'nt perform for TE, it knows to exit process if its running in sandbox test enviroment and hence no install report.

[MysteryFCM]

It's likely sandbox/VM aware .....