
Malwarebytes

26.10.2009


1 reply to this topic

#1 Dashke (True Member, Malware Hunters, 278 posts, Location: Belgrade)


Dr.Web® Antivirus for DOS/386 v5.0 -

C:\DOCUME~1\Dashke\Desktop\Infected\01.kdg - archive NSIS
>C:\DOCUME~1\Dashke\Desktop\Infected\01.kdg\data001 - OK
>C:\DOCUME~1\Dashke\Desktop\Infected\01.kdg\data002 - OK
>C:\DOCUME~1\Dashke\Desktop\Infected\01.kdg\data003 is adware program Adware.Cinmus.2541
>C:\DOCUME~1\Dashke\Desktop\Infected\01.kdg\data004 - OK
C:\DOCUME~1\Dashke\Desktop\Infected\01.kdg - archive contains infected objects
C:\DOCUME~1\Dashke\Desktop\Infected\aa1.exe infected with Trojan.PWS.Wsgame.13178
C:\DOCUME~1\Dashke\Desktop\Infected\aa1.exe - deleted!
C:\DOCUME~1\Dashke\Desktop\Infected\aa10.exe infected with Trojan.PWS.Wsgame.13093
C:\DOCUME~1\Dashke\Desktop\Infected\aa10.exe - deleted!
C:\DOCUME~1\Dashke\Desktop\Infected\aa11.exe infected with Trojan.PWS.Wsgame.12059
C:\DOCUME~1\Dashke\Desktop\Infected\aa11.exe - deleted!
C:\DOCUME~1\Dashke\Desktop\Infected\aa2.exe infected with Trojan.PWS.Wsgame.13128
C:\DOCUME~1\Dashke\Desktop\Infected\aa2.exe - deleted!
C:\DOCUME~1\Dashke\Desktop\Infected\aa3.exe infected with Trojan.PWS.Wsgame.12116
C:\DOCUME~1\Dashke\Desktop\Infected\aa3.exe - deleted!
C:\DOCUME~1\Dashke\Desktop\Infected\aa4.exe infected with Trojan.PWS.Wsgame.12654
C:\DOCUME~1\Dashke\Desktop\Infected\aa4.exe - deleted!
C:\DOCUME~1\Dashke\Desktop\Infected\aa5.exe infected with Trojan.PWS.Wsgame.13093
C:\DOCUME~1\Dashke\Desktop\Infected\aa5.exe - deleted!
C:\DOCUME~1\Dashke\Desktop\Infected\aa6.exe infected with Trojan.PWS.Wsgame.12116
C:\DOCUME~1\Dashke\Desktop\Infected\aa6.exe - deleted!
C:\DOCUME~1\Dashke\Desktop\Infected\aa7.exe infected with Trojan.PWS.Wsgame.13093
C:\DOCUME~1\Dashke\Desktop\Infected\aa7.exe - deleted!
C:\DOCUME~1\Dashke\Desktop\Infected\aa8.exe infected with Trojan.PWS.Wsgame.13097
C:\DOCUME~1\Dashke\Desktop\Infected\aa8.exe - deleted!
C:\DOCUME~1\Dashke\Desktop\Infected\aa9.exe infected with Trojan.PWS.Wsgame.13092
C:\DOCUME~1\Dashke\Desktop\Infected\aa9.exe - deleted!
C:\DOCUME~1\Dashke\Desktop\Infected\isnap.exe probably infected with DLOADER.Trojan
C:\DOCUME~1\Dashke\Desktop\Infected\isnap.exe - deleted!
C:\DOCUME~1\Dashke\Desktop\Infected\setup[1].exe infected with Trojan.Fakealert.5242
C:\DOCUME~1\Dashke\Desktop\Infected\setup[1].exe - deleted!
C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe - archive NSIS
>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data001 - OK
>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data002 - OK
>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data003 - OK
>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data004 - OK
>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data005 is adware program Adware.Yiqilai
>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data006 - OK
>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data007 is adware program Adware.Yiqilai
>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data008 - OK
>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data009 - OK
>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data010 - OK
>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data011 - OK
>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data012 - OK
>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data013 is adware program Adware.Yiqilai
>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data014 - archive BINARYRES
>>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data014\data001 - OK
>>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data014\data002 - OK
>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data014 - OK
>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data015 is adware program Adware.Yiqilai
>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data016 - OK
>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data017 - archive NSIS
>>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data017\data001 - OK
>>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data017\data002 - OK
>>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data017\data003 - OK
>>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data017\data004 - OK
>C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe\data017 - OK
C:\DOCUME~1\Dashke\Desktop\Infected\YiqilaiLyrics1.5.1.exe - archive contains infected objects

Password for my uploads is virus.

#2 Fatdcuk (Malware BBQ'er, Moderators, 16,155 posts, Location: 127.0.0.1)

Many thanks Dashke,

Have now added the URLs for harvesting :)

Timesaver ate 3 of them; 88.txt is a source URL list for a mass downloader >>>


Pleased to say we gave the Doctor a run for its money.

Malwarebytes' Anti-Malware 1.41
Database version: 3036
Windows 5.1.2600 Service Pack 2

26/10/2009 16:17:12
mbam-log-2009-10-26 (16-17-12).txt

Scan type: Quick Scan
Objects scanned: 23
Time elapsed: 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\0wn3r\my documents\malware samples\RogueNET\01.kdg (Adware.Cinmus) -> Quarantined and deleted successfully.
c:\documents and settings\0wn3r\my documents\malware samples\RogueNET\aa1.exe (Trojan.GamesThief) -> Quarantined and deleted successfully.
c:\documents and settings\0wn3r\my documents\malware samples\RogueNET\aa10.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\documents and settings\0wn3r\my documents\malware samples\RogueNET\aa11.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\documents and settings\0wn3r\my documents\malware samples\RogueNET\aa3.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\documents and settings\0wn3r\my documents\malware samples\RogueNET\aa4.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\documents and settings\0wn3r\my documents\malware samples\RogueNET\aa5.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\documents and settings\0wn3r\my documents\malware samples\RogueNET\aa6.exe (Trojan.GamesThief) -> Quarantined and deleted successfully.
c:\documents and settings\0wn3r\my documents\malware samples\RogueNET\aa7.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\documents and settings\0wn3r\my documents\malware samples\RogueNET\aa8.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\documents and settings\0wn3r\my documents\malware samples\RogueNET\aa9.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\documents and settings\0wn3r\my documents\malware samples\RogueNET\image.jpg (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\documents and settings\0wn3r\my documents\malware samples\RogueNET\setup (2).exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\documents and settings\0wn3r\my documents\malware samples\RogueNET\setup (3).exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\0wn3r\my documents\malware samples\RogueNET\setup.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\0wn3r\my documents\malware samples\RogueNET\YiqilaiLyrics1.5.1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\0wn3r\my documents\malware samples\RogueNET\yoyo1347_exe.exe (Trojan.Cinmus) -> Quarantined and deleted successfully.
c:\documents and settings\0wn3r\my documents\malware samples\RogueNET\zj.exe (Malware.Packer) -> Quarantined and deleted successfully.
Ade Gill
Research Engineer
