
Another fake AV attempt linked to "Day 360 is coming"


Virus Guy

Dec 26, 2009, 11:09:25 AM
I came across this while doing more searches for "Day 360 is coming":

setup_build7_292.exe

hxxp://www. brueserberg.de/?bru=day-360-is-coming

The actual full URL for that file seems to be coded, and I believe the
code has a timing component to it that renders the URL invalid after
some period of time. For example, the first time I got that file, the
URL was this:

-----------------
hxxp://pineguard-of-pc. com/build7_292.php?cmd=getFile&counter=1
&p=p52dcWptal%2FCj8bYboBwgHle0KCfZ1bVoKDb2WpvWJjOxaCbkXp%2F
WqyopHbHXpaak2ZhZGNsnFPVpJHaotahk1ealXOL1dZ2Y2ZvZXBoa

W%2BYXo rPeKKcqaJ1ip22mZ3LapSWmWJvZm ebmJY %3D
----------------

After a few minutes, that URL became non-operative.

The last line is separated for comparison to the next time I tried it:

----------------
hxxp://pineguard-of-pc. com/build7_292.php?cmd=getFile&counter=1
&p=p52dcWptal%2FCj8bYboBwgHle0KCfZ1bVoKDb2WpvWJjOxaCbkXp%2F
WqyopHbHXpaak2ZhZGNsnFPVpJHaotahk1ealXOL1dZ2Y2ZvZXBoa

m2VY4 rPeKKcqaJ1ip22mZ3LapSWmWJvZm iZlZo %3D
-----------------

Note that the first 3 lines are the same, and so is a large section of
the 4th line. But the first and last 5 characters of the 4th line are
different. The .exe files are identical.

VirusTotal is coming back with 4 hits:

CAT-QuickHeal (Suspicious) - DNAScan
Comodo Heur.Suspicious
Sophos Mal/FakeAV-CD
Sunbelt Trojan.Win32.Generic!SB.0

The file seems to be an executable, but when Firefox offered it to me
and asked what I wanted to do with it, Firefox thought it was an Adobe
PDF file (?)

BTW, does anyone have an example of the latest PDF exploit?
merry_christmas.pdf ?
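To check the post's hypothesis that the encoded `p` parameter carries a time-varying component, here is an added example (not code from the thread) that percent-decodes and base64-decodes the two captured `p` values and reports the byte offsets where they differ. It assumes the spaces the poster inserted into the last line are alignment markers, not URL content, and that the blank line is a wrap; the host is omitted.

```python
import base64
from urllib.parse import unquote

# Query strings of the two download URLs quoted in the post (host omitted).
# The poster's alignment spaces in the last line are removed; the %2F/%2B/%3D
# escapes and the trailing '=' are what mark the value as URL-escaped base64.
FIRST_QUERY = (
    "cmd=getFile&counter=1"
    "&p=p52dcWptal%2FCj8bYboBwgHle0KCfZ1bVoKDb2WpvWJjOxaCbkXp%2F"
    "WqyopHbHXpaak2ZhZGNsnFPVpJHaotahk1ealXOL1dZ2Y2ZvZXBoa"
    "W%2BYXorPeKKcqaJ1ip22mZ3LapSWmWJvZmebmJY%3D"
)
SECOND_QUERY = (
    "cmd=getFile&counter=1"
    "&p=p52dcWptal%2FCj8bYboBwgHle0KCfZ1bVoKDb2WpvWJjOxaCbkXp%2F"
    "WqyopHbHXpaak2ZhZGNsnFPVpJHaotahk1ealXOL1dZ2Y2ZvZXBoa"
    "m2VY4rPeKKcqaJ1ip22mZ3LapSWmWJvZmiZlZo%3D"
)


def decode_p(query: str) -> bytes:
    """Extract the p= parameter, undo the percent-escaping, then base64-decode."""
    params = dict(part.split("=", 1) for part in query.split("&"))
    token = unquote(params["p"])          # %2F -> '/', %2B -> '+', %3D -> '='
    return base64.b64decode(token, validate=True)


def diff_ranges(a: bytes, b: bytes) -> list:
    """Half-open [start, end) byte ranges where two equal-length buffers differ."""
    if len(a) != len(b):
        raise ValueError("decoded tokens differ in length: %d vs %d" % (len(a), len(b)))
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


if __name__ == "__main__":
    first, second = decode_p(FIRST_QUERY), decode_p(SECOND_QUERY)
    print("decoded length:", len(first), "bytes")
    for lo, hi in diff_ranges(first, second):
        print("bytes %3d-%3d differ: %s vs %s"
              % (lo, hi - 1, first[lo:hi].hex(), second[lo:hi].hex()))
```

The decoded payload is still opaque (the server applies its own encoding under the base64), but the differences are confined to two short byte ranges while the rest of the 107 bytes is unchanged, which is what one would expect from a small embedded field such as a timestamp or expiry rather than a freshly encrypted token.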

FromTheRafters

Dec 27, 2009, 5:03:47 PM
"Virus Guy" <Vi...@Guy.com> wrote in message
news:4B363535...@Guy.com...

That's just a filename, the same as annonce.pdf.


FromTheRafters

Dec 27, 2009, 5:13:06 PM
"Virus Guy" <Vi...@Guy.com> wrote in message
news:4B363535...@Guy.com...

> BTW, does anyone have an example of the latest PDF exploit?
> merry_christmas.pdf ?

If it is this one?

http://contagiodump.blogspot.com/2009/12/this-message-shows-that-adobe-zero-day.html
