setup_build7_292.exe
hxxp://www. brueserberg.de/?bru=day-360-is-coming
The actual full URL for that file seems to be coded, and I believe the
code has a timing component to it that renders the URL invalid after
some period of time. For example, the first time I got that file, the
URL was this:
-----------------
hxxp://pineguard-of-pc. com/build7_292.php?cmd=getFile&counter=1
&p=p52dcWptal%2FCj8bYboBwgHle0KCfZ1bVoKDb2WpvWJjOxaCbkXp%2F
WqyopHbHXpaak2ZhZGNsnFPVpJHaotahk1ealXOL1dZ2Y2ZvZXBoa
W%2BYXo rPeKKcqaJ1ip22mZ3LapSWmWJvZm ebmJY %3D
----------------
After a few minutes, that URL became non-operative.
The last line is separated for comparison to the next time I tried it:
----------------
hxxp://pineguard-of-pc. com/build7_292.php?cmd=getFile&counter=1
&p=p52dcWptal%2FCj8bYboBwgHle0KCfZ1bVoKDb2WpvWJjOxaCbkXp%2F
WqyopHbHXpaak2ZhZGNsnFPVpJHaotahk1ealXOL1dZ2Y2ZvZXBoa
m2VY4 rPeKKcqaJ1ip22mZ3LapSWmWJvZm iZlZo %3D
-----------------
Note that the first 3 lines are the same, and so is a large section of
the 4th line. But the first and last 5 characters of the 4th line are
different. The .exe files are identical.
VirusTotal is coming back with 4 hits:
CAT-QuickHeal (Suspicious) - DNAScan
Comodo Heur.Suspicious
Sophos Mal/FakeAV-CD
Sunbelt Trojan.Win32.Generic!SB.0
The file seems to be an executable, but when Firefox offered it to me
and asked what I wanted to do with it, Firefox thought it was an Adobe
PDF file (?)
BTW, does anyone have an example of the latest PDF exploit?
merry_christmas.pdf ?
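As an added example (not code from the poster), the following script makes the comparison above mechanical: it takes the two quoted URLs, strips the line breaks and the alignment spaces the poster inserted (the assumption being that those spaces are not part of the real URL), URL-decodes the `p` parameter, and reports exactly which positions of the decoded token changed between the two fetches. That is a quick way to tell a static download key from a per-request (possibly time-bound) component without guessing at the encoding.

```python
"""Compare two tokenized download URLs of the kind quoted above.

Added example, not the poster's code.  The two URLs are copied from the
post, defanging (hxxp, the space in the host name) included; the poster's
line breaks and alignment spaces are assumed to be cosmetic and are
removed before parsing.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

URL_FIRST = (
    "hxxp://pineguard-of-pc. com/build7_292.php?cmd=getFile&counter=1"
    "&p=p52dcWptal%2FCj8bYboBwgHle0KCfZ1bVoKDb2WpvWJjOxaCbkXp%2F"
    "WqyopHbHXpaak2ZhZGNsnFPVpJHaotahk1ealXOL1dZ2Y2ZvZXBoa"
    "W%2BYXo rPeKKcqaJ1ip22mZ3LapSWmWJvZm ebmJY %3D"
)
URL_SECOND = (
    "hxxp://pineguard-of-pc. com/build7_292.php?cmd=getFile&counter=1"
    "&p=p52dcWptal%2FCj8bYboBwgHle0KCfZ1bVoKDb2WpvWJjOxaCbkXp%2F"
    "WqyopHbHXpaak2ZhZGNsnFPVpJHaotahk1ealXOL1dZ2Y2ZvZXBoa"
    "m2VY4 rPeKKcqaJ1ip22mZ3LapSWmWJvZm iZlZo %3D"
)


def decoded_token(url: str, param: str = "p") -> str:
    """Return the URL-decoded value of `param` from a quoted URL.

    All whitespace is dropped first because the URL was broken over
    several lines and padded with spaces for visual alignment.
    parse_qs() performs the percent-decoding (%2F -> '/', %2B -> '+',
    %3D -> '=').
    """
    compact = re.sub(r"\s+", "", url)
    values = parse_qs(urlsplit(compact).query).get(param)
    if not values:
        raise ValueError(f"no {param}= parameter in URL")
    return values[0]


def differing_runs(a: str, b: str) -> list[tuple[int, int]]:
    """Return [start, end) index ranges where a and b differ position-wise.

    A position beyond the end of the shorter string counts as a difference,
    so a length mismatch shows up as a trailing run.
    """
    runs: list[tuple[int, int]] = []
    start = None
    longest = max(len(a), len(b))
    for i in range(longest):
        ca = a[i] if i < len(a) else None
        cb = b[i] if i < len(b) else None
        if ca != cb:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i))
            start = None
    if start is not None:
        runs.append((start, longest))
    return runs


def compare_tokens(url_a: str, url_b: str) -> dict:
    """Summarise where the decoded tokens of two URLs differ."""
    ta, tb = decoded_token(url_a), decoded_token(url_b)
    runs = differing_runs(ta, tb)
    changed = sum(end - begin for begin, end in runs)
    return {
        "length_a": len(ta),
        "length_b": len(tb),
        "runs": runs,
        "segments": [(ta[begin:end], tb[begin:end]) for begin, end in runs],
        "static_fraction": 1 - changed / max(len(ta), len(tb), 1),
    }


if __name__ == "__main__":
    report = compare_tokens(URL_FIRST, URL_SECOND)
    print(f"token lengths: {report['length_a']} / {report['length_b']}")
    for (begin, end), (seg_a, seg_b) in zip(report["runs"], report["segments"]):
        print(f"positions {begin}-{end - 1}: {seg_a!r} -> {seg_b!r}")
    print(f"static fraction of token: {report['static_fraction']:.2f}")
```

On the two URLs from the post the decoded tokens are the same length and differ in exactly two five-character runs, which matches the observation made by eye; running the same comparison on later fetches would show whether those two fields are the only ones that rotate.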
That's just a filename, the same as annonce.pdf.
> BTW, does anyone have an example of the latest PDF exploit?
> merry_christmas.pdf ?
Is it this one?
http://contagiodump.blogspot.com/2009/12/this-message-shows-that-adobe-zero-day.html