Category: Malware Analysis

Trojan-Dropper.Win32.Ambler

Recently a user submitted a suspicious file; he informed us that he had downloaded the file from a website that served it as a video codec. Below is the report of the virus scanner: Report Generated: 18.3.2009 at 16.34.15 (GMT 1) File Name: setup_exe File Size: 63 KB MD5 Hash: A11E0E5389C93738D793E850C8AAA1C1 SHA...

Rustock is back again more active than ever!

Recently Steve received some new .EXE files classified as Rootkit.Rustock, and we analyzed one of them to see if the beast Rustock is still active. The bad news is that the results of this analysis reveal that the spam activity of Rustock is still highly active… During the analysis we noticed that the malware used […]

LuckySploit – New exploit kit

In the last few days a user submitted a new sample of an exploit kit called LuckySploit. This new exploit kit (similar to the EL.FIESTA Exploit Kit) is a set of .HTML files used to spread malware by drive-by download; the files are full of obfuscated malicious JavaScript code. A small part of […]

Virus.Win32.Virut.q (analysis and removal instructions)

Recently a user sent us a suspicious file that, according to him, was downloaded from a website that required a video codec to play a Flash movie; the video codec was hosted on the same website. The file name of the malicious executable is video_plugin.exe, and when the file is […]

PROHIBITED_MATRIMONY.rar Spam = Worm.Win32.Mabezat

We have recently received an email that contains a ZIP archive named: PROHIBITED_MATRIMONY.rar The subject of the email is: ABOUT PEOPLE WITH WHOM MATRIMONY IS PROHIBITED The file extracted from PROHIBITED_MATRIMONY.rar is named Readme.doc.exe; note that it has a double extension to trick the user into thinking that it is a norm...

Christmas Postcard Spam and Trojan.Win32.Waledac

Steve sent me a sample of malware classified as Trojan.Win32.Waledac that he received in some Christmas postcard spam emails with the following subjects: Merry Christmas and best wishes just for you Merry Christmas 2009! A super Xmas card for you Merry XXXmas! You’ve got a Merry Christmas greeting e-card I made this e-card...

Fake Codec that installs Zlob Trojan

We have found another website that tricks users into downloading a fake codec that actually installs the Zlob Trojan. The phrase used to trick the user into downloading the codec is always the same: Hey Download this Codec that is needed to play the video. If you click on one of the 3 […]

Rustock Rootkit Variants and TDSServ Kit

Analysis Content: Rustock Rootkit Variants and TDSServ Kit Released: 21.12.2008 Author of Analysis: Robert (robert@novirusthanks.org) Sample submitted by: Steve (steve@novirusthanks.org) Thanks to: Fyyre (www.fyyre.net) Website: http://www.novirusthanks.org Today we will analyze another Rustock rootkit variant and the famous TDS...

Fake Flash Player and Trojan DNSChanger.gen

Steve found a very interesting sample in the wild that looks like a fake Flash Player and installs the DNSChanger trojan on the victim’s computer. The malicious file is named FlashPlayer.v..exe: Report Generated 10.12.2008 at 16.48.20 (GMT 1) Filename: FlashPlayer.v..exe File size: 78 KB MD5 Hash: D2EBDAB38246882A8A39...

EL.FIESTA Exploit Kit

This time Steve found another website distributing malware through exploits; it appears to be a new exploit kit named EL.FIESTA that shows the attackers various basic statistics on the exploitation status. It seems that this exploit kit uses PHP and SQL, as most exploit kits do, and from the image we can […]