Title: Malware and Spam emails : (Suspicious sign in prevented)
Post by: escrow.ms on March 30, 2014, 10:14:23 PM

I got a mail same as other members, as you can see here (https://bitcointalk.org/index.php?topic=548777.msg5973960#msg5973960). It looks like a simple phishing mail with the title "Suspicious sign in prevented", but it's more than that.

Email is probably being sent via a PHP mailer from a hacked server (wohnmobileunited.de): https://i.imgur.com/pdOmbWg.png

If you move your mouse over the button you will see a shortlink. I copied that link and it redirected me to a phishing cum landing page that gives a warning about outdated Firefox and tries to install an XPI file by running it: https://i.imgur.com/9AZh9bh.png

The XPI file is hosted on Dropbox. Now I tried to download that addon, renamed .xpi to .zip and extracted its content: https://i.imgur.com/4zoskKk.png

Voila... There's an exe in it, which is a custom bot cum password stealer that downloads more files onto your PC automatically. But how is it getting executed? The answer is in the JavaScript file: https://i.imgur.com/JwNikQL.png

It connects to a domain and some servers:
zuzuri.x64.me
79.172.242.88

x64.me is a free DNS domain: https://www.dnsdynamic.org

Virus scan report (most antiviruses are unable to detect it as it's crypted): https://www.virustotal.com/en/file/02293d8b45e69f4dc0d69eb85553c5b6f97c47789689bc03bc0af729f4b25e0d/analysis/1396215000/

You can see the full analysis here: https://malwr.com/analysis/MjZhN2ExYzQ2MzBmNGI5ZDhiNjExNzM4NTQ1MGM1YjA/

Now when you try to find more info about that zuzuri.x64.me domain, you will get scan links of other malware that includes a .scr file and a PDF (PDF exploit):
https://malwr.com/analysis/MDIyZGFkNGNmMGM4NGFhZmFjMGM1OTdiMTY3YmJkNGM/
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~AutoIt-AGU/detailed-analysis.aspx

Title: Re: Malware and Spam emails : (Suspicious sign in prevented)
Post by: E.exchanger on March 30, 2014, 10:45:54 PM

Omg, so it was more than phishing. No antivirus can detect it, ok, I understand it, but there has to be some way possible to remove it, isn't there any??? Plus how to check if it's running in my system or not???
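The manual triage escrow.ms describes in the first post (rename the .xpi to .zip, unpack it, look for a dropped exe and read the loader script for the hosts it contacts) can be done without installing the add-on at all. The following is an added example and not code from the thread; the sample XPI it builds in memory, the file names inside it and the host/IP values are all constructed for this example, not the real indicators from the post.

```python
import io
import re
import zipfile

# Indicator patterns commonly found in dropper scripts.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
PE_MAGIC = b"MZ"  # every Windows PE image starts with this DOS stub header
SCRIPT_EXTS = (".js", ".jsm", ".json", ".rdf")


def triage_xpi(xpi_bytes):
    """Inspect an XPI (a plain ZIP archive) without installing it.

    Returns the entry names, the entries that are PE executables (checked
    by magic bytes rather than extension, so a renamed .exe is still
    caught), and host/IP indicators found in script and manifest files.
    """
    report = {"entries": [], "executables": [], "indicators": set()}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for info in zf.infolist():
            report["entries"].append(info.filename)
            data = zf.read(info.filename)
            if data[:2] == PE_MAGIC:
                report["executables"].append(info.filename)
            if info.filename.lower().endswith(SCRIPT_EXTS):
                text = data.decode("utf-8", errors="replace")
                report["indicators"].update(IPV4_RE.findall(text))
                report["indicators"].update(HOST_RE.findall(text))
    report["indicators"] = sorted(report["indicators"])
    return report


def build_sample_xpi():
    """Construct (in memory) an XPI shaped like the one in the post: an
    install manifest, a dropped PE hidden under a harmless name, and a JS
    loader that names a remote host. All values here are constructed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.rdf", "<RDF/>")
        # PE payload disguised as data: the MZ header gives it away.
        zf.writestr("content/update.dat", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("content/loader.js",
                    'var u = "http://c2.example.invalid/x"; var ip = "192.0.2.10";')
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_xpi(build_sample_xpi()))
```

Feeding a real XPI's bytes to triage_xpi gives a quick list of things to submit to a scanner or block at the proxy before anyone runs the add-on.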
Title: Re: Malware and Spam emails : (Suspicious sign in prevented)
Post by: escrow.ms on March 30, 2014, 10:56:20 PM

    Quote from: E.exchanger on March 30, 2014, 10:45:54 PM
    Omg, so it was more than phishing. No antivirus can detect it, ok, I understand it, but there has to be some way possible to remove it, isn't there any??? Plus how to check if it's running in my system or not???

Install any AV that detected it successfully on VirusTotal, and if you have installed that XPI addon your PC is probably infected. You can download Malwarebytes StartUp Lite and look for any random startup entry, and check running processes (http://www.comodo.com/business-security/network-protection/cleaning_essentials.php).

Title: Re: Malware and Spam emails : (Suspicious sign in prevented)
Post by: E.exchanger on March 30, 2014, 11:03:57 PM

    Quote from: escrow.ms on March 30, 2014, 10:56:20 PM
        Quote from: E.exchanger on March 30, 2014, 10:45:54 PM
        Omg, so it was more than phishing. No antivirus can detect it, ok, I understand it, but there has to be some way possible to remove it, isn't there any??? Plus how to check if it's running in my system or not???
    Install any AV that detected it successfully on VirusTotal, and if you have installed that XPI addon your PC is probably infected. You can download Malwarebytes StartUp Lite and look for any random startup entry, and check running processes (there is a process checker on comodo.com).

Title: Re: Malware and Spam emails : (Suspicious sign in prevented)
Post by: jodybay on March 31, 2014, 05:27:01 PM

Same thing happened to me last March 21, 2014. Google and Yahoo popped up the same message at the same time: http://i62.tinypic.com/339p151.jpg

Title: Re: Malware and Spam emails : (Suspicious sign in prevented)
Post by: platorin on May 31, 2014, 07:03:11 PM

Never open messages like that one, nor download anything that is asked for there.
Title: Re: Malware and Spam emails : (Suspicious sign in prevented)
Post by: Xelpherpolis on May 31, 2014, 07:38:28 PM

Ahh, very clever little beast that is. Thanks for putting the effort into finding this out and posting it :)
Title: Re: Malware and Spam emails : (Suspicious sign in prevented)
Post by: acs267 on May 31, 2014, 09:25:03 PM

Thanks for posting this. Do you have any idea how they got your e-mail? Hopefully, I didn't get one.