I typed my search keywords into Google and clicked on a few links on the first page of results. One site interested me because it was redirecting me to some other site; the malicious web page which redirects to the new page had an unnoticeable Flash file named intro.swf embedded in it. The web page on the redirected site welcomes us with a pop-up window saying "Warning!!!Your system.......". The pop-up warning window is similar across all malicious domains.
Antivirus-[a-f0-9]{3,7}_2031.exe file.
Don't try to access domains with a URI of this form:
http://maliciousdomain.com/1/?sess=p2T4yjjxMi01JmlwPTY3Ljk3LjgwLjUmdGltZT0xMjU1MUAMPQZM
The sess parameter changes with every malicious domain. I was a little suspicious of the sess parameter's value being base64 encoded; decoding it to ASCII gives
§døÊ8ñ2-5&ip=67.97.80.5&time=12551@ = L
Wow!! It contains an IP Address.
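The sess value is worth pulling apart in a repeatable way, because it shows that the redirect chain is tagging each visitor with their own IP address and a timestamp before the fake "Warning" page is served. The following is an added example (not code from the original post): it parses the redirect URI quoted above, base64-decodes the sess parameter, and recovers the ip= and time= fields while ignoring the binary prefix that decodes to non-printable bytes. The maliciousdomain.com host in the sample URI is the post's own placeholder; everything else the script needs is constructed inline, so it runs offline.

```python
import base64
import re
from urllib.parse import urlparse, parse_qs

# Constructed copy of the redirect URI quoted in the post; the host is the
# post's placeholder and the sess value is the one shown in the post.
SAMPLE_URI = ("http://maliciousdomain.com/1/?sess="
              "p2T4yjjxMi01JmlwPTY3Ljk3LjgwLjUmdGltZT0xMjU1MUAMPQZM")


def decode_sess(value: str) -> bytes:
    """Base64-decode a sess value, adding any '=' padding the URL dropped."""
    value = value.strip()
    value += "=" * (-len(value) % 4)
    return base64.b64decode(value)


def extract_tracking_fields(uri: str) -> dict:
    """Pull the tracking fields (ip=..., time=...) out of a redirect URI.

    The decoded sess blob starts with bytes that are not printable ASCII
    (the '§døÊ8ñ' seen in the post), so those are blanked out before the
    key=value regexes run. Returns {} when there is no sess parameter.
    """
    query = parse_qs(urlparse(uri).query)
    sess = query.get("sess", [None])[0]
    if sess is None:
        return {}
    raw = decode_sess(sess)
    # Keep printable ASCII only so the regexes see clean key=value text.
    text = "".join(chr(b) if 32 <= b < 127 else " " for b in raw)
    fields = {"raw_hex": raw.hex()}
    m = re.search(r"ip=(\d{1,3}(?:\.\d{1,3}){3})", text)
    if m:
        fields["ip"] = m.group(1)
    m = re.search(r"time=(\d+)", text)
    if m:
        fields["time"] = m.group(1)
    return fields


if __name__ == "__main__":
    # Running this on the sample URI prints the embedded visitor IP and
    # timestamp, which is what a proxy-log review would want to flag.
    print(extract_tracking_fields(SAMPLE_URI))
```

When reviewing proxy or web-server logs for this campaign, running every `?sess=` value through `extract_tracking_fields` gives you the IP the attacker's server recorded for each victim, which can be matched against your own NAT or egress addresses to confirm which hosts actually reached the redirect.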
Malicious Domains:
- hqvirusscanner.com
- antimalwarescanner8.com
- advancedpcscanner3.com
- best-antivirus8.com
- antivirus-fast-scan04.com
(new domains might come up soon)
File Name (regex): Antivirus_[a-z0-9]{3,7}.exe
                   Antivirus-[a-f0-9]{3,7}_2031.exe
File Size: 163840 bytes
MD5: 22fb04afad00ccaeda1f5e5892493d77
Malware Type: Browser Hijackers
Threat Level: High
- File is packed with an unknown packer.
- PEiD doesn't give any packer name.
- OllyDBG throws an exception while loading the file.
- Imports a few APIs from KERNEL32.DLL
VirusTotal report: http://www.virustotal.com/analisis/6a761c86645ca3b8b808a80f330ffb315dc5c175089abf7f8ff9ea2ddbbc57b2-1252076765
If I successfully run the malicious file then I will post a new blog. Be cautious while surfing the net and when you come across pop-ups!!