As of 8:44 pm EST Sunday night - fileden is serving up some malware


Virus Guy

If you go to fileden.com right now, the site will try to push a browser
add-on at you, as well as the file "manual.pdf".

I uploaded it to VT, where it's being detected only by Avast5 and Gdata
as JS:Pdfka-gen.
 
Virus said:
If you go to fileden.com right now, the site will try to push a
browser add-on at you, as well as the file "manual.pdf".

I uploaded it to VT, where it's being detected only by Avast5
and Gdata as JS:Pdfka-gen.

Here is a direct link for that file:

hxxp://z3co.co.cc/games/pdf.php?f=17
 
From: "Virus Guy" <[email protected]>

| If you go to fileden.com right now, the site will try to push a browser
| add-on at you, as well as the file "manual.pdf".

| I uploaded it to VT, where it's being detected only by Avast5 and Gdata
| as JS:Pdfka-gen.

fileden.com isn't doing anything for me.
 
David H. Lipman said:
From: "Virus Guy" <[email protected]>

| If you go to fileden.com right now, the site will try to push
| a browser add-on at you, as well as the file "manual.pdf".

fileden.com isn't doing anything for me.

Yea, I just checked (11:45 pm) and it's clean now.

But the file is still available from here:

z3co.co.cc/games/pdf.php?f=17
 
Ant said:
Five PDF exploits:

Collab.collectEmailInfo
Collab.getIcon
media.newPlayer
util.printd
util.printf

Shellcode downloads (URLDownloadToCacheFileA) and runs whatever
executable this points to:
z3co.co.cc/k.php?f=17&e=3

which was 0 bytes when I tried, and the filename used to save it
was invalid (not manual.pdf).

manual.pdf is the name you get from the link above - which is the same
even if you drop the "=17" part.
Maybe it's geo-sensitive or just broken.

I also get a 0 length file from z3co.co.cc/k.php?f=17&e=3.
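For triaging a file like the one discussed in this thread, the sketch below inflates a PDF's streams and reports which of the five Acrobat JavaScript API names listed above appear. It is an added example, not code from any poster; the function names are hypothetical and the sample bytes are a constructed, inert PDF-like fragment.

```python
import re
import zlib

# The five Acrobat JavaScript API names listed in the post above.
SUSPECT_APIS = (
    "Collab.collectEmailInfo", "Collab.getIcon",
    "media.newPlayer", "util.printd", "util.printf",
)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
NAME_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_names(raw: bytes) -> bytes:
    """Undo #xx escapes in PDF names (e.g. /J#61vaScript -> /JavaScript)."""
    return NAME_HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def stream_bodies(raw: bytes):
    """Yield each stream body, inflated when it is valid zlib data."""
    for m in STREAM_RE.finditer(raw):
        body = m.group(1)
        try:
            body = zlib.decompressobj().decompress(body)
        except zlib.error:
            pass  # not Flate-compressed, or damaged: scan the bytes as-is
        yield body


def triage_pdf(raw: bytes) -> dict:
    """Report JavaScript markers and which listed API names appear."""
    names = decode_names(raw)
    text = b"\n".join([raw, *stream_bodies(raw)])
    return {
        "has_javascript": b"/JavaScript" in names or b"/JS" in names,
        "auto_action": b"/OpenAction" in names or b"/AA" in names,
        "apis": sorted(a for a in SUSPECT_APIS if a.encode() in text),
    }


def build_sample() -> bytes:
    """Constructed, inert sample: one compressed stream of harmless text."""
    js = zlib.compress(b"// inert placeholder\n" * 4 + b"util.printf Collab.getIcon")
    return (b"%PDF-1.4\n1 0 obj<</OpenAction 2 0 R>>endobj\n"
            b"2 0 obj<</S/J#61vaScript/JS 3 0 R>>endobj\n"
            b"3 0 obj<</Filter/FlateDecode/Length " + str(len(js)).encode()
            + b">>\nstream\n" + js + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print(triage_pdf(build_sample()))
```

A hit is only a reason to look closer in an isolated environment: these API names also appear in benign documents, and the scan does not handle other stream filters or encrypted PDFs.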
 