Located a Conficker Site

  • Thread starter: K.M.Kirby

K.M.Kirby

A couple days ago, I happened upon a conficker download, with its
followup "antivirus" download, while using a public terminal at a
library. I shut down the browser during both events, so perhaps the
install didn't get through.

Here is what the URL looks like from google:

LANE LAWLESSTracy - Tracy Baptist Church Lane Lawless 11000 W Clover
Rd Tracy CA 95376 2003/ 01/07. Trona - First Baptist Church Larry Cox
84661 Trona Rd Trona CA 93562 ...

http://www.esa.ipb.pt/modelo2.php?lane-lawless/


The .pt means a Portuguese location, and the search terms are "tracy
lane lawless"--can somebody report whether this site still actively
uploads the virus?
 
K.M.Kirby said:
A couple days ago, I happened upon a conficker download, with its
followup "antivirus" download, while using a public terminal at a
library. I shut down the browser during both events, so perhaps the
install didn't get through.

Here is what the URL looks like from google:

LANE LAWLESSTracy - Tracy Baptist Church Lane Lawless 11000 W Clover
Rd Tracy CA 95376 2003/ 01/07. Trona - First Baptist Church Larry Cox
84661 Trona Rd Trona CA 93562 ...

http://www.esa.ipb.pt/modelo2.php?lane-lawless/


The .pt means a Portuguese location, and the search terms are "tracy
lane lawless"--can somebody report whether this site still actively
uploads the virus?

I get:
[A página solicitada não está disponível]
which as best as I can translate indicates:
[the page you're wanting is no longer available]

As far as the search for the killer of Sandra Cantu goes,
there was a press conference scheduled but it has been canceled
 
K.M.Kirby said:

If I follow that link and close the handful of popup windows it spawns,
it eventually gets to the point where it wants me to download the file
vsm_free_setup.exe.

So I downloaded it, and submitted it to Virus Total.

VT had seen it before (March 28) but I had it scan it again. Here are the
results:

http://www.virustotal.com/analisis/a731eb8dbbfa577489da42f10a719aad

It's not conficker - it's part of the same family of malware that's been
heavily spamvertized on usenet during the past week or two. The scam
involves a fake virus-scan followed by the desire to have you download
and run the malware. I've got 1/2 dozen samples (usually named
setup.exe or install.exe) usually with the microsoft security shield for
an icon (or a variant look-alike). The sizes of my previous samples are
77 kb and 134 kb. This one is significantly larger (1.4 mb) and is
detected by a lot more AV packages (31/40) compared to the smaller ones
(5 to 10 / 40).

There were 3 other files in my browser cache (20k - 30k), two of which
looked like binary junk that I also submitted to VT, where 2 were
identified as gzip'd but nothing beyond that (no hits). The third was
an xml file list of various bbc.co.uk URLs.
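The post above describes the manual routine of hashing leftover cache files and checking them against VirusTotal. As an added example (not code from any poster in this thread), here is a small Python triage script of the kind a defender might run over a browser cache directory: it hashes every file (MD5, because that is what the VirusTotal report URLs in this thread are keyed on, plus SHA-256), flags blobs that carry the gzip magic bytes, and matches MD5s against a known-bad list. The three MD5 values are the ones from the VirusTotal report URLs quoted in this thread; the sample cache contents and the `triage_bytes`/`demo` helpers are constructed for the example.

```python
"""Triage files from a browser cache directory: hash each file, flag
gzip-compressed blobs and match MD5s against a known-bad list.
Added example for this thread, not code from any poster."""
import hashlib
import os
import tempfile

# MD5s taken from the VirusTotal report URLs posted in this thread.
KNOWN_BAD_MD5 = {
    "a731eb8dbbfa577489da42f10a719aad": "vsm_free_setup.exe (VirusRemover2009)",
    "c3fcd74d7eb8c1c90b4b700b686ab6b3": "setup.exe (MS Antispyware 2009)",
    "741fbaf861c7769631fdd954a418d0cf": "fake UPS e-mail attachment (Zbot)",
}
GZIP_MAGIC = b"\x1f\x8b"


def file_hashes(path, chunk=65536):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def is_gzip(path):
    """True if the file starts with the gzip magic bytes (1f 8b)."""
    with open(path, "rb") as fh:
        return fh.read(2) == GZIP_MAGIC


def triage_dir(cache_dir, known_bad=KNOWN_BAD_MD5):
    """Hash every regular file under cache_dir and return one record per
    file: name, size, md5, sha256, gzip flag and a known-bad label (or None)."""
    findings = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            md5, sha256 = file_hashes(path)
            findings.append({
                "name": name,
                "size": os.path.getsize(path),
                "md5": md5,
                "sha256": sha256,
                "gzip": is_gzip(path),
                "known_bad": known_bad.get(md5),
            })
    return findings


def triage_bytes(samples, known_bad=KNOWN_BAD_MD5):
    """Write constructed {name: bytes} samples to a temp dir and triage it
    (helper invented for this example so it runs offline)."""
    tmp = tempfile.mkdtemp(prefix="cache_triage_")
    for name, data in samples.items():
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(data)
    return triage_dir(tmp, known_bad)


def demo():
    """Constructed cache contents resembling the ones described in the post:
    two gzip-looking blobs and a small XML list of URLs."""
    samples = {
        "blob1": GZIP_MAGIC + b"\x08\x00" + b"\x00" * 60,
        "blob2": GZIP_MAGIC + b"\x08\x00" + b"\xff" * 40,
        "urls.xml": b"<urls><url>http://www.bbc.co.uk/</url></urls>",
    }
    return triage_bytes(samples)


if __name__ == "__main__":
    for rec in demo():
        flag = rec["known_bad"] or ("gzip blob" if rec["gzip"] else "-")
        print(f"{rec['name']:10} {rec['size']:6d} {rec['md5']} {flag}")
```

Point `triage_dir` at a real cache directory to get the same records; a known-bad hit is a reason to pull the file for submission, and a gzip-flagged blob is worth decompressing before deciding it is "binary junk". MD5 is kept only because it matches the VirusTotal report keys quoted here; the SHA-256 is what you would record and share today.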
 
IF you want a more direct way to experience this malware push, try this:

hxxp://promotion-offer.com/vsm/adv/142/?a=csptop-sst&l=371&f=cs_2037721714&ex=&ed=&h=&sub=csp&prodabbr=3P_UVSM

You'll get a blank web page with this popup dialog:

---------
Warning!!! Your computer contains various signs of viruses and malware
programs presence.

Your system requries immediate anti viruses check! VirusRemover2009
will perfom a quick and free scanning of your PC for viruses and
malicious programs.

OK Cancel
----------

So close that window.

The blank page now renders itself with what looks like a generic
antivirus app. Note that the window extends down to the bottom of your
screen, covering your taskbar.

It will throw up some cute graphics indicating that it is scanning files
and finding various worms, trojans, etc. 527 threats found! When it's
finished, it will throw up another window:

------------
The page at hxxp://promotion-offer.com says:
-----------
Your computer remains infected by viruses! They can cause data loss and
file dammages and need to be cured as soon as possible.

Return to VirusRemover 2009 and download it secure to your PC
-----------

Again, close the window. Another window opens (Windows Security
Alert). Again, close it. It doesn't go away, but another window opens
in front of it:

------------
The page at hxxp://promotion-offer.com says:
-----------
Don't close this window if you want you PC to be clean.
------------

Again, close it. Another window opens:

------------
The page at hxxp://promotion-offer.com says:
-----------
Harmful and malicious software detected. These programs may damage your
computer and steal your private information. Online Security Scanner
requires VirusVemover2009 components to repair your computer. Please
click OK to download and install VirusRemover2009 components.
-----------

Again, close the window. Now we get the generic file-download window:

---------
Opening vsm_free_setup.exe
---------
You have chosen to open vsm_free_setup.exe
which is a: Application
from: hxxp://dwnld.promotion-offer.com

Would you like to save this file?

Save file Cancel
----------

So at this point you can either save the file, or close the window. If
you also close the main window behind it, you'll get another popup
asking if you want to bookmark the page.

Again, I don't think this is conficker.
 
David H. Lipman said:
Virusremover2009 installer ?

Yes.

Being hosted or fronted by

- bonuspromooffer.com
- dwnld.promotion-offer.com
- promotion-offer.com

88.198.233.225 (for the moment anyways)

Hetzner Online AG RZ-Nuernberg
 
The malware being pushed by the usenet posts that point to find-365.com
is continuing. Today they worm their way to:

hxxp://ms-antiviral-scan-av.com/200073/scan/

and eventually try to get you to download setup.exe from
files.load-ms-av-soft.com.

It seems to use the exact same front-end web-code as VirusRemover2009 to
simulate a malware scan (that I detailed a few posts ago), but the
payload is of the size that I reported on earlier (88 kb).

I just sent a sample file to VT. VT hadn't seen this file before, and
just like the others of this type it's being flagged by a very small
percentage of AV packages (4/39).

http://www.virustotal.com/analisis/c3fcd74d7eb8c1c90b4b700b686ab6b3

It's being called MSAntispyware 2009 by Sunbelt.

Why isn't there more known about these files? Why are AV detection rates
so poor?

From Yahoo answers:

---------
MS Antispyware 2009 (MSAntispyware2009, MSAntispyware 2009) is currently
one of the most recent threats on the web. MS Antispyware 2009 is the
descendant of Pro Antispyware 2009, ProAntispyware2009 rogue
anti-spyware, which must have proven to be its fraudulent creator's
failure, due to this enormously unsuccessful word combination literally
implying "software that generates viruses".
 
David H. Lipman said:
As I said, don't blink, it will change.

Yea, but as I said:

1) why is there no info available on what exactly these things do?

2) why is the AV detection rate pathetic?
 
Dave-UK full-quoted:
When the Setup.exe is run with Vista then Windows Defender
kicks in with a warning message.
It identifies the threat as: TrojanDownloader:Win32/Renos.HL
Windows 7 ( with IE 8 ) puts up a warning message even before
the download starts.

Then why does the Microsoft AV program on Virus Total show nothing?

Microsoft 1.4502 2009.04.11 (no threat)

???

What exactly is the Microsoft app that is being run at Virus total? If
it's not Microsoft Windows Defender, then what is it?

What is Microsoft 1.4502 ?

Dave?
 
> The malware being pushed by the usenet posts that point to find-365.com
> is continuing. Today they worm their way to:
>
> hxxp://ms-antiviral-scan-av.com/200073/scan/
>
> and eventually try to get you to download setup.exe from
> files.load-ms-av-soft.com.
>
> It seems to use the exact same front-end web-code as VirusRemover2009 to
> simulate a malware scan (that I detailed a few posts ago), but the
> payload is of the size that I reported on earlier (88 kb).
>
> I just sent a sample file to VT. VT hadn't seen this file before, and
> just like the others of this type it's being flagged by a very small
> percentage of AV packages (4/39).
>
> http://www.virustotal.com/analisis/c3fcd74d7eb8c1c90b4b700b686ab6b3
>
> It's being called MSAntispyware 2009 by Sunbelt.
>
> Why isn't there more known about these files? Why are AV detection rates
> so poor?
> out and seek and install on a system.

Hello VG:

I wasn't sure if you did, so I sent the setup.exe file to about five of
the big name AV vendors. It might be an act of futility. We'll see.

I also made reference to the IP name/address of the Ukraine web site
where it came from.

HTH

Pete
 
Virus said:
Yea, but as I said:

1) why is there no info available on what exactly these things do?

2) why is the AV detection rate pathetic?


Eventually, at a certain time & day, could it morph into something
related to getting financial info?
 
> Yea, but as I said:
>
> 1) why is there no info available on what exactly these things do?
>
> 2) why is the AV detection rate pathetic?

At the risk of oversimplification, I believe if it hasn't been submitted
to the AV folk, then they won't know about it.

Pete
 
David H. Lipman said:
| 1) why is there no info available on what exactly these things do?

You KNOW what these rogues do. Why are you asking ?

I'm asking why we're not seeing anyone dissect and take these files
apart and detail their internal functionality the way they did with
conficker and other malware.

Until someone does that, all we're doing is speculating that those files
do nasty things. I agree that the odds are close to 100% that they do
do nasty things - I'm just curious as to what *exactly* they do, and why
is it so hard to perform heuristics on them.
 
[...]
> On this newsgroup (alt.comp.virus) there is a recent example, a post
> 'Asian Beauty' .
> That sends you to:
> hxxp://ms-antiviral-scan-av.com/200073/scan/
> which sends you to:
> files.load-ms-av-soft.com.
> where you can download the setup.exe file.
>
> The setup.exe is just an installer so it probably won't trigger a
> virus alert. At least when I scanned it with MalwareBytes nothing was
> reported. I don't use antivirus software so I can't scan with any.

Lucky for you it isn't a virus then, eh?

....or maybe you are running a test machine...?

> I am just saying that using Vista I could download no problem but when
> I ran setup.exe Windows Defender put up a warning box about
> TrojanDownloader:Win32/Renos.HL.

Lucky for you WD could recognize it for what it is...etc.

> The software eventually loaded is called Ms Antispyware 2009 from
> CrucialSoft Ltd.

What are the security implications of having installed the rogue
application?

> Using Windows 7, which has Internet Explorer 8, a warning box appeared
> before the download saying that the file came from a website which
> contained viruses/malware and advised against proceeding with the
> download.

That's cool, I think they're headed in the right direction.
 
Virus Guy said:
I'm asking why we're not seeing anyone dissect and take these files
apart and detail their internal functionality the way they did with
conficker and other malware.

Until someone does that, all we're doing is speculating that those
files
do nasty things. I agree that the odds are close to 100% that they do
do nasty things - I'm just curious as to what *exactly* they do, and
why
is it so hard to perform heuristics on them.

To me, it is more about the method they use to get you to run their
software (foistware) than it is about what their software does when
installed (which is more than likely something unwanted). Even if it is
just serving up advertisements, I wouldn't want it on my machine. Should
AV programs detect adware? I'm one of those that thinks they should
not - but that's just me.
 
> I don't know what Virus Total is, nor what Microsoft 1.4502 is.
> The setup.exe I am talking about is the program offered after a fake
> virus scan from websites described in your post.
>
> On this newsgroup (alt.comp.virus) there is a recent example, a post
> 'Asian Beauty' .
> That sends you to:
> hxxp://ms-antiviral-scan-av.com/200073/scan/
> which sends you to:
> files.load-ms-av-soft.com.
> where you can download the setup.exe file.
>
> The setup.exe is just an installer so it probably won't trigger a virus
> alert.

virustotal.com now shows 9/40. I have been submitting the 88,075 byte
setup.exe file to many of the bigger names in antimalware. Some are
probably not well staffed on weekends if at all.

> At least when I scanned it with MalwareBytes nothing was reported. I
> don't use antivirus software so I can't scan with any.
> I am just saying that using Vista I could download no problem but when
> I ran setup.exe Windows Defender put up a warning box about
> TrojanDownloader:Win32/Renos.HL.
> The software eventually loaded is called Ms Antispyware 2009 from
> CrucialSoft Ltd.
>
> Using Windows 7, which has Internet Explorer 8, a warning box appeared
> before the download saying that the file came from a website which
> contained viruses/malware and advised against proceeding with the
> download.

Hello Dave:

More hits would have been had if it was easier to submit suspicious
files to some antimalware vendors. However, some make you jump through
a few hoops before you're able to upload.

I believe in a few days, that file will garner a few more hits if it's
uploaded to VT again.

Best wishes,

Pete
 
> The malware being pushed by the usenet posts that point to find-365.com
> is continuing. Today they worm their way to:
>
> hxxp://ms-antiviral-scan-av.com/200073/scan/

This site may have been taken down now.

> and eventually try to get you to download setup.exe from
> files.load-ms-av-soft.com.

Although the original site would have had you download the original
"setup.exe" file, the above URL offers a larger and older piece of
"setup__.exe" malware.

> It seems to use the exact same front-end web-code as VirusRemover2009 to
> simulate a malware scan (that I detailed a few posts ago), but the
> payload is of the size that I reported on earlier (88 kb).
>
> I just sent a sample file to VT. VT hadn't seen this file before, and
> just like the others of this type it's being flagged by a very small
> percentage of AV packages (4/39).
>
> http://www.virustotal.com/analisis/c3fcd74d7eb8c1c90b4b700b686ab6b3
>
> It's being called MSAntispyware 2009 by Sunbelt.
>
> Why isn't there more known about these files? Why are AV detection rates
> so poor?

Hello VG:

Through manual submission, to as many sites as I'm aware of, you'd find
that 18+ vendors flag the 88,075 byte setup.exe file as malware now.

Surprisingly, some of the biggest names in the business had to be urged
to re-examine the setup.exe file based on increasing positives by their
competitors. Then, even when other big name antimalware vendors flag
the 88K file, the other end of the pipeline is slow in getting to the
released signature files.

Speculation leads me to believe that workload, no weekend staff, poor
skills, and probably a dozen other reasons lead to what we're seeing.

However, they do lead one to the conclusion that if the public doesn't
submit the suspected malware, we aren't going to have the needed
protection till we do.

Pete
 
1PW said:
However, they do lead one to the conclusion that if the public
doesn't submit the suspected malware, we aren't going to have
the needed protection till we do.

I don't know about anyone else, but to me it seems there's a big malware
push going on for the past week or two, and I don't know if it's
connected to conficker or not.

Many usenet postings trying to push malware (like we're talking about
here), and directly via e-mail attachments.

I get some spam at work, but very little of it contains malware (and not
because of any spam blocking or e-mail scanning, because there is
none). Today I get what purports to be an e-mail from UPS, telling me
something about a package. The e-mail originated from a machine in
Turkey.

I sent the attachment to VT, and here's the result:

http://www.virustotal.com/analisis/741fbaf861c7769631fdd954a418d0cf

It's being id'd as
- Outbreak
- Zhelatin
- Pakes
- PWSZbot
- Zbot
- Artemis
- Infostealer

Some call it a trojan, others call it a worm.

40% hit rate (16/40).
 
> I don't know about anyone else, but to me it seems there's a big malware
> push going on for the past week or two, and I don't know if it's
> connected to conficker or not.
>
> Many usenet postings trying to push malware (like we're talking about
> here), and directly via e-mail attachments.
>
> I get some spam at work, but very little of it contains malware (and not
> because of any spam blocking or e-mail scanning, because there is
> none). Today I get what purports to be an e-mail from UPS, telling me
> something about a package. The e-mail originated from a machine in
> Turkey.
>
> I sent the attachment to VT, and here's the result:
>
> http://www.virustotal.com/analisis/741fbaf861c7769631fdd954a418d0cf
>
> It's being id'd as
> - Outbreak
> - Zhelatin
> - Pakes
> - PWSZbot
> - Zbot
> - Artemis
> - Infostealer
>
> Some call it a trojan, others call it a worm.
>
> 40% hit rate (16/40).

Hello VG:

Nice catch!

Perhaps you could upload it to: <http://www.uploadmalware.com/>

I too think it's striking that some malware isn't getting their
signatures to some of the major AV provider's databases on a more timely
basis. ...if at all.

Regards,

Pete
 