
Thread: URLANDEXIT tag in WMV

  1. #1 (posted by evaluator)

    URLANDEXIT tag in WMV

    Fake torrent: the URLANDEXIT tag inside the WMV file contains
    http://tpbtrack.com/index.php
    which redirects to http://microsoftmedicenter.com/ for download of
    codec_update2.7.exe

    Kill this web page soon, Don W!
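The URLANDEXIT command the first post refers to is stored in the ASF Script Command Object of the WMV header. Added example (not code from this thread or its attachments): a Python scanner that walks the header, lists every script command and returns the URLANDEXIT targets, which is the check a defender would run on a suspect WMV before any player opens it. The sample file it builds is constructed after the ASF specification's object layout, and the URL placed in it is a placeholder, not one from the thread.

```python
import struct
import uuid

# ASF object GUIDs from the ASF specification; on disk they are little-endian.
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
SCRIPT_CMD = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le
SCRIPT_CMD_RESERVED = uuid.UUID("4B1ACBE3-100B-11D0-A39B-00A0C90348F6").bytes_le

def parse_script_commands(data: bytes):
    """Return (command_type, command_name, presentation_ms) tuples from all Script Command Objects."""
    if data[:16] != ASF_HEADER:
        raise ValueError("not an ASF/WMV file")
    header_size, count = struct.unpack_from("<QI", data, 16)
    pos, found = 30, []  # 30 = GUID + size + object count + 2 reserved bytes
    for _ in range(count):
        if pos + 24 > header_size:
            break  # truncated header: stop rather than read past it
        guid, size = data[pos:pos + 16], struct.unpack_from("<Q", data, pos + 16)[0]
        if guid == SCRIPT_CMD:
            found.extend(_parse_script_object(data[pos + 24:pos + size]))
        pos += max(size, 24)  # never stall on a bogus zero-length object
    return found

def _parse_script_object(body: bytes):
    # Body: reserved GUID, commands count, command types count, type names, commands.
    n_cmds, n_types = struct.unpack_from("<HH", body, 16)
    pos, types = 20, []
    for _ in range(n_types):
        ln = struct.unpack_from("<H", body, pos)[0]  # char count of a UTF-16LE name
        types.append(body[pos + 2:pos + 2 + 2 * ln].decode("utf-16-le"))
        pos += 2 + 2 * ln
    cmds = []
    for _ in range(n_cmds):
        pt_ms, idx, ln = struct.unpack_from("<IHH", body, pos)
        name = body[pos + 8:pos + 8 + 2 * ln].decode("utf-16-le")
        cmds.append((types[idx] if idx < len(types) else "?", name, pt_ms))
        pos += 8 + 2 * ln
    return cmds

def url_and_exit_targets(data: bytes):
    """URLs a player would be sent to when a URLANDEXIT command fires."""
    return [n for t, n, _ in parse_script_commands(data) if t.upper() == "URLANDEXIT"]

def build_sample(url: str) -> bytes:
    """Constructed minimal ASF header carrying one URLANDEXIT command (test input)."""
    wstr = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    body = SCRIPT_CMD_RESERVED + struct.pack("<HH", 1, 1) + wstr("URLANDEXIT")
    body += struct.pack("<IH", 0, 0) + wstr(url)  # fires at 0 ms, type index 0
    obj = SCRIPT_CMD + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj
```

Run `url_and_exit_targets(open(path, "rb").read())` on a downloaded file; a non-empty result means the player would be redirected when the clip ends.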

  2. #2
    Howdy,

    I can't kill it, eval; Comodo won't let me.

    Don W

  3. #3 (posted by evaluator)
    happi mu yer! Don Wooma!

    You are a true fighter against malware!
    Today I checked, and microsoftmedicenter does not exist... also tpbtrack.com..

    But wait! What if we type:
    http://www.tpbtrack.com/
    !>!>!>

    It works! And it redirects to:

    http://microsoftmediaplayer.net/pluginerror/

    Bonus site for malware download:
    http://ppirush.com/list.txt

  4. #4
    Howdy,

    The redirect doesn't work.
    Firefox can't find the server at microsoftmediaplayer.net.

    Micro probably had that site killed.

    Woodmann
    Learn Or Die.

  5. #5 (posted by evaluator)
    Not killed at all..
    Maybe for you that address is just blocked as malicious?
    Here is a TCP dump of the session with the malware..

    DNS-query:
    91.121.97.116 > ks28732.kimsufi.com

  6. #6 (posted by a registered user from Bucharest, Romania)
    Quote Originally Posted by evaluator:
        Not killed at all..
        Maybe for you that address is just blocked as malicious?
    I can confirm that; the site is still online. Hmm, it's the good old codec scam. Wonder how many will fall for it again.

  7. #7

    Mal/FakeDouf-B [Sophos]

    http://www.virustotal.com/analisis/3a4b84557ffbbd32cdaf43efbc0ba5d11a5b22d690580da5930a79da0027b662-1266157076 (8/41)
    Also submitted on TE/Jotti/CWSandbox/Norman/Sunbelt

    Registry changes and network activity are interesting...

    Ensures it runs at every start
    Code:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "TOY5KNQ8OC" = C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\Hm1.exe
    Drops shit (bet it's a backdoor)
    Code:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SSHNAS\Parameters "ServiceDll" = [REG_EXPAND_SZ, value: C:\WINDOWS\system32\sshnas21.dll]
    Changes filetype association:
    Code:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cpp ""
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cpp "ContentType"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cpp "TemplateUrl"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cpp "ScriptOk"
    Crypted config to avoid e-z detection
    Code:
    HKEY_CURRENT_USER\Software\TOY5KNQ8OC "Hr0" = tSLPLpWL7R22spR48AI743bz2Kge8sERw0qmuz25hgohx8cxtNMwr8rBWqitGUb/zraVBDDj5hLpEwYXNxEcPXZ9sJFaDKKtXmxIvCsKfL3BUK2YmKdwy0wP+mREmBu3qeV4TyHp6lc/8xIj6ehCR1T2ygeXbopFSi+wcuZzVX7WEc60vs/gvM40+JErmIzaB2QhZba725R1sr2kOfmVOMnMlPUv0JruzRQ9mA==
    Abuses your TCP/IP network
    Code:
    \Device\Tcp
    \Device\Ip
    \Device\Ip
    \Device\Tcp6
    \Device\RasAcd
    Adds tasks (and hides them)
    Code:
    C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
    Checks for nifty tools
    Code:
    Open File: \\.\SICE (OPEN_EXISTING)
    Open File: \\.\NTICE (OPEN_EXISTING)
    Open File: \\.\SIWVIDSTART (OPEN_EXISTING)
    Open File: \\.\VMDRV (OPEN_EXISTING)
    Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
    Posts shit to infected sites
    Code:
    http://66.199.229.230/bbgfvdfv.php?data=v26MmjSySdemXz907AUYROBra+ftI9M9b4xfTXYnLRkHCVTSihWLzGqhA0jEdVaN1M6V6shGcAiBMF4QEHbzbYSRtufQpaX/NPttvu7rkw== (workartsstudio.com) 
    http://64.20.38.251/logos/2aac1e812a13a04cf10ec85187f31ca7b22154fc7b77b63fec5e37e6648b5f8a317d04508db39388c/64d84457f3e/logo.gif (homeartscenter.com) 
    http://94.75.228.24/werber/34f8b457d37/217.gif (multiartshouse.com) 
    http://69.10.35.253/perce/9acc6e112a53a02cf1fef83147c3fc073291b47c8b77c66ffccea7e6e42baf7ae11d94007d4333783/24a874f7a37/qwerce.gif (tangoartsshow.com)
    http://208.43.125.180/oms.php (yourgot.com)
    http://66.197.161.246/resolution.php (motorolam.com) 
    http://66.197.161.247/borders.php (easyaw.com)

    etc etc...

    MMPC report status (so they can shut this prick down): https://www.microsoft.com/security/portal/Submission/SubmissionHistory.aspx?SubmissionId=e3d2c8a8-480b-4228-bdf3-5b7f2f302ba2&n=1
    Last edited by Silkut; February 14th, 2010 at 10:39. Reason: addendum

  8. #8 (posted by evaluator)
    Today I checked, and
    http://www.tpbtrack.com/
    is for sale..

    DonWooma, you are amazing!!

    But still alive is:
    http://microsoftmediaplayer.net/pluginerror/

  9. #9
    Why must you do this to me.

    DW
    Learn Or Die.
