Discussion in 'malware problems & news' started by Dermot7, May 31, 2012.
@ Dermot7 Thanks for posting
Analysis - http://anubis.iseclab.org/?action=result&task_id=12b5685b5b5acd2b4e5d5093fc3479d87&format=html
Noted from the above, DAKOTAVOLANDOS.COM
Is it Chinese or Russian or ?
I managed to get hold of it & run it. As usual I had to first allow it, & then the other stuff it spawned, through ProcessGuard.
readme (2).exe = MD5: 08ab7f68c6b3a4a2a745cc244d41d213 launches winver.exe then deletes readme (2).exe
winver.exe then launches Version Reporter Applet which wanted out, so I allowed it. The funny thing is that it goes to IP 220.127.116.11 which is http://www.barefruit.com/background/error_resolution.php
Not sure why that should be, ANY ideas ? And also my ISP's DNS.
I didn't notice anything unusual in Anything, when typing in false info at RBS, & PrevxSafeOnline didn't blink, or detect it. One possible reason for nothing bad happening was that my FW blocked incoming. As my time on this was short, I didn't pursue it.
Here's some screenies
But the injection into web browsers can only occur AFTER the initial executable has been RUN...
...so anti-execution and policy restrictions will still block this piece of malware completely...
If that crap tried to automatically download and run on my computer, all I would see is an X-box message from group policy.
HitmanPro.Alert automatically detects this without signature.