Some weird guy sent me this

Discussion in 'malware problems & news' started by Dawgonit, Nov 19, 2010.

Thread Status:
Not open for further replies.
  1. Dawgonit

    Dawgonit Registered Member

    Joined:
    Nov 19, 2010
    Posts:
    5
    Some weird guy sent me a PM at a social networking site. It said something like, "Hey I think I recognize you. Remember me? Anyway I made a video for you". So there was an image that looked like a video trying to load. Like a joke or something.

    http://img178.imageshack.us/img178/2870/104w.gif

    But then when I clicked on it it took me to this:

    -yourtube.webexploring.com/video2/video.php?q=210591-

    And then when I clicked on it, it said I had to download something to play it. A small file downloaded and it said DivX. But it was only a small kb file and nothing happened.

    So I am wondering if something was put in it to try and catch my IP address or some kind of keylogger to invade my privacy. And I am hoping that someone here might be able to understand what this is all about. It gives me the creeps.
     
    Last edited by a moderator: Nov 19, 2010
  2. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    nice drive-by, trying to get the machine infected with a variant of Win32/Kryptik.IHM trojan despite NoScript in place and blocking. it may actually have succeeded if not caught


    MD5 : 5c8ae9bec0dfeab54b0c005bdb5e5fb0
    SHA1 : dd9da30b4579a129f7eb3a389c2296a74cdedc2f
    SHA256: d2c5a419fd0e410cab1605f1f21aa02093b275f395fa6e477de6506b7d3789dc

    also being served from here -watchandstream.hostxd.com/template.php?q=8466-
     
    Last edited: Nov 19, 2010
  3. Dawgonit

    Dawgonit Registered Member

    Joined:
    Nov 19, 2010
    Posts:
    5
    What does it do? Here is what I did. I use Returnil so I downloaded the little DivX file. It did nothing so I restarted my computer.

    Do you think I am safe since I had Returnil?

    I also have Eset but Eset did not go off. Is there any type of scanner that you know of that will detect it?
     
  4. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Will close in VMware unless anti-anti-VM is in place; works fine with just, added.

    Rogue AntiVirus Studio 2010 and a whole load of trash dropped.

    analysing the packed exe now
     


    Last edited: Nov 19, 2010
  5. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    strange that NOD did not alert as they added detection today 13:16 (time is CET I trust) and the HTTP protocol filter should have caught it. perhaps it did and you did not notice? give it a shot with Hitman Pro
     
    Last edited: Nov 19, 2010
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Just need to know how to suspend and end the alerts to be able to clean up. The huge trash of files in the temp directory is mostly corrupted, but they are only there for 'detections' for/by the rogue.

    Nothing remarkable.
     
  7. Fiat_Lux

    Fiat_Lux Registered Member

    Joined:
    Nov 1, 2010
    Posts:
    180
    Do not ever click on, or download, something you consider suspicious, not even from people you actually do know; their computer could be infected without them having noticed.
    Always use sound judgement!!!
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Wow, that's a lot of exe's :eek: Can you report the infected link to Eset? If not then could you PM it to me.
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Did your AV alert you at all when downloading all that malware?
     
  10. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    The link is in the first post obfuscated by the - character.

    The files in the temp folder are benign with portions stripped from the exe. They are only there to be 'detected' by the rogue. If you tried to run them you would get an error message from Windows, 'not a valid win32 application.'

    A detection of the files would be something like Win32/Corrupt_File.XXXX or Win32/Damaged_File.XXXX.
     
  11. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    If this is directed at me, I don't run a real-time antivirus; that would be a pain for me.

    This wasn't that bad of a rogue, but some may have, as an example, an anti-malware/utility disallow-run list, sometimes entered into the registry to stop your antivirus from running.
     
    Last edited: Nov 20, 2010
  12. Dawgonit

    Dawgonit Registered Member

    Joined:
    Nov 19, 2010
    Posts:
    5
    I think Returnil saved me from it. SUPERAntiSpyware did not find anything and Hitman Pro did not find anything. Nor did Prevx. But Malwarebytes did find this:

    C:\WINDOWS\System32\winevt\Logs\Application.evtx (Trojan.Dropper) -> Delete on reboot.

    I wonder if that is a false positive?
     
  13. Dawgonit

    Dawgonit Registered Member

    Joined:
    Nov 19, 2010
    Posts:
    5
    I should have known better. Thanks for the advice.
     
  14. Dawgonit

    Dawgonit Registered Member

    Joined:
    Nov 19, 2010
    Posts:
    5
    Mine did not. I have Eset. But I also have Returnil which I think prevents anything from executing that was not already installed. So maybe that nipped it in the bud.
     
  15. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    That's an event log file (application) found in Vista or above and can be looked at with the event viewer. If you suspect a file get a second opinion with VirusTotal.
     
  16. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I was just about to suggest VirusTotal as I was reading this thread. There is a Chrome extension for this.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Meriadoc, I was actually directing that post to Dawgonit. I was just curious if he or she was running an AV, and if they were, then did it detect anything. So Meriadoc, do you use an anti-exe in your setup? If not, then what do you use, if you don't mind me asking?
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I believe you should be alright if you were running Returnil. In any case you seem to be taking the necessary precautions by running all the above on-demand scanners. To be on the safe side I would run them again in the next few days because they may not have added this infection to their database yet.

    You could use Process Explorer and look up all the processes running on your machine to make sure they are all safe. I mean you can look them up on Google if you are not sure they are safe. Just use the process of elimination until you have checked them all. The only thing is it can be time consuming. You have to pay attention to detail because malware is known to use the names of legit processes, but most of the time there will be a small difference like lower or uppercase in one or all of the letters in the name of the process, or it will not be located in the correct directory. You can also check the file's MD5 and SHA1 checksum. It's like a fingerprint to make sure it's the file it says it is.

    Then run GMER to find any hidden processes so you can check for rootkits. If you find any hidden processes on your machine then don't clean them unless you know it's safe to do so. GMER cannot tell the difference between good and bad hidden processes. It only alerts you to the fact that they are there, and gives you an option to clean your system of whatever files are causing them. Not all hidden processes are bad, and some legit services use them. I have several on my machines from Online Armor, Prevx and other software I use. Overall there should not be many hidden processes on your machine so it should be easy to figure out if they are safe. If you're not sure then ask someone you trust.

    You could also run HijackThis and see if you can find any harmful autoruns that start with Windows. Also if you have a backup image on an external drive then that could really save your A$$ in the event that something is ever able to bypass Returnil. I always prepare for the worst, and hope for the best. I believe you're probably OK though so don't panic. If you have any questions on how to do anything I stated above then let me know.

    Windows Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
    GMER: http://www.gmer.net/
     
    Last edited: Nov 20, 2010
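    An added example (my own code, not posted by anyone in this thread) that implements the two checks Cutting_Edgetech describes above: fingerprinting a file by MD5/SHA1/SHA256 and comparing it against the hashes vtol posted in this thread, and flagging a process whose name differs from a core Windows binary only by letter case or that lives outside the expected directory. The LEGIT directory table and the SAMPLE process list are assumptions I constructed; only the watchlist digests come from the thread.

```python
"""Added triage helpers: hash a file against digests posted in this thread, and
flag process entries that impersonate core Windows binaries by case or location."""
import hashlib
import ntpath  # apply Windows path rules even when this runs elsewhere
WATCHLIST = {  # digests as posted in this thread (post 2 dropper, post 22 FoxTab FLV Player)
    "md5": {"5c8ae9bec0dfeab54b0c005bdb5e5fb0", "6218442a0cf155bab2c399b947bfa62f"},
    "sha1": {"dd9da30b4579a129f7eb3a389c2296a74cdedc2f", "8796911bfb5359c0e76868a647869685a306de63"},
    "sha256": {"d2c5a419fd0e410cab1605f1f21aa02093b275f395fa6e477de6506b7d3789dc",
               "346c205ad2bcab7df094aeadfd26cde3ba0ac14f824b9bd0be7dc732e9e439bb"},
}
LEGIT = {  # canonical name -> directory (assumption: default Windows install paths)
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

def hash_bytes(data):
    """MD5/SHA1/SHA256 hex digests of data: the file's 'fingerprint'."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}

def file_hashes(path):
    with open(path, "rb") as fh:
        return hash_bytes(fh.read())

def matches_watchlist(hashes):
    """Algorithms under which the digest is on the watchlist; empty set means no match."""
    return {algo for algo, digest in hashes.items() if digest in WATCHLIST.get(algo, ())}

def process_findings(name, path):
    """Reasons a process entry looks like a lookalike of a legitimate binary ([] if none)."""
    canon = name.lower()
    if canon not in LEGIT:
        return []  # no reference for this name; look it up by hand as the post suggests
    reasons = []
    if name != canon:
        reasons.append("case differs from %r" % canon)
    if ntpath.dirname(path).lower() != LEGIT[canon]:
        reasons.append("unexpected directory %r" % ntpath.dirname(path))
    return reasons

SAMPLE = [  # constructed process list, not from the thread
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("SvcHost.exe", r"C:\Users\Public\SvcHost.exe"),
    ("explorer.exe", r"C:\Windows\explorer.exe"),
]
if __name__ == "__main__":
    for name, path in SAMPLE:
        print(name, path, "->", "; ".join(process_findings(name, path)) or "ok")
    print(matches_watchlist(hash_bytes(b"abc")) or "no watchlist match")
```

    Point file_hashes() at a downloaded file and a non-empty set from matches_watchlist() means it is one of the samples discussed here; an empty set only means it is not on this short list, so still get the VirusTotal second opinion mentioned below.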
  19. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    :thumb: Also VirusTotal has a 'send to' VT tool so you can easily right-click a file and up it. Results open in a browser window.
     
  20. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    At home mostly Virtualization/App-V/ThinApps/Altiris/Sandboxing/Shadowing, x64 but mostly work with x86, some OS inbuilt hardening, imaging and brain.dll
    I do run different specific VMWare snap-shots for what I'm doing and also snap-shots to try out apps. Yes, one I have is AE2, I also use FD-ISR Pro and Server, a DeepFreeze/AE2 setup and currently playing with HyperOS.
    I use an appliance which can use antivirus, antispyware for traffic analysis and also keep sections of the network apart, eg kids machines.

    At work some of the same but antivirus (and home of course :) ) would be a hindrance. I only come close to using antivirus for sample classifying and sorting with another tool, also using Linux. I also use Mac and BSD. Maybe sometime I will go more into it. My other vocation is different.
     
    Last edited: Nov 21, 2010
  21. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    just tested it, but it does not detect the malicious file (redirected) and thus would not be of help in a case like this. not even using the VT website URL scanner for the domain serving the file directly (-watchandstream.hostxd.com/template.php?q=8466-) catches the bad guy. reckon that the URL scanner is no worthy opponent for pages serving malicious stuff
     
    Last edited: Nov 20, 2010
  22. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    just looked into the webpage code, curiously containing a Google ad

    GET -http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7504753824096866&output=html&h=60&slotname=2554967806&w=468&lmt=1290272793&flash=10.1.103&url=http%3A%2F%2Fyourtube.webexploring.com%2Fvideo2%2Fvideo.php%3Fq%3D210591&dt=1290276393030&shv=r20101110&jsv=r20101117&correlator=1290276393033&frm=0&adk=3117613139&ga_vid=1138613009.1290276394&ga_sid=1290276394&ga_hid=1294525155&ga_fc=0&u_tz=60&u_his=3&u_java=1&u_h=1078&u_w=1920&u_ah=1078&u_aw=1920&u_cd=16&u_nplug=13&u_nmime=58&biw=1918&bih=1017&fu=0&ifi=1&dtd=602&xpc=yq76BiZt8S&p=http%3A//yourtube.webexploring.com- HTTP/1.1
    Host: googleads.g.doubleclick.net

    which leads to

    -http://apps.foxtab.com/flvplayer/-

    there is then a download of the FoxTab FLV Player

    MD5 : 6218442a0cf155bab2c399b947bfa62f
    SHA1 : 8796911bfb5359c0e76868a647869685a306de63
    SHA256: 346c205ad2bcab7df094aeadfd26cde3ba0ac14f824b9bd0be7dc732e9e439bb

    some AV do classify it as malware, e.g. Virus.Win32.Virut.X6 or Adware.FlvPlayer.14 or just as malware.

    what makes it especially interesting is that, if not an FP, it is being served off a legit domain, as foxtab.com is providing a plug-in for FF. in which case it begs the question whether the domain has been compromised or is malicious, and then the FF plug-in perhaps is too

    would appreciate if somebody could look into this FoxTab FLV Player and see what it does, or whether it is just an FP. if not, most of the AV are not alert to it by now.

    there is another one on the domain -http://apps.foxtab.com/flvconverter/-

    MD5 : dabe2084a58cea96f63c470f7efa0f00
    SHA1 : 85f3c0624450d072a43666a8640497c8e79241a9
    SHA256: 2e276e15b96ceeae41806f18928e5a81d5c316c994618e0c53522f6bbc596dce
     
    Last edited: Nov 20, 2010
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Very interesting setup. I use virtualization software for just about everything. It's allowed me to learn so much without having to worry about breaking my machine lol. Right now I'm learning a lot of new registry tweaks, and I would not be so inclined to try half the things I do without it. I use it more for software testing and security than anything. I wish I could say I was a very knowledgeable Linux user, but I have a lot to learn before I can make Linux more useful to me. I'm just glad to have learned about Wine a while back (last year) so I can run some of the apps I use on Windows on Linux. As far as Macs... where's the button to turn it on lol.... I'm not that bad, but seriously I have rarely ever used one.
     
    Last edited: Nov 20, 2010
  24. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    OK. Thank you very much. :thumb:
     
  25. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    OK, that's just scary! :eek:
     