Some weird guy sent me this

Discussion in 'malware problems & news' started by Dawgonit, Nov 19, 2010.

Thread Status:
Not open for further replies.
  1. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    FLVPlayer, Delphi, UPX.

    Unpacking loses its VT detections to just one, Virut. Virut infects executables you access and opens a backdoor - none of which I detected in the time I looked at it so far.

    I think FLV player has had some problems before, bundled with malware, toolbars and other adware, and then aggressively pushed through schemes such as pay per install (PPI).
     
    Last edited: Nov 20, 2010
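    The post above identifies the sample as UPX-packed before looking at what unpacks out of it. The following is an added example (not Meriadoc's code, nor anything from the FLVPlayer project) of the triage step a defender would run first: walk the PE section table and look for packer section names and for the UPX tell of a section that occupies memory but has no bytes on disk. The PE skeleton it builds is constructed solely so the parser can be exercised offline; the packer name table is an assumption of commonly documented names and is a hint, not a verdict.

```python
import struct

# Section names that well-known packers write into the PE section table.
# UPX is the one named in the post; the others are assumptions added for breadth.
PACKER_SECTION_NAMES = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".aspack": "ASPack", b".adata": "ASPack",
    b".petite": "Petite",
    b".themida": "Themida",
    b".MPRESS1": "MPRESS", b".MPRESS2": "MPRESS",
}


def pe_sections(data):
    """Walk the PE section table and return [(name, virtual_size, raw_size), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                      # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0")
        virtual_size, _virtual_addr, raw_size = struct.unpack_from("<III", data, off + 8)
        sections.append((name, virtual_size, raw_size))
    return sections


def packer_hints(sections):
    """Packers named by section name, plus the generic tell of a section that occupies
    memory but has no bytes on disk (the unpack destination; UPX0 in UPX's case)."""
    named = sorted({PACKER_SECTION_NAMES[n] for n, _, _ in sections if n in PACKER_SECTION_NAMES})
    hollow = [n.decode("ascii", "replace") for n, vsize, rsize in sections
              if rsize == 0 and vsize > 0 and n != b".bss"]
    return {"packers": named, "hollow_sections": hollow}


def build_sample_pe(section_specs):
    """Constructed minimal PE32 skeleton: enough header to parse, not a runnable program."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional = 224                        # PE32 optional header size
    file_header = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, size_of_optional, 0x0102)
    optional_header = struct.pack("<H", 0x10B).ljust(size_of_optional, b"\0")
    table = b""
    for name, vsize, rsize in section_specs:
        table += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, 0x1000, rsize, 0x400,
                                                    0, 0, 0, 0, 0xE0000040)
    return dos_header + b"PE\0\0" + file_header + optional_header + table


# Constructed section layouts: one mimicking a UPX-packed file, one a normally linked one.
UPX_LIKE = [(b"UPX0", 0x2F000, 0), (b"UPX1", 0x15000, 0x14800), (b".rsrc", 0x3000, 0x2800)]
PLAIN = [(b".text", 0x8000, 0x7E00), (b".data", 0x2000, 0x0400), (b".rsrc", 0x3000, 0x2800)]


def triage(data):
    """Convenience wrapper: section table -> packer hints."""
    return packer_hints(pe_sections(data))


if __name__ == "__main__":
    for label, specs in (("upx-like", UPX_LIKE), ("plain", PLAIN)):
        print(label, triage(build_sample_pe(specs)))
```

Pointing `triage()` at the bytes of a real file is the same call; the section-name hit only tells you which unpacker to try next, and the post's observation that detections drop after unpacking is the reason to scan the unpacked image rather than stop at the packer.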
  2. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    there are a few suspicious reg entries

    Set Values

    Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    Value: C:\12069003.exe
    Data: C:\12069003.exe:*:Enabled:InstallerCore?

    Query Value

    Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    Value: C:\12069003.exe

    Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS
    Value: 12069003.exe

    and winsock connectivity
    • Outgoing Connections
      • HTTP Data
        • Method: GET
        • Url: 75.101.140.155/cgi-bin/utils/IP2CC.psc
        • HTTP Version: HTTP/1.1
          • Header Data
            • Accept: */*
            • Host: rp.programmersupply.com
            • User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
        • Method: POST
        • Url: 75.101.140.155/vc.psc?pcrc=1352896255
        • HTTP Version: HTTP/1.1
          • Header Data
            • Accept: */*
            • Host: rp.programmersupply.com
            • User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
            • Content-Length: 670
            • Cache-Control: no-cache
        • Method: GET
        • Url: 72.21.211.171/products/FLVPlayer.cis
        • HTTP Version: HTTP/1.1
          • Header Data
            • Range: bytes=0-102399
            • Accept: */*
            • Host: cdnus.programmersupply.com
            • User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
        • Method: GET
        • Url: 72.21.211.171/products/FLVPlayer.cis
        • HTTP Version: HTTP/1.1
          • Header Data
            • Range: bytes=307200-442058
            • Accept: */*
            • Host: cdnus.programmersupply.com
            • User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
        • Method: GET
        • Url: 178.236.5.33/products/FLVPlayer.cis
        • HTTP Version: HTTP/1.1
          • Header Data
            • Range: bytes=102400-204799
            • Accept: */*
            • Host: cdneu.programmersupply.com
            • User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
        • Method: GET
        • Url: 72.21.211.171/products/FLVPlayer.cis
        • HTTP Version: HTTP/1.1
          • Header Data
            • Range: bytes=204800-307199
            • Accept: */*
            • Host: cdnus.programmersupply.com
            • User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
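    The first registry entry in vtol's post is the one that matters for a defender: the installer adds itself to the Windows Firewall `AuthorizedApplications\List`, whose value data is laid out as `path:scope:state:display name`. The following is an added example (not vtol's code, nor anything from the sandbox that produced the listing) of parsing that format and flagging exceptions worth a second look: an executable sitting in the drive root, a numeric-only file name, or a path under a temp directory. The sample entries are constructed; the first mirrors the post's `C:\12069003.exe`, the other two are made up for contrast.

```python
import ntpath
import re

# Constructed sample of the AuthorizedApplications\List values, laid out as the post shows:
# value name = path, value data = "path:scope:state:display name".
SAMPLE_LIST = {
    r"C:\12069003.exe": r"C:\12069003.exe:*:Enabled:InstallerCore?",
    r"%ProgramFiles%\Messenger\msmsgs.exe":
        r"%ProgramFiles%\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\Documents and Settings\user\Local Settings\Temp\setup_1.exe":
        r"C:\Documents and Settings\user\Local Settings\Temp\setup_1.exe:*:Enabled:setup",
}


def parse_exception(data):
    """Split 'path:scope:state:name' without tripping over the drive-letter colon."""
    parts = data.split(":")
    if len(parts) >= 2 and len(parts[0]) == 1 and parts[0].isalpha():
        path, rest = parts[0] + ":" + parts[1], parts[2:]
    else:
        path, rest = parts[0], parts[1:]
    if len(rest) < 3:
        raise ValueError("unexpected firewall exception format: %r" % data)
    return {
        "path": path,
        "scope": rest[0],                        # '*' means any remote address
        "enabled": rest[1].lower() == "enabled",
        "name": ":".join(rest[2:]),              # display names may themselves contain ':'
    }


def suspicious_reasons(entry):
    """Heuristics for an exception that deserves a second look (hints, not verdicts)."""
    path = entry["path"]
    reasons = []
    if re.fullmatch(r"[A-Za-z]:\\?", ntpath.dirname(path)):
        reasons.append("executable in drive root")
    stem = ntpath.basename(path).rsplit(".", 1)[0]
    if stem.isdigit():
        reasons.append("numeric-only file name")
    if re.search(r"\\(temp|tmp)\\", path, re.IGNORECASE):
        reasons.append("executable in a temp directory")
    return reasons


def audit(values):
    """Map each enabled, suspicious exception to its reasons; clean entries are omitted."""
    flagged = {}
    for value_name, data in values.items():
        entry = parse_exception(data)
        reasons = suspicious_reasons(entry)
        if entry["enabled"] and reasons:
            flagged[value_name] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_LIST).items():
        print(path, "->", "; ".join(reasons))
```

On a live Windows machine the same `path -> data` pairs come from enumerating the key with `winreg.OpenKey` and `winreg.EnumValue`; feeding that dictionary to `audit()` gives the same output. The IE `FEATURE_INTERNET_SHELL_FOLDERS` entry in the post is a per-process feature-control switch and is not covered by this check.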
     
  3. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Edited above post.

    Well I'm still running a vm so let's see.
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA

    It's good to be running a good Anti-Executable in these cases so it does not have to be detected :)
     
  5. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    The problem is that not everyone has a setup with anti-ex, and a user already going to the length of checking with the VT URL scanner could think that it is OK to download from such a URL, when it is not...
     
  6. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    It is probably not malicious: the FLV installer trying to fetch data from various CDN sources.
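    Whether the CDN traffic in vtol's earlier winsock listing is one file fetched in pieces, or something else, can be settled from the `Range` headers alone. The following is an added example (not vtol's code, nor the sandbox's) that parses the bulleted listing, groups the `Range` requests by resource path, merges the byte ranges, and reports whether they stitch together into one contiguous download and from which hosts. The log text is a constructed excerpt modelled on the post (the `User-Agent` and `Accept` lines are dropped for brevity); the requests for `FLVPlayer.cis` carry the same byte ranges the post shows.

```python
import re

# Constructed excerpt modelled on the winsock log in the earlier post: two control requests
# plus the four Range requests for FLVPlayer.cis, spread over two CDN hosts.
SAMPLE_LOG = """\
• Method: GET
• Url: 75.101.140.155/cgi-bin/utils/IP2CC.psc
• HTTP Version: HTTP/1.1
  • Header Data
    • Host: rp.programmersupply.com
• Method: POST
• Url: 75.101.140.155/vc.psc?pcrc=1352896255
• HTTP Version: HTTP/1.1
  • Header Data
    • Host: rp.programmersupply.com
    • Content-Length: 670
• Method: GET
• Url: 72.21.211.171/products/FLVPlayer.cis
• HTTP Version: HTTP/1.1
  • Header Data
    • Range: bytes=0-102399
    • Host: cdnus.programmersupply.com
• Method: GET
• Url: 72.21.211.171/products/FLVPlayer.cis
• HTTP Version: HTTP/1.1
  • Header Data
    • Range: bytes=307200-442058
    • Host: cdnus.programmersupply.com
• Method: GET
• Url: 178.236.5.33/products/FLVPlayer.cis
• HTTP Version: HTTP/1.1
  • Header Data
    • Range: bytes=102400-204799
    • Host: cdneu.programmersupply.com
• Method: GET
• Url: 72.21.211.171/products/FLVPlayer.cis
• HTTP Version: HTTP/1.1
  • Header Data
    • Range: bytes=204800-307199
    • Host: cdnus.programmersupply.com
"""


def parse_requests(log):
    """Turn the bulleted sandbox listing into [{'method', 'url', 'headers': {...}}, ...]."""
    requests, current = [], None
    for raw in log.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line.startswith("Method:"):
            current = {"method": line.split(":", 1)[1].strip(), "url": "", "headers": {}}
            requests.append(current)
        elif current is None or line == "Header Data" or line.startswith("HTTP Version:"):
            continue
        elif line.startswith("Url:"):
            current["url"] = line.split(":", 1)[1].strip()
        elif ":" in line:
            key, value = line.split(":", 1)
            current["headers"][key.strip()] = value.strip()
    return requests


def range_coverage(requests):
    """Group Range requests by resource path, merge the byte ranges, report what was fetched."""
    per_resource = {}
    for req in requests:
        rng = req["headers"].get("Range")
        if not rng:
            continue
        m = re.fullmatch(r"bytes=(\d+)-(\d+)", rng)
        if not m:
            continue                                # open-ended or multi-range forms not handled
        ip, _, path = req["url"].partition("/")
        res = per_resource.setdefault("/" + path, {"ranges": [], "sources": set()})
        res["ranges"].append((int(m.group(1)), int(m.group(2))))
        res["sources"].add((ip, req["headers"].get("Host", "")))

    report = {}
    for path, res in per_resource.items():
        merged = []
        for start, end in sorted(res["ranges"]):
            if merged and start <= merged[-1][1] + 1:   # adjacent or overlapping: extend
                merged[-1] = (merged[-1][0], max(merged[-1][1], end))
            else:
                merged.append((start, end))
        gaps = [(merged[i][1] + 1, merged[i + 1][0] - 1) for i in range(len(merged) - 1)]
        report[path] = {
            "chunks": len(res["ranges"]),
            "bytes_covered": sum(end - start + 1 for start, end in merged),
            "complete_from_zero": len(merged) == 1 and merged[0][0] == 0,
            "gaps": gaps,
            "sources": sorted(res["sources"]),
        }
    return report


if __name__ == "__main__":
    for path, info in range_coverage(parse_requests(SAMPLE_LOG)).items():
        print(path, info)
```

For the post's ranges the four chunks merge into one run from byte 0 to 442058 with no gaps, pulled from two CDN hosts, which is the pattern of a segmented download of a single file rather than four different payloads. The same function over a real capture makes a gap or an overlap immediately visible.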
     
  7. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    Check out the Anubis report here. Somewhat nasty drive-by.
     
  8. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    MS VM aware but runs via Sandboxie Win 7 OK.
     
  9. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Some new URLs popping up

    -http://videosstreamnow.erufa.com/template.php?q=2791-

    -http://crazytubevideos.hostingfreeweb.info/template.php?q=4014-
     