These URLs, once opened, exploit the MS05-052, MS06-014, MS06-072 and MS07-017 vulnerabilities in order to execute files that install the Win32.Packed.Tibs.R rootkit (windev-*.sys).
The emails:
Email subjects:
For You....My Love
Gday
Gday, Bud
Gday, Pal
Good day!
Hello
Hello, Bud
Hey
Hey, Bud
Hey, Pal
Hi
Hi, Bud
Hi, Pal
Memories of You
Miracle of Love
Path We Share
Re:
Message bodies:
A Toast My Love
http://<blocked>.hk/
If an efficient algorithm can be found for obtaining p and q for any
given n, the system will fall apart.
---
check it
http://<blocked>.hk/
---
check this
http://<blocked>.hk/
---
Dream of You
http://<blocked>.hk/
And it struck me that what I saw in Legoland were nothing but sculptures.
---
just for you
http://<blocked>.hk/
----
just look
http://<blocked>.hk/
---
look
http://<blocked>.hk/
---
look it
http://<blocked>.hk/
---
look this
http://<blocked>.com/
---
http://<blocked>.hk/
---
read
http://<blocked>.hk/
---
read it
http://<blocked>.hk/
---
read this
http://<blocked>.hk/
---
this is for you
http://<blocked>.hk/
---
You're In My Thoughts
http://<blocked>.hk/
In all cases your site needs to look good, and in all cases your site
needs to function properly.
---
You're the One
http://<blocked>.hk/
Certainly the fight is not over.
Example:

File scans:
At the time this post was written, Avast! users are not protected (which is not the case for Antivir users).
This made it possible to add a "four" test to the Avast! VS Antivir page.
Complete scanning result of "alt.exe.exe", received in VirusTotal at 06.16.2007, 13:35:59 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.6.16.0 06.15.2007 no virus found
AntiVir 7.4.0.32 06.16.2007 TR/Small.DBY.DB
Authentium 4.93.8 06.16.2007 no virus found
Avast 4.7.997.0 06.15.2007 no virus found
AVG 7.5.0.467 06.15.2007 no virus found
BitDefender 7.2 06.16.2007 Trojan.Peed.HVR
CAT-QuickHeal 9.00 06.15.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 06.16.2007 no virus found
DrWeb 4.33 06.16.2007 Trojan.Packed.138
eSafe 7.0.15.0 06.14.2007 Suspicious Trojan/Worm
eTrust-Vet 30.7.3721 06.15.2007 no virus found
Ewido 4.0 06.16.2007 no virus found
FileAdvisor 1 06.16.2007 no virus found
Fortinet 2.85.0.0 06.16.2007 no virus found
F-Prot 4.3.2.48 06.15.2007 no virus found
F-Secure 6.70.13030.0 06.15.2007 Tibs.gen108
Ikarus T3.1.1.8 06.16.2007 no virus found
Kaspersky 4.0.2.24 06.16.2007 Email-Worm.Win32.Zhelatin.eu
McAfee 5054 06.15.2007 no virus found
Microsoft 1.2607 06.16.2007 no virus found
NOD32v2 2334 06.15.2007 no virus found
Norman 5.80.02 06.15.2007 Tibs.gen108
Panda 9.0.0.4 06.16.2007 no virus found
Prevx1 V2 06.16.2007 no virus found
Sophos 4.18.0 06.12.2007 no virus found
Sunbelt 2.2.907.0 06.16.2007 no virus found
Symantec 10 06.16.2007 no virus found
TheHacker 6.1.6.133 06.15.2007 no virus found
VBA32 3.12.0.2 06.15.2007 no virus found
VirusBuster 4.3.23:9 06.15.2007 no virus found
Webwasher-Gateway 6.0.1 06.16.2007 Worm.Win32.Malware.gen
Additional Information
File size: 133973 bytes
MD5: 6c47d4ceabff9eb0c399c96bafa0e311
SHA1: 3ad21aba1c7180ca81b3952daebf416576626981
Complete scanning result of "t.inx", received in VirusTotal at 06.16.2007, 13:36:07 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.6.16.0 06.15.2007 no virus found
AntiVir 7.4.0.32 06.16.2007 no virus found
Authentium 4.93.8 06.16.2007 no virus found
Avast 4.7.997.0 06.15.2007 no virus found
AVG 7.5.0.467 06.15.2007 no virus found
BitDefender 7.2 06.16.2007 GenPack:Trojan.Peed.NG
CAT-QuickHeal 9.00 06.15.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 06.16.2007 no virus found
DrWeb 4.33 06.16.2007 Trojan.Packed.138
eSafe 7.0.15.0 06.14.2007 Suspicious Trojan/Worm
eTrust-Vet 30.7.3721 06.15.2007 no virus found
Ewido 4.0 06.16.2007 no virus found
FileAdvisor 1 06.16.2007 no virus found
Fortinet 2.85.0.0 06.16.2007 no virus found
F-Prot 4.3.2.48 06.15.2007 no virus found
F-Secure 6.70.13030.0 06.15.2007 Tibs.gen111
Ikarus T3.1.1.8 06.16.2007 no virus found
Kaspersky 4.0.2.24 06.16.2007 Email-Worm.Win32.Zhelatin.eu
McAfee 5054 06.15.2007 no virus found
Microsoft 1.2607 06.16.2007 no virus found
NOD32v2 2334 06.15.2007 no virus found
Norman 5.80.02 06.15.2007 Tibs.gen111
Panda 9.0.0.4 06.16.2007 no virus found
Prevx1 V2 06.16.2007 no virus found
Sophos 4.18.0 06.12.2007 Mal/EncPk-E
Sunbelt 2.2.907.0 06.16.2007 VIPRE.Suspicious
Symantec 10 06.16.2007 no virus found
TheHacker 6.1.6.133 06.15.2007 no virus found
VBA32 3.12.0.2 06.15.2007 no virus found
VirusBuster 4.3.23:9 06.15.2007 no virus found
Webwasher-Gateway 6.0.1 06.16.2007 Worm.Win32.Malware.gen
Additional Information
File size: 8021 bytes
MD5: e217e39280e6248a4f6317e11a65835d
SHA1: 1c455a2db4a76b2860692a9427cc0f9711a62775
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
Source: http://www.cisrt.org/enblog/read.php?115