Hard work never fails!: July 2013

Wednesday, July 17, 2013

Recently, i come across a malware which stops avast antivirus services, after the execution of the malware.

Its an upx packed file: unpacked it and found the strings which are targeted to stop mainly avast services-

steps:

Already, Installed avast edition in windows xp environment or higher version.

Run that malware. After the restart of our system, we will find the following- avast services are stopped.

There is message we can see in the avast that system unsecured that avast antivirus program has been stopped and please restart the program.

There is option as start program in avast.

Then a process called visthaux.exe starts running in the process explorer. But that process unable to restart the avast service.

Even restarting the system and tried to start the avast process- it didn't start.

Ok, then i try to scan my system, but when i press the start scanning: it through the message as unable to start scan-

Only thing Avast need to do- is to detect that malware. Today it detects the malware (prevention is better than cure).

Regards,

Monday, July 1, 2013

Last week, I received a spam mail in my Gmail account. It gives me the message as: to view the doc, please click here and login!

I viewed this link in the dedicated environment (for analysis). The link is hxxp://spirtbaza.com/bggle.doc/index.htm

In order view this doc, need to login using any of the following account.

I just use some random user id and some random password. It accepts those non existing id and redirected to Google doc page - https://productforums.google.com/forum/#!category-topic/docs/documents

I also captured the packets:

WHOIS information for spirtbaza.com:***

Domain Name: SPIRTBAZA.COM

Registrar: LLC "REGISTRAR OF DOMAIN NAMES REG.RU"

Whois Server: whois.reg.ru

Referral URL: http://www.reg.ru

Name Server: NS23.RUWEB.NET

Name Server: NS45.RUWEB.NET

Status: clientTransferProhibited

Regards,

Hard work never fails!