Analysis of malicious VBscript:

Yesterday, AntiVir detects a vbscript as :VBS/Dldr.Agent.sver

I try had a hand with that and try to find what it is actually doing:

Malicious script

Formatted script using malzilla

If you look at the script, it set the site name as nosensetoblock and temp folder location as tfolder. It loads a cmd file in temp location as follows:

 var genesis is equal to "%TEMP%\\keybtc.cmd", autorotatedomain="images";

 Use the Try catch method for auto reply (refer the image).

 Its good detect these kind of scripts :).

Post made by
newWorld

Trojan: Wonton

VT Information about a malicious sample:

MD5	e564d95cff4e3c7c14b8a149de41935a
SHA-1	f9c256c5b2ae937a9b04d73ac88aaa782b8770dc
SHA-256	57bab53ddf5ba525343218c78de26064d0e6b9a3cd739ebbe0ba2358ea2b7394
ssdeep	12288:jN5mEjuyhoWgXk6Eqyli7B0d6hHBZ0FAb12:jNIEjuyhoWgXk6W07B0d6hHBqFAZ2
imphash	a49926a7e80581b917867c2bd8cfdf8f
Size	416.5 KB (426496 bytes)
Type	Win32 EXE
Magic	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID	Win32 Executable MS Visual C++ (generic) (64.5%) Win32 Dynamic Link Library (generic) (13.6%) Win32 Executable (generic) (9.3%) Clipper DOS Executable (4.1%) Generic Win/DOS Executable (4.1%)

 This malware through an error message when you execute:

But if you observe the changes in the system through process explorer and process monitoring tools, you will find some process with random character as process name which points to the %Application data%. This is obviously wired. And give one hundred percent confirmation to the user that we are executed a malware. If you use inctrl, it will log all the changes made in the files, folders and registries.                                              

Leading Antivirus such as Sophos detecting these set of malwares with the name :                                        

Troj/Wonton-FE

And Eset-Nod32 detect the same malwares with the name:

a variant of Win32/Agent.VNC

sophos write up

The above snap says what sophos says about the behavior of the samples. Sophos is pretty good AV.

Stay protected. Enjoy the cyber world.

Post made by 

newWorld

Today's email scam:

Today i got a mail from BHC (as it claims like British High Commission) which i never heard. There is no message part in the mail and only an attachment (a pdf file) found. I downloaded it scan with my local exploit scanner. Nothing found.

snap of the mail

I checked what that pdf claims... it is same old 419 scams aka Nigerian scam...

snap of the pdf

It looks pretty legit and colorful... But people need to understand one thing, no one will give you million dollars without you doing nothing. 

So, my humble advice to delete these mails without read it. Also, educate your relatives and friends by creating awareness. Please check my blog for other Nigerian scams Aka 419 scams.

Post made by

newWorld