CastleCops, Internet Crime Fighters
Need help? Click here to register for free! Absolutely zero advertisements on this site!

Donation/Premium
spacer
Donations. Become Premium Today! Premium Icon
block bottom
Security Central
spacer
· Home
· PIRT/Fried Phish
· MIRT
· SIRT
· Deutsch
· Wiki
· Newsletter
· O16/ActiveX
· CLSID List
· Contest2007
· Downloads
· Feedback (send)
· Forums
· HijackThis
· Hijacktrend
· LSPs
· My Downloads
· O18
· O20
· O21
· O22
· O23
· O9
· Premium
· Private Messages
· Proxomitron
· Reviews
· Search
· StartupList
· Stories Archive
· Submit News
· WsIRT
· Your Account
· Acceptable Use Policy
block bottom
spacer spacer
 Forum FAQForum FAQ   SearchSearch   UsergroupsUsergroups   ProfileProfile   Login to check your private messagesLogin to check your private messages   LoginLogin   Your Favorite ForumsSelect FavForums 

gamecodec1000.exe (md5sum 48f06d7b3005193afc17029070892921)

 
Post new topic   Reply to topic       All -> FavForums -> Web Malware Links [del.icio.us!] [digg it!] [reddit!]
View previous topic :: View next topic  
Author Message
philipp2

Trooper
Trooper


Joined: Apr 11, 2008
Posts: 22
Location: Germany
PostPosted: Sat Apr 12, 2008 12:55 pm    Post subject: gamecodec1000.exe (md5sum 48f06d7b3005193afc17029070892921)
Reply with quote

hxxp://gamecodec.com/download/gamecodec1000.exe

av detection: 10/31 (32.26%)

AhnLab-V3 2008.4.12.0 2008.04.11 -
AntiVir 7.6.0.85 2008.04.11 DR/Dldr.DNSChanger.Gen
Authentium 4.93.8 2008.04.11 -
Avast 4.8.1169.0 2008.04.12 -
AVG 7.5.0.516 2008.04.11 DNSChanger.AA
BitDefender 7.2 2008.04.12 Dropped:Trojan.Downloader.Zlob.ABOU
CAT-QuickHeal 9.50 2008.04.12 -
ClamAV 0.92.1 2008.04.12 -
DrWeb 4.44.0.09170 2008.04.12 -
eSafe 7.0.15.0 2008.04.09 -
eTrust-Vet 31.3.5692 2008.04.11 -
Ewido 4.0 2008.04.12 -
F-Prot 4.4.2.54 2008.04.11 W32/Trojan2.AIES
F-Secure 6.70.13260.0 2008.04.11 W32/Malware
FileAdvisor 1 2008.04.12 -
Fortinet 3.14.0.0 2008.04.12 -
Ikarus T3.1.1.26.0 2008.04.12 -
Kaspersky 7.0.0.125 2008.04.12 Trojan.Win32.DNSChanger.arn
McAfee 5272 2008.04.11 -
Microsoft 1.3408 2008.04.12 -
NOD32v2 3020 2008.04.11 -
Norman 5.80.02 2008.04.12 W32/Malware
Panda 9.0.0.4 2008.04.12 -
Prevx1 V2 2008.04.12 Generic.Dropper.xCodec
Rising 20.39.52.00 2008.04.12 -
Sophos 4.28.0 2008.04.12 -
Sunbelt 3.0.1041.0 2008.04.12 -
TheHacker 6.2.92.275 2008.04.12 -
VBA32 3.12.6.4 2008.04.06 MalwareScope.Trojan.DnsChange.2
VirusBuster 4.3.26:9 2008.04.11 -
Webwasher-Gateway 6.6.2 2008.04.11 Trojan.Dropper.Dldr.DNSChanger.Gen

weitere Informationen
File size: 237131 bytes
MD5...: 48f06d7b3005193afc17029070892921
SHA1..: ffda8fcbaba75a1a78c6f7dee7d99d0fa8cf0381
SHA256: 3d7bc9d14d4b01ef95bced6c1f19fe26cc61b1e2632ca0450b0cd64413bac8ed
SHA512: b6785c3c5c81e04d7e0f10b4637d57f0f95ad3ce0437d781f79008f88dcc8007
accbf34a32cdd88234e6d9f8aa1b70bb972fd2bce41853b4ea7a13a0d383a777
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x403247
timedatestamp.....: 0x47acc8bc (Fri Feb 08 21:25:16 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5ca2 0x5e00 6.46 d80b6bf509dd220aab97a196c2d7e93d
.rdata 0x7000 0x129c 0x1400 5.05 2059ce25d4311b5e6824e32f198b18ff
.data 0x9000 0x25c78 0x400 4.88 86379c8d87f3aeefce174e9015ff66c4
.ndata 0x2f000 0xa000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x39000 0x41f8 0x4200 5.88 738149f83fa51602d2b6bc7de0000dc7

( 8 imports )
> KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
> USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

( 0 exports )



the following domains are used to spread this trojan:

Code:

64.28.178.226
-------------
porn-play.net
cruiseporn.com
porndrive.net
porn-global.net
porn-go.net
pornhelp.net
porn-party.net

64.28.178.228
-------------
porn-contact.com
porn-power.net
porn-abc.com
business-adult.com   
pornabout.com
pornname.net
porn-room.net
porn-group.net
porn-plus.net

64.28.179.18
------------
look-porn.com
play-porn.com
relatedporn.com
comp-adult.com
business-adult.com
controladult.com
compadult.com
service-sex.com

64.28.179.19
------------
party-porn.com
serviceporn.com
sexother.com
engine-adult.com
seek-adult.com
pleasureadult.com
time-sex.com
part-sex.com
try-sex.com
estatesex.com

64.28.179.20
------------
porn-sea.com
porn-name.com
porn-look.com
plus-porn.com
contactporn.com
inc-adult.com
drive-adult.com
u-adult.com
related-sex.com
custom-sex.com
review-sex.com

64.28.179.21
------------
porn-cruise.com
about-porn.com
driveporn.com
sex-other.com
basic-adult.com
popular-adult.com
other-adult.com
center-adult.com
porn-www.com
pleasure-sex.com

64.28.179.22
------------
name-adult.com   
room-adult.com   
nameadult.com
partadult.com

64.28.183.170
-------------
adultzoneworld.com
adultstarworld.com
adultsexpro.com
adultsexcar.com
adultvideodot.com
aboutadultsex.com
bestpriceporn.com
chatroomonporn.com
dontforporn.com
coolbestporn.com
pissing-video-xxx.com (not this gallery)

64.28.183.171
-------------
latina-pornmovie.com (not this gallery)
funpornsite.com
getscammedporn.com
getforporn.com
ispfiltersporn.com
dontgetporn.com
dontporn.com
funxxxporn.com
nameofpornstar.com
hotxxxadult.com
findadultsex.com

64.28.183.172
-------------
pornxxxfilm.com
porntimeguide.com
pornsexcafe.com
playhardmovie.com
playxvideo.com
pornvideosteens.com
pornissex.com
playhardmovie.net
pornxvideo.net
playxxxvideo.net

64.28.183.173
-------------
theadulteye.com
superadultfriend.com
stephieporn.com
superliveporn.com
usbestporn.com
teenporntop.com
theadultpost.com
superporncity.com
teenxvideo.net

64.28.183.174
-------------
worldbestadult.com
xxxadultgold.com
videomegaporn.com
youbepornstar.com
xxxvideoadult.net

64.28.185.74
------------
pleasure-adult.com
try-adult.com
uinsex.com
xerosex.com
qazsex.com
look-adult.net
visit-adult.net
brakesex.net

64.28.185.75
------------
abc-adult.com
sexwhite.net
sexclean.net
sexnitro.net
group-adult.net
contact-adult.net
about-adult.net
sexwot.net

64.28.185.76
------------
pleasure-porn.com
megazporn.com
sexxero.com
brakeporn.net
helpporn.net
lightporn.net
name-adult.net
poweradult.net

64.28.185.77
------------
porn-comp.com
service-porn.com
xeroporn.com
pornqaz.com
scan-porn.net
useporn.net
xhporn.net
delfiporn.net

64.28.185.78
------------
pornbrake.com
porn-popular.com
pornultra.net
porn-the.net
pornfire.net
porn-pleasure.net
porn-look.net
pornnitro.net

Back to top
View users profile Send private message
tetak

MIRT Team Lead
Premium Member

Joined: Jan 19, 2007
Posts: 5879

MIRT Premium

PostPosted: Sat Apr 12, 2008 2:46 pm    Post subject:
Reply with quote

Thanks for posting the link, I've added the file to the malware listserv.

CastleCops Link/p1077725-MD5_6e9179427aa49306afec1cdea660b127_gamecodec1000_exe.html


_________________
Got Windows XP? Help protect your PC from malware with Microsofts anti-spyware program Windows Defender.

Download it for free from http://www.microsoft.com/athome/security/spyware/software/default.mspx
Back to top
View users profile Send private message
Display posts from previous:   
Post new topic   Reply to topic       All -> FavForums -> Web Malware Links All times are GMT
Page 1 of 1

 
Quick Reply:
Username: 

Quote the last message
Attach signature (signatures can be changed in profile)
 
You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You cannot download files in this forum


Powered by phpBB © 2001 phpBB Group
2002-2008 © Computer Cops LLC dba CastleCops®. All rights reserved.
Acceptable Use Policy. Use signifies your agreement.
135ppm 0.228s (0.033s)
Making cybercriminals unhappy since 2002*
In Memory of Trpm
spacer spacer