CastleCops, Internet Crime Fighters
Need help? Click here to register for free! Absolutely zero advertisements on this site!

Donation/Premium
spacer
Donations. Become Premium Today! Premium Icon
block bottom
Security Central
spacer
· Home
· PIRT/Fried Phish
· MIRT
· SIRT
· Deutsch
· Wiki
· Newsletter
· O16/ActiveX
· CLSID List
· Contest2007
· Downloads
· Feedback (send)
· Forums
· HijackThis
· Hijacktrend
· LSPs
· My Downloads
· O18
· O20
· O21
· O22
· O23
· O9
· Premium
· Private Messages
· Proxomitron
· Reviews
· Search
· StartupList
· Stories Archive
· Submit News
· WsIRT
· Your Account
· Acceptable Use Policy
block bottom
spacer spacer
 Forum FAQForum FAQ   SearchSearch   UsergroupsUsergroups   ProfileProfile   Login to check your private messagesLogin to check your private messages   LoginLogin   Your Favorite ForumsSelect FavForums 

down.exe and dod.exe

 
Post new topic   Reply to topic       All -> FavForums -> Unknown Files [del.icio.us!] [digg it!] [reddit!]
View previous topic :: View next topic  
Author Message
ddcc

Lieutenant
Lieutenant
Premium Member

Joined: Feb 20, 2004
Posts: 272

Premium

PostPosted: Sun Mar 02, 2008 7:20 pm    Post subject: down.exe and dod.exe
Reply with quote

These files are up on a malicious websever (xxx.hao1680.com) that tries to compromise browsing computers through numerous exploits. That webserver also seems to be linked to a larger ring of chinese malicious hosts, and is also being linked to with a 1x1 iframe by many compromised webservers (see google). That malicious webserver also seems to have a RDP server running on it.
Back to top
View users profile Send private message
maliciousbrains

Sergeant
Sergeant
Premium Member

Joined: Feb 23, 2008
Posts: 103

Premium

PostPosted: Sun Mar 02, 2008 7:34 pm    Post subject: uploaded to MMPC for analysis
Reply with quote

Attached are the stripped down exploit code from the site. This has also been uploaded to MMPC for analysis and it has been confirmed that its getting detected by Microsoft.

Symantec detected it as Downloader
http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2002-101518-4323-99


_________________
.:: Malicious Brains ::.
http://www.malwareinfo.org
http://blog.malwareinfo.org
http://forum.malwareinfo.org

There are no patches or service packs for ignorance!
Back to top
View users profile Send private message Visit posters website
maliciousbrains

Sergeant
Sergeant
Premium Member

Joined: Feb 23, 2008
Posts: 103

Premium

PostPosted: Sun Mar 02, 2008 8:37 pm    Post subject:
Reply with quote

Result: 18/32 (56.25%)

Antivirus Version Last Update Result
AhnLab-V3 2008.2.29.1 2008.02.29 -
AntiVir 7.6.0.73 2008.03.02 JS/Agent.ES
Authentium 4.93.8 2008.03.01 -
Avast 4.7.1098.0 2008.03.02 -
AVG 7.5.0.516 2008.03.02 Exploit
BitDefender 7.2 2008.03.02 Dropped:Trojan.Downloader.JS.Agent.OL
CAT-QuickHeal 9.50 2008.03.01 -
ClamAV 0.92.1 2008.03.02 -
DrWeb 4.44.0.09170 2008.03.02 -
eSafe 7.0.15.0 2008.02.28 -
eTrust-Vet 31.3.5574 2008.02.29 JS/Veemyfull!exploit
Ewido 4.0 2008.03.02 Not-A-Virus.Exploit.JS.Agent.fw
FileAdvisor 1 2008.03.02 -
Fortinet 3.14.0.0 2008.03.02 -
F-Prot 4.4.2.54 2008.03.02 -
F-Secure 6.70.13260.0 2008.03.01 HTML/IFrameBof.A
Ikarus T3.1.1.20 2008.03.02 Trojan-Downloader.JS.Agent.ol
Kaspersky 7.0.0.125 2008.03.02 Exploit.JS.RealPlr.df
McAfee 5242 2008.02.29 Exploit-RealPlay
Microsoft 1.3301 2008.03.02 Exploit:HTML/Repl.D
NOD32v2 2913 2008.03.01 JS/TrojanDownloader.Agent.NCG
Norman 5.80.02 2008.02.29 HTML/IFrameBof.A
Panda 9.0.0.4 2008.03.02 Trj/Downloader.STL
Prevx1 V2 2008.03.02 -
Rising 20.33.62.00 2008.03.02 Trojan.DL.Script.JS.Agent.mej
Sophos 4.27.0 2008.03.02 Mal/JSShell-B
Sunbelt 3.0.906.0 2008.02.28 ], [
Symantec 10 2008.03.02 Downloader
TheHacker 6.2.92.231 2008.03.02 -
VBA32 3.12.6.2 2008.02.27 -
VirusBuster 4.3.26:9 2008.03.02 -
Webwasher-Gateway 6.6.2 2008.03.02 Script.Agent.ES
Additional information
File size: 7418 bytes
MD5: 38376473b340371e09a8e89be7726b94
SHA1: e4cb450cc39bb597fad976f6725600c44eabba38
PEiD: -

As mentioned earlier, this exploit is getting detected mostly by all major AV Vendors.


_________________
.:: Malicious Brains ::.
http://www.malwareinfo.org
http://blog.malwareinfo.org
http://forum.malwareinfo.org

There are no patches or service packs for ignorance!
Back to top
View users profile Send private message Visit posters website
Display posts from previous:   
Post new topic   Reply to topic       All -> FavForums -> Unknown Files All times are GMT
Page 1 of 1

 
Quick Reply:
Username: 

Quote the last message
Attach signature (signatures can be changed in profile)
 
You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You cannot download files in this forum


Powered by phpBB © 2001 phpBB Group
2002-2008 © Computer Cops LLC dba CastleCops®. All rights reserved.
Acceptable Use Policy. Use signifies your agreement.
140ppm 0.237s (0.038s)
Making cybercriminals unhappy since 2002*
In Memory of Trpm
spacer spacer