Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on March 15, 2012, 07:58:19 PM

Title: Real trojan dropper here?
Post by: polonus on March 15, 2012, 07:58:19 PM
See: htxp://zulu.zscaler.com/submission/show/e66e15874416bdd9a98f60f30828bb1c-1331837415
See: htxps://www.virustotal.com/file/9adc195082d1bfc59baf5a9036c8c60c8d0325934ab3e356ef853f476e2e20ab/analysis/
Analysis see: hxtp://anubis.iseclab.org/?action=result&task_id=1ce5256b86470a4a4416c834172a11b26
Reported to virus AT avast dot com,

polonus
Title: Re: Real trojan dropper here?
Post by: Pondus on March 15, 2012, 08:19:25 PM
well...difficult to say since the link is dead: http://www.downforeveryoneorjustme.com/http://tube142-hosting.fartit.com/download-id58046/

but from the zulu link it seems there used to be a flash_player.exe there....since the link is dead I guess it was fake   ;)
http://zulu.zscaler.com/submission/show/9f6699a45bbb88611a57ed582c373ac4-1331838890
Title: Re: Real trojan dropper here?
Post by: polonus on March 15, 2012, 11:21:59 PM
Hi Pondus,

Some links on that page fartit dot com sure were laden with many malicious scripts, trojans and exploits

Trying to go there, I get a failure: Name or service not known>resolves to a private IP address -> Accept-Encoding: gzip
GET /submission/show/e66e15874416bdd9a98f60f30828bb1c-1331837415 HTTP/1.0

Received Header Data
HTTP/1.1 403 Forbidden
Date: Thu, 15 Mar 2012 22:08:50 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 336
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /submission/show/e66e15874416bdd9a98f60f30828bb1c-1331837415
on this server.</p>
<hr>
<address>Apache/2.2.14 (Ubuntu) Server at 127.0.0.1 Port 80</address></body></html>
Analysis for fartit dot com found these issues:
This is not encouraging: hxtp://www.mywot.com/en/scorecard/fartit.com?src=addon-popup-donuts
This link there is suspicious: hxtp://www.google.com/safebrowsing/diagnostic?site=http%3A//freeddns.com/
and this outward link  is even worse: htxp://www.google.com/safebrowsing/diagnostic?site=http%3A//freetcp.com/
and then there is this link also with malcontent: htxp://www.google.com/safebrowsing/diagnostic?site=freewww.biz

polonus