Author Topic: programas-gratis.net  (Read 3600 times)


Armoniak

programas-gratis.net
« on: May 26, 2011, 08:37:07 PM »
Hi:

I tried to download a file from:  hxxp://ares-destiny.programas-gratis.net/descargapublica
it redirect me to hxxp://www.downloadmr.com/dmr/d/2p6z/ares_destiny.exe

Next, the software tried to install offerbox adware, eorezzo adware and a toolbar from facemood on me. All in the same package  ;D
« Last Edit: May 26, 2011, 11:55:55 PM by igor »

polonus
Re: programas-gratis.net
« Reply #1 on: May 26, 2011, 10:20:29 PM »
Hi Armoniak,

Please make the links non-click-through, for instance with -http or hxxp,
because they could cause damage if launched accidentally.
Upload the malcode file(s) to virus AT avast dot com
-http://www.downloadmr.com/dmr/d/2p6z/ares_destiny.exe redirects to 
Error Reason:Moved Temporarily
Redirected-to : see under ->
-http://www.downloadmr.com/download/s125963/ares_destiny.exe
-http://www.downloadmr.com/download/s125963/ares_destiny.exe - archive BINARYRES
>-http://www.downloadmr.com/download/s125963/ares_destiny.exe/data001 packed by XOREXE
>>-http://www.downloadmr.com/download/s125963/ares_destiny.exe/data001 packed by FLY-CODE

The redirected site is suspicious, see: http://wepawet.iseclab.org/view.php?hash=720e3766c9fc95b0daf49fc9ad680401&t=1306439871&type=js

Accompanying Anubis report here: http://anubis.iseclab.org/?action=result&task_id=134f36253029f6974c9afdba11d8502d5

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
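The request above to post links in a non-clickable form is a common forum hygiene rule for sharing malware URLs. The following is an added example, not code from the thread or from any project mentioned in it: a small Python helper that defangs a URL the way the thread does (hxxp scheme, the "-" prefix convention dropped, and additionally dots in the host written as [.]), reverses the transformation for an analyst who needs the live URL, and scans a draft post for links that would still auto-link. All sample URLs in the test are constructed example domains, not the indicators from this thread.

```python
import re

# A URL with an http/https (or already defanged hxxp/hxxps) scheme, optionally
# preceded by the "-" convention used in the forum post above.
_URL_RE = re.compile(
    r"(?P<dash>-?)(?P<scheme>h(?:xx|tt)ps?)://(?P<host>[^/\s]+)(?P<rest>\S*)",
    re.IGNORECASE,
)

# A live link a forum engine would turn clickable: http(s):// not preceded by
# "-" or a word character (so "hxxp://" and "-http://" are not matched).
_LIVE_RE = re.compile(r"(?<![-\w])https?://\S+", re.IGNORECASE)


def defang(url: str) -> str:
    """Return a non-clickable form of url: http -> hxxp and host dots -> [.].

    Only the host part is bracketed; the path is left readable because
    auto-linkers key on the scheme and host. Applying defang() twice yields
    the same result as applying it once.
    """
    m = _URL_RE.fullmatch(url.strip())
    if m is None:
        return url  # not a URL we know how to defang; leave it untouched
    scheme = m.group("scheme").lower().replace("tt", "xx")
    # Normalise an already-bracketed host first so "[.]" is never doubled.
    host = m.group("host").replace("[.]", ".").replace(".", "[.]")
    return f"{scheme}://{host}{m.group('rest')}"


def refang(url: str) -> str:
    """Reverse defang(): hxxp -> http and [.] -> . (for analyst tooling only)."""
    m = _URL_RE.fullmatch(url.strip())
    if m is None:
        return url
    scheme = m.group("scheme").lower().replace("xx", "tt")
    host = m.group("host").replace("[.]", ".")
    return f"{scheme}://{host}{m.group('rest')}"


def find_live_links(text: str) -> list[str]:
    """Return every URL in a draft post that would still be clickable."""
    return _LIVE_RE.findall(text)


if __name__ == "__main__":
    # Constructed sample post, not text from the thread.
    draft = ("I downloaded http://www.example.com/setup/app.exe which redirected "
             "to -http://mirror.example.net/s1/app.exe and hxxp://cdn.example.org/x")
    for link in find_live_links(draft):
        print(f"still clickable: {link}  ->  {defang(link)}")
```

Running the block as a script lists the single clickable link in the constructed draft and its defanged form; the refang() helper exists so the same indicator can be fed back to a sandbox or URL scanner without hand-editing.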

Armoniak
Re: programas-gratis.net
« Reply #2 on: May 27, 2011, 12:32:34 PM »
I will do  ;D

All of the files come from programas-gratis.net. They redirect to a random URL from downloadmr.com.
It's a download-manager style. The funniest thing is that they offer to install an Avast antivirus Tutorial with Eorezzo adware inside.


polonus
Re: programas-gratis.net
« Reply #3 on: May 28, 2011, 12:03:44 AM »
Hi Armoniak,

The detection is for a Trojan.Agent, belonging to the larger family of the Doly Trojan malware, which also has a sub-family by the name of Lolok Trojan (backdoor); also see: http://www.file.net/process/irsetup.exe.html (contents next to 720e3766c9.exe (random file executable)).
Inside the malware we find an MD5 hash code leading to this ThreatExpert report: http://www.threatexpert.com/report.aspx?md5=3fe7c92dba5c9240b4ab0d6a87e6166a+
packed with: PE_Patch.UPX (Kaspersky's)

Conclusion: this is a Trojan.Bredolab variant, here distributed by drive-by-download attack.

polonus
« Last Edit: May 28, 2011, 12:08:11 AM by polonus »

jrivero
Re: programas-gratis.net
« Reply #4 on: May 31, 2011, 09:56:06 AM »
Hi!

I'm new to the forum and I am one of the programmers of DownloadMR.

1. DownloadMR does not try to install any software for which no manual authorization has been given by the user. You have the option of not installing any of the suggested applications.

2. I do not understand what leads to the conclusion that it has a trojan, as I know the code and this is not real. It is not a trojan.

OK.

We are using "Setup Factory 8.0" to create this package. Could there be a problem with this?

Now we have a new version that replaces "Setup Factory" with "NSIS". But I tested the new file with virustotal.com and the same happens. Could this be the reason?

Regards,
Jordi