Author Topic: trojan rarc.


rus

  • Guest
trojan rarc.
« on: June 05, 2010, 12:03:51 PM »
The site "xxtp://zakatchayka1.info/search?r=1753&q=mega download good file" (instead of "mega download good file" there may be any text) hosts malware.

References to this site show up on Russian internet search services when you enter the word "загрузить".

If you press "скачать" (it corresponds to "download"), a file is downloaded with a name of the form "mega_download_good_file-12345678.exe".
"mega_download_good" is the text from the site URL, where the space symbol is replaced with "_", and "12345678" is a random 8-digit number.
This file is ostensibly a self-extracting archive with the needed file.
After running this file, a window shows up with text requiring you to send an SMS to the short number 2858 to get an access code.
After sending the SMS and carrying out the remaining requests, you understand that this is not a self-extracting archive with the needed file, but an embedded IE window with the site hxxp://za-premium.com/?id=12345678 :)
This site, as written in the caption of this window, is protected, but it may be opened from IE without sending an SMS, simply by inserting the number from the downloaded file name in the URL after id.
Avast does not catch this trojan.
Please add this trojan "rarc" to your database.
« Last Edit: June 05, 2010, 03:00:42 PM by misak »
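A defender-side check for the naming scheme described in the post above, as an added example that is not part of the original thread: it flags downloads whose file name is the search text with underscores plus an 8-digit id, and records whether that name is literally the referrer's q= search text (the "archive" is named after whatever was typed, not after any real content). The log format, the example.com lines and the extra ids are constructed for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Naming scheme reported in the thread: the search words joined with "_", a dash,
# a random 8-digit number, then ".exe".
RARC_NAME_RE = re.compile(r"^(?P<stem>[A-Za-z0-9_]+)-(?P<id>\d{8})\.exe$", re.IGNORECASE)


def classify_download(filename: str) -> Optional[Tuple[str, str]]:
    """Return (recovered search text, 8-digit id) if the name follows the scheme, else None."""
    m = RARC_NAME_RE.match(filename.strip())
    if m is None:
        return None
    return m.group("stem").replace("_", " "), m.group("id")


def name_derived_from_query(referrer_url: str, filename: str) -> bool:
    """True when the file name is just the referrer's q= search text, i.e. the 'archive'
    was named after whatever the user typed rather than after any real content."""
    match = classify_download(filename)
    if match is None:
        return False
    q = parse_qs(urlparse(referrer_url).query).get("q", [""])[0]
    return match[0].casefold() == q.strip().casefold()


# Constructed sample download log (hypothetical format): timestamp, referrer URL, saved name.
SAMPLE_LOG = """\
2010-06-05T12:01Z hxxp://zakatchayka1.info/search?r=1753&q=mega+download+good+file mega_download_good_file-12345678.exe
2010-06-05T12:07Z hxxp://zakatchayka1.info/search?r=1753&q=photoshop+crack photoshop_crack-87654321.exe
2010-06-05T12:09Z hxxp://example.com/files vlc-1.0.6-win32.exe
2010-06-05T12:11Z hxxp://example.com/dl?q=something+else setup_pack-11112222.exe
"""


def scan_log(text: str) -> List[Tuple[str, str, bool]]:
    """Flag downloads whose name matches the scheme; the bool says whether the name was
    also derived from the referrer's search query (the stronger indicator)."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _, referrer, filename = parts
        match = classify_download(filename)
        if match is not None:
            hits.append((filename, match[1], name_derived_from_query(referrer, filename)))
    return hits
```

The id column is the value worth keeping for correlation, since the report says the same number is reused in the premium-page URL.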

13thSlayer

  • Guest
Re: trojan rarc.
« Reply #1 on: June 05, 2010, 01:52:24 PM »
za-premium.com is a torrent tracker.
The first site you linked to (please remove the link by changing "http" to "hxxp" and www to xxx) has an AdSubscribe-family virus in it.
I'll write back after I have more results.
http://www.virustotal.com/analisis/5e7c7a86529770adbc6cffd14628d90ded47a16cb27298c7bc4f25b5153c2425-1275739178 - see this. Despite the fact that only 3 antiviruses detect it, it's still a virus, I'm sure of it.
« Last Edit: June 05, 2010, 02:01:47 PM by 13thSlayer »

rus

  • Guest
Re: trojan rarc.
« Reply #2 on: June 06, 2010, 08:43:38 PM »
Now 5 antiviruses detect it (http://www.virustotal.com/ru/analisis/f217a65f075e3846a67f8dbafdefef03d6a19de189ef634238e2121609285d37-1275847343).
Info from Dr.Web (http://news.drweb.com/show/?i=1083&lng=ru&c=5): this trojan was created before 8 March 2010, is distributed by more than 20 Russian hosts and has changed, since the screenshot differs a little.
List of hosts from Dr.Web:

polonus

  • Avast Überevangelist
Re: trojan rarc.
« Reply #3 on: June 06, 2010, 09:13:55 PM »
Hi rus,

Only detected so-far by TrendMicro: za-premium.com... malicious
If you have it on your machine, you're likely infected with a strain of the beagle.bn worm.
Thanks for reporting,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!