Hi Avast Community,
I wanted to report in the open an active threat that's currently not being monitored by any internet security services.
Many thanks to the Reddit Twitch community for pointing out this site.
Update: Note that the site in question has a strikethrough to prevent people from visiting the sites in question. It's recommended that you do not visit any of the sites in question, as the virus/bat seems to be a really nasty piece of malware that is taking over system32 and removing/tampering with boot files. (Thanks again to the community for the analysis.)

Brief

The site in question is called '{domain}/blog' and '{domain}/audiofix/'. A hacker seems to have scraped the twitch.tv/blog site, which is hosted with WPEngine (a firm which uses Linode servers and not Amazon EC2 instances). The site's owner claims to provide a "brand new audio codec" by downloading a zip file containing a bat file. In addition, the main stepte.ch site also includes a "system32 repairing tool", which is also a Windows bat file that deletes system32. In addition, the person is claiming to be "Helper of Twitch. Lead Webmaster. Sound Engineer", which is completely incorrect.
In addition, the root site '{domain}' also has a system32 virus remover. Here's a VirusTotal scan of that bat executable:
https://www.virustotal.com/en/file/fbf640ae0bd0da2c4101034df918910c31617a7b31d603b7900df13d67883937/analysis/1424955640/
and a Malwr scan:
https://malwr.com/analysis/ZjkxMWVkMGVjOWY1NDkwMmExZjlmMzgxMDllOGVjNzM/
SHA256: fbf640ae0bd0da2c4101034df918910c31617a7b31d603b7900df13d67883937
MD5: 9cf75d716f6b698b5433db6bad4a2877
File Analysis

Here's a Malwr analysis of the .bat file:
https://malwr.com/analysis/MWEyZTM2M2YzNTU1NGExMDkxNzkxOTgwYTk5MTU3NWY/
Here's the VirusTotal analysis of the .bat file:
https://www.virustotal.com/en/file/29c50017317cc6c79b1e6ab03e36f5b75780fdbf059615396d3a19625f35676e/analysis/1424954933/
MD5: 0535ba5eb8dbbd884a5429c5f87b810d
SHA256: 29c50017317cc6c79b1e6ab03e36f5b75780fdbf059615396d3a19625f35676e
Only 1 anti-virus vendor has picked up that the file is harmful. Upon decompression the file loads as a bat file.
Here's a file taken from the virtual machine at Malwr showing that the bat file is removing system32:
http://i.imgur.com/cjWoaoD.jpg

Domain and Host Analysis

The domain in question is registered with GoDaddy using Domain Privacy Protection. The domain was registered on 2015-02-10. The site's active DNS servers are the GoDaddy defaults, ns41.domaincontrol.com and ns42.domaincontrol.com.
The site is being hosted at {IP} (Amazon Web Services) on an EC2 instance in US West. ASN block: AS16509, if anyone is interested :-)