New Malware P2P-Worm.Win32.Palevo.aefb

A place to discuss malware of every flavor, e.g. Storm, Waledac, Conficker and Zeus

Postby roberto7888 » Mon May 03, 2010 10:44 am

Hello,
I received a new malware. The link is mynet-com.com/tube.swf and it tries to download a fake Adobe Flash update: FlashPlayer10.0.45.2.exe
It is not detected by antivirus software. I sent complaints to united-domains AG, Key Systems GMBH and Cert Germany.

see there:
http://www.virustotal.com/fr/analisis/c ... 1272873252
http://virscan.org/report/2c3ba00e267e6 ... 4967f.html
http://anubis.iseclab.org/?action=resul ... ormat=html
http://www.threatexpert.com/report.aspx ... 78d18e5406


DOMAIN: MYNET-COM.COM
RSP: united-domains AG
URL: hxxp://www.united-domains.de/

ICANN Registrar: KEY-SYSTEMS GMBH
Created: 2010-04-25
Expires: 2011-04-25
Updated: 2010-04-25
Registrar Status: ok
Name Server: NS.UDAGDNS.DE (has 208,166 domains)
Name Server: NS.UDAGDNS.NET (has 369,107 domains)
Whois Server: whois.rrpproxy.net

owner-contact: P-AGR739
owner-organization: Senor
owner-fname: Abdullah
owner-lname: Rahnuma
owner-street: Gerberau 1
owner-city: Freiburg
owner-zip: 79098
owner-country: DE
owner-phone: +49.1774722035
owner-email:

admin-contact: P-AGR739
admin-organization: Senor
admin-fname: Abdullah
admin-lname: Rahnuma
admin-street: Gerberau 1
admin-city: Freiburg
admin-zip: 79098
admin-country: DE
admin-phone: +49.1774722035
admin-email:

tech-contact: P-NCT21
tech-organization: united-domains AG
tech-title: Herr
tech-fname: Hostmaster
tech-lname: Hostmaster
tech-street: Gautinger Strasse 10
tech-city: Starnberg
tech-zip: 82319
tech-country: DE
tech-phone: +49.8151368670
tech-fax: +49.81513686777
tech-email:

billing-contact: P-JKH21
billing-organization: united-domains AG
billing-title: Herr
billing-fname: Billing
billing-lname: Master
billing-street: Gautinger Strasse 10
billing-city: Starnberg
billing-zip: 82319
billing-country: DE
billing-phone: +49.8151368670
billing-fax: +49.81513686777
billing-email:

nameserver: ns.udagdns.de
nameserver: ns.udagdns.net
Last edited by roberto7888 on Thu May 06, 2010 3:50 am, edited 1 time in total.
roberto7888
Spam Muncher
Posts: 842
Joined: Tue Jan 02, 2007 11:04 am

Re: New Malware

Postby AlphaCentauri » Mon May 03, 2010 5:03 pm

Are you registered at Spywarehammer.com? Some of the folks there like to get copies of stuff like that to take it apart and see what it does.

I think this is a public forum:
http://spywarehammer.com/simplemachines ... board=81.0

You have to zip the sample with password protection. The password must be "infected". You can go ahead and leave the file extension as .exe.txt when you zip it -- they'll figure it out.

ZipGenius is a good free utility if you don't have one:
http://download.cnet.com/ZipGenius-Stan ... 79818.html
AlphaCentauri
You are kiillllling-a my bizinisss!
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: New Malware

Postby roberto7888 » Tue May 04, 2010 4:12 am

The link mynet-com.com/tube.swf is inactive. It is redirected to united-domains.de/webspace/webspace.html

Thanks united-domains AG, the host.

Re: New Malware

Postby roberto7888 » Tue May 04, 2010 5:07 am

I have a reply from Domain Abuse Manager Key-Systems GmbH.

Date: Tue, 04 May 2010 10:55:59 +0200
From: Domain Abuse Manager Key-Systems GmbH <abuse@key-systems.net>
Subject: Re: Removal request: mynet-com.com
Return-Path: abuse@key-systems.net

Dear roberto7888,
thank you for your message. The corresponding domain has already been deactivated by our reseller.

--

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann
- legal department -

Key-Systems GmbH
Prager Ring 4-12
DE-66482 Zweibruecken
Tel.: (edited)
Email: **** [at] key-systems. net (Email edited)

Web: hXXp://www.key-systems.net / hXXp://www.RRPproxy.net
hXXp://www.domaindiscount24.com / hXXp://www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated:
hXXp://www.key-systems.net/facebook
hXXp://www.twitter.com/key_systems

CEO: Alexander Siffrin
Registration No.: HR B 1861 - Zweibruecken
V.A.T. ID.: DE211006534

Re: New Malware

Postby roberto7888 » Thu May 06, 2010 3:44 am

It is now well detected by antivirus software. :D

http://virscan.org/report/71cb7ea13da95 ... 45ddb.html
File information
File Name : FlashPlayer10.0.45.2b.exe
File Size : 423923 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 6d893fe3bd58ba53e37ba89b63f05db3
SHA1 : cab725adb89eaa0fcb0d41c5d9f419209e26adf0
Scanner results
Scanner results : 50% Scanner(s) (18/36) found malware!
Time : 2010/05/06 09:38:38 (CEST)
Scanner | Engine Ver | Sig Ver | Sig Date | Scan result | Time
a-squared | 4.5.0.8 | 20100506053122 | 2010-05-06 | P2P-Worm.Win32.Palevo!IK | 6.878
AhnLab V3 | 2010.05.06.00 | 2010.05.06 | 2010-05-06 | - | 3.171
AntiVir | 8.2.1.236 | 7.10.7.46 | 2010-05-05 | DR/Palevo.aefb | 0.256
Antiy | 2.0.18 | 20100505.4326784 | 2010-05-05 | - | 0.119
Arcavir | 2009 | 201005051803 | 2010-05-05 | Heur.W32 | 0.081
Authentium | 5.1.1 | 201005060256 | 2010-05-06 | - | 1.626
AVAST! | 4.7.4 | 100505-1 | 2010-05-05 | - | 0.025
AVG | 8.5.793 | 271.1.1/2856 | 2010-05-06 | - | 0.455
BitDefender | 7.81008.5764056 | 7.31529 | 2010-05-06 | - | 3.819
ClamAV | 0.95.3 | 10928 | 2010-05-06 | Worm.Palevo-7555 | 0.073
Comodo | 3.13.579 | 4777 | 2010-05-06 | Heur.Suspicious | 1.243
CP Secure | 1.3.0.5 | 2010.05.06 | 2010-05-06 | - | 0.089
Dr.Web | 5.0.2.3300 | 2010.05.06 | 2010-05-06 | Win32.HLLW.Lime.307 | 7.112
F-Prot | 4.4.4.56 | 20100506 | 2010-05-06 | - | 1.669
F-Secure | 7.02.73807 | 2010.05.06.04 | 2010-05-06 | P2P-Worm.Win32.Palevo.aefb [AVP] | 11.358
Fortinet | 4.0.14 | 11.777 | 2010-05-05 | W32/Palevo.ACF6!worm | 0.210
GData | 21.101/21.34 | 20100506 | 2010-05-06 | P2P-Worm.Win32.Palevo.aefb [Engine:A] | 7.581
Ikarus | T3.1.01.84 | 2010.05.06.75792 | 2010-05-06 | P2P-Worm.Win32.Palevo | 6.117
JiangMin | 13.0.900 | 2010.05.06 | 2010-05-06 | Trojan/StartPage.bim | 1.205
Kaspersky | 5.5.10 | 2010.05.06 | 2010-05-06 | P2P-Worm.Win32.Palevo.aefb | 0.160
KingSoft | 2009.2.5.15 | 2010.5.6.11 | 2010-05-06 | - | 0.701
McAfee | 5400.1158 | 5973 | 2010-05-05 | - | 0.019
Microsoft | 1.5703 | 2010.05.05 | 2010-05-05 | Worm:Win32/Rimecud.B | 6.522
Norman | 6.04.12 | 6.04.00 | 2010-05-05 | - | 4.007
nProtect | 20100506.01 | 8111082 | 2010-05-06 | - | 8.751
Panda | 9.05.01 | 2010.05.05 | 2010-05-05 | - | 2.040
Quick Heal | 10.00 | 2010.05.03 | 2010-05-03 | - | 1.661
Rising | 20.0 | 22.46.03.03 | 2010-05-06 | - | 1.242
Sophos | 3.07.1 | 4.53 | 2010-05-06 | W32/Palevo-O | 3.253
Sunbelt | 3.9.2421.2 | 6265 | 2010-05-05 | Trojan.Win32.Generic!BT | 8.433
Symantec | 1.3.0.24 | 20100505.004 | 2010-05-05 | Trojan.Mdropper | 0.074
The Hacker | 6.5.2.0 | v00276 | 2010-05-05 | - | 0.413
Trend Micro | 9.120-1004 | 7.148.18 | 2010-05-05 | WORM_PEERBOT.SM | 0.025
VBA32 | 3.12.12.4 | 20100504.2006 | 2010-05-04 | Trojan.Tasman | 2.984
ViRobot | 20100503 | 2010.05.03 | 2010-05-03 | - | 0.423
VirusBuster | 4.5.11.10 | 10.126.16/2005537 | 2010-05-06 | - | 2.753
Legend: ■ Heuristic/Suspicious, ■ Exact
NOTICE: Results are not 100% accurate and can be reported as a false positive by some scanners when and if malware is found. Please judge these results for yourself.


http://www.virustotal.com/en/analisis/2 ... 1273131436
File FlashPlayer10.0.45.2b.exe received on 2010.05.06 07:37:16 (UTC)
Current status: finished

Result: 22/41 (53.66%)
Antivirus | Version | Last Update | Result
a-squared | 4.5.0.50 | 2010.05.06 | P2P-Worm.Win32.Palevo!IK
AhnLab-V3 | 2010.05.05.00 | 2010.05.05 | Worm/Win32.Palevo
AntiVir | 8.2.1.236 | 2010.05.05 | DR/Palevo.aefb
Antiy-AVL | 2.0.3.7 | 2010.05.06 | -
Authentium | 5.2.0.5 | 2010.05.06 | -
Avast | 4.8.1351.0 | 2010.05.05 | -
Avast5 | 5.0.332.0 | 2010.05.05 | -
AVG | 9.0.0.787 | 2010.05.05 | -
BitDefender | 7.2 | 2010.05.06 | -
CAT-QuickHeal | 10.00 | 2010.05.04 | -
ClamAV | 0.96.0.3-git | 2010.05.06 | Worm.Palevo-7555
Comodo | 4777 | 2010.05.06 | Heur.Suspicious
DrWeb | 5.0.2.03300 | 2010.05.06 | Win32.HLLW.Lime.307
eSafe | 7.0.17.0 | 2010.05.05 | -
eTrust-Vet | 35.2.7470 | 2010.05.05 | -
F-Prot | 4.5.1.85 | 2010.05.06 | -
F-Secure | 9.0.15370.0 | 2010.05.06 | -
Fortinet | 4.0.14.0 | 2010.05.05 | W32/Palevo.ACF6!worm
GData | 21 | 2010.05.06 | -
Ikarus | T3.1.1.84.0 | 2010.05.06 | P2P-Worm.Win32.Palevo
Jiangmin | 13.0.900 | 2010.05.06 | Trojan/StartPage.bim
Kaspersky | 7.0.0.125 | 2010.05.06 | P2P-Worm.Win32.Palevo.aefb
McAfee | 5.400.0.1158 | 2010.05.06 | Generic.dx!spp
McAfee-GW-Edition | 2010.1 | 2010.05.06 | Heuristic.BehavesLike.Win32.Trojan.A
Microsoft | 1.5703 | 2010.05.05 | Worm:Win32/Rimecud.B
NOD32 | 5089 | 2010.05.05 | Win32/Peerfrag.GI
Norman | 6.04.12 | 2010.05.06 | -
nProtect | 2010-05-06.01 | 2010.05.06 | -
Panda | 10.0.2.7 | 2010.05.05 | Trj/CI.A
PCTools | 7.0.3.5 | 2010.05.06 | -
Prevx | 3.0 | 2010.05.06 | Medium Risk Malware
Rising | 22.46.03.04 | 2010.05.06 | -
Sophos | 4.53.0 | 2010.05.06 | W32/Palevo-O
Sunbelt | 6265 | 2010.05.06 | Trojan.Win32.Generic!BT
Symantec | 20091.2.0.41 | 2010.05.06 | Trojan.Mdropper
TheHacker | 6.5.2.0.276 | 2010.05.06 | -
TrendMicro | 9.120.0.1004 | 2010.05.06 | WORM_PEERBOT.B
TrendMicro-HouseCall | 9.120.0.1004 | 2010.05.06 | WORM_PEERBOT.SM
VBA32 | 3.12.12.4 | 2010.05.05 | Trojan.Tasman
ViRobot | 2010.5.4.2303 | 2010.05.06 | -
VirusBuster | 5.0.27.0 | 2010.05.05 | -
Additional information
File size: 423923 bytes
MD5 : 6d893fe3bd58ba53e37ba89b63f05db3
SHA1 : cab725adb89eaa0fcb0d41c5d9f419209e26adf0
SHA256: 293f9ff4fc56c8d558249f7abaaf39492c64b01229e4f9530525b154f92247fd
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x17D64
timedatestamp.....: 0x2A425E19 (Sat Jun 20 00:22:17 1992)
machinetype.......: 0x14C (Intel I386)

( 8 sections )
name | viradd | virsiz | rawdsiz | ntrpy | md5
CODE | 0x1000 | 0x16DC8 | 0x16E00 | 6.47 | b770c7f279eb9fc26ac4a87d2b12ac8f
DATA | 0x18000 | 0x700 | 0x800 | 3.18 | c4c19ca9e500cb531e93a6fc31dcb110
BSS | 0x19000 | 0x8A9 | 0x0 | 0.00 | d41d8cd98f00b204e9800998ecf8427e
.idata | 0x1A000 | 0x14D0 | 0x1600 | 4.79 | 08b2ec6b7f09cb82de12e663d8041976
.tls | 0x1C000 | 0x8 | 0x0 | 0.00 | d41d8cd98f00b204e9800998ecf8427e
.rdata | 0x1D000 | 0x18 | 0x200 | 0.20 | 17291f4d14f4488dcc09f44b431f3d22
.reloc | 0x1E000 | 0x11C0 | 0x1200 | 6.71 | 68baacd130dcf39d09b27606b341bb93
.rsrc | 0x20000 | 0x2FC8 | 0x3000 | 4.24 | a5f09a58f51757f9489ffd6c16b90372

( 10 imports )

> advapi32.dll: RegSetValueExA, RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegEnumKeyExA, RegCreateKeyExA, RegCloseKey, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueA, GetUserNameA, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid, AdjustTokenPrivileges
> cabinet.dll: FDIDestroy, FDICopy, FDICreate
> comctl32.dll: ImageList_Draw, ImageList_SetBkColor, ImageList_Create, InitCommonControls
> gdi32.dll: StretchDIBits, StretchBlt, SetWindowOrgEx, SetTextColor, SetStretchBltMode, SetRectRgn, SetROP2, SetPixel, SetDIBits, SetBrushOrgEx, SetBkMode, SetBkColor, SelectObject, SaveDC, RestoreDC, OffsetRgn, MoveToEx, IntersectClipRect, GetTextExtentPoint32A, GetStockObject, GetPixel, GetObjectA, GetDIBits, ExtSelectClipRgn, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgn, CreateFontIndirectA, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CombineRgn, BitBlt, AddFontResourceA
> kernel32.dll: GetCurrentThreadId, WideCharToMultiByte, ExitProcess, UnhandledExceptionFilter, RtlUnwind, RaiseException, TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, FreeLibrary, HeapFree, HeapReAlloc, HeapAlloc, GetProcessHeap, WritePrivateProfileStringA, WriteFile, WinExec, WaitForSingleObject, TerminateProcess, Sleep, SetFileTime, SetFilePointer, SetFileAttributesA, SetErrorMode, SetEndOfFile, SetCurrentDirectoryA, RemoveDirectoryA, ReadFile, OpenProcess, MultiByteToWideChar, LocalFileTimeToFileTime, LoadLibraryA, GlobalFree, GlobalAlloc, GetWindowsDirectoryA, GetVersionExA, GetVersion, GetUserDefaultLangID, GetTimeFormatA, GetTempPathA, GetSystemDirectoryA, GetShortPathNameA, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleA, GetModuleFileNameA, GetLastError, GetFullPathNameA, GetFileTime, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThread, GetCurrentProcess, GetComputerNameA, GetCommandLineA, FreeLibrary, FormatMessageA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, ExpandEnvironmentStringsA, DosDateTimeToFileTime, DeleteFileA, CreateFileA, CreateDirectoryA, CompareStringA, CloseHandle
> ole32.dll: OleInitialize, OleInitialize, CoTaskMemFree, CoCreateInstance, CoUninitialize, CoInitialize
> oleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen
> shell32.dll: SHGetFileInfoA, ShellExecuteExA, ShellExecuteA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, SHChangeNotify, SHBrowseForFolderA
> user32.dll: wvsprintfA, WaitMessage, ValidateRect, TranslateMessage, ShowWindow, SetWindowPos, SetWindowLongA, SetTimer, SetPropA, SetParent, SetForegroundWindow, SetFocus, SetCursor, SendMessageA, ScreenToClient, RemovePropA, ReleaseDC, RegisterClassA, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, MessageBoxA, LoadIconA, LoadCursorA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsIconic, InvalidateRect, GetWindowTextLengthA, GetWindowTextA, GetWindowRgn, GetWindowRect, GetWindowLongA, GetWindowDC, GetUpdateRgn, GetSystemMetrics, GetSystemMenu, GetSysColor, GetPropA, GetParent, GetWindow, GetKeyState, GetFocus, GetDCEx, GetDC, GetCursorPos, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, FindWindowA, FillRect, ExitWindowsEx, EnumWindows, EndPaint, EnableWindow, EnableMenuItem, DrawTextA, DrawIcon, DispatchMessageA, DestroyWindow, DestroyIcon, DeleteMenu, DefWindowProcA, CopyImage, ClientToScreen, CheckRadioButton, CallWindowProcA, BeginPaint, CharLowerBuffA, CreateWindowExA
> winmm.dll: timeKillEvent, timeSetEvent

( 0 exports )

TrID : File type identification
Win32 Executable Delphi generic (39.8%)
Win32 Executable Generic (23.1%)
Win32 Dynamic Link Library (generic) (20.5%)
Win16/32 Executable Delphi generic (5.6%)
Generic Win/DOS Executable (5.4%)
ThreatExpert: http://www.threatexpert.com/report.aspx ... 9b63f05db3
Symantec reputation: Suspicious.Insight http://www.symantec.com/security_respon ... 23-0550-99
ssdeep: 12288:fU9Xiuizjk4OZRxT1ZSQzCcdCkh9RA4Mw/7E:fUdHudODZlG+dRAHiE
sigcheck: publisher....: Adobe Systems Incorporated
copyright....: Adobe Systems Incorporated
product......: n/a
description..: Adobe Flash_ Player 10.0.45.2 Installation
original name: n/a
internal name: n/a
file version.: 10.0.45.2
comments.....:
signers......: -
signing date.: -
verified.....: Unsigned

Prevx Info: http://info.prevx.com/aboutprogramtext. ... 00CA9B6B56
PEiD : -
packers (Kaspersky): MoleboxUltraPatch
RDS : NSRL Reference Data Set
-


ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

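The VirusTotal report above packs three triage signals into raw text: per-section entropy (the ntrpy column; the 6.71 on a .reloc table is what makes Kaspersky's MoleboxUltraPatch packer tag plausible), an import list that reads like a dropper's shopping list (cabinet.dll FDICopy, WinExec, RegSetValueExA, AdjustTokenPrivileges, ExitWindowsEx), and a sigcheck block whose version resource claims "Adobe Systems Incorporated" while Authenticode verification says Unsigned. The script below is an added example, not code from the original post or from VirusTotal: it parses those three blocks as VT printed them and turns them into findings. The REPORT string is copied from the thread (all eight sections, the sigcheck lines, and four of the ten import DLLs with kernel32/user32 trimmed to the APIs the scoring uses); the CAPABILITIES groups and the 6.5 bits-per-byte threshold are this example's own heuristics, not anything the page or the scanners define.

```python
"""Triage a VirusTotal-style PE report: section entropy, import capabilities,
and the version-info vs. Authenticode mismatch. Added example, not VT code."""
import math
import re
from collections import Counter

# Constructed input: copied from the thread's VirusTotal output, import list trimmed.
REPORT = """\
( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x16DC8 0x16E00 6.47 b770c7f279eb9fc26ac4a87d2b12ac8f
DATA 0x18000 0x700 0x800 3.18 c4c19ca9e500cb531e93a6fc31dcb110
BSS 0x19000 0x8A9 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x1A000 0x14D0 0x1600 4.79 08b2ec6b7f09cb82de12e663d8041976
.tls 0x1C000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x1D000 0x18 0x200 0.20 17291f4d14f4488dcc09f44b431f3d22
.reloc 0x1E000 0x11C0 0x1200 6.71 68baacd130dcf39d09b27606b341bb93
.rsrc 0x20000 0x2FC8 0x3000 4.24 a5f09a58f51757f9489ffd6c16b90372

( 10 imports )

> advapi32.dll: RegSetValueExA, RegCreateKeyExA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges
> cabinet.dll: FDIDestroy, FDICopy, FDICreate
> kernel32.dll: WinExec, OpenProcess, TerminateProcess, DeleteFileA, FindFirstFileA, CreateFileA
> user32.dll: ExitWindowsEx, FindWindowA, MessageBoxA

sigcheck: publisher....: Adobe Systems Incorporated
description..: Adobe Flash_ Player 10.0.45.2 Installation
verified.....: Unsigned
"""

SECTION_RE = re.compile(r"^(\S+)\s+0x([0-9A-Fa-f]+)\s+0x([0-9A-Fa-f]+)\s+0x([0-9A-Fa-f]+)\s+([\d.]+)\s+([0-9a-f]{32})$")
IMPORT_RE = re.compile(r"^> ([^:]+): (.*)$")
SIGCHECK_RE = re.compile(r"^([a-z][a-z ]*?)\.*: ?(.*)$")

# Hypothetical API groupings (this example's heuristic): every pair must be imported.
CAPABILITIES = {
    "privilege-adjust": {("advapi32.dll", "AdjustTokenPrivileges"), ("advapi32.dll", "OpenProcessToken")},
    "registry-persistence": {("advapi32.dll", "RegSetValueExA"), ("advapi32.dll", "RegCreateKeyExA")},
    "cab-payload-extract": {("cabinet.dll", "FDICopy")},
    "process-launch": {("kernel32.dll", "WinExec")},
    "process-kill": {("kernel32.dll", "OpenProcess"), ("kernel32.dll", "TerminateProcess")},
    "force-reboot": {("user32.dll", "ExitWindowsEx")},
}


def shannon_entropy(data):
    """Bits per byte, 0.0 (constant) to 8.0 (uniform): what the ntrpy column measures."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(report):
    """Rows of the '( N sections )' table as dicts with integer sizes."""
    rows = []
    for line in report.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            name, vaddr, vsize, rawsize, ent, md5 = m.groups()
            rows.append({"name": name, "vaddr": int(vaddr, 16), "vsize": int(vsize, 16),
                         "rawsize": int(rawsize, 16), "entropy": float(ent), "md5": md5})
    return rows


def parse_imports(report):
    """'> dll: f1, f2' lines -> {dll: [functions]}, DLL names lower-cased."""
    imports = {}
    for line in report.splitlines():
        m = IMPORT_RE.match(line.strip())
        if m:
            imports[m.group(1).lower()] = [f.strip() for f in m.group(2).split(",") if f.strip()]
    return imports


def parse_sigcheck(report):
    """'key....: value' lines of the sigcheck block -> {key: value}."""
    fields = {}
    for line in report.splitlines():
        line = line.strip().removeprefix("sigcheck: ")
        m = SIGCHECK_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def flag_sections(sections, threshold=6.5):
    """Sections with near-random raw bytes; compiled code sits near 6, a .reloc
    table this high is a packer hint rather than real fixup records."""
    return [s["name"] for s in sections if s["entropy"] >= threshold]


def capabilities(imports):
    present = {(dll, fn) for dll, fns in imports.items() for fn in fns}
    return sorted(tag for tag, needed in CAPABILITIES.items() if needed <= present)


def signer_mismatch(fields):
    """Version resource names a publisher, but Authenticode found no signature."""
    publisher = fields.get("publisher", "").strip()
    return bool(publisher) and publisher != "n/a" and fields.get("verified", "").lower() == "unsigned"


def triage(report):
    sections = parse_sections(report)
    return {"section_count": len(sections),
            "high_entropy_sections": flag_sections(sections),
            "capabilities": capabilities(parse_imports(report)),
            "claims_publisher_but_unsigned": signer_mismatch(parse_sigcheck(report))}


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

Run against the thread's report this flags .reloc as the only near-random section, lists all six capability groups, and reports the publisher/signature mismatch; the same three checks apply unchanged to any VT PEInfo block pasted into REPORT. The entropy helper is included so the ntrpy numbers can be reproduced from section bytes when the sample itself is on hand.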

Re: New Malware P2P-Worm.Win32.Palevo.aefb

Postby roberto7888 » Sat May 08, 2010 4:28 am

The link mynet-com.com/tube.swf is still active. They changed its name server address records to ns1.everydns.net [208.76.61.100], ns2.everydns.net [208.76.62.100], ns3.everydns.net [208.76.62.100], ns4.everydns.net [208.76.62.100].
It is not detected by antivirus software.
It is hosted on IP 193.2.122.52 -> Si-Cert Slovenian Computer Emergency Response Team :shock:

http://www.trusted-introducer.nl/teams/si-cert.html
http://www.cert.org/csirts/national/contact.html

http://legacytools.dnsstuff.com/tools/t ... ainterator

Re: New Malware P2P-Worm.Win32.Palevo.aefb

Postby roberto7888 » Sat May 08, 2010 5:15 pm

I have a reply from dyndns.com/everydns.net. They have terminated the account. The link mynet-com.com/tube.swf is inactive.

http://legacytools.dnsstuff.com/tools/t ... ainterator

Subject: [DynDNS #1230061] Removal request: mynet-com.com
Date: Sat, 8 May 2010 20:42:12 +0000
From: "Jason Hutchins via RT" <abuse@dyndns.com>
Reply-To: abuse@dyndns.com
X-RT-Loop-Prevention: DynDNS
RT-Ticket: DynDNS #1230061
Managed-by: RT 3.8.4 (http://www.bestpractical.com/rt/)
RT-Originator: jhutchins@dyn-inc.com
Date: Sat, 8 May 2010 20:42:12 +0000


> EVIDENCE

Thank you for the more relevant information.

> http://rss.uribl.com/nic/KEY_SYSTEMS_GMBH.html

This is irrelevant.

> http://www.mywot.com/en/scorecard/mynet-com.com

This is irrelevant.

> New Malware,
> Link -> http://www.mynet-com.com/tube.swf
> see there:
> http://www.virustotal.com/en/analisis/e ... d1f111c56-
> 1273304849
>
> http://anubis.iseclab.org/?action=resul ... ormat=html
>
> http://www.threatexpert.com/report.aspx ... 78d18e5406

Ahh, perfect. This is exactly what I needed. I have terminated the account; it will take up to 15-60 minutes for the domain to stop resolving. Thank you for the report.

Regards,
Jason

--
Jason Hutchins
DynDNS Ninja Squad
http://dyn.com
http://twitter.com/dyndns
