File details
</h4>
Filename: File720.exe
File size: 19456 bytes
MD5: ab3ff449d2cf83f2b79d3bc9bfede8ae
SHA1: dc7c25751529a615bdc47e3679d9b2d5847cff37
PEiD: -
<h4>Quote: File file720.exe received on 04.26.2008 00:44:14 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.4.25.2 2008.04.25 -
AntiVir 7.8.0.10 2008.04.25 -
Authentium 4.93.8 2008.04.26 -
Avast 4.8.1169.0 2008.04.25 -
AVG 7.5.0.516 2008.04.25 -
BitDefender 7.2 2008.04.26 -
CAT-QuickHeal 9.50 2008.04.25 -
ClamAV 0.92.1 2008.04.26 -
DrWeb 4.44.0.09170 2008.04.25 -
eSafe 7.0.15.0 2008.04.21 -
eTrust-Vet 31.3.5736 2008.04.26 -
Ewido 4.0 2008.04.25 -
F-Prot 4.4.2.54 2008.04.25 -
F-Secure 6.70.13260.0 2008.04.25 -
FileAdvisor 1 2008.04.26 -
Fortinet 3.14.0.0 2008.04.25 -
Ikarus T3.1.1.26.0 2008.04.25 -
Kaspersky 7.0.0.125 2008.04.26 -
McAfee 5282 2008.04.25 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3055 2008.04.25 -
Norman 5.80.02 2008.04.25 -
Panda 9.0.0.4 2008.04.25 Suspicious file
Prevx1 V2 2008.04.26 -
Rising 20.41.42.00 2008.04.25 -
Sophos 4.28.0 2008.04.25 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.26 -
TheHacker 6.2.92.292 2008.04.25 -
VBA32 3.12.6.5 2008.04.25 -
VirusBuster 4.3.26:9 2008.04.25 -
Webwasher-Gateway 6.6.2 2008.04.25 -
What happened?
</h4>
I wanted to spend a calm evening without malware, sploits, infections etc. ... just reading some stuff on the web like ya all, when suddenly PG popped up with a warning ...
I can't resist, of course; I had to discover why this file arrived on my PC. First of all, stop all browsing activity and take a peek at the logs. Working backwards led to the source of the alert ... an Interstitial Advert served by adbrite - which I never saw, btw, due to the sploit. (See screenshot below under IP details.)
As we see in the (shortened) packet captures above, the URL / website to display is globalfreightonline.com * DO NOT VISIT THIS URL !!! *
Network capture shows the presence of an encrypted script on the homepage.
Full script.
Which decodes to
Which decodes to an iframe
From there we hit 13fr.info/forum/getexe.exe?o=3&t=[removed]&i=[removed]&e=[removed]
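As an added example (not code from the original post), the backwards walk through the logs described above can be automated: start from the .exe request and follow each Referer to the page that triggered it. The log line format, the sample lines, the adbrite host name and the query values are constructed placeholders, not real captures.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log, format "<time> <method> <url> <referer>" (hypothetical;
# adapt LINE_RE to your proxy or host-firewall log). "-" means no Referer header.
LOG_LINES = [
    "00:44:01 GET http://www.example-news.test/article.html -",
    "00:44:02 GET http://interstitial.adbrite.example/ad?sid=REDACTED http://www.example-news.test/article.html",
    "00:44:03 GET http://globalfreightonline.com/ http://interstitial.adbrite.example/ad?sid=REDACTED",
    "00:44:04 GET http://13fr.info/forum/getexe.exe?o=3&t=REDACTED http://globalfreightonline.com/",
]

LINE_RE = re.compile(r"^(?P<time>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ref>\S+)$")


def referer_map(lines):
    """Map each requested URL to the Referer that led to it (last one wins)."""
    refs = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["ref"] != "-":
            refs[m["url"]] = m["ref"]
    return refs


def executable_downloads(lines):
    """Return the URLs whose path ends in .exe: the requests worth alerting on."""
    found = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and urlsplit(m["url"]).path.lower().endswith(".exe"):
            found.append(m["url"])
    return found


def trace_chain(lines, target, max_hops=20):
    """Follow Referer headers backwards from target to the page that started the chain.
    Returns hostnames in forward order (origin first). Stops on a missing Referer,
    on a repeated URL or after max_hops, so a self-referencing redirect cannot loop."""
    refs = referer_map(lines)
    chain, seen, url = [], set(), target
    while url and url not in seen and len(chain) < max_hops:
        chain.append(url)
        seen.add(url)
        url = refs.get(url)
    return [urlsplit(u).hostname for u in reversed(chain)]


if __name__ == "__main__":
    for exe in executable_downloads(LOG_LINES):
        print(" -> ".join(trace_chain(LOG_LINES, exe)))
```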
<h4>
globalfreightonline.com - 75.125.60.2
</h4>
The website seen through the Interstitial Advert.
Website Title: Global Freight Forwarders Group
ICANN Registrar: ENOM, INC.
Created: 2008-02-01
Expires: 2009-02-01
Name Server: NS1.SITEGROUND222.COM (has 538 domains)
Name Server: NS2.SITEGROUND222.COM
Whois Server: whois.enom.com
Server Type: Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.4mm
IP Location - Texas - Dallas - Theplanet.com Internet Services Inc
Reverse IP: 498 other sites hosted on this server.
Registration Service Provided By: siteground.com
Contact: newdomains@siteground.com
Domain name: globalfreightonline.com
Registrant Contact:
Susan Olson (newdomains@siteground.com)
+1.9063412555
Fax:
1141N Oak Street
Manistique, MI 49854
US
<h4>
13fr.info - 78.129.166.45
</h4>
Website Title: 13fr.info
Created: 2007-09-27
Expires: 2008-09-27
Whois Server: whois.afilias.info
Server Type: Apache
IP Location - Italy - Feelitaly Llc
Domain ID:D20041624-LRMS
Domain Name:13FR.INFO
Created On:27-Sep-2007 09:12:31 UTC
Last Updated On:27-Nov-2007 02:22:51 UTC
Expiration Date:27-Sep-2008 09:12:31 UTC
Sponsoring Registrar:EstDomains, Inc. (R295-LRMS)
Status:OK
Registrant ID:PP-SP-001
Registrant Name:Domain Admin
Registrant Organization:PrivacyProtect.org
Registrant Street1:P.O. Box 97
Registrant Street2:All Postal Mails Rejected, visit Privacyprotect.org
Registrant Street3:
Registrant City:Moergestel
Registrant State/Province:
Registrant Postal Code:5066 ZH
Registrant Country:NL
Registrant Phone:+45.36946676
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.: