Full Version: Two newer malware files on MSN
B.I.S.S. Forums > Malware Research Forum > Malware IP Research Section
Retired
Here we go again!
CODE
http://gaedeg.bay.livefilestore.com/y1pMM0vqrBQTGnaCbwLKWI7R4QcxpLz76inefxR0-iF2Kt9wpdXRbtOchw-F1PKNj-Hc6ScWGtwp48/svex.gif

http://gaedeg.bay.livefilestore.com/y1pMM0vqrBQTGlFqwqfW5BSzP-12XTzKfNIX7RL9bVozr9sMTduV3LStqGzbsfcXjxZbWpIYhk33dU/smail.gif


I think MS should make a donation to BISS for finding these!

Retired
Kimberly
thx, will fw them and thanks for keeping up with these files Retired.

Cheers,

Kim
Retired
Here's two more:
CODE
http://53rclq.bay.livefilestore.com/y1p5KLbTqqS33xXRS9iB4ecyqE1FNDvORzgrciyUOaoc9_RjzASFipUhOrvxouxf_EVN10kg0PzEeJpS1TYtkTuCA/img70.gif

http://53rclq.bay.livefilestore.com/y1pKnax9A9sEefHKvInv9xxlHHikFfUGHB2tmKYf73UyByGdkMopY_8FHFFxybbDiOQL5JRzsiRwWs/img501.gif


I hereby request that Windows Defender start detecting these!

Retired
Kimberly
Thx Retired, FW to takedown.

QUOTE
I hereby request that Windows Defender start detecting these!
One thing you have to know about such files: they are often rebuilt every day to evade detection, common practice lately.
Retired
Just found six more:
CODE
http://d6if0w.bay.livefilestore.com/y1pNMdxWSByqUNk-tBVqk-Ho_3DwYMXPFQ0wle4vE_LiwkcuiZd9t0yQpyw_gH-1g6cj9IXa7fDT6o/windowsupdate.mdb

http://d6if0w.bay.livefilestore.com/y1pqJ-nBL1FiiITEHikKP4bissSQ7sk_tUgDyooxdPWS7ipPg87RO9s_EWFLCs5D-Zm6nRi5wNy4fY/a.mdb

http://d6if0w.bay.livefilestore.com/y1p181pCOoc3lr71cMLK1_Rg5s_dznVhaIa6_5qFgCmXUiYJ6pL6IPvCvLYQzZ6EB5bHtt-_bebgSU/s.mdb

http://d6if0w.bay.livefilestore.com/y1ppmUBaM9tKjnQTBWdYXB5FmZV-OecgoJvKrj-SblLdR0NTdOVQHpc7Y6Hs25AeyO8oCygMDV15h4/m.mdb

http://d6if0w.bay.livefilestore.com/y1pa_U1wbrZWoUd78909-92S8-irz-ewG4Jq24lJhGUNx-gx5fDbN-Z7SsEWse8CURnRdWAP5RMDv0/winlogon.mdb

http://d6if0w.bay.livefilestore.com/y1pGcs1j2vK3HMTIOuUcM0RJ9xOxw6Y8yxDJiKjrJJmwcyY1R_Lj_DVJpvRoHx86cyx05x24fkfvVo/wab.mdb


Retired
Retired
Where there's smoke, there's fire:
CODE
http://ghsmjg.bay.livefilestore.com/y1pahQ4ydEElFx9m7OuyBD3jh0vL7fRvsAtZ-5D2CqNo1vEd-A05VSCYNBUBepE2gdsiSEit6-Bo7ye4X6uvELTSQ/img501.gif

http://ghsmjg.bay.livefilestore.com/y1pEyH26KD6AVhNAMBJRiSriTPyirQUacXn0W9q_NmoK2HaRD_O47JzkN6wW0iO1_YuADl3oOFnSYB_nrdtq9uWDw/img701.gif


Retired
Retired
Some of the older ones I thought had been deleted are in fact still there:
CODE
http://53rclq.bay.livefilestore.com/y1pKnax9A9sEefHKvInv9xxlHHikFfUGHB2tmKYf73UyByGdkMopY_8FHFFxybbDiOQL5JRzsiRwWs/img501.gif

http://53rclq.bay.livefilestore.com/y1p5KLbTqqS33xXRS9iB4ecyqE1FNDvORzgrciyUOaoc9_RjzASFipUhOrvxouxf_EVN10kg0PzEeJpS1TYtkTuCA/img70.gif

http://gaedeg.bay.livefilestore.com/y1pMM0vqrBQTGnaCbwLKWI7R4QcxpLz76inefxR0-iF2Kt9wpdXRbtOchw-F1PKNj-Hc6ScWGtwp48/svex.gif

http://gaedeg.bay.livefilestore.com/y1pMM0vqrBQTGlFqwqfW5BSzP-12XTzKfNIX7RL9bVozr9sMTduV3LStqGzbsfcXjxZbWpIYhk33dU/smail.gif

http://x2tsug.bay.livefilestore.com/y1pz3hrvHB7kmd5AedLKA7t5Anvvyo9TAai2hJV8vILW0zq2D8B_cFW7gnQblQ_TJLW1aRo2EBH8EXZplP0uLeVaA/svex.gif

http://x2tsug.bay.livefilestore.com/y1pcUU2d0WOut0vXicj5ILzn8Ky-LsVjD6mDHR2NYKwsHfiPZ0r956sraursXEquevgJTKtk01cQ9itct-tRLPWHA/smail.gif

http://x2tsug.bay.livefilestore.com/y1pz3hrvHB7kmd5AedLKA7t5Anvvyo9TAai2hJV8vILW0zq2D8B_cFW7gnQblQ_TJLW1aRo2EBH8EXZplP0uLeVaA/svex.gif

http://x2tsug.bay.livefilestore.com/y1pcUU2d0WOut0vXicj5ILzn8Ky-LsVjD6mDHR2NYKwsHfiPZ0r956sraursXEquevgJTKtk01cQ9itct-tRLPWHA/smail.gif

http://qj3guq.bay.livefilestore.com/y1pE-exeJQA6zHhjGK8i-YS4oAUENXfkH56gojwzWWa4gH_mDOHHzp7Q4AjfiUoP9kyVPbFt134du8_fDFBzA3doQ/cnxo.txt


Sorry to be the bearer of bad news.

Retired
Kimberly
Thanks Retired, I'll send mail asap.
Retired
Two more hot off the presses:
CODE
http://ghsmjg.bay.livefilestore.com/y1p1UoxJZcvgbbJhEnTObCZy93Fm_cDFMbnffwVPdQ-Vvu1fjmTkktaHJsixMwbvWvF45LyJKa8WVMDSciIQV0wjQ/img702.gif

http://ghsmjg.bay.livefilestore.com/y1p_ZgYO3Cs4JupwYCHHBdwlRGBdzwEPro2CvZXRquhfw8OxbqidyGe_eoe7fn6gcUz4SoVkMI4IZmvaDRjMi5mfQ/img502.gif


Retired
Kimberly
Ok
FW, thx Retired.
Retired
Two new ones:
CODE
http://dwy5eq.blu.livefilestore.com/y1pwkt608zMBsY6VQvlG9w5mPCHVSjdIdbuCQydZ0Hi3-CV5gC5mQuzhFmASNZ9xjO_i1gR8FQ6HFvNb-62HNb9QA/album_master.exe

http://dwy5eq.blu.livefilestore.com/y1pK-Ny5-Rg5zVY64bnv8oEVwP79rHNVFxu3cIxlU4QXYvnR1XmFY0qqnfe6SwOHVE54zerORPahsH0I0RZrOzApA/killador.exe


The first one is a big bad Banker trojan.

Retired
Retired
Two more, but the second one cannot be downloaded (not found):
CODE
http://dwy5eq.blu.livefilestore.com/y1pIBFIsl0ur0Rwe2xTQfcOaTiNHoGHXOwmKV0KaLHD5LDsogG-WZ15-dpd_59QncIKkuAIlulE0wQIFDvEjTk36g/albuns.mpg.exe

http://dwy5eq.blu.livefilestore.com/y1pSgj3Vtsl42upblXcpBkiUs2_jTxxynJXzcn2KlVTonOJK55EE928gCD-WfQyx0P6igAnlF1-pux1sLmiKy724Q/minifotos.exe


Retired
Retired
Two more:
CODE
http://dpecfg.bay.livefilestore.com/y1p7Z5NEX_SqY1z2db8m0BQg8lg8gyy31tFMIqFaUS-_C1tEiMeozhfb8PXrQwFWi6Sv3V4rI4ahzgoXumqfSmJqA/img502.gif

http://dpecfg.bay.livefilestore.com/y1p7dZapXkD2wST5sOjdBrB8w9ElJUbwnXqQqctA8Hc0ih-El7Qb76h468xkz9LVuWH2djVDuHoZGC-RLkXTntbFA/img702.gif


Retired
Retired
More malware:
CODE
http://8zrvva.blu.livefilestore.com/y1pWt63-jsVgUQrbDffMymIvABKhp5TfIOE8XdMNY9SrJFhF7ENH61dEYJP2sPiEKNwmjRJNz1Dm68IS_r_AObxRw/dddeed..exe

http://8zrwva.blu.livefilestore.com/y1pVeNRpktr-os3PRL4nFWZ9Ki6RjnJxmnGkDwZM7TXbkhcmeLb2ypOA1_6jn_r9Nx2Tg-JbSd7yBQ/topcat.exe


I have discovered that the filenames can be anything you like:
CODE
http://8zrwva.blu.livefilestore.com/y1pVeNRpktr-os3PRL4nFWZ9Ki6RjnJxmnGkDwZM7TXbkhcmeLb2ypOA1_6jn_r9Nx2Tg-JbSd7yBQ/random.jpg

http://8zrwva.blu.livefilestore.com/y1pVeNRpktr-os3PRL4nFWZ9Ki6RjnJxmnGkDwZM7TXbkhcmeLb2ypOA1_6jn_r9Nx2Tg-JbSd7yBQ/whatever.exe

http://8zrwva.blu.livefilestore.com/y1pVeNRpktr-os3PRL4nFWZ9Ki6RjnJxmnGkDwZM7TXbkhcmeLb2ypOA1_6jn_r9Nx2Tg-JbSd7yBQ/billgates.exe


Retired
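The post above shows the same hosted object served under three different filenames, and elsewhere in the thread the lo-fi export wraps long URLs across two lines and lists names like foto.jpg.scr and albuns.mpg.exe. The following is an added example, not code from the thread or from BISS, for triaging such a pasted list on the defender side: it rejoins wrapped URLs, groups them by host and the opaque path token so one object is counted once regardless of filename, and flags double-extension names. The host names and tokens in SAMPLE_PASTE are constructed for the example, not indicators from the thread.

```python
"""Triage a pasted list of file-hosting URLs: unwrap, deduplicate by hosted
object, and flag executable / double-extension filenames.

Added example; constructed sample data, not the thread's live indicators.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Extensions Windows will run when double-clicked (used for the disguise check).
EXECUTABLE_SUFFIXES = {"exe", "scr", "com", "pif", "bat", "cmd"}
# Suffixes typically placed before the real one to make a file look like media.
DECOY_SUFFIXES = {"jpg", "jpeg", "gif", "png", "mpg", "avi", "pdf", "doc", "txt"}

# Constructed sample paste: one object under two names, plus a URL wrapped
# across two lines the way the forum's lo-fi export wraps them.
SAMPLE_PASTE = """\
http://example1.blu.livefilestore.invalid/y1pTOKENAAAA/random.jpg

http://example1.blu.livefilestore.invalid/y1pTOKENAAAA/whatever.exe

http://example2.bay.livefilestore.invalid/y1pTOKENBBBBwrapped
Across/foto.jpg.scr
"""


def unwrap_urls(text):
    """Rejoin URLs wrapped across lines: a non-blank line that does not start
    with 'http' continues the previous URL; a blank line ends it."""
    urls, current = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                urls.append(current)
                current = ""
        elif line.startswith("http"):
            if current:
                urls.append(current)
            current = line
        elif current:
            current += line
    if current:
        urls.append(current)
    return urls


def parse_indicator(url):
    """Return (host, token, filename) for a host/<token>/<filename> URL, else None.
    The token is the path segment before the filename; the filename is whatever
    the uploader chose and is not a reliable identity for the object."""
    parsed = urlparse(url)
    segments = [s for s in parsed.path.split("/") if s]
    if not parsed.netloc or len(segments) < 2:
        return None
    return parsed.netloc.lower(), segments[-2], segments[-1]


def group_by_object(urls):
    """Map (host, token) -> sorted filenames seen for that one hosted object."""
    groups = defaultdict(set)
    for url in urls:
        parsed = parse_indicator(url)
        if parsed is not None:
            host, token, filename = parsed
            groups[(host, token)].add(filename)
    return {key: sorted(names) for key, names in groups.items()}


def classify_name(filename):
    """'disguised' for media.exe-style double extensions, 'executable' for a
    plain executable suffix, otherwise 'other'."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_SUFFIXES:
        return "other"
    if len(parts) >= 3 and parts[-2] in DECOY_SUFFIXES:
        return "disguised"
    return "executable"


def triage(text):
    """Full pass over a paste: one row per hosted object with its names and flags."""
    rows = []
    for (host, token), names in sorted(group_by_object(unwrap_urls(text)).items()):
        rows.append({
            "host": host,
            "token": token,
            "names": names,
            "flags": sorted({classify_name(n) for n in names} - {"other"}),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_PASTE):
        print(f"{row['host']} {row['token']}: {row['names']} {row['flags']}")
```

Grouping on the token rather than the filename is what makes a takedown or blocklist entry stable: the post above shows the uploader can rename the same object at will, so a list keyed by filename would count it three times and miss the next rename.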
Retired
Two more:
CODE
http://mnsexa.bay.livefilestore.com/y1p8NGTU6nUU7VH8DbzUiU3gIiKvl4w-kbmVWGmEAU6bI1bd3N5Vv5fxC5pEhW11nbFE7DO56fEcZ0/Mnsnsn.exe

http://admunq.blu.livefilestore.com/y1p5E8Lb0aGuEkFIEWEXMnk-noUqURCZtRLe0EbKoHPsbay8Y3V5noM7EEsosASFoe7aJWndCKzCyZvKi6wUMgx6g/killador.exe


One of them is detected by Microsoft:
http://www.virustotal.com/analisis/d1f4813...35217a12a069b52

But the other is not:
http://www.virustotal.com/analisis/5380771...c68307a1ecc5744

They must not be using Microsoft Forefront Security on MSN servers.

Glad Bluetack is back!
Kimberly
Thanks Retired, forwarded.

Actually those files are on Skydrive accounts, so the owner of the account does upload them.
Retired
QUOTE (Kimberly @ Feb 14 2009, 05:19 AM)
Thanks Retired, forwarded.

Actually those files are on Skydrive accounts, so the owner of the account does upload them.

Here's a few more:
CODE
http://hxliha.blu.livefilestore.com/y1p79VjMbgNboMVkIqI8k-P-W9Y3Xm1K89_GLiXQVo-7zeX9sBr51K6lN_VfLfrY60QOu89fJN27kg/up.txt

http://hxliha.blu.livefilestore.com/y1pNoVfNAkzBrOx-xeJdtgzZkitzHcSBHFGJCV8pPty2Xpxj_Y6fCg7iNrHddswLAqAeoTVkVZ8yrQ/oct.txt

http://hxliha.blu.livefilestore.com/y1pNoVfNAkzBrOg6T3xDy5co4WzmgdVqxzU-CYJ2jLEbRRAIcqfassebt7_nl2oupS4ETaVlUch9pg/ms.txt


Is MS interested in these? If not, I will stop posting them.
Kimberly
Thx Retired. Yes MS is interested in these files, keep up the good work.
Retired
QUOTE (Kimberly @ Feb 23 2009, 07:17 AM)
Thx Retired. Yes MS is interested in these files, keep up the good work.

Okay, just checking. Here's a few more:
CODE
http://jkyuzq.blu.livefilestore.com/y1pR7eBa13FvdVXwyTdy2iskQ1kl5cJLMzjXHHDT5Fe0HkzDm5l_fUPsUh8C9dkrct2GVPeK89Hm2dQgZGKqw0fjA/foto.jpg.scr

http://zzz6ww.bay.livefilestore.com/y1pCyh1HdgNR5PKYocRtpZqG16t5YW2WVofdcDNk_vZ3QCiGVqgRBa1ZwPW9ORoVV2gtp_6JyqpZFc/itsec.xml

http://zzz6ww.bay.livefilestore.com/y1pNbkF16gP9ghsB_ftM_L5C2YMkNHQmCwUH1KZ2DOpVezJbGpidJbJbi2rLe1K-eqfDfWLJm2tg-E61tdM5Tkffg/bblog.xml
Kimberly
Thx Retired, forwarded.