Hi all, it seems a lot of you have started to get infected on Facebook. Infected people start by sending everyone on their friend list a link with a nice picture of a video of a lady with a cute cleavage, see image:
When you click on the link, you get an “update” downloaded on your machine; depending on your browser it will be e.g. Google Update 4.exe, which gets downloaded and tries to infect your machine. Of course, for gods like me such an attempt to infect me is futile and makes me laugh, but hey, a lot of you seem to be infected with it; here for example my friend kenny got infected:
The downloaded file is detected by some antiviruses but goes undetected by others; e.g. AVG, F-Prot, Microsoft and Sophos do not detect it.
It writes to these files:
C:\7b6e9c8188250160728283990137717993165dc1ac395ba22e42acc516fd4739
C:\WINDOWS\system32.exe
C:\Documents and Settings\<USER>\Start Menu\Programs\Startup\Service Manager.exe
This little piece of shit is pretty wise: it checks whether you are debugging it and, if you are, tries to send you down another routine. It uses DeviceIoControl to talk to device drivers (reminds me of the ask.com installer, which shows similar abilities).
It then harvests various information via these URLs:
- http://whos.amung.us/swidget/nexusexem
- http://us1.science/read/ini.php
- http://us1.science/read/conf.php
So if you were a really horrible hax0r who wanted to be leet, you would deface that box :D.
Note, an interesting thing to do would be to run this on a VM, then wireshark/tcpdump the GETs that are sent to those links :) .. that would be a good starting point for feeding whoever wrote this application wrong results, a bit like hacking the hacker :p. Though in no way is this guy a hacker :)
Yes, you can get more when digging into that, e.g. have a look at https://m2-crush.com/234g/ca.php and https://us1.science/ALL.js
Oh well, there’s lots of interesting stuff on that server, boring hax0r, but I need to pee, can’t hold it for long, gtg!
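As an added example (not from the post), here is a small Python indicator check built from the file paths and URLs listed above: it flags the dropped files, the Service Manager.exe copy in a Startup folder, a hash-named file dropped straight into the drive root, and proxy-log requests to the beacon URLs or the two extra hosts. The file paths and log lines in SAMPLE_PATHS and SAMPLE_LOG are constructed, and the log format is assumed.

```python
import re
from pathlib import PureWindowsPath
# Indicators taken from the post: dropped files, the Startup-folder binary,
# the beacon URLs and the two extra hosts mentioned later in the post.
DROPPED_FILES = {r"c:\7b6e9c8188250160728283990137717993165dc1ac395ba22e42acc516fd4739",
                 r"c:\windows\system32.exe"}
STARTUP_BINARY = "service manager.exe"
BEACON_URLS = {"http://whos.amung.us/swidget/nexusexem",
               "http://us1.science/read/ini.php", "http://us1.science/read/conf.php"}
BAD_HOSTS = {"us1.science", "m2-crush.com"}
SHA256_NAME = re.compile(r"^[0-9a-f]{64}$")            # file named like a SHA-256
REQUEST_RE = re.compile(r"\b(?:GET|POST)\s+(https?://\S+)")

def scan_paths(paths):
    """Return (path, reason) for each path matching a file indicator."""
    hits = []
    for p in paths:
        win = PureWindowsPath(p)
        name = win.name.lower()
        if p.lower() in DROPPED_FILES:
            hits.append((p, "known dropped file"))
        elif name == STARTUP_BINARY and "startup" in (x.lower() for x in win.parts):
            hits.append((p, "Startup-folder persistence"))
        elif SHA256_NAME.match(name) and len(win.parts) == 2:  # directly in C:\
            hits.append((p, "hash-named file in drive root"))
    return hits

def scan_proxy_log(lines):
    """Return (url, reason) for each logged request to a beacon URL or bad host."""
    hits = []
    for line in lines:
        if m := REQUEST_RE.search(line):
            url = m.group(1)
            host = url.split("/")[2].lower()
            if url in BEACON_URLS:
                hits.append((url, "known beacon URL"))
            elif host in BAD_HOSTS:
                hits.append((url, "request to known malicious host"))
    return hits

# Constructed sample input (not captured data): a few file paths and proxy lines.
SAMPLE_PATHS = [
    r"C:\7b6e9c8188250160728283990137717993165dc1ac395ba22e42acc516fd4739",
    r"C:\Documents and Settings\kenny\Start Menu\Programs\Startup\Service Manager.exe",
    r"C:\Program Files\Service Manager.exe",  # same name outside Startup: benign
]
SAMPLE_LOG = [
    "10.0.0.5 GET http://us1.science/read/ini.php 200",
    "10.0.0.5 GET http://www.example.com/index.html 200",
    "10.0.0.5 GET https://m2-crush.com/234g/ca.php 200",
]
```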
Oh yes, I almost forgot, how to clean up?
You can always do a HouseCall: http://housecall.antivirus.com, run the online virus scan from there.
Wrote this pretty quickly, didn’t have time to check my English.
Sincerely,
The Eldergod!
poor kenny
Oh, he is rich!