Threat Level: green Handler on Duty: Pasquale Stirparo

SANS ISC: InfoSec Handlers Diary Blog - Trojan posing as Codecs InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Trojan posing as Codecs

Published: 2007-04-22
Last Updated: 2007-04-22 00:33:00 UTC
by Koon Yaw Tan (Version: 1)
0 comment(s)
One of readers (Gary) has come across a forum with posting on free porn movies links:
http :// free-bdsm-movies. info/movies/1270174.avi
(Resolves to 85.255.119.210)

However, clicking on the link will open to another site in an iFrame:
http : //www. x-ratedclips.com/bdsm/dp/s5g2/movie1.php?bgcolor=000000&border=3C4553&id=1651
(Resolves to 81.0.250.226)

The x-ratedclips.com page has HTML code that checks for the presence of a Trojan (Zlob.Trojan). If it is not found, it will display a page to tell the viewer that the movie cannot be played and to download a "missing Video ActiveX Object".

The "activex object" link is
http: // www. amultimediasource.com/download.php?id=1651
(Resolves to 85.255.113.222)

Note: 85.255.112.0 - 85.255.127.0 is a known source of evil (http://isc.sans.org/diary.html?storyid=1811)

Not surprising, the downloaded file is actually a Trojan. Positive scan result from VirusTotal:

AntiVir 7.3.1.53 04.20.2007 DR/Zlob.Gen
AVG 7.5.0.464 04.20.2007 Downloader.Zlob.GG
BitDefender 7.2 04.21.2007 Trojan.Downloader.Zlob.RX
eSafe 7.0.15.0 04.19.2007 suspicious Trojan/Worm
Fortinet 2.85.0.0 04.21.2007 W32/Zlob.BRI!tr.dldr
Ikarus T3.1.1.5 04.20.2007 Trojan-Downloader.Win32.Zlob.bpg
Kaspersky 4.0.2.24 04.21.2007 Trojan-Downloader.Win32.Zlob.bqt
McAfee 5014 04.20.2007 New Malware.as
Sophos 4.16.0 04.20.2007 Troj/Zlob-Gen
TheHacker 6.1.6.095 04.15.2007 Trojan/Downloader.Zlob.bpl
Webwasher-Gateway 6.0.1 04.21.2007 Trojan.Zlob.Gen
Keywords:
0 comment(s)
Diary Archives