Fake Game Demo website

Published: 2011-01-06
Last Updated: 2011-01-06 21:10:19 UTC
by donald smith (Version: 1)
2 comment(s)

Lee informed us today that dota2trailer.tk claims to offer a video trailer for the new Dota 2 game but instead installs a keylogger to steal credentials from gamers.

The website warns that you need JavaScript enabled, so it may also be attempting Java exploits.

VirusTotal's URL scan didn't show any known maliciousness associated with that URL:
http://www.virustotal.com/url-scan/report.html?id=c6b23afaa80fb96f096cb9b9e6a25012-1294334566
Firefox: Clean site
G-Data: Clean site
Google Safebrowsing: Clean site
Opera: Clean site
ParetoLogic: Clean site
Phishtank: Clean site


Looking at the code on the site, it does try to use Java to download "hxxp://NoS.fileave.com/CamPlug.exe".
CamPlug.exe isn't recognized as malicious by any antivirus vendor at VirusTotal; however, two vendors flag it as packed/encrypted (Gen.Variant.MSILKrypt!IK). That detection by itself doesn't make the file malware, but the same packer has been used in other keyloggers and trojans, so I believe it is malicious.


http://www.virustotal.com/file-scan/report.html?id=ecb6e9b3a5c4aa9165a7725d6b28d22dae38c8a72fe10d25eec53de5189c54bf-1294338169


Comments

By no means is this a complete analysis...I am merely highlighting some initial findings from that CamPlug.exe.

* Check for Pixel Server remote admin...then download it if it doesn't exist:
0x0FAB0 N O P i x e l S e r v e r 0 1 T r u e D i s a b l e d N o n e c d . . 'v i k i s c a p e . n o - i p . b i z

*** vikiscape.no-ip.biz is flagged by my corporate Proxy as infected by Malware.

* Appears to enable Remote Admin:
0x10798 [S o f t w a r e \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ R u n E n a b l e d A p p D a t a a d m i n i s t r a t i o n eR e m o t e a d m i n i s t r a t i o n b r o u g h t t o y o u b y P i x e l F r a g

* ZOMG A TUTORIAL:
0x11288 Z O M G - A - T U T O R I A L

That is all for now....
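The string offsets quoted in the comment above are the kind of output you get from pulling UTF-16LE ("wide") strings out of a .NET binary like CamPlug.exe, which is where the dynamic-DNS host and the Run-key path surfaced. The script below is an added example, not code from the diary or its commenters: it extracts both ASCII and UTF-16LE strings with their file offsets (the equivalent of `strings -t x` and `strings -e l`) and then flags the indicators a first-pass triage would look for (a `CurrentVersion\Run` persistence path, a no-ip/dyndns host, embedded URLs). The `SAMPLE` buffer is constructed for the demonstration and is not the real file; its offsets and contents are assumptions made only so the example runs offline.

```python
import re
import sys
from typing import Iterator, List, Tuple

# Constructed stand-in for a packed MSIL binary. NOT the real CamPlug.exe; it
# just embeds the same kinds of indicators the comment reported, surrounded by
# padding and non-printable bytes so the extractor has something to skip.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 20                                   # fake header, offset 0
    + "vikiscape.no-ip.biz".encode("utf-16-le") + b"\x00\x00"      # wide string at offset 24
    + bytes(range(1, 32))                                          # control-byte junk
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00"                                                  # wide string at offset 95
    + b"plain ascii http://NoS.fileave.com/CamPlug.exe\x00"        # ascii string at offset 187
    + b"\xff\xfe" * 7
)


def extract_strings(data: bytes, min_len: int = 6) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for every printable run of at least
    min_len characters, first as plain ASCII, then as UTF-16LE (each ASCII
    char followed by a NUL), which is how .NET stores its string table."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in wide_re.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


# Triage indicators: label plus the pattern that identifies it in a string.
INDICATORS = [
    ("persistence: Run key", re.compile(r"\\CurrentVersion\\Run\b", re.I)),
    ("dynamic DNS host",
     re.compile(r"\b[\w.-]+\.(?:no-ip\.(?:biz|org|com|info)|dyndns\.org)\b", re.I)),
    ("url", re.compile(r"https?://[^\s\"']+", re.I)),
]


def find_indicators(data: bytes, min_len: int = 6) -> List[Tuple[int, str, str, str]]:
    """Return (offset, encoding, label, matched_text) for every indicator hit,
    sorted by file offset so the output reads like a strings(1) dump."""
    hits = []
    for offset, enc, text in extract_strings(data, min_len):
        for label, rx in INDICATORS:
            m = rx.search(text)
            if m:
                hits.append((offset, enc, label, m.group()))
    hits.sort(key=lambda h: h[0])
    return hits


if __name__ == "__main__":
    # Pass a real file path to scan it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, enc, label, text in find_indicators(data):
        print(f"0x{offset:05X} {enc:8} {label:22} {text}")
```

Packing (the MSILKrypt detection mentioned in the diary) will hide most of these strings until the payload is unpacked or dumped from memory, so an empty result from a static pass is not evidence of a clean file; run the same extractor over a process memory dump taken after the sample has executed in a sandbox.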
I thought Java and JavaScript were unrelated. Am I missing something?
