Topic: Malware and Spam emails : (Suspicious sign in prevented) (Read 1209 times)
Thanks for posting this. Do you have any idea how that got your E-Mail? Hopefully, I didn't get one.
Ahh very clever little beast that is. Thanks for putting the effort into finding this out and posting it 
Never open messages like that one nor download anything that is asked there.
same thing happened to me last march 21,2014
google and yahoo pop up the same message at the same time
google and yahoo pop up the same message at the same time
Omg so it was more then phishing. No antivirus can detect it ok I understand it but there has to be some way possible to remove it isn't there any??? Plus how to check if its running in my system or not 
Install any av that detected it successfully on virustotal and if you have installed that xpi addon your pc is probably infected. You can download malware byets startup lite and look for any random startup entry and check running process (there is a process checker on comodo.com)
Omg so it was more then phishing. No antivirus can detect it ok I understand it but there has to be some way possible to remove it isn't there any??? Plus how to check if its running in my system or not
Install any av that detected it successfully on virustotal and if you have installed that xpi addon your pc is probably infected. You can download malware byets startup lite and look for any random startup entry and check running process (http://www.comodo.com/business-security/network-protection/cleaning_essentials.php)
Omg so it was more then phishing. No antivirus can detect it ok I understand it but there has to be some way possible to remove it isn't there any??? Plus how to check if its running in my system or not
I got a mail same as other members as you can see here it looks like a simple phishing mail with title "Suspicious sign in prevented" but it's more than that.
Email is probably being sent via a php mailer from a hacked server (wohnmobileunited.de)
If you move your mouse on button you will see a shortlink, I copied that link and it redirected me to phishing cum landing page that gives warning about outdated firefox and tries to install a xpi file by running it
XPI file is hosted on dropbox.
Now I tried to download that addon, renamed .xpi to .zip and exported it's content.
Voila.. There's a exe in it, which is a custom bot cum password stealer that downloads more files on your pc automatically.
But how it's getting executed? Answer is in javascript file.
It connects to a domain and some servers.
zuzuri.x64.me 79.172.242.88
X64.me is a free dns domain https://www.dnsdynamic.org
Virus scan report. (Most antiviruses are unable to detect as it's Crypted.
https://www.virustotal.com/en/file/02293d8b45e69f4dc0d69eb85553c5b6f97c47789689bc03bc0af729f4b25e0d/analysis/1396215000/
You can see full analysis here.
https://malwr.com/analysis/MjZhN2ExYzQ2MzBmNGI5ZDhiNjExNzM4NTQ1MGM1YjA/
Now when you try to find more info about that zazuri.x64.me domain, you will get scan links of other malwares that includes .scr file and a pdf (pdf exploit)
ttps://malwr.com/analysis/MDIyZGFkNGNmMGM4NGFhZmFjMGM1OTdiMTY3YmJkNGM/
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~AutoIt-AGU/detailed-analysis.aspx
Email is probably being sent via a php mailer from a hacked server (wohnmobileunited.de)
If you move your mouse on button you will see a shortlink, I copied that link and it redirected me to phishing cum landing page that gives warning about outdated firefox and tries to install a xpi file by running it
XPI file is hosted on dropbox.
Now I tried to download that addon, renamed .xpi to .zip and exported it's content.
Voila.. There's a exe in it, which is a custom bot cum password stealer that downloads more files on your pc automatically.
But how it's getting executed? Answer is in javascript file.
It connects to a domain and some servers.
zuzuri.x64.me 79.172.242.88
X64.me is a free dns domain https://www.dnsdynamic.org
Virus scan report. (Most antiviruses are unable to detect as it's Crypted.
https://www.virustotal.com/en/file/02293d8b45e69f4dc0d69eb85553c5b6f97c47789689bc03bc0af729f4b25e0d/analysis/1396215000/
You can see full analysis here.
https://malwr.com/analysis/MjZhN2ExYzQ2MzBmNGI5ZDhiNjExNzM4NTQ1MGM1YjA/
Now when you try to find more info about that zazuri.x64.me domain, you will get scan links of other malwares that includes .scr file and a pdf (pdf exploit)
ttps://malwr.com/analysis/MDIyZGFkNGNmMGM4NGFhZmFjMGM1OTdiMTY3YmJkNGM/
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~AutoIt-AGU/detailed-analysis.aspx
Jump to: