Topic: Malware and Spam emails: (Suspicious sign in prevented)

hero member
Activity: 644
Merit: 500
Thanks for posting this. Do you have any idea how that got your E-Mail? Hopefully, I didn't get one.
sr. member
Activity: 476
Merit: 250
Ahh, very clever little beast that is. Thanks for putting the effort into finding this out and posting it.
sr. member
Activity: 392
Merit: 250
Never open messages like that one nor download anything that is asked there.
sr. member
Activity: 266
Merit: 250
if you want something do something!!!
Same thing happened to me last March 21, 2014.
Google and Yahoo popped up the same message at the same time.
hero member
Activity: 714
Merit: 500
Omg, so it was more than phishing. No antivirus can detect it, ok, I understand that, but there has to be some way possible to remove it, isn't there any??? Plus, how to check if it's running in my system or not?
Install any AV that detected it successfully on VirusTotal, and if you have installed that xpi addon your PC is probably infected. You can download Malwarebytes StartUpLITE and look for any random startup entry and check running processes (there is a process checker on comodo.com).
I didn't install that plugin on my computer but will make sure to do a check with the process checker. I'm running Avast atm and have Malwarebytes Pro, but they both showed my system is clean, so maybe I should calm down and stop getting so finicky about it.
legendary
Activity: 1274
Merit: 1004
Omg, so it was more than phishing. No antivirus can detect it, ok, I understand that, but there has to be some way possible to remove it, isn't there any??? Plus, how to check if it's running in my system or not?
Install any AV that detected it successfully on VirusTotal, and if you have installed that xpi addon your PC is probably infected. You can download Malwarebytes StartUpLITE and look for any random startup entry and check running processes (http://www.comodo.com/business-security/network-protection/cleaning_essentials.php).
hero member
Activity: 714
Merit: 500
Omg, so it was more than phishing. No antivirus can detect it, ok, I understand that, but there has to be some way possible to remove it, isn't there any??? Plus, how to check if it's running in my system or not?
legendary
Activity: 1274
Merit: 1004
I got a mail same as other members; as you can see here, it looks like a simple phishing mail with the title "Suspicious sign in prevented", but it's more than that.
The email is probably being sent via a PHP mailer from a hacked server (wohnmobileunited.de).

If you move your mouse over the button you will see a short link. I copied that link and it redirected me to a phishing-cum-landing page that gives a warning about outdated Firefox and tries to install an xpi file by running it.


The XPI file is hosted on Dropbox.

Now I tried to download that addon, renamed .xpi to .zip and extracted its contents.


Voila.. There's an exe in it, which is a custom bot-cum-password stealer that downloads more files onto your PC automatically.
But how does it get executed? The answer is in the JavaScript file.

It connects to a domain and some servers.
zuzuri.x64.me    79.172.242.88

X64.me is a free DNS domain: https://www.dnsdynamic.org

Virus scan report. (Most antiviruses are unable to detect it, as it's crypted.)
https://www.virustotal.com/en/file/02293d8b45e69f4dc0d69eb85553c5b6f97c47789689bc03bc0af729f4b25e0d/analysis/1396215000/

You can see the full analysis here.
https://malwr.com/analysis/MjZhN2ExYzQ2MzBmNGI5ZDhiNjExNzM4NTQ1MGM1YjA/

Now when you try to find more info about that zazuri.x64.me domain, you will get scan links of other malware, including a .scr file and a pdf (pdf exploit).

https://malwr.com/analysis/MDIyZGFkNGNmMGM4NGFhZmFjMGM1OTdiMTY3YmJkNGM/
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~AutoIt-AGU/detailed-analysis.aspx
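The triage step described in this post (an .xpi is just a zip; rename it, extract it, and look for a Windows executable hiding inside) can be automated. The following is an added example, not code from the thread; it opens an XPI from bytes and flags any member that carries an executable extension or starts with the PE "MZ" magic, regardless of its name. The sample add-on it builds is constructed for the demonstration and contains only header bytes, not a real binary.

```python
import io
import posixpath
import zipfile

# Extensions that have no business inside a Firefox add-on package.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def inspect_xpi(data: bytes) -> dict:
    """Open an .xpi (plain zip) from bytes and flag suspicious members.

    Returns the member list, the flagged members with reasons, and whether a
    top-level add-on manifest (install.rdf or manifest.json) was present.
    """
    findings = {"members": [], "flagged": [], "has_manifest": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            findings["members"].append(name)
            base = posixpath.basename(name).lower()
            if base in ("install.rdf", "manifest.json") and "/" not in name:
                findings["has_manifest"] = True
            reasons = []
            ext = posixpath.splitext(base)[1]
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {ext}")
            # Check content, not just the name: a renamed PE still begins with MZ.
            if not info.is_dir():
                with zf.open(info) as fh:
                    if fh.read(2) == PE_MAGIC:
                        reasons.append("PE header (MZ) in content")
            if reasons:
                findings["flagged"].append((name, reasons))
    return findings


def build_sample_xpi() -> bytes:
    """Constructed sample: an add-on skeleton with two embedded PE-like files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.rdf", "<RDF/>")
        zf.writestr("chrome/content/loader.js", "// script that would launch the dropped file")
        zf.writestr("chrome/content/update.dat", b"MZ" + b"\x00" * 64)  # PE disguised as data
        zf.writestr("chrome/content/svchost.exe", b"MZ" + b"\x90" * 32)  # obvious executable
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in inspect_xpi(build_sample_xpi())["flagged"]:
        print(member, "->", "; ".join(why))
```

Run it against a real .xpi by passing `open(path, "rb").read()` to `inspect_xpi`; a clean add-on should produce an empty `flagged` list.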
