A forum for reverse engineering, OS internals and malware analysis 

 #354  by Jaxryley
 Sat Mar 20, 2010 2:24 am
g2412a.exe - Result: 15/42 (35.71%)
http://www.virustotal.com/analisis/7484 ... 1269005602

These microjoin exploits seem to be very hard to clean up. After executing the one below in an XP VM, many other exploits are dropped, including not one but two rogues: Antivirus Soft and Antimalware Doctor.

After running a couple of cleanup tools, many exploits are found, but on reboot the XP VM boots into a BSOD; then on reset I need to select "Last known config that worked" in order to boot.

A few errors pop up at reboot.

g2412a.exe needs to be left running for a while to get all the downloads, and many pron sites may show up as well.

Pass infected
Size: 2018 KB
 #356  by EP_X0FF
 Sat Mar 20, 2010 4:06 am

If somebody is interested, in the attachment you will find teste_p1.exe, dropped and executed by this trojan.
password: malware
 #357  by Jaxryley
 Sat Mar 20, 2010 5:25 am
Just to update - I ran this exploit again today and it's only downloading one rogue, "User Protection", which is a new variant of "Paladin Antivirus".
 #358  by kmd
 Sat Mar 20, 2010 6:56 am
Can you attach this fake AV too, in a password-protected archive?
thank you.
 #363  by Jaxryley
 Sat Mar 20, 2010 9:35 am
User Protection installers and Programs Folder below.

Pass infected
Size: 8228 KB
 #364  by Jaxryley
 Sat Mar 20, 2010 9:47 am
Paladin Antivirus installer with Virut embedded.

Also installers for Antivirus Soft and Antimalware Doctor that were dropped by the microjoin exploit yesterday.

Pass infected
Size: 1321 KB
 #365  by EP_X0FF
 Sat Mar 20, 2010 9:49 am
Thank you for the links :)