Archive for the Uncategorized Category

Bored

Posted in Uncategorized on September 20, 2008 by msbasic

Well I created Error binary batch files to test on your computer… Try them and tell me whatsup with ‘em =D.

Download them here:
http://rapidshare.com/files/146940662/ISO_Libs.rar.html
Or use Mediafire (Don’t take risks with it):
http://www.mediafire.com/?44ycjqylgcq
http://www.mediafire.com/?44ycjqylgcr
ISO Dumpers:
http://www.iso-dumps.co.cc/

ISO Dumpers were fucking Mediafire links….

Video Demonstration:
http://amsterdam1.plunder.com/x/162366/clip0003.avi
——————————————–

PAVCL GUI is a small utility for the Panda AV Command Line (PAVCL) that is really useful for certain tasks. From the main window you can configure the scan, update the signature database, select what you want to scan and launch the scan. The results window shows both the progress output and the detection output, by selecting either Logs->All or Logs->Detections. The “View Message” option opens a resizable and more readable window showing the output. It’s the replacement for the Panda AV Command Line: CMD to GUI!!!

From the configuration window you can select all the options that are available through command-line switches. You can also define where the report is written to.

Finally a short disclaimer. This freeware utility is not developed nor supported by Panda Security. Its author can be reached by email at pavclgui[at]gmail.com for suggestions and kudos.

Click on the following link to download the PAVCL GUI installer. The installer will create a directory on your desktop and copy both the PAVCL and PAVCL-GUI files. Simply run “pavcl gui.exe” from this directory.

The installer does not include a signature file (pav.sig) for size reasons. However within the PAVCL GUI utility you can enter your registered Panda CustomerID to download updated signatures on-demand.

Check what I’ve got!

Posted in Uncategorized on September 6, 2008 by msbasic

Today I was using Winsock controls and had to think of another function for the trojan… What about a Downloading File function? It would download the updated file from the server by FTP or HTTP; the problem is that it is very hard to find a simple example of downloading a file without an Internet window… Well, here are 2 examples: one by VB6 protocols and other functions, and the Winsock one: http://www.vbforums.com/showthread.php?s=&threadid=310235. If you downloaded both files and said OMG!! I understand =D. Well, I’ve been reading and Googling a lot more, so I found this: http://vbnet.mvps.org/code/internet/urldownloadtofilenocache.htm. Simple Protocol URL to File Download; you will understand most of the code. Most of the code is for the GUI, but the hidden download-file code is there =D. Okay, Okay, Okay… I’m a little bad with you, here’s the “Hidden” Code:

Variables & Externals

' Windows API (urlmon.dll): fetches the resource at szURL and writes it to
' szFileName; returns 0 (S_OK) on success, an HRESULT error code otherwise.
Private Declare Function URLDownloadToFile Lib "urlmon" _
   Alias "URLDownloadToFileA" _
  (ByVal pCaller As Long, _
   ByVal szURL As String, _
   ByVal szFileName As String, _
   ByVal dwReserved As Long, _
   ByVal lpfnCB As Long) As Long
Private Const ERROR_SUCCESS As Long = 0
' Bind flag that asks urlmon to bypass its cache and fetch the newest copy.
Private Const BINDF_GETNEWESTVERSION As Long = &H10
' Declared in the original sample but not used by DownloadFile below.
Private Const INTERNET_FLAG_RELOAD As Long = &H80000000

Functions & Internals

' Returns True when the download completed; no browser window is shown.
Private Function DownloadFile(sSourceUrl As String, _
                              sLocalFile As String) As Boolean

   ' pCaller and lpfnCB are 0 (no calling object, no status callback);
   ' the result is True only if the call returned ERROR_SUCCESS.
   DownloadFile = URLDownloadToFile(0&, _
                                    sSourceUrl, _
                                    sLocalFile, _
                                    BINDF_GETNEWESTVERSION, _
                                    0&) = ERROR_SUCCESS

End Function

That’s it. You’ve got the idea but Google again because this is not full info code.

-MSBasicx

Panda AV Command Line 9.5.1

Posted in Uncategorized on August 13, 2008 by msbasic

Greetz to the Panda AV team that has just made the ninth version of their command line AV.

This new engine incorporates interesting features over previous versions, especially focused on detecting and deactivating active rootkits and on improved heuristic detection of new and unknown malware:

* Engine version 1.5.1 integration.
* Reboot driver. Disinfection of active rootkits during reboot. Needs to run with admin privilege.
* Integration of Heuristic engine 7.0.7 with improved performance. Defaults to medium sensitivity.
* Suspicious detection counter in both console and logs.
* Digitally signed executables.
* New log in CSV format (pavcl.log).

The new log format is as follows:
[Date];[Complete_path];[File_name_in_compressed];[Malware_name];[Detection_ID];[Action_taken];[Sub_action];[Additional_information];[Status_ok_or_error];
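The field order above is enough to consume pavcl.log from an automated scanning system. The following parser is an added example, not Panda's code: the column names come from the format line, while the sample records, their date layout and the action values are constructed placeholders (PAVCL's real values may differ). It drops the empty element produced by the trailing ";" and skips records whose field count does not match the format.

```python
"""Parse the PAVCL 9.5.1 CSV log format (added example, not Panda's code)."""
from collections import Counter

# Column names in the order given by the PAVCL log format line.
FIELDS = [
    "date", "complete_path", "file_name_in_compressed", "malware_name",
    "detection_id", "action_taken", "sub_action", "additional_information",
    "status",
]

# Constructed sample log: paths, names, IDs and action words are invented.
SAMPLE_LOG = """\
2008-08-13 10:15:02;C:\\temp\\invoice.zip;invoice.exe;Trj/Example.A;12345;Disinfect;Deleted;;OK;
2008-08-13 10:15:03;C:\\temp\\clean.txt;;;;;;;OK;
2008-08-13 10:15:04;C:\\temp\\setup.exe;;Suspicious file;0;None;;heuristic;OK;
2008-08-13 10:15:05;C:\\temp\\locked.dll;;Trj/Example.B;12346;Disinfect;;;ERROR;
this line is malformed
"""


def parse_pavcl_log(text):
    """Return one dict per well-formed record.

    Every record ends with ';', so a plain split yields one extra empty
    element that is removed before the field count is checked.  Lines with
    the wrong number of fields are skipped rather than misaligned.
    """
    records = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = raw.split(";")
        if parts and parts[-1] == "":
            parts.pop()  # element after the trailing ';'
        if len(parts) != len(FIELDS):
            continue  # malformed record
        records.append(dict(zip(FIELDS, parts)))
    return records


def summarize(records):
    """Count records per malware name (clean files have an empty name) and
    collect the paths whose status field is not OK."""
    detections = Counter(r["malware_name"] for r in records if r["malware_name"])
    errors = [r["complete_path"] for r in records if r["status"].upper() != "OK"]
    return detections, errors


if __name__ == "__main__":
    recs = parse_pavcl_log(SAMPLE_LOG)
    found, failed = summarize(recs)
    print(f"{len(recs)} records, {sum(found.values())} detections")
    for name, count in found.items():
        print(f"  {name}: {count}")
    for path in failed:
        print(f"  action failed: {path}")
```

The "Suspicious file" record stands in for the heuristic (suspicious) counter the release notes mention; in a real feed the name Panda writes there is whatever the engine reports.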

Be sure to download the signature file available from their blog; it is meant for testing purposes and is NOT updated on a regular basis. For production and critical scanning systems make sure to contact Panda for a regular signature feed.

Download the new PAVCL 9.5.1.00 here.

Return codes are available for integrations of PAVCL with automated scanning systems. PAVCL returns a numeric value of 4 bytes to indicate the type of program exit, the type of operation performed and the number of malware detected. For more info on this contact me.

This version is compatible with Windows 2000, 2003, XP (32 and 64 bits) and Vista (32 and 64 bits).

Fake UPS Mail

Posted in Uncategorized on August 12, 2008 by msbasic

These last days, several false email messages have been in circulation that seem to come from the UPS company. However, they are not related to this company at all.

The aim of these emails is not to inform us that a postal package could not be delivered, but to entice us to open the attached file and infect our computers (detected as Trj/Agent.JEN).

This malware copies itself onto the system, replacing the Windows Userinit.exe (the file that runs explorer.exe, the system’s interface, and other important processes), after first copying the legitimate file to userini.exe so that the computer keeps working properly.

Additionally, it establishes a connection with a Russian domain that has been used on some occasions by banker Trojans. From this domain the request is redirected to a German domain in order to download a rootkit and a rogue antivirus, detected as Rootkit/Agent.JEP and Adware/AntivirusXP2008 respectively.

The following graph represents the evolution of this malware with regard to the samples received during the last days. Before being included in our signature file, it was already detected by our TruPrevent Technologies as a suspicious file.

Trj/Agent.JEN
MD5: 6B4EF50E3E21205685CEA919EBF93476

Rootkit/Agent.JEP
MD5: C65EBF59203CE3F05861398CC41A976A

Adware/AntivirusXP2008
MD5: EF6FFCC71B81B53328B63985B20C3871
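The three MD5 values above, plus the userini.exe copy the dropper leaves next to the replaced Userinit.exe, are the concrete indicators a responder can check for. The script below is an added example (not Panda's code): the hashes are the ones listed in the post, while the demo directory, its file names and contents are constructed stand-ins. MD5 is used only because the published indicators are MD5.

```python
"""Check files against the published MD5 indicators and look for the
userini.exe footprint (added example, not Panda's code)."""
import hashlib
import os
import tempfile

# MD5 indicators from the post, keyed by detection name.
IOC_MD5 = {
    "6b4ef50e3e21205685cea919ebf93476": "Trj/Agent.JEN",
    "c65ebf59203ce3f05861398cc41a976a": "Rootkit/Agent.JEP",
    "ef6ffcc71b81b53328b63985b20c3871": "Adware/AntivirusXP2008",
}


def md5_hex(data):
    """Lower-case hex MD5 of a byte string."""
    return hashlib.md5(data).hexdigest()


def match_ioc(data, iocs=IOC_MD5):
    """Return the detection name if the bytes match a known sample, else None."""
    return iocs.get(md5_hex(data))


def userinit_backup_present(names):
    """True when userini.exe sits beside userinit.exe in the same directory,
    which is the footprint of the replacement described in the post."""
    lower = {n.lower() for n in names}
    return "userinit.exe" in lower and "userini.exe" in lower


def scan_directory(path, iocs=IOC_MD5):
    """Hash every regular file under path; return (path, finding) pairs."""
    hits = []
    for root, _dirs, files in os.walk(path):
        if userinit_backup_present(files):
            hits.append((os.path.join(root, "userini.exe"),
                         "userinit replacement footprint"))
        for name in files:
            full = os.path.join(root, name)
            try:
                with open(full, "rb") as fh:
                    finding = match_ioc(fh.read(), iocs)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if finding:
                hits.append((full, finding))
    return hits


def demo():
    """Scan a scratch directory holding a constructed sample (its hash is
    added to the IoC table for the demo) and the userini.exe footprint."""
    sample = b"constructed sample, not real malware"
    iocs = dict(IOC_MD5)
    iocs[md5_hex(sample)] = "Demo/ConstructedSample"
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "dropper.exe"), "wb") as fh:
            fh.write(sample)
        for name in ("userinit.exe", "userini.exe"):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(b"placeholder")
        return sorted(finding for _path, finding in scan_directory(tmp, iocs))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host the directory to pass is the Windows system directory; a hit on the footprint alone (without a hash match) still deserves a look, since repacked samples change their MD5 but not the userini.exe trick.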

Akihabara distributing malware too?

Posted in Uncategorized on June 12, 2008 by msbasic

It is surprising how fast cyber-crooks take advantage of any eye-catching news to distribute malware. Less than two days after the tragic event that took place in Tokyo (“Tomohiro Kato – Akihabara Killer”), we detected an email that used this news as bait to deceive users.

The email seemed to come from an address belonging to RPP news (Radio Programas del Perú) in order to pass itself off as a trustworthy source. However, you can check in the following URL, which refers to the official news published by RPP, that it is totally different from the story included in the malicious email, where after a brief description of the event users are enticed to download and watch a video about it. What they actually download and install on the system is the Trojan QHost.IH.


This malware is designed to modify the hosts file by adding four fake entries for the websites of a certain banking entity. This way, if users visit any of the websites listed in the hosts file, they do not reach the original site but a copy imitating it.
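A hosts-file hijack of this kind is easy to spot: a clean hosts file only points names at loopback (or at 0.0.0.0 for ad blocking), so any name mapped to a routable address is suspect, and several names of one organisation mapped to the same address is the pharming pattern described above. The checker below is an added example, not Panda's code; the sample hosts content, the bank hostnames and the 203.0.113.5 address (a documentation range) are constructed.

```python
"""Flag hosts-file entries that pin a hostname to a non-loopback address
(added example, not Panda's code)."""
import ipaddress
from collections import defaultdict

# Constructed hosts file: the first lines are normal, the last two mimic a
# pharming edit pointing a bank's names at an attacker-controlled address.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # ad blocking, harmless
203.0.113.5     www.examplebank.test online.examplebank.test
203.0.113.5     secure.examplebank.test   # inline comment
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, one per name, ignoring comments and
    blank lines; a line may list several names for one address."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop full and inline comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # address without a name: nothing to map
        for name in fields[1:]:
            pairs.append((fields[0], name))
    return pairs


def is_benign_address(ip):
    """Loopback (127/8, ::1) and the unspecified address (0.0.0.0, used for
    blocking) are the only targets a clean hosts file normally uses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable address: treat as suspicious
    return addr.is_loopback or addr.is_unspecified


def suspicious_entries(text):
    """Every (ip, hostname) whose address is neither loopback nor 0.0.0.0."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if not is_benign_address(ip)]


def hijack_clusters(text):
    """Group suspicious names by address; several names on one routable
    address is the pattern of the banking hijack described in the post."""
    clusters = defaultdict(list)
    for ip, name in suspicious_entries(text):
        clusters[ip].append(name)
    return {ip: names for ip, names in clusters.items() if len(names) > 1}


if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"suspicious: {name} -> {ip}")
    for ip, names in hijack_clusters(SAMPLE_HOSTS).items():
        print(f"cluster on {ip}: {', '.join(names)}")
```

On Windows the file to read is %SystemRoot%\System32\drivers\etc\hosts; pass its contents to suspicious_entries() and review anything it returns, since legitimate local overrides are rare on an end-user machine.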