
Likely malicious html file - can someone take a look?


5 replies to this topic

#1 Charlie Tounah


Posted 04 June 2011 - 09:24 AM

Hi,

I'm a consultant, with a client that received an email with a suspicious link. I was able to download the html file from the redirected site without running it, and took a look at it in a text editor. It's obviously specially crafted, but it's beyond my ability to decipher. Could anyone interpret the file to figure out what the payload is supposed to be?

It's a 191K file, and I'm not sure how best to attach it. If someone could let me know, I'd appreciate it.

Thanks in advance,

Charlie T.

#2 Andrew


Posted 04 June 2011 - 12:09 PM

You can upload it here. Please put it in a .zip archive first.

#3 Charlie Tounah


Posted 04 June 2011 - 03:37 PM

Hi, I just uploaded the file as requested.

Thanks,
Charlie T.

#4 Andrew


Posted 04 June 2011 - 04:32 PM

It's a packed and obfuscated, and very common, fake malware scanner page. It emulates the appearance of Windows Explorer in Windows XP and claims to be scanning your computer while finding numerous infections (almost identical in every respect to this image). It then prompts you to download, install and then purchase a rogue antimalware tool.

If the page is on a server you control, then you need to immediately take action to remove these rogue pages and close whatever security hole may have allowed them in. If the page lives on an otherwise innocuous website then you should consider contacting the owner of the site and informing them that their site is hosting scam/malware pages.

#5 Charlie Tounah


Posted 04 June 2011 - 05:29 PM

Thanks for your help.

The curious thing is that this lady got this email with the malicious link, along with only a handful of other people she knows in the CC: list, and is pretty sure she knows who sent it. Could you tell if there is anything more specifically targeted than the rogue antivirus program? She is concerned about trojans, keyloggers, etc. I scanned her system with Combofix, MBAM, AVG's Virut remover, GMER and catchme, and everything's clean as far as I can tell.

Thanks again,
Charlie T.

#6 Andrew


Posted 04 June 2011 - 05:58 PM

Nothing obvious.
