Hey, when they add even your blog to their lists of restricted sites on infected machines, you know that you’re doing something right.
Our talented colleague Sergei Shevchenko noticed a recent ThreatExpert report in which a not-so-well-detected IRCBot variant is adding the ThreatFire blog url to the hosts files of infected machines, mapping it to the localhost ip. You can see the url in a long list of sites by scrolling down beneath “The HOSTS file was updated with the following URL-to-IP mappings”:
127.0.0.1 blog.threatfire.com
This addition to the HOSTS file means that infected users trying to research symptoms of their infected system online won’t be able to browse this blog’s web pages and find out that the current “msnmessage7.7.exe” file in their c:\windows\system32 directory is causing them a headache.
We suspect that this one is spreading as a part of another IM worm as a message attachment named image_10.zip. When this file is unzipped, its extracted contents have names like “Cle-p.exe”.
If you didn’t pick up on it, the title of this post is meant to be sarcastic.
There is a little mistake in this article. It copy itself in "%windir%\system32\" not in %windir%
They are all "not-so-well-detected" & it's difficult to understand why, those files always have the same structure, *kidz* used lamed *fud* stubz. Fortunately, Microsoft have a nice heuristic on it.
Thanks, I’ll go ahead and correct the location.
Yes, nice to see one of the scanners detecting malware on upload.
Thanks but check this out the best dating site Adult Dating