echo: alt-comp-anti-virus
to: ALL
from: VIRUS GUY
date: 2016-03-01 08:54:00
subject: AV industry doing patheti

Got a spam today at $dayjob.  That's a feat in and of itself, given that
I'm blocking over 80% of IPv4 IP space at the server.  But this one came
with something that I haven't seen in a while - a malware attachment (a
zipped .js file).

Here's a scan of that file:

https://www.virustotal.com/en/file/30a3bd32848adfa5f5b67f1a19705947adabcb4d1a1d4f4f8e47575c81785895/analysis/1456855137/

Detected by 2 out of 56 programs.  Pathetic.

Who got it right?

   Cyren        JS/Locky.D!Camelot 
   F-Secure     Trojan-Downloader:JS/Dridex.W

Cyren?

As in "Cyren out loud" ?  Never heard of them.

Wepawet is a piece of #### - it found nothing.  Anubis (from the same
group) is still f*cked up (can't get any analysis results).

Malwr.com has got it right:

https://malwr.com/analysis/OTZhYTRhODVjY2E1NDlhMDg4MTgzOGEzYjUwNTM3NDc/

Here's where the payload is being obtained: 

   demo.rublemag.ru/system/logs/87yhb54cdfy.exe

demo.rublemag.ru = 178.63.61.195 (as I write this)

Here's who owns that IP:

address:        Hetzner Online GmbH
address:        Industriestrasse 25
address:        D-91710 Gunzenhausen
address:        Germany
phone:          +49 9831 505-0
fax-no:         +49 9831 505-3
abuse-mailbox:  abuse@hetzner.de

These other IPs are somehow also involved (maybe backup?):

31.184.197.119
188.138.88.184
5.34.183.195
185.14.29.188

Here's the VT scan of the above-mentioned .exe file:

https://www.virustotal.com/en/file/8c781b10d0cc5f4734df9aca584ab996570560bff0cb7c9c5c152eddda35197c/analysis/1456879415/

Detection rate 5 / 56 (again - pathetic given this thing has been
circulating for over 6 hours).

Kaspersky      UDS:DangerousObject.Multi.Generic
McAfee-GW      BehavesLike.Win32.PWSZbot.fm
Qihoo-360      HEUR/QVM20.1.Malware.Gen
Rising         PE:Malware.Generic/QRS!1.9E2D [F]
Symantec       Suspicious.Cloud.2

This is ransomware, btw.  Something I'm sure won't run properly on my
win-98 system...
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)

SOURCE: echomail via QWK@docsplace.org
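The attachment in the post above is the textbook lure of its era: a .js downloader inside a zip, which AV engines largely missed for hours. The mail gateway does not have to wait for signatures; it can refuse archives that contain script or executable members at all. The following is an added example, written in Python for this page and not code from the post or its author. It inspects a zip attachment, flags members whose last extension would execute on Windows (including double extensions such as invoice.pdf.js), recurses into nested zips, and refuses to inflate oversized members. The blocked-extension list and size limits are this example's assumptions, and the sample attachment it builds is constructed and harmless, not the real dropper.

```python
import hashlib
import io
import posixpath
import zipfile

# Members with these extensions execute when double-clicked on Windows; a
# zipped .js downloader like the one in the post is the textbook case. The
# list is this example's assumption, not a standard: extend it to local policy.
BLOCKED_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
    ".cmd", ".bat", ".scr", ".exe", ".com", ".pif", ".jar", ".lnk",
}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate anything larger (assumed limit)
MAX_NESTING = 3                       # zip-in-zip depth we will look into (assumed limit)


def suspicious_members(zip_bytes, depth=0):
    """Return a list of (path, reason, sha256) for members that a gateway
    should refuse. Recurses into nested zips up to MAX_NESTING levels."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        # A corrupt or disguised archive is itself worth holding for review.
        return [("<archive>", "not a valid zip", hashlib.sha256(zip_bytes).hexdigest())]

    for info in zf.infolist():
        if info.is_dir():
            continue
        name = info.filename
        if info.file_size > MAX_MEMBER_BYTES:
            # Do not decompress it; report it without a hash.
            findings.append((name, "oversized member (possible zip bomb)", None))
            continue
        data = zf.read(info)
        digest = hashlib.sha256(data).hexdigest()

        # Split every dotted part of the basename so "invoice.pdf.js" and a
        # trailing-space trick like "report.js " are both caught.
        parts = posixpath.basename(name).lower().strip().split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""

        if ext in BLOCKED_EXTENSIONS:
            reason = "script/executable member"
            if len(parts) > 2:
                reason += " with double extension"
            findings.append((name, reason, digest))
        elif ext == ".zip" and depth < MAX_NESTING:
            for path, reason, inner_digest in suspicious_members(data, depth + 1):
                findings.append((f"{name}/{path}", reason, inner_digest))
        elif ext == ".zip":
            findings.append((name, "nested zip beyond inspection depth", digest))
    return findings


def should_quarantine(zip_bytes):
    """Gateway decision: hold the message if anything inside is suspicious."""
    return bool(suspicious_members(zip_bytes))


def build_sample_attachment():
    """Constructed, harmless stand-in for the attachment: a .js file with a
    double extension, a benign text file, and a nested zip holding an .exe
    stub. None of this is the real malware from the post."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("setup.exe", b"MZ" + b"\x00" * 62)  # PE header stub only
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("invoice_0301.pdf.js", 'var note = "constructed sample";\n')
        z.writestr("notes.txt", "plain text, should not be flagged\n")
        z.writestr("more.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_attachment()
    for path, reason, digest in suspicious_members(sample):
        print(f"{path}: {reason} sha256={digest}")
    print("quarantine:", should_quarantine(sample))
```

The decision is deliberately made on file type, not on detection verdicts: a zipped .js has no business arriving by mail at most sites, so refusing it costs little and does not depend on whether 2 or 56 engines have caught up. The SHA-256 of each flagged member is kept so the same sample can be looked up on VirusTotal or a sandbox afterwards, as the post does by hand.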
