Virus Guy wrote in
news:m1795q$tq9$1@speranza.aioe.org:
> So we're well into another cycle of email-delivered trojans.
> Because the spammers need fresh IP's to hijack?
Why do you think it's hijacking IPs?
> Even 4 hours after I got it, VT scan result is a somewhat pathetic
> 13/54.
Considering what this most likely is, that's not too bad...
> Get your own copy here:
>
> http://filepost.com/files/48ec451b/Copy_of_document_Oct-09-2014.rar
This isn't a very good site dude...
for somebody who's so pissed off about malware, why the #### would
you demand users visit a site full of popups and other less than cool
scripts to download a malware sample?
I was finally able to leech an 11k rar file, which I will check out
later... but the site sucks, man. Find another one to share content
with.
An example of a site it wanted to load on me when I clicked low-speed
download; it was NOT able to complete this act, btw.
hxxp://ad.directrev.com/RealMedia/ads/adstream_sx.ads/S0000701/1%5BrandomNo%5D@x10
Clicking on simple download at the bottom of the page takes me here:
https://media-fire.org/?lang=en&sid=99eb5e8acbe2d428a9a9b03dea0510f1fa5a5e1c&p=369&pctx=14219635259&m=&lp=movie01v4&pn=vod&cus_dlp=true
As my browser isn't allowed to run scripts on foreign sites without
my permission, it's not able to do much...
window.landing_name = "movie01v4";
window.register_url = "https://register.videostripe.com?lang=en&sid=99eb5e8acbe2d428a9a9b03dea0510f1fa5a5e1c&p=369&pctx=14219635259&m=&lp=movie01v4&pn=vod&cus_dlp=true";
window.onload = function(){
    // Appends a query parameter, inserting "&" when the URL already has one.
    function addParamToUrl( url, param ) {
        var uparse = document.createElement('a');
        uparse.href = url;
        if(uparse.search.indexOf('=') > -1){
            url += "&";
        }
        return url + param;
    }
};
It wanted to open a video player and get me to signup for an account.
A normal user might have thought they'd have to do all of this
nonsense to get the file you posted.
Lame dude, totally lame.
> Malwarebytes <------- (joke)
Sadly, it's become a bit of one with the new v2.x series. They can
still get it right again though...
When they pull their heads out of their asses and get back to the
grindstone.
> and a bunch of other weird-ass software.
I didn't know Avast or Eset was weird.
> No DNS lookups or network conversations (?)
>
> Modifies lots of registry values though.
It did a bit more than that, actually.
C:\Documents and Settings\Administrator\Local Settings\Application Data\dmxevaip.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\index[1].htm
Created those files. Surprised you missed that little detail.
I suspect the registry key modifications are to support the new exe
file it created for you. It's unlikely it wants you removing it.
Ayep, indeed, it's reconfiguring your computer to run that exe file.
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Run ijhgqxai "C:\Documents and Settings\Administrator\Local Settings\Application Data\dmxevaip.exe"
Going by the anubis report without looking at the file I leeched from
the ####ty url you provided, this appears to be a dropper.
> Thanks RoadMunger for continuing to not block port-25 for your
> brain-dead residential customers.
As you can see by your own post, the AV they use may not be aware of
this sample and thus isn't able to prevent it from coming to you.
I don't see why you feel they should block port 25 for their
residential customers; you'd be disabling their ability to email
unless their client is reconfigured to use security.
http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol
You seem to be expecting them to disable sending email for
residential customers without knowing their client is having an
issue? How do you expect them to accomplish this feat?
Especially if the malware responsible for emailing you was careful
about it: email each person one time, delay or otherwise spread out
the mass emailing campaign. As the sample it's sending is unknown to
the majority of AV/AM products, it wouldn't have much difficulty
traveling around. As it's not actually doing an email bombing run or
acting like mass spamming, it wouldn't upset the ISP and cause itself
to lose email ability.
You just don't think about things and blame your own profound
stupidity on others.
--
If you can read this, Thank a teacher.
If you're reading it in english, Thank a soldier!
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
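The persistence entry discussed above (a dropped exe in Local Settings\Application Data, registered under a per-user Run key with a random value name) is the kind of thing a quick autostart check can flag. The following is an added example, not code from the original post or from any of the tools mentioned in it. It scores Run/RunOnce entries by three heuristics: target path in a user-writable profile directory, machine-looking value name, machine-looking executable name. The entry list is constructed for illustration; the first one is modelled on the HKU\...\Run value quoted in the post, the others are made-up benign-looking entries for contrast.

```python
import re

# Autostart keys this checker understands (HKLM, HKCU or HKU\<SID> prefix).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE
)

# Profile locations a process can write to without elevation.
# XP-era names (Local Settings\...) and Vista+ names (AppData\...) are both listed.
USER_WRITABLE_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\local settings\\temporary internet files\\",
    "\\appdata\\local\\",
    "\\appdata\\roaming\\",
)

# Rough heuristic for generated names such as "ijhgqxai" / "dmxevaip":
# all lowercase letters, 6-12 long, with a run of three or more consonants
# ('y' is treated as a vowel). Real product names usually fail one of these.
NAME_RE = re.compile(r"^[a-z]{6,12}$")
CONSONANT_RUN_RE = re.compile(r"[bcdfghjklmnpqrstvwxz]{3,}")


def extract_exe_path(command):
    """Return the executable path from a Run value's command string.

    Handles the quoted form "C:\\path with spaces\\x.exe" /arg and the
    unquoted form C:\\path\\x.exe /arg (stops at the first ".exe").
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r"^(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def is_user_writable(path):
    low = path.lower()
    return any(d in low for d in USER_WRITABLE_DIRS)


def looks_random(name):
    base = name.lower()
    if base.endswith(".exe"):
        base = base[:-4]
    return bool(NAME_RE.match(base)) and bool(CONSONANT_RUN_RE.search(base))


def score_run_entry(key, value_name, command):
    """Describe why an autostart entry is suspicious; None if key is not Run/RunOnce."""
    if not RUN_KEY_RE.search(key):
        return None
    exe = extract_exe_path(command)
    exe_name = exe.rsplit("\\", 1)[-1]
    reasons = []
    if is_user_writable(exe):
        reasons.append("target lives in a user-writable profile directory")
    if looks_random(value_name):
        reasons.append("value name looks machine-generated")
    if looks_random(exe_name):
        reasons.append("executable name looks machine-generated")
    # A user-writable path alone is common for legitimate per-user installs,
    # so a single reason is only "low"; two or more is worth a look.
    severity = "high" if len(reasons) >= 2 else "low" if reasons else "none"
    return {"key": key, "value": value_name, "exe": exe,
            "reasons": reasons, "severity": severity}


def scan(entries):
    """entries: iterable of (key, value_name, command). Returns the flagged ones."""
    results = []
    for key, value_name, command in entries:
        r = score_run_entry(key, value_name, command)
        if r and r["severity"] != "none":
            results.append(r)
    return results


# Constructed sample data (not a real export): first entry modelled on the
# HKU\...\Run value quoted in the post, the rest made up for contrast.
SAMPLE_ENTRIES = [
    (r"HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Run",
     "ijhgqxai",
     r'"C:\Documents and Settings\Administrator\Local Settings\Application Data\dmxevaip.exe"'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "Adobe Reader Speed Launcher",
     r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive",
     r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer",
     "ShellState",
     r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_ENTRIES):
        print(hit["severity"].upper(), hit["value"], hit["exe"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

On the sample, the dmxevaip.exe entry comes out "high" on all three reasons, while the OneDrive entry is only "low" (user-writable path, normal-looking names), which is the caveat to keep in mind: a per-user Run key pointing into AppData is a signal, not a verdict. Feeding it real data means exporting the Run keys (for example from `reg query` output or a sandbox report) into the same (key, value, command) shape.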