Malware Writers Love this Blog

Hey, when they add even your blog to their lists of restricted sites on infected machines, you know that you’re doing something right.

Our talented colleague Sergei Shevchenko noticed a recent ThreatExpert report in which a not-so-well-detected IRCBot variant is adding the ThreatFire blog url to the hosts files of infected machines, mapping it to the localhost ip. You can see the url in a long list of sites by scrolling down beneath “The HOSTS file was updated with the following URL-to-IP mappings”: blog.threatfire.com

This addition to the HOSTS file means that infected users trying to research symptoms of their infected system online won’t be able to browse this blog’s web pages and find out that the current “msnmessage7.7.exe” file in their c:windowssystem32 directory is causing them a headache.
We suspect that this one is spreading as a part of another IM worm as a message attachment named image_10.zip. When this file is unzipped, its extracted contents have names like “Cle-p.exe”.

If you didn’t pick up on it, the title of this post is meant to be sarcastic.

This entry was posted in Online Fraud. Bookmark the permalink.

3 Responses to Malware Writers Love this Blog

  1. s€cUßø× says:

    There is a little mistake in this article. It copy itself in "%windir%\system32\" not in %windir%

    They are all "not-so-well-detected" & it's difficult to understand why, those files always have the same structure, *kidz* used lamed *fud* stubz. Fortunately, Microsoft have a nice heuristic on it.

  2. ThreatFire Blogger says:

    Thanks, I’ll go ahead and correct the location.

    Yes, nice to see one of the scanners detecting malware on upload.

  3. freeandeasy says:

    Thanks but check this out the best dating site Adult Dating

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>