

Author Archive
May 3rd, 2013

Regents of Louisiana spreading Sirefef malware

I was given a suspicious link pointing to the website of the Board of Regents of the State of Louisiana. The link consists of the main site, hxxp://, followed by /wp-content/upgrade/<numbers>.exe, where <numbers> stands for a string of random digits and the file carries an .exe extension.
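The path shape described above is a usable detection on its own: WordPress uses wp-content/upgrade only as a scratch directory for unpacking updates, so a healthy install never serves executables from it, let alone ones named with nothing but digits. The following added Python example (my code, not tooling from the original post) scans proxy-log lines for exactly that request shape and aggregates hits per serving host. The log format, the hostnames and every log line are constructed for the example; the post itself elides the real site.

```python
import re
from urllib.parse import urlsplit

# Path shape described in the post: WordPress's wp-content/upgrade directory
# (used only for unpacking core/plugin updates) serving an executable whose
# name is nothing but digits. A healthy WordPress install never serves .exe
# files from there, so a single hit is worth an alert.
SUSPICIOUS_PATH = re.compile(r"^/wp-content/upgrade/\d+\.exe$", re.IGNORECASE)

# Constructed proxy-log format for this example (not any real product's):
# <timestamp> <client_ip> <method> <full_url> <status>
# All hosts and lines below are made up; the post does not name the real site.
SAMPLE_LOG = """\
2013-05-03T10:01:02Z 10.0.0.5 GET http://www.example.org/index.php 200
2013-05-03T10:01:05Z 10.0.0.5 GET http://www.example.org/wp-content/upgrade/4825319.exe 200
2013-05-03T10:02:11Z 10.0.0.7 GET http://www.example.org/wp-content/themes/x/style.css 200
2013-05-03T10:03:40Z 10.0.0.9 GET http://cdn.example.net/wp-content/upgrade/setup.exe 200
2013-05-03T10:04:00Z 10.0.0.5 GET http://www.example.org/wp-content/upgrade/77/ 404
2013-05-03T10:05:13Z 10.0.0.8 GET http://www.example.org/WP-CONTENT/UPGRADE/9018.EXE?dl=1 200
"""


def is_suspicious_url(url):
    """True when the URL path matches the <digits>.exe-under-upgrade pattern."""
    path = urlsplit(url).path          # the query string is ignored on purpose
    return bool(SUSPICIOUS_PATH.match(path))


def parse_line(line):
    """Split one constructed log line into its fields; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": status}


def scan_log(text):
    """Return one finding per request that fetched a suspicious executable."""
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None or not is_suspicious_url(rec["url"]):
            continue
        rec["host"] = urlsplit(rec["url"]).hostname
        findings.append(rec)
    return findings


def hosts_by_hits(findings):
    """Aggregate findings per serving host, most hits first."""
    counts = {}
    for f in findings:
        counts[f["host"]] = counts.get(f["host"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['client']} -> {h['url']}")
    for host, n in hosts_by_hits(hits):
        print(f"{host}: {n} download(s)")
```

The match is deliberately tight (digits only, .exe only, exact directory) so that it does not fire on the legitimate theme and plugin traffic a WordPress site generates; a named executable such as setup.exe in the same directory is still odd and worth a looser, lower-priority rule, but it is not the pattern the post describes.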

Categories: analyses, Virus Lab
April 17th, 2013

Make money fast via torrents

Several months ago I wrote a blog post about an adware downloader which, after execution, downloaded several adware programs and installed them on the computer, giving the user no chance to skip or bypass their installation. This time we analyze an application that installs similar adware on users' computers.

We received a file which appeared to be a crack for Pinnacle Studio HD Ultimate. After displaying an initial splash screen, it offers to install Pinnacle Pixie Activation 500. Once the user confirms, the crack is installed, but alongside it other programs and toolbars unexpectedly appear on the compromised computer. Pinnacle was not the only lure used in this campaign: cracks for Sims, Nero, Rosetta Stone and Pro Evolution Soccer 2013 were also used for distribution.


March 19th, 2013

Analysis of Chinese attack against Korean banks

In this blog post, we will look at the attack originating from hxxp:// and targeting several major Korean banks.

The site,, is a legitimate Korean website belonging to the Korea Software Property Right Council (SPC). After opening the site and viewing its source code, we looked into the included script /js/common1.js. This script in turn includes two further JavaScript files (a third include is commented out). When we opened both of these scripts, we noticed a suspicious iframe tag at the end of /js/screen1.js. This iframe led us to, which is the main attack site.

Categories: analyses, Virus Lab
January 9th, 2013

Download a movie or pollute your computer with garbage?

As a malware analyst, I sometimes have to deal with files that cannot be classified as a computer virus or malware, but whose behavior when executed by the user is still unwanted or suspicious. In this blog post we look at an adware downloader. It comes in two versions: a tiny one of only about 17 KB written in .NET, and a larger one built with the getrighttogo downloader builder. On the user's computer the downloader was found at the following path.

C:\Documents and Settings\Administrador\Meus documentos\Downloads\filme(1).exe

The user's computer was infected via one of many similar websites offering movie downloads. Clicking a download link on such a site offers an .exe file rather than a video.

Figure 1 – Example of site the downloader was originally downloaded from

Categories: analyses, Virus Lab
September 5th, 2012

United States Cyber Security Ransomware Scam

In this blog post I would like to introduce one variant of a widely spread malware family that avast! usually detects as "Reveton." Reveton is classified as ransomware: a program which locks your computer and demands an action, usually a payment. Until the demanded sum is paid or the malicious application is removed, you cannot do anything with the computer.

The screenshot below (figure 1) shows an example of the fake United States Cyber Security notice. The crooks try to convince the user that illegal activity has been detected on his computer; in the sample we analyzed, the user is accused of illegally downloading and distributing copyrighted content.

 Figure 1

To look realistic, the United States Cyber Authority logo and basic information about the user's location (IP, Location, ISP) are shown in the upper left corner, and a black-and-white image resembling a web camera feed in the upper right. This is meant to create the feeling that the authorities are watching the user right now through the integrated web camera. Most computers nowadays have one; the computer on which we performed the analysis had no web camera at all, yet the "recording" image was still shown, which gives the fake away.

Categories: Virus Lab
May 9th, 2012

“Fix your hard disk” with fake S.M.A.R.T. Repair tool

Imagine a program that scans your computer, detects some errors and offers to fix them. There are many legitimate programs that do this (antivirus programs, for example), but there are also many fake ones that do nothing beneficial: they only pretend to scan your computer and pretend to fix errors, when in reality there are no errors and nothing is being fixed. You didn't install such a program and you don't even know how it got onto your computer. It's just there, trying to trick you into buying a license.

Have you ever wondered what happens when you "buy" the activation key? Will the program really do something for you, will it just disappear, or will it keep annoying you? Let's look at a program called "S.M.A.R.T. Repair".

Figure 1


Categories: analyses, Virus Lab