From: Virus Guy on
I came across this while doing more searches for "Day 360 is coming":

setup_build7_292.exe

hxxp://www. brueserberg.de/?bru=day-360-is-coming

The actual full URL for that file seems to be coded, and I believe the
code has a timing component to it that renders the URL invalid after
some period of time. For example, the first time I got that file, the
URL was this:

-----------------
hxxp://pineguard-of-pc. com/build7_292.php?cmd=getFile&counter=1
&p=p52dcWptal%2FCj8bYboBwgHle0KCfZ1bVoKDb2WpvWJjOxaCbkXp%2F
WqyopHbHXpaak2ZhZGNsnFPVpJHaotahk1ealXOL1dZ2Y2ZvZXBoa

W%2BYXo rPeKKcqaJ1ip22mZ3LapSWmWJvZm ebmJY %3D
----------------

After a few minutes, that URL became non-operative.

The last line is separated for comparison to the next time I tried it:

----------------
hxxp://pineguard-of-pc. com/build7_292.php?cmd=getFile&counter=1
&p=p52dcWptal%2FCj8bYboBwgHle0KCfZ1bVoKDb2WpvWJjOxaCbkXp%2F
WqyopHbHXpaak2ZhZGNsnFPVpJHaotahk1ealXOL1dZ2Y2ZvZXBoa

m2VY4 rPeKKcqaJ1ip22mZ3LapSWmWJvZm iZlZo %3D
-----------------

Note that the first 3 lines are the same, and so is a large section of
the 4th line. But the first and last 5 characters of the 4th line are
different. The .exe files are identical.

VirusTotal is coming back with 4 hits:

CAT-QuickHeal (Suspicious) - DNAScan
Comodo Heur.Suspicious
Sophos Mal/FakeAV-CD
Sunbelt Trojan.Win32.Generic!SB.0

The file seems to be an executable, but when Firefox offered it to me
and asked what I wanted to do with it, Firefox thought it was an Adobe
PDF file (?)

BTW, does anyone have an example of the latest PDF exploit?
merry_christmas.pdf ?
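As an added analyst's example (this is not the poster's code), the script below takes the two URLs transcribed from the post, strips the spaces the poster inserted as separators, percent-decodes the `p` parameter (it ends in `%3D`, i.e. base64 padding) and reports which token characters and which decoded bytes change between the two fetches, plus how much of the decoded payload is printable. The host and parameter names are those on the page; the scheme stays defanged as `hxxp` and nothing is fetched.

```python
"""Compare two time-limited download URLs from the same dropper.

Added example for this thread, not the poster's code. Both URLs are
transcribed from the post; the spaces inside the last segment of the
p= value are the separators the poster inserted for visual comparison
and are removed before decoding.
"""
import base64
import string
from urllib.parse import unquote, urlsplit

# Transcribed from the post ("hxxp" and "pc. com" are the poster's defanging).
URL_FIRST = ("hxxp://pineguard-of-pc. com/build7_292.php?cmd=getFile&counter=1"
             "&p=p52dcWptal%2FCj8bYboBwgHle0KCfZ1bVoKDb2WpvWJjOxaCbkXp%2F"
             "WqyopHbHXpaak2ZhZGNsnFPVpJHaotahk1ealXOL1dZ2Y2ZvZXBoa"
             "W%2BYXo rPeKKcqaJ1ip22mZ3LapSWmWJvZm ebmJY %3D")
URL_SECOND = ("hxxp://pineguard-of-pc. com/build7_292.php?cmd=getFile&counter=1"
              "&p=p52dcWptal%2FCj8bYboBwgHle0KCfZ1bVoKDb2WpvWJjOxaCbkXp%2F"
              "WqyopHbHXpaak2ZhZGNsnFPVpJHaotahk1ealXOL1dZ2Y2ZvZXBoa"
              "m2VY4 rPeKKcqaJ1ip22mZ3LapSWmWJvZm iZlZo %3D")

PRINTABLE = set(string.printable.encode("ascii"))


def query_params(url):
    """Split the query string by hand so a literal '+' in the token is kept
    (parse_qs would turn it into a space and corrupt the base64)."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def decode_token(url):
    """Return (cleaned base64 token, decoded bytes) for the p= parameter."""
    token = query_params(url)["p"].replace(" ", "")  # drop the poster's separators
    return token, base64.b64decode(token)


def differing_offsets(a, b):
    """Indices at which two equal-length sequences differ."""
    if len(a) != len(b):
        raise ValueError("sequences differ in length: %d vs %d" % (len(a), len(b)))
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII; ~1.0 would suggest plaintext."""
    return sum(b in PRINTABLE for b in data) / len(data)


def compare(url_a, url_b):
    """Summarise what changed between two issues of the tokenised URL."""
    tok_a, raw_a = decode_token(url_a)
    tok_b, raw_b = decode_token(url_b)
    return {
        "token_length": len(tok_a),
        "char_diffs": differing_offsets(tok_a, tok_b),
        "byte_length": len(raw_a),
        "byte_diffs": differing_offsets(raw_a, raw_b),
        "printable_ratio": round(printable_ratio(raw_a), 2),
    }


if __name__ == "__main__":
    for key, value in compare(URL_FIRST, URL_SECOND).items():
        print("%-16s %s" % (key, value))
```

Both tokens are 144 base64 characters and decode to 107 bytes; only two short runs of bytes change between fetches, and the decoded payload is mostly non-printable, so it is an opaque (likely encrypted or obfuscated) structure rather than a readable timestamp. Comparing successive issues of such a URL this way is a cheap first step before deciding whether the variable bytes are worth deeper analysis.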
From: FromTheRafters on
"Virus Guy" <Virus(a)Guy.com> wrote in message
news:4B363535.74AC254E(a)Guy.com...
>I came across this while doing more searches for "Day 360 is coming":
>
> setup_build7_292.exe
>
> hxxp://www. brueserberg.de/?bru=day-360-is-coming
>
> The actual full URL for that file seems to be coded, and I believe the
> code has a timing component to it that renders the URL invalid after
> some period of time. For example, the first time I got that file, the
> URL was this:
>
> -----------------
> hxxp://pineguard-of-pc. com/build7_292.php?cmd=getFile&counter=1
> &p=p52dcWptal%2FCj8bYboBwgHle0KCfZ1bVoKDb2WpvWJjOxaCbkXp%2F
> WqyopHbHXpaak2ZhZGNsnFPVpJHaotahk1ealXOL1dZ2Y2ZvZXBoa
>
> W%2BYXo rPeKKcqaJ1ip22mZ3LapSWmWJvZm ebmJY %3D
> ----------------
>
> After a few minutes, that URL became non-operative.
>
> The last line is separated for comparison to the next time I tried it:
>
> ----------------
> hxxp://pineguard-of-pc. com/build7_292.php?cmd=getFile&counter=1
> &p=p52dcWptal%2FCj8bYboBwgHle0KCfZ1bVoKDb2WpvWJjOxaCbkXp%2F
> WqyopHbHXpaak2ZhZGNsnFPVpJHaotahk1ealXOL1dZ2Y2ZvZXBoa
>
> m2VY4 rPeKKcqaJ1ip22mZ3LapSWmWJvZm iZlZo %3D
> -----------------
>
> Note that the first 3 lines are the same, and so is a large section of
> the 4th line. But the first and last 5 characters of the 4th line are
> different. The .exe files are identical.
>
> VirusTotal is coming back with 4 hits:
>
> CAT-QuickHeal (Suspicious) - DNAScan
> Comodo Heur.Suspicious
> Sophos Mal/FakeAV-CD
> Sunbelt Trojan.Win32.Generic!SB.0
>
> The file seems to be an executable, but when Firefox offered it to me
> and asked what I wanted to do with it, Firefox thought it was an Adobe
> PDF file (?)
>
> BTW, does anyone have an example of the latest PDF exploit?
> merry_christmas.pdf ?

That's just a filename, the same as annonce.pdf.