Saturday, 16 April 2011

HoaxSMS Fake installers (Flash player / WinRAR )



Hoax SMS again, this time for Adobe Flash player and Winrar
----
Flash Player:
Flash_player come from: 109.120.157.81
Some files are sent in \%temp%\
No EULA shown.
MD5: e54c20c71f1cb78f25246c970f70c528




Network activities:
http://77.221.149.219/program/open_archive
http://77.221.149.219/program/get_prefix
http://77.221.149.219/program/check_key

The IP 77.221.149.219 is "zip-archive.com" a "Pay Per Install" service.

----
 WinRAR:
This one made me laught, a winrar installation who use a WinZip icon.
When opened, files are sent to C:\Documents and Settings\%userprofile%\%appdata%\winzipsoft
WinRAR come from: download-server-43.net
No EULA shown.
MD5: 134fcb1ecac0db185e2d3259a26a3e50




Chars are badly displayed because i've not enabled cyrilic support.

Net work activity:
http://wlnrar-auth5.net/pass_request_mt/?guid=7fc6bebcd8796ef5e5c72e43045f3654&parid=0&xnum=&xid=&nomer=undefined&param=&fn=dxl3.exe&xtime=29844&lp=9f54cb3ef8cce8e472ddf6de2736dfbb

----

No comments:

Post a Comment