Wednesday, September 28, 2011

Sept. 23 CVE-2011-1991 type (1) deskpan.dll Windows components DLL loading vulnerability

These 4 phish message attempt to utilize CVE-2011-1991 type (1) deskpan.dll in the Display Panning CPL Extension. Here is a clear explanation of the deskpan.dll functionality  - it is "a module related to the display settings of pictures on your display screen" It is normally located in C:\ windows\ system32\. The phishing messages contain a word document (0/44 on VT) and a dll file called deskpan.dll in one zip or rar archive, which is in fact a Taidoor trojan dll unrelated to the authentic Windows library. This exploit has strict requirements for execution. I have not been able to meet them and get it to work, just like in Apr 13 CVE-2011-2100 PDF - Adobe DLL Loading Vulnerability - Agenda.7z,  it is hard to trigger. A reader sent explanation how his exploit can be triggered -

Wednesday, September 21, 2011

Sept 21 Greedy Shylock - financial malware

Not one, my lord.
Besides, it should appear, that if he had
The present money to discharge the Jew,
He would not take it. Never did I know
A creature, that did bear the shape of man,
So keen and greedy to confound a man:
(The Merchant of Venice W. Shakespeare Act 3, Scene 2 )

On September 7, 2011,  Trusteer announced they are investigating new financial malware they called Shylock that "uses unique mechanisms not found in other financial malware toolkits, including: an improved method for injecting code into additional browser processes to take control of the victim’s computer; a better evasion technique to prevent malware scanners from detecting its presence; a sophisticated watchdog service that allows it to resist removal attempts and restore operations"

Trusteer called the malware Shylock for Shakespeare quotes in the properties of the file.

Monday, September 19, 2011

Mebromi BIOS rootkit affecting Award BIOS (aka "BMW" virus)

On September 13, 2011, Marco Giuliani from Webroot posted a detailed analysis of Mebromi - BIOS rootkit affecting Chinese computers with AWARD BIOS, which was earlier discovered by Qihoo 360. As noted by cfans from and kerne1_madman from, the infection starts with a binary with MD5 1AA4C64363B68622C9426CE96C4186F2 that downloads the actual dropper MD5 BB5511A6586BA04335712E6C65E83671. While looking for the samples, I found one domain referenced on CleanMX on 2011-08-31 that was used for distribution of the downloader with binary called qvodffs.exe MD5 1AA4C64363B68622C9426CE96C4186F2  hxxp://  In other cases it was called 123.exe (noted by Prevx  -seen on Aug 29, 2011 )

Sunday, September 11, 2011

Russian Black SEO ❤

Introducing ESAT NQD32 and "Test Version" of Windows

ESAT robot iz  very sad
I wasn't planning to make any posts while traveling for the lack of fast internet connection and ability to handle malicious files. For the same reason I will not be posting any analysis or malware zip archives in this post, only malicious links.

I visited Russia and needed to help someone purchase a new computer. This post is the result of the interesting experience, which should at least partially explain the share of malware from Russia .

 The two reasons I saw were the widespread use of pirated Windows that cannot be updated and poisoned results for any commonly used software - nearly all Google Sponsored Links for searches of Adobe products, antivirus products, free players and utilities will redirect you to malware downloads. is most commonly used domain for advertising these malicious "products".

Wednesday, September 7, 2011

Mediafire DMCA Office2010-kb2289161-fullfile-x64-glb.exe patch email

This summary is not available. Please click here to view the post.