
Vundo Hackers use 404 toolkit methods

Posted: March 11, 2008

404 toolkit tactics are used to infect users with multiple pieces of malware from malicious websites

The hackers behind the Vundo infection are using a 404 toolkit method to load malware onto computers over the internet. Trend Micro recently reported a Trojan delivered through a spam email message that goes on to install further malware. The spam message contains an image; clicking the image redirects the victim to a malicious website that loads an executable file onto the system. The file was traced to the address hxxp://BLOCKED-carvalhal.pt/tits.exe and is detected as TROJ_SHEUR.HD. The site hosting this file has since been shut down.

In a 404 toolkit attack, the final step of the infection chain is the installation of a rogue anti-virus product. In the case of this Vundo campaign the program installed was WinFixer, a fake anti-virus program.

The malicious website that started this infection also served two other scripts, each redirecting to a different URL. While the two scripts execute, the computer is left in a busy state in which it cannot be used. The 404.php page redirects the victim to a malicious site, as do other pages hosted at the undisclosed web address. Trend Micro's examination of the scripts suggests an ongoing operation that loads dirty files onto a user's computer whenever this malicious website is visited.

Below are the other files that are loaded when the scripts run.

u_f1_v34_78.exe
inst250.exe
krab.exe
loader.exe
ldig002.exe
terasole.exe
2302.exe

Below is the list of malware detected after the scripts have run and infected the computer.

ctfmona.exe -> TROJ_DLOADER.JG
Fsd9mk4g.dll -> TROJ_DLOADER.DUF
inst250.exe -> TROJ_DROPPER.DRL
Jfs9jg.dll -> TROJ_SMALL.BKJ
krab.exe -> TROJ_AGENT.WNQ
ldig002.exe -> TROJ_DLOADER.ENR
msgk429.exe -> TROJ_DNSCHANGE.Y
symavc32.sys -> TROJ_ROOTKIT.EZ
u_f1_v34_78.exe -> TROJ_DNSCHANGE.Y
winlogan.exe -> TROJ_DLOADER.DJH
Wmgq44.sys -> TROJ_ROOTKIT.EZ
ieupdr2.exe -> TROJ_DLOADER.LSI
ie_updates3r.exe -> TROJ_DLOADER.LSI
jf-carvalhal[1].txt -> JS_CLICKER.ZU
loader.exe -> TROJ_CUTWAIL.AR
msgk251.exe -> TROJ_CUTWAIL.AR
nwan.dat -> TROJ_PROXY.TO
terasole.exe -> BKDR_MOMIBOT.B
tits.exe -> TROJ_SHEUR.HD
WinIFixer.exe -> TROJ_WINFIXER.FD
winlugan.exe -> TROJ_DLOADER.LSI
WLCtrl32.dll -> TROJ_AGENT.ANX
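As an added triage example (not code from the article or from Trend Micro), the script below turns the dropped-file names and detection names listed above into a small indicator set and runs it over a constructed directory listing and proxy log. It also applies the 404.php-redirect pattern described earlier as a hunting heuristic. The sample evidence lines, every host name other than the defanged one quoted above, and the function names are assumptions made for illustration. Note that several of the dropped files (ctfmona.exe, winlogan.exe, winlugan.exe) mimic the legitimate Windows binaries ctfmon.exe and winlogon.exe, so the matcher anchors on whole file names rather than substrings.

```python
"""IOC triage for the Vundo / 404 toolkit drop list (added example)."""
import re
from typing import Dict, List, Tuple

# Dropped-file names and Trend Micro detection names as listed in the article.
DROPPED_FILES: Dict[str, str] = {
    "ctfmona.exe": "TROJ_DLOADER.JG",
    "Fsd9mk4g.dll": "TROJ_DLOADER.DUF",
    "inst250.exe": "TROJ_DROPPER.DRL",
    "Jfs9jg.dll": "TROJ_SMALL.BKJ",
    "krab.exe": "TROJ_AGENT.WNQ",
    "ldig002.exe": "TROJ_DLOADER.ENR",
    "msgk429.exe": "TROJ_DNSCHANGE.Y",
    "symavc32.sys": "TROJ_ROOTKIT.EZ",
    "u_f1_v34_78.exe": "TROJ_DNSCHANGE.Y",
    "winlogan.exe": "TROJ_DLOADER.DJH",
    "Wmgq44.sys": "TROJ_ROOTKIT.EZ",
    "ieupdr2.exe": "TROJ_DLOADER.LSI",
    "ie_updates3r.exe": "TROJ_DLOADER.LSI",
    "jf-carvalhal[1].txt": "JS_CLICKER.ZU",
    "loader.exe": "TROJ_CUTWAIL.AR",
    "msgk251.exe": "TROJ_CUTWAIL.AR",
    "nwan.dat": "TROJ_PROXY.TO",
    "terasole.exe": "BKDR_MOMIBOT.B",
    "tits.exe": "TROJ_SHEUR.HD",
    "WinIFixer.exe": "TROJ_WINFIXER.FD",
    "winlugan.exe": "TROJ_DLOADER.LSI",
    "WLCtrl32.dll": "TROJ_AGENT.ANX",
}

# One compiled pattern per name. \b keeps "ctfmona.exe" from matching the
# legitimate "ctfmon.exe" (and "loader.exe" from matching "downloader.exe");
# re.escape handles the brackets in "jf-carvalhal[1].txt".
_PATTERNS = [
    (name, det, re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE))
    for name, det in DROPPED_FILES.items()
]

# Heuristic for the 404 toolkit: a 404.php handler answering with a redirect
# (HTTP 301/302/303/307/308). Real sites redirect from error pages too, so a
# hit is a lead to inspect, not a verdict.
_404_REDIRECT = re.compile(r"/404\.php\b.*\s30[12378]\b")

# Constructed sample evidence (assumed, not from the article): a file
# listing from an infected host plus two proxy log lines.
SAMPLE_EVIDENCE: List[str] = [
    r"C:\WINDOWS\system32\ctfmon.exe",  # legitimate, must not match
    r"C:\WINDOWS\system32\ctfmona.exe",
    r"C:\WINDOWS\system32\drivers\symavc32.sys",
    r"C:\WINDOWS\system32\drivers\Wmgq44.sys",
    r"C:\WINDOWS\system32\WLCtrl32.dll",
    "10.0.0.5 - - GET hxxp://BLOCKED-carvalhal.pt/tits.exe 200 45056",
    "10.0.0.5 - - GET hxxp://BLOCKED-example.invalid/404.php 302 0",
    r"C:\Documents and Settings\user\Temporary Internet Files\jf-carvalhal[1].txt",
    r"C:\Program Files\WinIFixer\WinIFixer.exe",
]


def find_iocs(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (line, file_name, detection) for every known dropped file seen."""
    hits = []
    for line in lines:
        for name, det, pat in _PATTERNS:
            if pat.search(line):
                hits.append((line, name, det))
    return hits


def flag_404_redirects(lines: List[str]) -> List[str]:
    """Return lines where a 404.php page answered with an HTTP redirect."""
    return [line for line in lines if _404_REDIRECT.search(line)]


def summarize(hits: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count hits per detection name so rootkit/DNS-changer families stand out."""
    counts: Dict[str, int] = {}
    for _, _, det in hits:
        counts[det] = counts.get(det, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_iocs(SAMPLE_EVIDENCE)
    for line, name, det in found:
        print(f"{det:20} {name:22} {line}")
    print("per-family counts:", summarize(found))
    print("404.php redirects:", flag_404_redirects(SAMPLE_EVIDENCE))
```

A TROJ_ROOTKIT.EZ hit on a .sys driver means the host cannot be trusted to report its own state; the kernel driver can hide the other files from a live scan, so confirm with an offline scan of the disk rather than relying on the listing alone.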

Users should avoid email messages that contain suspicious links, including links embedded in images. If an email carries a dirty or pornographic image, delete it rather than clicking on it, since the click is what redirects you to a malicious website such as the one described above.
