Unfortunately, from an anti-virus perspective, consumers are no safer than they were when we first put out the warning four days ago.
We're still seeing more than 1,000 copies per day of this malware (with the exception of the 29th) each day:
count | receiving_date
1516 | 2011-07-27
1828 | 2011-07-28
813 | 2011-07-29
1470 | 2011-07-30
1258 | 2011-07-31
but the malware is constantly evolving.
|593||c15eb3c47800fec025b6a86a6409f144||2011-07-27 03:00 AM to 2011-07-27 08:30 AM|
|1001||01e3bbd4b6f8c22a3516771f9b6792bc||2011-07-27 12:45 PM to 2011-07-28 04:45 AM|
|318||57d931256fd6d7184528ae983e34677b||2011-07-27 08:00 AM to 2011-07-27 13:30 PM|
|865||6e2eae488317280dd813e3e2fc9e0275||2011-07-28 04:15 AM to 2011-07-28 13:00 PM|
|554||ad760ac5806a84a272e1eb76b315ac31||2011-07-28 12:30 PM to 2011-07-28 20:15 PM|
|1116||4140ee10115174fe36a738d4d943f2af||2011-07-29 13:45 PM to 2011-07-30 04:00 AM|
|614||e2d3d4ccf02ea924e6d11cb452235f4c||2011-07-30 03:30 AM to 2011-07-30 16:15 PM|
|931||5bbe80ad216c89bcbb6891178dc4b5fa||2011-07-30 14:45 PM to 2011-07-31 07:30 AM|
|409||ca84d1a0c49eff5ca829b5fa531800e8||2011-07-31 07:30 AM to 2011-07-31 13:15 PM|
|484||aa412182a164321a159f9b2e95be53bc||2011-07-31 13:15 PM to 2011-07-31 CURRENT TIME|
Each of the links in the table above will take you to the VirusTotal report showing how many of 43 different anti-virus products detected this particular malware at the time it was submitted to VirusTotal.
I'll let you explore the links for yourself, but may I call attention to the fact the last one is detected by FOUR of forty-three AV products, and the one immediately prior to that by ONE of forty-three.
Just to make sure there was not a problem, I decided to look at those last two and confirm that they actually were malware.
We started with the sample starting with "aa412". It unpacks successfully as an .exe named "Refund_Form" that uses an icon from Microsoft Office Excel to try to trick people into thinking it's a Spreadsheet.
When we launched it, it made connections to:
runescapegpge2011.ru - 126.96.36.199
www.radio-80.com - 188.8.131.52
heftyhips.com - 184.108.40.206
That last would be exactly the same domain that the first sample we looked at on the 27th connected to. It fetched "soft.exe" from www.radio-80.com.
I'm going to go out on a limb and say this is malware. "soft.exe" got renamed "defender.exe" and placed in our "C:\Documents and Settings\All Users\Application Data\" directory, which was scheduled to launch when the machine reboots.
Defender.exe was declared to be malware by 6 of 43 anti-virus packages at VirusTotal. Here's the report. It's Fake anti-virus.
Next, just to be thorough, we also checked out the version that started with "ca84d1". Just like the first, it unpacked to a "Refund_Form.exe" file, although this one had a different MD5. When we launched Refund_Form it made network connections to:
runescapegpge2011.ru - 220.127.116.11
ewingparkbmx2011.ru - failed to resolve
It looks like this version is not functioning due to a dead domain, which may be the reason the "aa412" version was released.
That "18.104.22.168" box is in Romania, currently using a domain name with "RuneScape" in the domain name. The same IP has recently been called bedownloader2011.ru, diamondexchange2011.ru, watchfamilyguynow2011.ru and is also currently resolving as yomwarayom2001.ru.
At 3:15 this morning, the malware being distributed swapped to:
2e749d608d29aef739f5b08e7f63225a (click for VirusTotal Report)
The MD5 for the exe inside of the zip file with MD5 2e749d608d29aef739f5b08e7f63225a is:
a446ced5db1de877cf78f77741e2a804 Filename: Refund-Form (dot) exe (1 of 43 detects at VirusTotal).
At 4:30 this morning, and continuing to the present moment (07:45 AM Central Time), the malware being distributed swapped to:
4b126c49c261ca0f65fce9e5d08811d6 (click for VirusTotal Report)
The MD5 for the exe inside of the zip file with MD5 4b126c49c261ca0f65fce9e5d08811d6 is:
2f0155c39ddcf490f3a310ba0546c627 Filename: Refund_Form (dot) exe (5 of 43 detects at VirusTotal).