
I came across this spa’s website today, which is hosting a rootkit.

The full URL is: www.landmarkspa.com/pdf/wq.exe

[Image: root1]

The file itself came up as clean as soap on VirusTotal:

[Image: VT0]

Upon running it, though, the file immediately deleted itself and created a service.

[Image: rootkit]

That service, or rootkit, is detected by a few AV vendors:

[Image: vtrootkit]

Playing with the new (free) version of McAfee FileInsight:

[Image: padding]

The screenshot below shows the rootkit name and a lot of padding: an easy way to bypass signature detection.

[Image: paddingzoom]
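As an added defender-side example (not part of the original post), the Python triage helper below measures how much of a file's tail is one repeated byte and hashes the file with that padding stripped, so padded variants of the same dropper still collide on a single hash. The sample bytes are constructed stand-ins, not the real wq.exe.

```python
"""Triage helper: flag files whose tail is mostly a single repeated byte
(padding) and compute a hash that ignores that padding, so re-padded copies
of the same dropper share one normalized hash.  Sample bytes are constructed."""
import hashlib

MIN_PAD_RUN = 64  # shorter runs are ordinary file endings, not evasion padding

def trailing_pad_len(data: bytes) -> int:
    """Length of the run of one repeated byte value at the end of data."""
    if not data:
        return 0
    last = data[-1]
    n = 0
    for b in reversed(data):
        if b != last:
            break
        n += 1
    return n

def strip_padding(data: bytes) -> bytes:
    """Drop the trailing run only when it is long enough to count as padding."""
    n = trailing_pad_len(data)
    return data[:-n] if n >= MIN_PAD_RUN else data

def normalized_sha256(data: bytes) -> str:
    """SHA-256 over the file with evasion padding removed."""
    return hashlib.sha256(strip_padding(data)).hexdigest()

def padding_report(data: bytes, flag_ratio: float = 0.5) -> dict:
    """Summarise the padding and decide whether the file deserves a closer look."""
    n = trailing_pad_len(data)
    ratio = n / len(data) if data else 0.0
    return {
        "size": len(data),
        "pad_bytes": n,
        "pad_byte": data[-1] if data else None,
        "pad_ratio": round(ratio, 3),
        "raw_md5": hashlib.md5(data).hexdigest(),      # changes with every re-padding
        "normalized_sha256": normalized_sha256(data),  # stable across re-paddings
        "suspicious": n >= MIN_PAD_RUN and ratio >= flag_ratio,
    }

# Constructed stand-in for a small dropper: fake MZ header plus some bytes.
CORE = b"MZ" + bytes(range(256)) * 4
VARIANT_A = CORE + b"\x00" * 4096    # padded with 4 KiB of nulls
VARIANT_B = CORE + b"\x00" * 65536   # same code, far more padding

if __name__ == "__main__":
    for name, blob in (("A", VARIANT_A), ("B", VARIANT_B)):
        print(name, padding_report(blob))
```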

Jerome Segura

Malware ID: f535708ce6190267e16ee8e22d5d4917.zip

