New Trojan through Fake Adobe site
A malicious ad displayed on monova.org is pushing malware:
The so-called Flash Player comes from:
adobe.com-newversion.info/install_flash_player.exe
In fact, the domain itself is a copycat of the real Adobe site, but clearly the domain name looked suspicious to me (especially the .info part).
Another thing is that the file itself is not signed, the version number is incorrect, etc.
This, in comparison, is the real Flash player:
And this time I can say that the file actually is new. No AV engine on VirusTotal is able to detect this threat!
Upon execution the file drops a known executable (smc.exe) which oddly enough was picked up by our HoneyPots this morning:
Jerome Segura
Malware ID: 8c2af425f45608f47027833b512a68a8.zip
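The copycat hostname described above (adobe.com-newversion.info) puts the brand's domain at the front of a hostname that is actually registered under a different domain. The following check flags that pattern; it is an added example, not code from the original post, and the suffix list, the protected-brand list and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a tiny constructed suffix list; production code should use the
# full Public Suffix List instead.
SUFFIXES = {"com", "info", "org", "net", "co.uk"}
# Assumption: the brand domains the defender wants to protect.
PROTECTED = {"adobe.com"}


def registrable_domain(host):
    """Return the public suffix plus one label, e.g. 'com-newversion.info'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        # Scanning left to right finds the longest matching suffix first.
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def lookalike_of(url):
    """Return the protected domain that a URL's host imitates, or None."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to find the host
    host = (urlsplit(url).hostname or "").lower()
    if registrable_domain(host) in PROTECTED:
        return None  # genuinely under the brand's own domain
    for brand in PROTECTED:
        # Pattern from the post: the brand opens the hostname and is followed
        # by '.' or '-', but the registered domain belongs to someone else.
        if host.startswith(brand) and host[len(brand):len(brand) + 1] in (".", "-"):
            return brand
        # Same trick with the brand buried deeper in the hostname.
        if f".{brand}." in host or f".{brand}-" in host:
            return brand
    return None


if __name__ == "__main__":
    samples = [
        "adobe.com-newversion.info/install_flash_player.exe",  # from the post
        "https://get.adobe.com/flashplayer/",                  # constructed
        "http://login.adobe.com.example.net/update",           # constructed
        "http://example.org/",                                 # constructed
    ]
    for s in samples:
        print(f"{s} -> {lookalike_of(s) or 'no lookalike detected'}")
```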