Spa site gets `rootkited`
September 15th, 2009
I came across this spa’s website today, which is hosting a rootkit.
The full URL is: www.landmarkspa.com/pdf/wq.exe
The file itself came up as clean as soap on VirusTotal:
Upon running it, though, the file immediately deleted itself and created a service.
That service, or rootkit, is detected by a few AV Vendors:
Playing with the new (free) version of McAfee FileInsight:
The screenshot below shows the rootkit name and… a lot of padding… an easy way to bypass signature detection.
Jerome Segura
Malware ID: f535708ce6190267e16ee8e22d5d4917.zip