Nasty infection display32.exe / svchost.exe / Win32.VBInject / VBTrojan.Dropper / Win32.BeeInject / Win32.Palevo

While browsing I came across a popup screen with the URL 14150cae.linkbucks.com. Code in this page opened up many windows in a few seconds, effectively freezing my machine. It took me a while to start up procexp and kill my browser’s parent process. By then, malware had been downloaded to my machine. It appeared to have settled in %APPDATA%\Roaming\DP32 under the name display32.exe. It hooked itself into explorer.exe and started an invisible browser connection to some DSL customer of virginmedia.com on port 202. When killing the browser process, it was started again (of course). Putting deny permissions on the file took it out of business. It had already dropped another copy of itself in %APPDATA%\Roaming under the name svchost.exe, though. Also an autorun entry was made for this file. Deleting that and svchost.exe made it possible for me to reboot after intensive scanning. Online scans with McAfee, F-Secure and TrendMicro showed no other infections. Virustotal now shows that 21 virus scanners can identify the malware. Too bad my own virus scanner still can’t :-/ I submitted the file to them, so they should be able to soon.

MD5: 23387375da1004446c3e70f7e0a45c2a

SHA1: 5bcabc872dbfa4b26cda26d5b4dcbe9443090cd7

File size: 756 KB (774,144 bytes)

If you found this page looking for info, good luck disinfecting. And I hope you have not rebooted your PC yet…
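The following read-only triage script is an added example, not part of the original post: it checks a Windows machine for the indicators described above (the two dropped files, an autorun entry pointing into the Roaming profile, and an established connection to remote port 202) and compares any file it finds against the MD5/SHA1 listed in the post. It assumes PowerShell 4 or later for `Get-FileHash` and Windows 8 / Server 2012 or later for `Get-NetTCPConnection`; the two file paths are the ones the post names, resolved through `$env:APPDATA`, which already points at the Roaming folder.

```powershell
# Added triage example (not from the original post). Hashes below are the ones the post lists.
$KnownMd5  = '23387375DA1004446C3E70F7E0A45C2A'
$KnownSha1 = '5BCABC872DBFA4B26CDA26D5B4DCBE9443090CD7'
# $env:APPDATA already resolves to ...\AppData\Roaming, so no extra "Roaming" segment is needed
$Suspects = @(
    (Join-Path $env:APPDATA 'DP32\display32.exe'),
    (Join-Path $env:APPDATA 'svchost.exe')    # a real svchost.exe lives in System32, never here
)
$Findings = @()

# 1. Dropped files: record size and hashes, and whether they match the post's sample
foreach ($Path in $Suspects) {
    if (Test-Path -LiteralPath $Path) {
        $Md5   = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
        $Sha1  = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
        $Size  = (Get-Item -LiteralPath $Path).Length
        $Match = ($Md5 -eq $KnownMd5) -or ($Sha1 -eq $KnownSha1)
        $Findings += [pscustomobject]@{ Type = 'File'; Item = $Path; Detail = "size=$Size md5=$Md5 knownSample=$Match" }
    }
}

# 2. Autorun (Run key) values that launch something from %APPDATA% or use the dropped names
$RunKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    $Names = $Props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | Select-Object -ExpandProperty Name
    foreach ($Name in $Names) {
        $Value = [string]$Props.$Name
        if ($Value -like "*$env:APPDATA*" -or $Value -match 'svchost\.exe|display32\.exe') {
            $Findings += [pscustomobject]@{ Type = 'Autorun'; Item = "$Key\$Name"; Detail = $Value }
        }
    }
}

# 3. Established connections to remote port 202, with the owning process (the post saw
#    the implant reach out on that port from a hidden browser instance)
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -RemotePort 202 -State Established -ErrorAction SilentlyContinue | ForEach-Object {
        $Proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $Findings += [pscustomobject]@{ Type = 'Network'; Item = "$($_.RemoteAddress):202"; Detail = "pid=$($_.OwningProcess) $($Proc.ProcessName)" }
    }
}

$Findings | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM Run key and other users' processes are readable; an empty table means none of the post's indicators were found, not that the machine is clean.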


About Yuri de Jager
Technology Addict
