February 20, 2010 06:21 Exploit Rogue Scanner (Type 1027) #65629
XCTech


Novice
Join Date: 10.1.2010
Posts: 5
Hello all,
Before I ask my question I'd like to thank all the moderators that offer their time and for the experts that post replies. I've found answers to many questions within these forums about viruses.

Topic: Exploit Rogue Scanner (Type 1027)
AV Version 8.5 and 9 (Separate Machines)
OS: XP Pro SP 3 (both test machines)

Story Setup:
Surfing a popular social networking site for art I received the following warning from my AVG.
Exploit Rogue Scanner (Type 1027)

A javascript coming from an iframe banner advertisement offered me a closer look at what causes the Exploit Rogue Scanner Alert to pop up but it didn't scan the download file that was in the delivery package.

The script function attempted to load over 29,000 characters into a single javascript variable.
I know of many buffer issues and IE exploits but this one is new for me.

Example (Cut by thousands):
  var x304c1e = "60$100$98$84$120$72$75$32$75$118$72$115$61$34$75$115$79$75$47$77$119$97$119$100$98$
84$120$72$75$34$62$97$119$84$32$85$120$100$75$87$119$78$115$32$61$32$87$115$101$32$66$84$84$119$118$


When I refreshed the page the AVG alert would hit again but the script was different.
In fact each time I refreshed the page the script changed but the length remained about the same or within a couple of hundred characters.

I'm guessing this is an IE Exploit.
Ok that is what the iframe was doing. But that wasn't everything.

I noticed a file attempting to download on the third attempt.
After looking at the source code of the page the file download page was also changing and random.

Example:
Load 1:
var d_e4da416a = '2_2ee665.php'+'?af'+'fid=';

Load 2:
var d_e124e6ef = 'e_e124e6.php'

etc.

Now I see the Exploit script changing on every page load and the package delivery page changing.
That is smooth for the iframe advertiser because it's impossible to report a site page when it's only there for a second or two.

The page shown above (php) would offer an install.exe file that seemed to be clean, or AVG cleaned it out every time I attempted to download it.
It shows as a 1 MB exe file but comes up empty.

My Question:
Could one of the experts download the install.exe file and report what it is actually attempting to do?
Also the IP / URL might need to be added to a blacklist. (My AVG Surf toolbar (LinkScanner) didn't show anything wrong with this site.)

Here are the tech notes: (Please do not visit this site if you are not a virus expert. You must turn off all ActiveX and scripting options or use an API to pull the page source code.)

IP: 188.124.5.154 (Turkey)
File name: index.html


Within the source code of the index.html page you will find the .php page that is created at random on each page load.
It will attempt to download a file "install.exe".
If you copy the php page which will be X_XXXXX.php before you refresh the page you'll find the page active on the server. After you refresh the temporary page will be removed by the script.

I'm interested in what the install.exe has in mind because the delivery system is very good and almost stealthy.

Question:

1. Is the install.exe a virus / malware / trojan or something bad that's new?
If it's a joke tell me anyway because I need a good laugh.

2. Was the Exploit Rogue Scanner alert caused by the random download or the actual javascript 29,000+ characters in length? (From the index.html page or the random.php page?)


Thanks.
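Added example, not code from the thread or from AVG: a small Python scanner over saved page source that flags the two things described in the post above, a variable holding a very long `$`-separated list of decimal character codes, and a `.php` delivery path assembled from concatenated string pieces under a random-looking name. The threshold and the sample page are assumptions constructed for this example; note that the post's own codes decode to text that is still not plain script, so real analysis would need a further decoding step.

```python
import re

MIN_CODE_COUNT = 500  # assumed threshold; the post's sample held over 29,000 characters

# 1) var x304c1e = "60$100$98$..."  -> decimal character codes joined by '$'
CODE_STRING_RE = re.compile(
    r'var\s+(?P<name>[A-Za-z_$][\w$]*)\s*=\s*"(?P<body>\d+(?:\$\d+)+)"')
# 2) var d_e4da416a = '2_2ee665.php'+'?af'+'fid=';  -> .php path built by concatenation
PHP_CONCAT_RE = re.compile(
    r"var\s+(?P<name>[A-Za-z_$][\w$]*)\s*=\s*(?P<expr>'[^']*\.php'(?:\s*\+\s*'[^']*')*)")
HEX_RUN_RE = re.compile(r"[0-9a-f]{6,}")  # random-looking names such as d_e4da416a


def decode_dollar_codes(body):
    """Reproduce String.fromCharCode over the '$'-separated decimal codes."""
    return "".join(chr(int(n)) for n in body.split("$"))


def scan_source(source):
    """Return one finding per suspicious variable found in the page source."""
    findings = []
    for m in CODE_STRING_RE.finditer(source):
        codes = m.group("body").split("$")
        findings.append({
            "kind": "charcode_string",
            "name": m.group("name"),
            "count": len(codes),
            "suspicious": len(codes) >= MIN_CODE_COUNT,
            "preview": decode_dollar_codes(m.group("body"))[:32],  # first decoded chars only
        })
    for m in PHP_CONCAT_RE.finditer(source):
        pieces = re.findall(r"'([^']*)'", m.group("expr"))
        path = "".join(pieces)
        findings.append({
            "kind": "php_path_concat",
            "name": m.group("name"),
            "path": path,
            # flag split-up paths and random-looking (hex run) variable or file names
            "suspicious": len(pieces) > 1 or bool(HEX_RUN_RE.search(m.group("name") + path)),
        })
    return findings


# Constructed sample page: a padded char-code string in the post's format plus
# the two delivery-page variables quoted in the thread.
_CODES = "$".join(str(ord(c)) for c in "<script>var x=1;</script>" * 40)
SAMPLE_SOURCE = (
    'var x304c1e = "' + _CODES + '";\n'
    "var d_e4da416a = '2_2ee665.php'+'?af'+'fid=';\n"
    "var d_e124e6ef = 'e_e124e6.php';\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f)
```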


February 20, 2010 14:00 Re: Exploit Rogue Scanner (Type 1027) #65633
BIG AL 43


Moderator
Join Date: 18.6.2009
Posts: 23767
Have a look @ this link http://www.avg.com/ww-en/page-rating-report.


AVG Free Volunteer Moderator
AVG Free Forum member since Nov. 27, 2004
My total posts on the Old AVG Free Forum: 27,063
Alan

February 20, 2010 20:45 Re: Exploit Rogue Scanner (Type 1027) #65709
kubat


Moderator
Join Date: 29.6.2009
Posts: 22
Hi,

install.exe is malware. It is a so-called Rogue or Fake Antivirus.

Detection was triggered by javascript and caught by LinkScanner.

The install.exe file will be detected in the next definition update. You can see the power of LinkScanner in this case. Even if the file is not detected by Resident Shield, LinkScanner can block the javascript that is trying to convince the user that there is a virus in the computer. (see the attached screen)

Thanks for the report and have a good day without viruses!
[Attachment: fakeAV.PNG]
February 20, 2010 21:56 Re: Exploit Rogue Scanner (Type 1027) #65729
XCTech


Novice
Join Date: 10.1.2010
Posts: 5
kubat wrote
Hi,

install.exe is malware. It is a so-called Rogue or Fake Antivirus.

Detection was triggered by javascript and caught by LinkScanner.


Thanks Kubat for the quick update. (Guess I'll delete the file from my drive now.)
And Big Al thanks much for finding the proper place for this post.


On a closing note and if you don't mind.
I'm going to share this link with the social networking site that offered me this mess.
February 22, 2010 20:44 Re: Exploit Rogue Scanner (Type 1027) #66209
kubat


Moderator
Join Date: 29.6.2009
Posts: 22
Feel free to warn your friends. Social networks are usually the first target of these attacks.

---------------

Problem solved. Locking this thread.

If anyone has similar symptoms, please open your own thread.