Before I ask my question I'd like to thank all the moderators that offer their time and for the experts that post replies. I've found answers to many questions within these forums about viruses.
Topic: Exploit Rogue Scanner (Type 1027)
AV Version 8.5 and 9 (Separate Machines)
OS: XP Pro SP 3 (both test machines)
Surfing a popular social networking site for art I received the following warning from my AVG. Exploit Rogue Scanner (Type 1027)
I know of many buffer issues and IE exploits but this one is new for me.
Example (Cut by thousands):
var x304c1e = "60$100$98$84$120$72$75$32$75$118$72$115$61$34$75$115$79$75$47$77$119$97$119$100$98$
When I refreshed the page the AVG alert would hit again but the script was different.
In fact each time I refreshed the page the script changed but the length remained about the same or within a couple of hundred characters.
I'm guessing this is an IE Exploit.
Ok that is what the iframe was doing. But that wasn't everything.
I noticed a file attempting to download on the third attempt.
After looking at the source code of the page the file download page was also changing and random.
var d_e4da416a = '2_2ee665.php'+'?af'+'fid=';
var d_e124e6ef = 'e_e124e6.php'
Now I see the Exploit script changing on every page load and the package delivery page changing.
That is smooth for the Iframe Advertiser because it's impossible to report a site page when it's only their for a second or two.
The page shown above (php) would offer a install.exe file that seemed to be clean or AVG cleaned it out every time I attempted to download it.
It shows as a 1mb exe file but comes up empty.
Could one of the experts download the install.exe file and report what it is actually attempting to do?
Also the IP / URL might need to be added to a blacklist. (My AVG Surf toolbar (LinkScanner) didn't show anything wrong with this site.)
Here's the tech notes: (Please do not visit this site if you are not a virus expert. You must turn off all activex and scripting options or use an API to pull the page source code.
IP: 126.96.36.199 (Turkey)
File name: index.html
Within the source code of the index.html page you will find the .php page that is created at random on each page load.
It will attempt to download a file "install.exe".
If you copy the php page which will be X_XXXXX.php before you refresh the page you'll find the page active on the server. After you refresh the temporary page will be removed by the script.
I'm interested in what the install.exe has in mind because the delivery system is very good and almost stealthy.
1. Is the install.exe a virus / malware / trojan or something bad that's new? If it's a joke tell me anyway because I need a good laugh.
install.exe is a malware. It is so called Rogue or Fake Antivirus.
Thanks for report and have a good day without viruses!