[ Security Alert ] 10 August, 2012 10:59

    According to Fox-IT International blog, a new virus called "XDocCrypt/Dorifel" will search MS Word file on victim computer and encrypt it by RC4 (Figure 1). You will not decrypt the word file without RC4 key. But this virus doesn't look like a ransomware, because it doesn't show any message note. By now there are over 2,200 government, public sector, and networks of private companies of Netherlands affected (Figure 2).

Figure 1: encrypt file by RC4 (source: Fox-IT International Blog)


Figure 2: NL tops the rank, followed by DK  (source: Fox-IT International Blog)

AegisLab has collected 18 "XDocCrypt/Dorifel" virus samples as below, the detection rate in VT is about 25%-30%, there are 3 not in VT DB: 

AegisLab Antivirus can destroy the "XDocCrypt/Dorifel" virus and their mutants. We will keep watching on this emerging threat.



0810 updated: This virus only infect WORD/EXCEL file on network share drives or USB drives in order to spread itself quickly and masquerade itself "look" like a normal WORD/EXCEL file by abusing RTLO (right-to-left-override) vulnerability.


[ Security Alert ] 08 August, 2012 10:04

    AegisLab discovered many "mail.htm" were trojanized by drive-by download attack with embedded <iframe>. By now, there are 311 victim websites and increasing.

If you connect to the victim website without HTTP referer, it will redirect you to Google website.

Victim #1: 


Victim #2: 


Victim #3:  


But with porper HTTP referer, you will be redirected to the following websites:

  • hxxp://online-cammunity.ru:8080/forum/w.php?f=182b5&e=2
  • hxxp://zenedin-zidane.ru:8080/forum/w.php?f=5e91c&e=4 
  • hxxp://spb-koalitia.ru:8080/forum/w.php?f=182b5&e=2
  • (and more...)
You can see the polymorphic URLs have the similar type: {hostname}.ru:8080/forum/w.php?f=...
"Onerussiaboard.ru", "online- cammunity.ru", "mysqlfordummys.ru" are no longer valid currently but the latest domain hxxp://spb-koalitia.ru:8080/forum/w.php?f=182b5&e=2 is still alive. As we know, Google Safe Browsing doesn't block it yet (see figure below)



Besides "mail.htm", we found many "upload.htm" are also trojanized due to the software packages they use are vulnerable.


The software packages that victim websites use listed as below:

  • hxxp://www.r-toto.com.cn/mail.htm -> Metinfo 4.0
  • hxxp://www.tiyidi.com/mail.htm -> Discuz X2
  • hxxp://www.kshaoye.com/mail.htm -> WordPress 3.4.1


Finally, the program we downloaded from malicious websites is called "win32.exe" and its detection rate in VT is as below:

AegisLab WebGuard has blocked all of the malicious websites and Antivirus can destroy the malicious program.


[ Security Alert ] 01 August, 2012 10:10

    While the official olympic mobiles games are released (Figure 1) in July, hackers are aggressive to use the hot topic to trick people. Recently, AegisLab found fake olympic mobile games are on several russian android markets. Once you install the app, your phone bill will increase dramatically because the app send premium-rate SMS stealthily. AegisLab reminds you don't download and install apps from untrusted android markets to prevent personal sensitive information and money leaking.

Malicious android markets that AegisLab discovered are as below:

  • igry-for-android.ru (Figure 2)
  • samsungs5570.ru (Figure 3)
The following apps are downloaded from the malicious android markets, whose reports in VirusTotal are as below:(detection rate is inside parentheses)


Figure 1:You can download official mobile games both on Google Play and Apple App Store.


Figure 2:Fake olympic mobile games 


Figure 3:Fake olympic mobile games 


by AegisLab