
Lenovo’s download site has been infected with malicious code since the afternoon of Sunday, June 20th, so users should be careful when visiting it. Currently, if you access the site with Chrome or Firefox, you will see a warning like the following:

Chrome’s warning of malicious code on Lenovo’s download site

Many web pages on Lenovo’s download site have been appended with an iframe that leads users to hxxp://volgo-marun.cn/pek/index.php

Malicious code appended to web pages
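A defender checking whether their own pages carry the same kind of appended iframe can scan the HTML for iframes that point at the indicator domain from this post or that are sized or styled to be invisible. The script below is an added example, not Bkav’s tooling; the blocklist contains only the domain named above, and the sample page is constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator from the post: the host the injected iframe points to.
BLOCKLISTED_HOSTS = {"volgo-marun.cn"}


class IframeCollector(HTMLParser):
    """Collects every <iframe> start tag on a page with its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def looks_hidden(attrs):
    """Injected iframes are commonly sized to 0/1 px or styled invisible."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        val = attrs.get(dim, "").strip().lower().rstrip("px")
        if val.isdigit() and int(val) <= 1:
            return True
    return False


def find_suspicious_iframes(html):
    """Return a list of {'src', 'reasons'} for iframes worth investigating."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host in BLOCKLISTED_HOSTS:
            reasons.append("blocklisted host")
        if looks_hidden(attrs):
            reasons.append("hidden iframe")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample: a normal embedded player plus an appended, invisible
# iframe of the kind described in the post.
SAMPLE_PAGE = """<html><body>
<h1>Driver downloads</h1>
<iframe src="http://www.example.com/player" width="640" height="480"></iframe>
</body></html>
<iframe src="http://volgo-marun.cn/pek/index.php" width="0" height="0" style="display:none"></iframe>
"""

if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_PAGE):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

Run it over a saved copy of each page (for example the output of `curl -s <url>`); a clean page returns an empty list, and anything flagged for “blocklisted host” should be treated as a confirmed compromise of that page rather than a false positive.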

Decoding the iframe, we find that several Internet Explorer vulnerabilities are being exploited to carry out the attack.

Exploit codes

These exploit codes attempt to load the file hxxp://volgo-marun.cn/pek/exe.exe, which is a virus, onto the victim’s computer.

Virus’ information

The virus is a new variant of the Bredolab botnet with the following MD5: F5A44C63F8777F544931ABC763F88EE3

After being loaded onto a computer, the virus copies itself to %Programs%\Startup\monskc32.exe and receives commands from a C&C server at the domain sicha-linna8.com.

Bredolab Botnet receives commands from C&C server
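The three host and network indicators given in this post (the dropped file name in the Startup folder, the sample’s MD5, and the C&C domain) are enough for a simple triage check. The script below is an added example, not part of the post or of Bkav’s products: it hashes candidate files, matches the Startup folder contents against the indicators, and searches DNS log lines for the C&C domain. The log lines are constructed; the Startup path is resolved from `%APPDATA%` on Windows and must be passed explicitly elsewhere.

```python
import hashlib
import os
import re

# Indicators taken from the post (MD5 normalised to lower case for comparison).
BREDOLAB_MD5 = "F5A44C63F8777F544931ABC763F88EE3".lower()
DROPPED_NAME = "monskc32.exe"
C2_DOMAIN = "sicha-linna8.com"


def md5_of_bytes(data):
    """Hex MD5 of a byte string, lower case."""
    return hashlib.md5(data).hexdigest()


def check_file_entry(name, data):
    """Return the indicator reasons that a (file name, content) pair matches."""
    reasons = []
    if name.lower() == DROPPED_NAME:
        reasons.append("known dropped file name")
    if md5_of_bytes(data) == BREDOLAB_MD5:
        reasons.append("MD5 matches Bredolab sample")
    return reasons


def default_startup_dir():
    """The per-user Startup folder on Windows; None elsewhere (assumed path layout)."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return None
    return os.path.join(appdata, "Microsoft", "Windows", "Start Menu",
                        "Programs", "Startup")


def scan_startup(folder=None):
    """Scan a Startup folder and return [(path, reasons)] for matching files."""
    folder = folder or default_startup_dir()
    if not folder or not os.path.isdir(folder):
        return []
    findings = []
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            reasons = check_file_entry(name, fh.read())
        if reasons:
            findings.append((path, reasons))
    return findings


# Match the C&C domain or any subdomain of it as a whole token in a log line.
_C2_PATTERN = re.compile(
    r"(?<![a-z0-9.-])(?:[a-z0-9-]+\.)*" + re.escape(C2_DOMAIN) + r"(?![a-z0-9.-])",
    re.IGNORECASE,
)


def find_c2_lookups(log_lines):
    """Return the DNS log lines that resolve the C&C domain."""
    return [line for line in log_lines if _C2_PATTERN.search(line)]


# Constructed DNS resolver log lines for illustration.
SAMPLE_DNS_LOG = [
    "21-Jun-2010 09:14:02 client 192.0.2.10#51234: query: www.lenovo.com IN A",
    "21-Jun-2010 09:14:05 client 192.0.2.10#51235: query: sicha-linna8.com IN A",
    "21-Jun-2010 09:14:09 client 192.0.2.11#51236: query: notsicha-linna8.com IN A",
    "21-Jun-2010 09:14:11 client 192.0.2.12#51237: query: cdn.sicha-linna8.com IN A",
]

if __name__ == "__main__":
    for line in find_c2_lookups(SAMPLE_DNS_LOG):
        print("C&C lookup:", line)
    for path, reasons in scan_startup():
        print(path, "->", ", ".join(reasons))
```

A hit on the file name alone is a strong lead but not proof, since the hash identifies only this one variant; a client that resolves the C&C domain should be isolated and examined regardless of what the Startup folder contains.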

At the time of writing, the scan result on VirusTotal shows that only 10/40 AV engines detect this variant.

http://www.virustotal.com/analisis/a49993e5639068504df90dace96a809b41153fe528751bd6b8f0eef9e4085959-1277144604

Bkav’s users need not worry, since this variant has already been added to our antivirus software’s database.

Le Minh Hung

Senior Security Researcher
