{"id":399,"date":"2008-12-04T10:23:13","date_gmt":"2008-12-04T18:23:13","guid":{"rendered":"http:\/\/www.codebelay.com\/blog\/?p=399"},"modified":"2008-12-04T10:26:43","modified_gmt":"2008-12-04T18:26:43","slug":"the-funny-video-of-you-malware-linked-on-facebook","status":"publish","type":"post","link":"https:\/\/www.codebelay.com\/blog\/2008\/12\/04\/the-funny-video-of-you-malware-linked-on-facebook\/","title":{"rendered":"The Funny Video of You Malware linked on Facebook"},"content":{"rendered":"<p>If you don&#8217;t already know, there&#8217;s malware going around through Facebook.<\/p>\n<p>It starts off with the subject of:<\/p>\n<h3>i found a video with you in my camera.<\/h3>\n<p>You click on the link and you are led through a chain of domains: one controlled by some ISP in Colorado, and then very-funny-webs.com (do an nslookup on that one). Then you&#8217;re led to a server in Beijing and then finally to some poor computer that&#8217;s been hacked, on port 7777.<\/p>\n<h1>Whatever you do, do not click that link!<\/h1>\n<p>Where was I? 
That computer automatically downloads a payload called flash_update.exe.<\/p>\n<p>This is where things get interesting.<\/p>\n<div style=\"color: #fff; background: #000; padding: 5px; font-family: Courier;\">\n0000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 5468  &#8230;&#8230;..!..L.!Th<br \/>\n0000050: 6973 2070 726f 6772 616d 2063 616e 6e6f  is program canno<br \/>\n0000060: 7420 6265 2072 756e 2069 6e20 444f 5320  t be run in DOS<br \/>\n0000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000  mode&#8230;.$&#8230;&#8230;.\n<\/div>\n<p>Also, the dirty work of ruining your day is done here:<\/p>\n<div style=\"color: #fff; background: #000; padding: 5px; font-family: Courier;\">\n0003470: 0000 0000 08f1 0000 0000 0000 4b45 524e  &#8230;&#8230;&#8230;&#8230;KERN<br \/>\n0003480: 454c 3332 2e44 4c4c 0041 4456 4150 4933  EL32.DLL.ADVAPI3<br \/>\n0003490: 322e 646c 6c00 5553 4552 3332 2e64 6c6c  2.dll.USER32.dll<br \/>\n00034a0: 0000 4c6f 6164 4c69 6272 6172 7941 0000  ..LoadLibraryA..<br \/>\n00034b0: 4765 7450 726f 6341 6464 7265 7373 0000  GetProcAddress..<br \/>\n00034c0: 5669 7274 7561 6c50 726f 7465 6374 0000  VirtualProtect..<br \/>\n00034d0: 5669 7274 7561 6c41 6c6c 6f63 0000 5669  VirtualAlloc..Vi<br \/>\n00034e0: 7274 7561 6c46 7265 6500 0000 4578 6974  rtualFree&#8230;Exit<br \/>\n00034f0: 5072 6f63 6573 7300 0000 5265 674f 7065  Process&#8230;RegOpe<br \/>\n0003500: 6e4b 6579 4578 4100 0000 4973 5769 6e64  nKeyExA&#8230;IsWind<br \/>\n0003510: 6f77 0000 0000 0000 0000 0000 0000 0000  ow&#8230;&#8230;&#8230;&#8230;..\n<\/div>\n<p>The code seems to be messing around with your DLLs in Windows, which is bad. 
I&#8217;m on OS X, so I lucked out.<\/p>\n<p>Anyway, I hope this piece of Malware didn&#8217;t get you and I hope those assholes burn in hell.<\/p>\n<p>If anybody can add more details about how this malware works, please let me know.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you don&#8217;t already know, there&#8217;s malware going around through Facebook. It starts off with the subject of: i found a video with you in my camera. You click on the link and you are led to a bunch of domains. One controlled by some ISP in Colorado, and then very-funny-webs.com . Do an nslookup [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[57,234],"class_list":["post-399","post","type-post","status-publish","format-standard","hentry","category-webapps","tag-facebook","tag-malware"],"_links":{"self":[{"href":"https:\/\/www.codebelay.com\/blog\/wp-json\/wp\/v2\/posts\/399","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.codebelay.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.codebelay.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.codebelay.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.codebelay.com\/blog\/wp-json\/wp\/v2\/comments?post=399"}],"version-history":[{"count":0,"href":"https:\/\/www.codebelay.com\/blog\/wp-json\/wp\/v2\/posts\/399\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.codebelay.com\/blog\/wp-json\/wp\/v2\/media?parent=399"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.codebelay.com\/blog\/wp-json\/wp\/v2\/categories?post=399"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.codebelay.com\/blog\/wp-json\/wp\/v2\/tags?post=399"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}
}