Didier Stevens

Friday 4 July 2008

4th of July, Business as Usual

Filed under: Malware — Didier Stevens @ 8:39

VirusTotal coverage: 17/33 (Caveat emptor)

Let me draw your attention to VirusTotal’s Hash Search function:

The MD5 of the malware I uploaded is: 213391f50aac3580fa8b7b5e8a671afe
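The point of the hash search is that an analyst can ask VirusTotal whether a sample is already known without uploading the file itself. The helper below is an added example written for this page, not code from Didier or from VirusTotal: it computes the usual digests of a file, builds the lookup request against VirusTotal's current v3 REST API (`GET /api/v3/files/{hash}` with an `x-apikey` header, which postdates the 2008 post and is an assumption about today's service), and reduces the returned `last_analysis_stats` to the familiar "detections/engines" pair. The `SAMPLE_REPORT` is constructed to mirror the 17/33 result in the post so the parsing can be exercised offline; the API key is a placeholder.

```python
"""Hash-first lookup against VirusTotal (added example, not from the original post)."""
import hashlib
import json
import urllib.request
from typing import Dict, Tuple

# Assumption: VirusTotal's v3 REST endpoint for file reports by md5/sha1/sha256.
VT_FILES_ENDPOINT = "https://www.virustotal.com/api/v3/files/"


def file_hashes(data: bytes) -> Dict[str, str]:
    """Return md5/sha1/sha256 hex digests; VT accepts any of them as the lookup id.

    MD5 is what the post quotes, but it is collision-prone, so prefer sha256
    when recording an identifier for a sample.
    """
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def build_lookup_request(file_hash: str, api_key: str) -> urllib.request.Request:
    """Report lookup by hash: no sample bytes leave the analyst's machine."""
    return urllib.request.Request(
        VT_FILES_ENDPOINT + file_hash,
        headers={"x-apikey": api_key, "Accept": "application/json"},
    )


def coverage(report: dict) -> Tuple[int, int]:
    """Reduce last_analysis_stats to (detections, engines that returned a verdict).

    Engines that timed out or do not support the file type are left out of the
    denominator, since they never actually scanned the sample.
    """
    stats = report["data"]["attributes"]["last_analysis_stats"]
    detected = stats.get("malicious", 0)
    total = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    return detected, total


def lookup(path: str, api_key: str) -> Tuple[int, int]:
    """Hash a local file and fetch its VT report (network call, needs a real key)."""
    with open(path, "rb") as fh:
        digest = file_hashes(fh.read())["sha256"]
    with urllib.request.urlopen(build_lookup_request(digest, api_key)) as resp:
        return coverage(json.load(resp))


# Constructed report: counts chosen to reproduce the post's 17/33, not real VT output.
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "id": "213391f50aac3580fa8b7b5e8a671afe",
        "attributes": {
            "md5": "213391f50aac3580fa8b7b5e8a671afe",
            "last_analysis_stats": {
                "malicious": 17,
                "suspicious": 0,
                "undetected": 16,
                "harmless": 0,
                "timeout": 0,
                "type-unsupported": 0,
            },
        },
    }
}

if __name__ == "__main__":
    detected, total = coverage(SAMPLE_REPORT)
    print(f"VirusTotal coverage: {detected}/{total}")
    req = build_lookup_request(SAMPLE_REPORT["data"]["id"], "API_KEY_PLACEHOLDER")
    print("would query:", req.full_url)
```

Run it with no arguments to see the offline parse; `lookup("/path/to/sample", key)` does the real query. The "Caveat emptor" in the post still applies to the ratio this produces: a low count on a fresh sample says more about signature lag than about the file being clean, so treat the number as one signal next to your own analysis, not a verdict.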


  1. OK, I fell for it (I’m a sucker!). I visited the site (using fully patched XP Pro which I reformat and reinstall frequently). I got the ActiveX warning (which I didn’t run), then I looked at the source code, which was as you displayed.

    I’ve a number of questions:

    I’m somewhat reluctant to allow the ActiveX … what’s the next stage for me? Should I allow the ActiveX and, if so, what will the outcome be? Is it possible to download the ActiveX for future analysis but without allowing it to run?

    I’ve looked at the source code, but what actually invokes the ActiveX? How is the image generated? I realise that it’s not a real video.

    I see that if I hover over the image, it wants to run fireworks.exe (I didn’t allow that, nor did I save the file to my PC).

    I’m suspicious about the line:


    but, as my HTML coding skills can be written on the back of a postage stamp, that doesn’t surprise me!

    Sorry to ask so many questions. I guess I could have e-mailed you directly (and I’m quite happy to continue this in that way), but I just wondered if you, or other contributors, might be able and willing to “fill me in”?

    Comment by Dave — Sunday 6 July 2008 @ 10:42

  2. The line which didn’t display correctly in my first comment was that which starts with iframe src=

    I just noticed the fw.gif, so I assume that’s the image of the fireworks and false video controls.

    Comment by Dave — Sunday 6 July 2008 @ 10:45
