When is a DMG file not a DMG file

Published: 2008-04-02. Last Updated: 2008-04-02 23:38:16 UTC
by Adrien de Beaupre (Version: 2)
0 comment(s)

When it is malware?

Steve (a fellow handler) sent in a link to a DMG file. Several of us wondered how to analyze it and what it might contain. While we searched our memory I downloaded it and it was discovered not to be a DMG file at all.

 adrien@tester:~/bad$ file jetcodec1000.dmg
jetcodec1000.dmg: PE executable for MS Windows (GUI) Intel 80386 32-bit, Nullsoft Installer self-extracting archive

Virustotal results aren't the greatess:

File jetcodec1000.dmg received on 04.03.2008 00:49:47 (CET)
Antivirus    Version    Last Update    Result
AhnLab-V3    2008.4.1.2    2008.04.02    -
AntiVir    7.6.0.80    2008.04.02    DR/Dldr.DNSChanger.Gen
AVG    7.5.0.516    2008.04.02    DNSChanger.AA
BitDefender    7.2    2008.04.03    Dropped:Trojan.Downloader.Zlob.ABOU
ClamAV    0.92.1    2008.04.02    Trojan.Zlob-2395
F-Prot    4.4.2.54    2008.04.02    W32/Trojan2.AIES
F-Secure    6.70.13260.0    2008.04.02    W32/Malware
Kaspersky    7.0.0.125    2008.04.03    Trojan.Win32.DNSChanger.arn
Norman    5.80.02    2008.04.02    W32/Malware
Prevx1    V2    2008.04.03    Generic.Dropper.xCodec
Symantec    10    2008.04.03    Trojan.Zlob
VBA32    3.12.6.3    2008.03.25    MalwareScope.Trojan.DnsChange.2
Webwasher-Gateway    6.6.2    2008.04.02    Trojan.Dropper.Dldr.DNSChanger.Gen
Additional information
File size: 232561 bytes
MD5: 7db1dded58e7856c4d0dcae14b3b870f
SHA1: 6dbc5ae729102e37a77735712dc17daef6b46916

The exe also has the same characteristics:

adebeaupre@host032:~/bad$ md5sum jetcodec1000.exe
555a43e71a62453b445087ef50781193  jetcodec1000.exe
adebeaupre@host032:~/bad$ md5sum jetcodec1000.dmg
555a43e71a62453b445087ef50781193  jetcodec1000.dmg

 

Obviously NOT a DMG file! Interesting that the site the file was downloaded from contained the following advertising blurbs:

XX is a multimedia software that allows access to Windows collection of multimedia drivers and integrates with any application using DirectShow and Microsoft Video for Windows. XX will highly increase quality of video files you play.

XX enhances your music listening experience by improving the sound quality of video files sound, MP3, internet radio, Windows Media and other music files. Renew stereo depth, add 3D surround sound, restore sound clarity, boost your audio levels, and produce deep, rich bass sounds.

Sounds like fun. Delivery via social engineering.

Cheers,
Adrien de Beaupré
Bell Canada

 

Keywords: Mac malware Microsoft
0 comment(s)

Comments


Diary Archives