It also has backdoor functionality and actively fights locally installed AV by manipulating the Image File Execution Options registry key, denying the execution of 15 different AV solutions. This technique is very harmful because even if the malware is removed but the debugger entries are not fixed, the victim won't be able to successfully install an AV solution: the registered debugger simply blocks the execution of the files by their file names.
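The following PowerShell script is an added example, not code from the original article or from the malware analysis; it enumerates the Image File Execution Options keys described above, reports every image that has a Debugger value registered against it, and can optionally remove those values so that blocked AV installers run again. The `-Remove` switch and the output layout are this example's own choices.

```powershell
# Added example: find (and optionally remove) IFEO Debugger hijacks.
# Each subkey under these roots is named after an executable; a Debugger value
# there makes Windows launch the named debugger instead of the executable,
# which is how the malware blocks AV products by file name.
param(
    [switch]$Remove   # hypothetical switch: delete the Debugger values found
)

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

$findings = foreach ($root in $ifeoRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['Debugger']) {
            [pscustomobject]@{
                Image    = $_.PSChildName      # executable name being hijacked
                Debugger = $props.Debugger     # what actually gets launched instead
                Key      = $_.Name             # full registry path for the report
                PSPath   = $_.PSPath           # provider path used for removal
            }
        }
    }
}

if (-not $findings) {
    Write-Output 'No Image File Execution Options Debugger values found.'
    return
}

# Legitimate developer tooling also uses this value, so review before removing.
$findings | Select-Object Image, Debugger, Key | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        Remove-ItemProperty -Path $f.PSPath -Name Debugger -ErrorAction Stop
        Write-Output "Removed Debugger value for $($f.Image)"
    }
}
```

Run it from an elevated PowerShell session, since the keys live under HKLM; a debugger pointing at a non-existent or unexpected binary for a security product's executable is the pattern to look for.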
The malware tries to detect whether the sample is being executed in a sandbox environment by looking for the SBIEDLL.DLL library, which belongs to the Sandboxie software, and it also tries to detect a virtual environment by looking for resources such as HGFS and VBoxGuest.
In September 2013, the FBI posted a Public Service Announcement about this threat. However, the difference now is that this botnet is no longer being used only by Russian-speaking criminals but by cybercriminals from LatAm as well.
The complete list is quite long. If we check only geo-specific domains, the Top 10 countries with the most victims include:
2014 Feb 06, 00:54
The .biz domain, I'm curious if you checked the WHOIS since the service provider to conceal WHOIS information is located in Panama and will show up in the WHOIS.
The location was determined by its IP address and not the domain name. The server was physically located in Panama; right now it's taken down.
I have the answer for all of you. There is a company by the name of Strike Force Technologies; they have the software to eliminate any keylogger attacks. This works for internet, iPhone, iPad. This is 100% bulletproof protection from anyone stealing your identity. They have given www.cyberwealth7.com/frankielad the sole rights to sell this software.
Re: Re: Geolocations
The site is trying to secretly get access to the canvas image to see which is the visitor's environment... not good.