Wednesday, June 2, 2010

Malware Analysis -1 (Rogue AV in action)

I saw the news about the "Guatemala sinkhole" early this afternoon and, out of curiosity, consulted uncle Google about this devastating event.

As usual, searching with the "guatemala sinkhole" keyword produces these search results.

Clicking one of the pictures led me to this.

Curiosity about the sinkhole event suddenly turned into curiosity about what this malware could do to my machine. I then decided to prepare my VM, fire up my analysis tool, create a snapshot and set it to monitoring mode.

Visiting uncle Google again and clicking the picture, this one pops up.

Clicking "Ok" leads me to this... scanning my computer, blah..blah..blah... the same old rogue AV.

Clicking "Remove All" (or even a mouse-over) prompts me to download "packupdate_107_2034.exe".

I allowed it to be installed on my machine.

Now, firing up my analysis tool again reveals the modifications made to my system.

One of the interesting changes that catches my eye is the modification of the hosts file.

Viewing the hosts file reveals this... hmmm... malware-hosting sites and DNS SPOOFING!
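As an added example (not the post's own code), here is a small Python checker that parses a Windows hosts file the way the resolver reads it and flags anything beyond the stock localhost lines. Names pointed at loopback are being blackholed (the usual way a rogue AV stops OS and AV updates); names pointed at any other address are being redirected, which is the DNS spoofing effect noted above. The sample file, the list of high-value domain markers and the 203.0.113.x address are constructed for illustration; run it against a copy of %SystemRoot%\System32\drivers\etc\hosts pulled from the VM snapshot.

```python
import ipaddress

# Constructed sample, NOT the contents of the infected file shown in the post.
# The first three lines are what a stock Windows hosts file contains; the
# rest mimic the kind of additions a rogue AV makes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- constructed malware additions below ---
203.0.113.10    www.google.com          # redirect search to attacker host
203.0.113.10    www.bing.com
127.0.0.1       update.microsoft.com    # block updates
127.0.0.1       www.symantec.com        # block AV vendor
"""

# Names a stock Windows hosts file legitimately maps to loopback.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Domains whose hijack is a strong rogue-AV indicator (search engines,
# OS update, security vendors).  Substring match; constructed list.
HIGH_VALUE_MARKERS = ("google.", "bing.", "yahoo.", "microsoft.", "windowsupdate.",
                      "symantec.", "mcafee.", "kaspersky.", "avast.", "avg.", "trendmicro.")


def parse_hosts(text):
    """Yield (line_no, ip_address, hostname) for every mapping, skipping
    comments and blank or invalid lines the way the Windows resolver does."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # strip trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not an address: resolver ignores it
        for name in fields[1:]:
            yield n, addr, name.lower()


def find_hijacks(text):
    """Return a list of (line_no, hostname, ip, severity, reason) for every
    entry that is not a stock loopback line.  Loopback/unspecified targets
    blackhole a name (used to stop AV updates); anything else redirects it."""
    findings = []
    for n, addr, name in parse_hosts(text):
        blackhole = addr.is_loopback or addr.is_unspecified
        if name in BENIGN_LOOPBACK_NAMES and blackhole:
            continue                             # stock entry, nothing to see
        reason = ("blackholed (resolves to %s)" if blackhole else "redirected to %s") % addr
        high = any(marker in name for marker in HIGH_VALUE_MARKERS)
        findings.append((n, name, str(addr), "high" if high else "review", reason))
    return findings


if __name__ == "__main__":
    for n, name, ip, severity, why in find_hijacks(SAMPLE_HOSTS):
        print("line %d [%s] %-24s %s" % (n, severity, name, why))
```

On a stock install the only entries are the localhost lines, so every "review" hit still deserves a look; the "high" severity only marks the names a rogue AV most commonly targets.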

UPDATE:

Here's another rogue AV modification exploiting the Guatemala sinkhole issue.

Deleting some "pfirewall.log" entries, or temporarily stopping the Windows Firewall logging service during the installation, we never know.

Added malware files

Registry entries that have been modified; notice "HKCR\exefile\shell\open\command".
Whenever an .exe file is executed, alggui.exe is executed as well.
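As an added example (not from the post), these Python helpers check the HKCR\exefile\shell\open\command default value against the Windows default `"%1" %*`, pull the executable that was wedged in front of "%1" out of a regedit export, and generate a .reg file that restores the default. The hijacked value and the export are constructed stand-ins: the post shows that alggui.exe gets launched, not the exact command string.

```python
import re

# Default value of HKCR\exefile\shell\open\command on a clean Windows box:
# run the double-clicked file ("%1") with its arguments (%*), nothing else.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# Constructed stand-in for the hijacked value (the post does not show the
# exact string).  The pattern is typical: malware first, then the real target.
SAMPLE_HIJACKED = r'"C:\Documents and Settings\user\Local Settings\Application Data\alggui.exe" /START "%1" %*'

EXEFILE_KEY_RE = re.compile(
    r'^\[(HKEY_CLASSES_ROOT|HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes)\\exefile\\shell\\open\\command\]$',
    re.IGNORECASE)


def is_exefile_hijacked(value):
    """True unless the command is exactly the Windows default (whitespace-insensitive)."""
    return " ".join(value.strip().split()) != DEFAULT_EXEFILE_COMMAND


def hijacker_path(value):
    """Return the executable placed in front of "%1", or None for the default.
    Accepts a quoted path (spaces allowed) or an unquoted one."""
    if not is_exefile_hijacked(value):
        return None
    m = re.match(r'\s*"([^"]+)"', value) or re.match(r'\s*(\S+)', value)
    if not m or m.group(1) == "%1":
        return None
    return m.group(1)


def escape_reg_string(s):
    """regedit .reg syntax escapes backslash and double quote inside strings."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def unescape_reg_string(s):
    return re.sub(r'\\(.)', r'\1', s)


def reg_file_for_exefile_command(command):
    """Build a .reg file (regedit 5.00 format) that sets the exefile default value."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]\r\n"
            '@="%s"\r\n' % escape_reg_string(command))


def restore_reg_file():
    """The .reg file that puts the Windows default back."""
    return reg_file_for_exefile_command(DEFAULT_EXEFILE_COMMAND)


def exefile_command_from_reg(reg_text):
    """Pull the exefile default value out of a regedit export such as the
    output of `reg export HKCR\\exefile out.reg`; None if the key is absent."""
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = bool(EXEFILE_KEY_RE.match(line))
            continue
        if in_key and line.startswith('@="') and line.endswith('"'):
            return unescape_reg_string(line[3:-1])
    return None


# Constructed export of the hijacked key, built from the stand-in above.
SAMPLE_REG_EXPORT = reg_file_for_exefile_command(SAMPLE_HIJACKED)

if __name__ == "__main__":
    cmd = exefile_command_from_reg(SAMPLE_REG_EXPORT)
    print("hijacked:", is_exefile_hijacked(cmd), "->", hijacker_path(cmd))
    print(restore_reg_file())
```

Because the hijacked verb fires for every .exe launch, the tool used to apply the fix (regedit.exe, reg.exe) passes through the same hook on the infected system; the usual practice is to import the .reg from a clean boot environment, or from a copy of the tool renamed to an extension whose handler key has not been touched.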

My packet analysis shows that the malware came from this domain.