Help - Search - Members - Calendar
Full Version: Spam posing as MSN Featured Offers
B.I.S.S. Forums > Malware Research Forum > Malware Playground
Kimberly
Jul 24 2008, 01:52 AM
Upon receiving this email, two details made me curious.
  • MSN Featured Offers
  • My own email address as the sender of the message.
IPB Image
The MSN Featured Offers mail comes from spammers, not from MSN. The MSN spam actually uses the recipient's address as the sender. A closer look at the headers does reveal a return path and the IP of the sender but they are probably fake ... altough it reveals an interesting domain: spyhear.com
IPB Image
<h4>
File details
</h4>
Filename: video-nude-anjelia.avi.exe

File size: 148992 bytes
MD5...: 10ff78b782125f6a5d630cd98aa889d4
SHA1..: f4b21cc2d87a5703822e5a691fdd5db87dd52aef
SHA256: c3431f9851d58d9c00df8e096a92e911096450d12997f206f5a85b02146cba7d
PEiD..: -
QUOTE
File video-nude-anjelia.avi.exe received on 07.24.2008 01:45:21 (CET)
AhnLab-V3 2008.7.24.0 2008.07.23 -
AntiVir 7.8.1.11 2008.07.23 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2008.07.24 -
Avast 4.8.1195.0 2008.07.23 -
AVG 8.0.0.130 2008.07.23 Dropper.Small.BG
BitDefender 7.2 2008.07.24 -
CAT-QuickHeal 9.50 2008.07.22 -
ClamAV 0.93.1 2008.07.24 -
DrWeb 4.44.0.09170 2008.07.23 Trojan.Packed.573
eSafe 7.0.17.0 2008.07.23 Suspicious File
eTrust-Vet 31.6.5976 2008.07.23 -
Ewido 4.0 2008.07.23 -
F-Prot 4.4.4.56 2008.07.22 -
F-Secure 7.60.13501.0 2008.07.23 -
Fortinet 3.14.0.0 2008.07.23 -
GData 2.0.7306.1023 2008.07.23 Trojan-Downloader.Win32.Agent.xbw
Ikarus T3.1.1.34.0 2008.07.24 Trojan.Crypt.XPACK
Kaspersky 7.0.0.125 2008.07.24 -
McAfee 5345 2008.07.23 -
Microsoft 1.3704 2008.07.24 TrojanDropper:Win32/Umrena.B
NOD32v2 3293 2008.07.23 a variant of Win32/TrojanDropper.Small.NHU
Norman 5.80.02 2008.07.23 -
Panda 9.0.0.4 2008.07.23 -
PCTools 4.4.2.0 2008.07.23 -
Prevx1 V2 2008.07.24 -
Rising 20.54.22.00 2008.07.23 -
Sophos 4.31.0 2008.07.23 Mal/TibsPk-F
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.23 Packed.Generic.57
TheHacker 6.2.96.387 2008.07.23 -
TrendMicro 8.700.0.1004 2008.07.23 -
VBA32 3.12.8.1 2008.07.23 -
VIRobot 2008.7.23.1307 2008.07.23 -
VirusBuster 4.5.11.0 2008.07.23 -
Webwasher-Gateway 6.6.2 2008.07.23 Trojan.Crypt.XPACK.Gen
Kaspersky: Trojan-Downloader.Win32.Agent.xbw

<h4>
Notes
</h4>
The following files were created in the system upon execution:
  • %Temp%\0.exe
    IPB Image
  • %Temp%\1.exe
    IPB Image
Note: %Temp% is a variable that refers to the temporary folder. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

An instance of svchost.exe is launched by 1.exe
IPB Image
A few moments later svchost.exe does request internet access.
IPB Image
The following files were requested from the server.
  • 196.32.220.3/0.exe
  • 196.32.220.3/m/1.php
Serveral 0 bytes files are created in the root folder - c:\ - and the bits service might be used to download additional files from internet.

An attempt to send email was made.
IPB Image
Note: Creation of an email account since the VM didn't have a mail addy set up.

<h4>
0.exe - 1.exe
</h4>
Filename: 0.exe

File size: 110080 bytes
MD5...: 347f71988a8bca6f06c1a1b73d5ee2ab
SHA1..: 5829568be56dce0bb73fa93db9380afaf6a04add
SHA256: 92325279e5c6c8b5c1165cb41601507b84dfa16879f3110977a21f0b8ed78a18
PEiD..: -
QUOTE
File 0.EXE received on 07.24.2008 02:52:24 (CET)
AhnLab-V3 2008.7.24.0 2008.07.23 -
AntiVir 7.8.1.11 2008.07.23 HEUR/Crypted
Authentium 5.1.0.4 2008.07.24 -
Avast 4.8.1195.0 2008.07.23 -
AVG 8.0.0.130 2008.07.23 Downloader.FraudLoad.A
BitDefender 7.2 2008.07.24 -
CAT-QuickHeal 9.50 2008.07.22 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.07.24 -
DrWeb 4.44.0.09170 2008.07.23 -
eSafe 7.0.17.0 2008.07.23 Suspicious File
eTrust-Vet 31.6.5975 2008.07.22 -
Ewido 4.0 2008.07.23 -
F-Prot 4.4.4.56 2008.07.22 -
F-Secure 7.60.13501.0 2008.07.23 -
Fortinet 3.14.0.0 2008.07.24 -
GData 2.0.7306.1023 2008.07.23 Trojan-Downloader.Win32.Small.ywc
Ikarus T3.1.1.34.0 2008.07.24 -
Kaspersky 7.0.0.125 2008.07.24 Trojan-Downloader.Win32.Small.ywc
McAfee 5345 2008.07.23 -
Microsoft 1.3704 2008.07.24 -
NOD32v2 3293 2008.07.23 -
Norman 5.80.02 2008.07.23 -
Panda 9.0.0.4 2008.07.23 -
PCTools 4.4.2.0 2008.07.23 -
Prevx1 V2 2008.07.24 Malicious Software
Rising 20.54.22.00 2008.07.23 -
Sophos 4.31.0 2008.07.24 Mal/TibsPk-D
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.24 Packed.Generic.174
TheHacker 6.2.96.387 2008.07.23 -
TrendMicro 8.700.0.1004 2008.07.23 -
VBA32 3.12.8.1 2008.07.23 -
VIRobot 2008.7.23.1307 2008.07.23 -
VirusBuster 4.5.11.0 2008.07.23 -
Webwasher-Gateway 6.6.2 2008.07.23 Heuristic.Crypted
Kaspersky:Trojan-Downloader.Win32.Small.ywc
______________________________

Filename: 1.exe

File size: 15872 bytes
MD5...: 8a2e1a9ac9bb1e9108a79dbeba2e20a4
SHA1..: c19cf58b82cd1e477b12725f2d16539df2c8ac87
SHA256: 19920b26d6e723b703fd1d0dd83193e16645d332f54b14a0b2a3482c39f19d71
PEiD..: -
QUOTE
File 1.EXE received on 07.24.2008 02:51:26 (CET)
AhnLab-V3 2008.7.24.0 2008.07.23 -
AntiVir 7.8.1.11 2008.07.23 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2008.07.24 -
Avast 4.8.1195.0 2008.07.23 -
AVG 8.0.0.130 2008.07.23 Downloader.Agent.15.R
BitDefender 7.2 2008.07.24 -
CAT-QuickHeal 9.50 2008.07.22 -
ClamAV 0.93.1 2008.07.24 -
DrWeb 4.44.0.09170 2008.07.23 -
eSafe 7.0.17.0 2008.07.23 -
eTrust-Vet 31.6.5976 2008.07.23 -
Ewido 4.0 2008.07.23 -
F-Prot 4.4.4.56 2008.07.22 -
F-Secure 7.60.13501.0 2008.07.23 -
Fortinet 3.14.0.0 2008.07.24 -
GData 2.0.7306.1023 2008.07.23 -
Ikarus T3.1.1.34.0 2008.07.24 -
Kaspersky 7.0.0.125 2008.07.24 -
McAfee 5345 2008.07.23 -
Microsoft 1.3704 2008.07.24 TrojanDownloader:Win32/Chepvil.C
NOD32v2 3293 2008.07.23 a variant of Win32/TrojanDropper.Small.NHU
Norman 5.80.02 2008.07.23 -
Panda 9.0.0.4 2008.07.23 -
PCTools 4.4.2.0 2008.07.23 -
Prevx1 V2 2008.07.24 -
Rising 20.54.22.00 2008.07.23 -
Sophos 4.31.0 2008.07.24 Mal/TibsPk-F
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.24 Packed.Generic.57
TheHacker 6.2.96.387 2008.07.23 -
TrendMicro 8.700.0.1004 2008.07.23 -
VBA32 3.12.8.1 2008.07.23 -
VIRobot 2008.7.23.1307 2008.07.23 -
VirusBuster 4.5.11.0 2008.07.23 -
Webwasher-Gateway 6.6.2 2008.07.23 Trojan.Crypt.XPACK.Gen
<h4>
spyhear.com - 72.44.67.7
</h4>
Website Title: None given.
ICANN Registrar: ENOM, INC.
Created: 2002-05-24
Expires: 2009-05-24
Updated: 2008-04-29
Name Server: SHARK01.TREKDATA.COM (has 93 domains)
Name Server: SHARK02.TREKDATA.COM
Whois Server: whois.enom.com

Server Type: Apache
IP Address: 72.44.67.7
IP Location - New York - Albany - Multacom Corporation
Blacklist Status: Currently Listed

Domain name: spyhear.com

Registrant Contact:
LLC, TrekEight
NA NA

TrekEight LLC
6965 El Camino Real - Suite 105-698
La Costa, CA 92009-4192
US

Administrative Contact:
NA
TrekEight LLC ()
+1.7604435715
Fax: 760-443-5715
TrekEight LLC
6965 El Camino Real - Suite 105-698
La Costa, CA 92009-4192
US

Technical Contact:
NA
LLC Network Solutions ()
+1.8886429675
Fax: 571-434-4620
13200 Woodland Park Drive
Herndon, VA 20171-3025
US

Status: Locked

Name Servers:
SHARK01.TREKDATA.COM
SHARK02.TREKDATA.COM

Websites.
  1. Cbssporytsline.com
  2. Clickeight.com
  3. Comparedates.com
  4. Costumesfor1andall.com
  5. Cursorgizmo.com
  6. Dategizmo.net
  7. Datinggizmo.net
  8. Datingizmo.com
  9. Datingizmo.net
  10. Edatamedic.com
  11. Errornuker.com
  12. Evidencenuker.com
  13. Extremeintelligencesoftware.com
  14. Filerd.com
  15. Flamingoagogo.com
  16. Giftsforzips.com
  17. Giftsforzips.net
  18. Hackernuker.com
  19. Inac.com
  20. Inacid.com
  21. Nuker.com
  22. Nuker1.com
  23. Pcorion.com
  24. Pctv4me.com
  25. Pctv4u.com
  26. Popup-nuker.com
  27. Recipe-network.com
  28. Sailhousepublishing.com
  29. Spamnuker.com
  30. Spycide.com
  31. Spyhear.com
  32. Spyraid.com
  33. Spywareinvader.com
  34. Spywarenuker.com
  35. Themontanas.com
  36. Threatnuker.com
  37. Top10softwarereview.com
  38. Trek8.com
  39. Trek8games.com
  40. Trekblue.com
  41. Trekdata.com
  42. Trekeight.com
  43. Tucsonsignanddesign.com
  44. Virtualbambiland.com
  45. Wayweird.com
Kimberly
Aug 1 2008, 06:27 PM
<h4>
196.32.220.3/0.exe
</h4>
Copies itself as %windir%\services.exe.
Modifies settings related to the firewall.
QUOTE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 00, 00, 00, 00
New data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile "EnableFirewall"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile "EnableFirewall"
Type: REG_DWORD
Data: 00, 00, 00, 00
Grants itself access when using the XP firewall.
Disables the following services.
  • ALG
  • SharedAccess
  • wscsvc
Misc Registry changes
QUOTE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\services "del"
Type: REG_SZ
Data:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop "host"
Type: REG_SZ
Data: 206.51.226.211
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop "id"
Type: REG_SZ
Data: 775576643785
Requests Internet Access.
IPB Image
A DNS lookup on the following domains is performed. Able to send out email message(s) with the built-in SMTP client engine.
  • 206.51.226.211
  • mail.hotmail.com
  • mail.yahoo.com
  • mail.google.com
  • mail.mail.com
IPB Image
Periodically checks if an updated version of itself is available.
CODE
GET /0.exe HTTP/1.0
Accept: */*
If-Modified-Since: Wed, 30 Jul 2008 05:27:00 GMT
If-None-Match: "1468cde-a600-17b3100"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 196.32.220.3
~~~~~~~~~~: ~~~~~~~~~~

HTTP/1.1 304 Not Modified
Date: Fri, 01 Aug 2008 16:04:55 GMT
Server: Apache/2.2.6 (Fedora)
Connection: close
ETag: "1468cde-a600-17b3100"
Note: %windir% is a variable that refers to the windows folder. By default, this is C:\Windows (Windows 95/98/Me,Windows XP), C:\Winnt\ (Windows NT/2000)

Visible signs.

O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
You will also notice several instances of services.exe and cmd.exe running
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
....
rootkitscan (simple mode).

QUOTE
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-01 20:17:42
Windows 5.1.2600 Service Pack 2

---- User code sections - GMER 1.0.14 ----

.idata C:\WINDOWS\services.exe[184] C:\WINDOWS\services.exe unknown last section [0x00415000, 0x1000, 0xC0000040]
.idata C:\WINDOWS\services.exe[200] C:\WINDOWS\services.exe unknown last section [0x00415000, 0x1000, 0xC0000040]
.idata C:\WINDOWS\services.exe[212] C:\WINDOWS\services.exe unknown last section [0x00415000, 0x1000, 0xC0000040]
.idata C:\WINDOWS\services.exe[304] C:\WINDOWS\services.exe unknown last section [0x00415000, 0x1000, 0xC0000040]
.idata C:\WINDOWS\services.exe[1012] C:\WINDOWS\services.exe unknown last section [0x00415000, 0x1000, 0xC0000040]
.idata C:\WINDOWS\services.exe[1036] C:\WINDOWS\services.exe unknown last section [0x00415000, 0x1000, 0xC0000040]
.idata C:\WINDOWS\services.exe[1064] C:\WINDOWS\services.exe unknown last section [0x00415000, 0x1000, 0xC0000040]
.idata C:\WINDOWS\services.exe[1748] C:\WINDOWS\services.exe unknown last section [0x00415000, 0x1000, 0xC0000040]
.idata C:\WINDOWS\services.exe[1760] C:\WINDOWS\services.exe unknown last section [0x00415000, 0x1000, 0xC0000040]
.idata C:\WINDOWS\services.exe[1884] C:\WINDOWS\services.exe unknown last section [0x00415000, 0x1000, 0xC0000040]
.idata C:\WINDOWS\services.exe[2132] C:\WINDOWS\services.exe unknown last section [0x00415000, 0x1000, 0xC0000040]

<h4>
File details
</h4>
Filename: services.exe

File size: 42496 bytes
MD5...: 82f3d97d877944e5f40dea0f68913bde
SHA1..: 6f665fe9e89aa34c076ff743e2ac8d0d79f866a0
SHA256: 884d891ba532ae640c22e48fc1a7fadf71f82789e829f383eb32fe6d6739fcc8
PEiD..: -
QUOTE
File services.exe received on 08.01.2008 15:11:38
AhnLab-V3 2008.7.29.1 2008.08.01 -
AntiVir 7.8.1.15 2008.08.01 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2008.07.31 -
Avast 4.8.1195.0 2008.07.31 -
AVG 8.0.0.156 2008.08.01 Generic_r.E
BitDefender 7.2 2008.08.01 -
CAT-QuickHeal 9.50 2008.07.31 TrojanProxy.Small.uh
ClamAV 0.93.1 2008.08.01 -
DrWeb 4.44.0.09170 2008.08.01 Trojan.Packed.573
eSafe 7.0.17.0 2008.07.29 -
eTrust-Vet 31.6.6001 2008.08.01 Win32/Meldsimp.CX
Ewido 4.0 2008.08.01 -
F-Prot 4.4.4.56 2008.07.31 -
F-Secure 7.60.13501.0 2008.08.01 Trojan-Proxy.Win32.Small.uh
Fortinet 3.14.0.0 2008.08.01 W32/TibsPk.A!tr
GData 2.0.7306.1023 2008.08.01 Trojan-Proxy.Win32.Small.uh
Ikarus T3.1.1.34.0 2008.08.01 Trojan.Crypt.XPACK
K7AntiVirus 7.10.399 2008.07.31 -
Kaspersky 7.0.0.125 2008.08.01 Trojan-Proxy.Win32.Small.uh
McAfee 5351 2008.07.31 -
Microsoft 1.3704 2008.07.28 -
NOD32v2 3317 2008.08.01 Win32/TrojanProxy.Small.NCA
Norman 5.80.02 2008.08.01 -
Panda 9.0.0.4 2008.08.01 -
PCTools 4.4.2.0 2008.08.01 -
Prevx1 V2 2008.08.01 Cloaked Malware
Rising 20.55.42.00 2008.08.01 -
Sophos 4.31.0 2008.08.01 Mal/TibsPk-F
Sunbelt 3.1.1537.1 2008.08.01 Trojan-Proxy.Win32.Small.uh
Symantec 10 2008.08.01 Packed.Generic.57
TheHacker 6.2.96.391 2008.07.31 -
TrendMicro 8.700.0.1004 2008.08.01 -
VBA32 3.12.8.2 2008.08.01 -
ViRobot 2008.8.1.1321 2008.08.01 Trojan.Win32.Proxy.42496.I
VirusBuster 4.5.11.0 2008.07.31 -
Webwasher-Gateway 6.6.2 2008.08.01 Trojan.Crypt.XPACK.Gen
Kimberly
Aug 11 2008, 12:36 AM
Another suject is actively circulating and poses as a fake Internet Explorer 7 update.
Subject: Internet Explorer 7
Body: Download the latest version!
IPB Image
The link leads to [hacked domain]/update.exe.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2012 Invision Power Services, Inc.