Subject.
Important Customer Information *
Body.
Countrywide Bank
Important:

Protecting personal and account information of our customers' is a priority for Countrywide and its family of companies. We recognize that this information is critical to you and, to that end, we follow procedures to reasonably ensure the accuracy of your records.

We inform you that your online banking account is about to expire. It is strongly recommended to update it as soon as possible. You can do it immediately using the link specified:

Continue to account update form >>>

However, failure to confirm your records may result in account suspension.
This message has been generated automatically, please do not reply.

Sincerely, Countrywide Customer Service
Website.
While the website is loading, a file is downloaded and executed on the computer. Immediately afterwards we are redirected to an adult web page.

Details

Registry changes.
QUOTE
HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32 "(Default)"
Old type: REG_SZ
New type: REG_SZ
Old data: C:\WINDOWS\system32\stobject.dll
New data: C:\DOCUME~1\KLY\LOCALS~1\Temp\\shell32.dll
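The registry change above is a COM server hijack: the CLSID {35CEC8A3-2BE6-11D2-8773-92E220524153} belongs to the systray shell service object (stobject.dll), which explorer.exe loads at every logon, so redirecting its InprocServer32 default value to a DLL in the user's Temp directory gives the dropped file persistence. The dropped DLL is also named shell32.dll to blend in with the real system DLL. The script below is an added example (not code from the post's author) that parses a diff in the same "key / Old data / New data" layout quoted above and flags InprocServer32 changes whose new target is in a user-writable directory, has left the Windows system directory, or carries a system-DLL name outside a system directory. The sample input embeds the post's observed change plus a constructed benign control with a null-GUID CLSID; the user-writable markers and the system-DLL name list are illustrative assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the "key / Old data / New data" layout the registry
# diff quoted in the post uses. Record 1 reproduces the change observed in
# the post; record 2 is a constructed benign control (a null-GUID CLSID and
# an application DLL update inside its own Program Files directory).
SAMPLE_DIFF = r"""
HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32 "(Default)"
Old type: REG_SZ
New type: REG_SZ
Old data: C:\WINDOWS\system32\stobject.dll
New data: C:\DOCUME~1\KLY\LOCALS~1\Temp\\shell32.dll
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32 "(Default)"
Old type: REG_SZ
New type: REG_SZ
Old data: C:\Program Files\ExampleApp\example.dll
New data: C:\Program Files\ExampleApp\example_v2.dll
"""

# Directories a DLL registered under a system CLSID is expected to live in.
SYSTEM_DIRS = ("/windows/system32/", "/windows/syswow64/")
# Path components that mark user-writable locations (assumed list; 8.3 short
# names included because the tool printed DOCUME~1 / LOCALS~1).
USER_WRITABLE_PARTS = {"temp", "tmp", "docume~1", "documents and settings",
                       "users", "appdata", "locals~1", "local settings"}
# Illustrative list of DLL names that normally ship in System32; one of these
# names outside a system directory is a masquerade.
SYSTEM_DLL_NAMES = {"shell32.dll", "stobject.dll", "kernel32.dll", "ntdll.dll",
                    "user32.dll", "advapi32.dll"}


def parse_registry_diff(text):
    """Parse the tool's listing into dicts with key, value name, old and new data."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("HKEY_"):
            # Key path, optionally followed by the quoted value name.
            m = re.match(r'(\S+)(?:\s+"(.*)")?$', line)
            current = {"key": m.group(1), "value": m.group(2) or "",
                       "old": "", "new": ""}
            records.append(current)
        elif current is not None:
            m = re.match(r"(Old|New) data:\s*(.*)$", line)
            if m:
                current[m.group(1).lower()] = m.group(2).strip()
    return records


def _norm(path):
    # PureWindowsPath collapses the doubled separator in Temp\\shell32.dll
    # and yields a slash-separated form we can case-fold for comparison.
    return PureWindowsPath(path).as_posix().lower()


def _in_system_dir(path):
    return any(d in _norm(path) for d in SYSTEM_DIRS)


def _in_user_writable_dir(path):
    parts = {p.lower() for p in PureWindowsPath(path).parts}
    return bool(parts & USER_WRITABLE_PARTS)


def assess_com_server_change(rec):
    """Return the reasons an InprocServer32 change looks like a COM hijack ([] if none)."""
    if not rec["key"].lower().endswith("\\inprocserver32"):
        return []
    old, new = rec["old"], rec["new"]
    reasons = []
    if _in_user_writable_dir(new):
        reasons.append("new server path is in a user-writable directory")
    if _in_system_dir(old) and not _in_system_dir(new):
        reasons.append("server moved out of the Windows system directory")
    name = PureWindowsPath(new).name.lower()
    if name in SYSTEM_DLL_NAMES and not _in_system_dir(new):
        reasons.append(f"{name} outside a system directory masquerades as a system DLL")
    return reasons


def scan_registry_diff(text):
    """Return [(key, [reasons...])] for every suspicious InprocServer32 change."""
    findings = []
    for rec in parse_registry_diff(text):
        reasons = assess_com_server_change(rec)
        if reasons:
            findings.append((rec["key"], reasons))
    return findings


if __name__ == "__main__":
    for key, reasons in scan_registry_diff(SAMPLE_DIFF):
        print(key)
        for r in reasons:
            print("  -", r)
```

On the sample above only the first record is flagged, with all three reasons; the control record, which stays inside its own Program Files directory and uses an application-specific name, produces none. The same checks apply to any CLSID, not only the systray object, so the scan catches hijacks of other shell-loaded COM servers that use the same Temp-directory trick.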
Files.
QUOTE
c:\Documents and Settings\KLY\Local Settings\Temp\123.info
Date: 10/29/2008 5:14 AM
Size: 61 bytes
c:\Documents and Settings\KLY\Local Settings\Temp\shell32.dll
Date: 10/29/2008 5:14 AM
Size: 5,120 bytes
Filename: ~8vtt0e.exe

File size: 8192 bytes
MD5...: 8f27b80755d7507ca74ab0d322377d0b
SHA1..: f7d9c2fa062e06cfee174e3f6b5f07cdf696c134
SHA256: bb92ea5b9eae6d10bcec2d06a4e478971ccdef0d1104c5f379110f0f012da3df
PEiD..: -
QUOTE
File _8vtt0e.exe received on 10.29.2008 04:58:56 (CET)
AhnLab-V3 2008.10.28.3 2008.10.28 -
AntiVir 7.9.0.10 2008.10.28 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2008.10.28 W32/Ristix.A
Avast 4.8.1248.0 2008.10.28 -
AVG 8.0.0.161 2008.10.29 -
BitDefender 7.2 2008.10.29 -
CAT-QuickHeal 9.50 2008.10.28 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.10.29 -
DrWeb 4.44.0.09170 2008.10.29 -
eSafe 7.0.17.0 2008.10.28 -
eTrust-Vet 31.6.6178 2008.10.29 -
Ewido 4.0 2008.10.28 -
F-Prot 4.4.4.56 2008.10.28 W32/Zbot.I.gen!Eldorado
F-Secure 8.0.14332.0 2008.10.29 Suspicious:W32/Malware!Gemini
Fortinet 3.117.0.0 2008.10.28 -
GData 19 2008.10.29 -
Ikarus T3.1.1.44.0 2008.10.29 -
K7AntiVirus 7.10.510 2008.10.28 -
Kaspersky 7.0.0.125 2008.10.29 -
McAfee 5417 2008.10.28 -
Microsoft 1.4005 2008.10.29 -
NOD32 3564 2008.10.29 -
Norman 5.80.02 2008.10.28 -
Panda 9.0.0.4 2008.10.29 Suspicious file
PCTools 4.4.2.0 2008.10.28 -
Prevx1 V2 2008.10.29 Suspicious
Rising 21.01.20.00 2008.10.29 -
SecureWeb-Gateway 6.7.6 2008.10.29 Trojan.Crypt.XPACK.Gen
Sophos 4.35.0 2008.10.29 -
Sunbelt 3.1.1762.1 2008.10.28 -
Symantec 10 2008.10.29 -
TheHacker 6.3.1.1.133 2008.10.28 -
TrendMicro 8.700.0.1004 2008.10.28 PAK_Generic.001
VBA32 3.12.8.8 2008.10.28 suspected of Win32 Shadow Socket Open
ViRobot 2008.10.29.1442 2008.10.29 -
VirusBuster 4.5.11.0 2008.10.28 -
Filename: shell32.dll

File size: 5120 bytes
MD5...: 8fbdc2da2714fb72a8395f2fc1766523
SHA1..: 01ef9f388e6930a275651e4bc0bc4f2afbdab4ce
SHA256: f0ea405bf9e99cbe51c14d530dee5f2f26da0d0d46bb02bef564609384837881
PEiD..: -
QUOTE
File shell32.dll received on 10.29.2008 05:23:18 (CET)
AhnLab-V3 2008.10.28.3 2008.10.28 -
AntiVir 7.9.0.10 2008.10.28 -
Authentium 5.1.0.4 2008.10.28 -
Avast 4.8.1248.0 2008.10.28 -
AVG 8.0.0.161 2008.10.29 -
BitDefender 7.2 2008.10.29 -
CAT-QuickHeal 9.50 2008.10.28 -
ClamAV 0.93.1 2008.10.29 -
DrWeb 4.44.0.09170 2008.10.29 -
eSafe 7.0.17.0 2008.10.28 -
eTrust-Vet 31.6.6178 2008.10.29 -
Ewido 4.0 2008.10.28 -
F-Prot 4.4.4.56 2008.10.28 -
F-Secure 8.0.14332.0 2008.10.29 -
Fortinet 3.117.0.0 2008.10.28 -
GData 19 2008.10.29 -
Ikarus T3.1.1.44.0 2008.10.29 -
K7AntiVirus 7.10.510 2008.10.28 -
Kaspersky 7.0.0.125 2008.10.29 -
McAfee 5417 2008.10.28 -
Microsoft 1.4005 2008.10.29 -
NOD32 3564 2008.10.29 -
Norman 5.80.02 2008.10.28 -
Panda 9.0.0.4 2008.10.29 Suspicious file
PCTools 4.4.2.0 2008.10.28 -
Prevx1 V2 2008.10.29 Suspicious
Rising 21.01.20.00 2008.10.29 -
SecureWeb-Gateway 6.7.6 2008.10.29 -
Sophos 4.35.0 2008.10.29 -
Sunbelt 3.1.1762.1 2008.10.28 -
Symantec 10 2008.10.29 -
TheHacker 6.3.1.1.133 2008.10.28 -
TrendMicro 8.700.0.1004 2008.10.28 -
VBA32 3.12.8.8 2008.10.28 suspected of Win32 Shadow Socket Open
ViRobot 2008.10.29.1442 2008.10.29 -
VirusBuster 4.5.11.0 2008.10.28 -