Subject: Western Union Transfer MTCN: 3423932642
From: "Western Union Support Team" support@westernunion.com
Dear Client!
The money transfer you have sent on the 15th of March hasn't been collected by the recipient.
According to the Western Union treaty the transfers which are not received in 15 business days are to be returned to sender.
To collect funds you need to print the invoice attached to this letter and visit the nearest Western Union agency.
Thank you!
Once unzipped, the executable poses as an Excel document in order to mislead people.
Filename: WesternUnion_TR0002212.exe
File size: 52224 bytes
MD5...: c17e6929f32dd05d718c83c2aae219bb
SHA1..: 87e5e472a509a3f2a8eed1aefb8b6599616597c9
SHA256: f01eaf59b4011b1d7733101f2c76dcbb563faa825927e8dadd421a42ddeadd52
PEiD..: -
Antivirus scan results

File WesternUnion_TR0002212.exe received on 2009.05.26 18:55:57 (UTC)
a-squared 4.0.0.101 2009.05.26 Trojan-Downloader.Win32.Bredolab!IK
AhnLab-V3 5.0.0.2 2009.05.26 -
AntiVir 7.9.0.168 2009.05.26 TR/Drop.Zbot.B
Antiy-AVL 2.0.3.1 2009.05.26 -
Authentium 5.1.2.4 2009.05.26 W32/Trojan3.AXA
Avast 4.8.1335.0 2009.05.26 -
BitDefender 7.2 2009.05.26 Gen:Trojan.Heur.3004FB9EBC
CAT-QuickHeal 10.00 2009.05.26 (Suspicious) - DNAScan
ClamAV 0.94.1 2009.05.26 -
Comodo 1203 2009.05.26 -
eSafe 7.0.17.0 2009.05.26 Win32.TrojanDownload
eTrust-Vet 31.6.6522 2009.05.26 -
F-Prot 4.4.4.56 2009.05.26 W32/Trojan3.AXA
Fortinet 3.117.0.0 2009.05.26 -
GData 19 2009.05.26 Gen:Trojan.Heur.3004FB9EBC
Ikarus T3.1.1.57.0 2009.05.26 -
K7AntiVirus 7.10.745 2009.05.26 -
Kaspersky 7.0.0.125 2009.05.26 Trojan.Win32.Agent.cjef
McAfee 5627 2009.05.26 -
McAfee+Artemis 5627 2009.05.26 Artemis!C17E6929F32D
McAfee-GW-Edition 6.7.6 2009.05.26 Trojan.Drop.Zbot.B
NOD32 4106 2009.05.26 -
Norman 6.01.05 2009.05.26 -
nProtect 2009.1.8.0 2009.05.26 -
PCTools 4.4.2.0 2009.05.21 -
Prevx 3.0 2009.05.26 -
Sophos 4.42.0 2009.05.26 Troj/Dloadr-CMT
Sunbelt 3.2.1858.2 2009.05.25 -
Symantec 1.4.4.12 2009.05.26 Trojan Horse
TheHacker 6.3.4.3.332 2009.05.26 -
TrendMicro 8.950.0.1092 2009.05.26 -
VBA32 3.12.10.6 2009.05.26 -
ViRobot 2009.5.26.1753 2009.05.26 -
VirusBuster 4.6.5.0 2009.05.26 -
Registry Modifications

The following Registry Keys and Values were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
%Windir%\explorer.exe = "EnableNXShowUI"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
RunGrpConv = 0x00000001

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility]
AppCompatCache = EF BE AD DE 60 00 00 00 00 00 00 00 00 00 00 00 ......
Files added

%Temp%\WERbab7.dir00
Files deleted

%AppData%\wiaserva.log 0 bytes
%Temp%\WERbab7.dir00\appcompat.txt 16,296 bytes
%Temp%\WERbab7.dir00\explorer.exe.hdmp 0 bytes
%Temp%\WERbab7.dir00\explorer.exe.mdmp 59,849 bytes
%Temp%\WERbab7.dir00\manifest.txt 1,980 bytes
%System%\wbem\grpconv.exe 52,224 bytes
Note: %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%Temp% is a variable that refers to the temporary folder. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

%System%\grpconv.exe
Outbound connections
dollarpoint.ru/abc/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&rnd=8520045

dollarpoint.ru - 91.212.158.100
type: CORPORATE
nserver: ns1.dollarpoint.ru. 91.212.158.100
nserver: ns2.dollarpoint.ru. 91.212.158.100
state: REGISTERED, DELEGATED
person: Private Person
phone: +7 928 55455579
e-mail: support@dollarpoint.ru
registrar: NAUNET-REG-RIPN
created: 2009.05.25
paid-till: 2010.05.25
source: TC-RIPN
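The outbound request above is the indicator most useful for a defender, since the beacon shape (controller.php with action=bot and a per-infection guid) survives changes of filename and hash. As an added example that is not part of the original post, the following Python matches that beacon pattern, by host name or by the resolved IP, against web proxy log lines. The domain, IP and URL path are the ones reported above; the log line format and the sample lines are constructed for this example and are not from the report.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the report above (domain, resolved IP, beacon path).
C2_DOMAIN = "dollarpoint.ru"
C2_IP = "91.212.158.100"
C2_PATH = "/abc/controller.php"

# Assumed proxy log layout (constructed for this example, not a real product format):
# "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: a full beacon by domain, an unrelated request,
# the same beacon by IP (DNS bypassed), and a bare contact with the C2 host.
SAMPLE_LOG = """\
2009-05-26T19:01:02Z 10.0.0.12 GET http://dollarpoint.ru/abc/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&rnd=8520045 200
2009-05-26T19:01:05Z 10.0.0.12 GET http://www.example.com/index.html 200
2009-05-26T19:06:10Z 10.0.0.12 GET http://91.212.158.100/abc/controller.php?action=bot&entity_list=&uid=&first=0&guid=13441600&rnd=1122334 200
2009-05-26T19:07:00Z 10.0.0.31 GET http://dollarpoint.ru/ 404
"""


def classify_url(url):
    """Return a match reason for a URL, or None if it is unrelated to the C2.

    "c2-beacon": the controller path with action=bot (the check-in itself).
    "c2-controller-path": the controller path without the bot action.
    "c2-host-contact": any other request to the C2 host or IP.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host not in (C2_DOMAIN, C2_IP):
        return None
    if parts.path == C2_PATH:
        query = parse_qs(parts.query, keep_blank_values=True)
        if query.get("action") == ["bot"]:
            return "c2-beacon"
        return "c2-controller-path"
    return "c2-host-contact"


def scan_proxy_log(text):
    """Parse proxy log lines and return one dict per line that touches the C2."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole scan
        url = m.group("url")
        reason = classify_url(url)
        if reason is None:
            continue
        query = parse_qs(urlsplit(url).query, keep_blank_values=True)
        hits.append({
            "ts": m.group("ts"),
            "client": m.group("client"),
            "host": urlsplit(url).hostname,
            "reason": reason,
            # guid identifies the infected host to the controller; keep it for triage
            "guid": query.get("guid", [None])[0],
        })
    return hits


def clients_with_beacons(hits):
    """Internal clients that completed at least one action=bot check-in."""
    return sorted({h["client"] for h in hits if h["reason"] == "c2-beacon"})


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["client"]} -> {h["host"]} [{h["reason"]}] guid={h["guid"]}')
    print("hosts to isolate:", clients_with_beacons(found))
```

Matching on both the domain and the IP matters because the whois data shows the domain was registered the day before the sample was seen, so blocking only the name leaves the IP reachable; the guid pulled from each hit lets an analyst tell two infected machines apart even when they sit behind the same proxy address.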

