UPS notify!

Subject: UPS notify
Attachment: parcel

The email contained an attachment, parcel. Within this zip file was an executable with the following properties:

Name: Parcel information.exe
MD5: 0eadfb37c6664ae671d50787bc6b9e28
Size: 47,616 bytes

This payload is identified as a Gamarue downloader, a bot-controlled worm. It injects itself into a new svchost.exe process. It then makes a self-copy at:

It adds a registry entry to ensure that the executable runs with each system restart:

61309 – “C:\WINDOWS\system32\wuauclt.exe”

It then queries A records from Google’s public DNS (at IP address for the domain napasaran[.]ru. This domain is hosted at IP addresses,, and

The following network traffic is then observed:

POST /and/image.php HTTP/1.1
User-Agent: Mozilla/4.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 92
Connection: close


The infected computer then downloads and installs file /test.exe. This is Security Shield rogue AV with the following properties:

MD5: 6ebb20543e371d72e807a62c897685d5
Size: 349,696 bytes
Timestamp: 2011:10:25 21:34:24+02:00

Security Shield AV

Next, it downloads apartmentsincorfu[.]gr /888.exe. This domain is hosted at
This is a Wibimo spambot with the following properties:

MD5: 4162b8bceb3f4ceb97519f92e54c7f4c
Size: 27,136 bytes
Timestamp: 2011:11:21 11:45:32+01:00

It is installed as:

MD5: 03142b3993c6f8c530eb2a943173a20b
Size: 13,824 bytes

It connects to a C&C at grabsfakus[.]com:1001. This domain is hosted at 3 IP addresses:, and This domain was registered by Other domains registered by same mail ID:
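The indicators in this report (the four MD5 hashes, the three domains, the POST beacon to /and/image.php with a bare Mozilla/4.0 User-Agent, and the C&C port 1001) can be turned into a small matcher that a responder would run over DNS, proxy, connection and file-hash logs to find other infected hosts. The following is an added example, not code from the original post; the tab-separated log layout and the sample log lines are constructed for illustration and are not from any real log source.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the report above. Domains are kept defanged as in the post
# and refanged only for comparison against log data.
IOC_HASHES = {
    "0eadfb37c6664ae671d50787bc6b9e28": "Gamarue downloader (Parcel information.exe)",
    "6ebb20543e371d72e807a62c897685d5": "Security Shield rogue AV (test.exe)",
    "4162b8bceb3f4ceb97519f92e54c7f4c": "Wibimo spambot (888.exe)",
    "03142b3993c6f8c530eb2a943173a20b": "Wibimo spambot, installed copy",
}
DEFANGED_DOMAINS = {"napasaran[.]ru", "apartmentsincorfu[.]gr", "grabsfakus[.]com"}
IOC_C2_PORT = 1001
BEACON_PATH = "/and/image.php"
PAYLOAD_PATHS = {"/test.exe", "/888.exe"}
# The downloader sends a bare "Mozilla/4.0" with no platform token; a real browser never does.
BARE_UA = re.compile(r"^Mozilla/4\.0$")


def refang(indicator: str) -> str:
    """Turn 'example[.]com' into 'example.com' so it can be compared to log fields."""
    return indicator.replace("[.]", ".")


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


@dataclass
class Hit:
    source: str       # which log type matched: dns, http, conn or file
    indicator: str    # the value that matched
    description: str  # what the match means, per the report
    line: str         # the raw log line, for the analyst


# Constructed sample log lines (hypothetical, not from the post). Layout per line:
#   dns  <ts> <client> <qtype> <qname>
#   http <ts> <client> <method> <path> <user-agent> <content-length>
#   conn <ts> <client> <dst-host> <dst-port>
#   file <ts> <host>   <path> <md5>
SAMPLE_LOGS = [
    "dns\t2011-11-22T10:01:02Z\t10.0.0.5\tA\tnapasaran.ru",
    "dns\t2011-11-22T10:01:03Z\t10.0.0.5\tA\twww.example.org",
    "http\t2011-11-22T10:01:05Z\t10.0.0.5\tPOST\t/and/image.php\tMozilla/4.0\t92",
    "http\t2011-11-22T10:01:09Z\t10.0.0.5\tGET\t/test.exe\tMozilla/4.0\t0",
    "http\t2011-11-22T10:02:30Z\t10.0.0.5\tGET\t/index.html\tMozilla/5.0 (Windows NT 6.1)\t0",
    "conn\t2011-11-22T10:03:00Z\t10.0.0.5\tgrabsfakus.com\t1001",
    "file\t2011-11-22T10:03:10Z\t10.0.0.5\tC:\\Users\\a\\888.exe\t4162b8bceb3f4ceb97519f92e54c7f4c",
]


def scan_line(line: str) -> Optional[Hit]:
    """Return a Hit if the line matches one of the report's indicators, else None."""
    fields = line.rstrip("\n").split("\t")
    kind = fields[0]
    if kind == "dns" and len(fields) >= 5:
        qname = fields[4].lower().rstrip(".")
        if qname in IOC_DOMAINS:
            return Hit("dns", qname, "lookup of a domain from the Gamarue/Wibimo chain", line)
    elif kind == "http" and len(fields) >= 7:
        method, path, ua = fields[3], fields[4], fields[5]
        if method == "POST" and path == BEACON_PATH and BARE_UA.match(ua):
            return Hit("http", f"POST {path}", "Gamarue check-in beacon", line)
        if method == "GET" and path in PAYLOAD_PATHS and BARE_UA.match(ua):
            return Hit("http", f"GET {path}", "second-stage payload download", line)
    elif kind == "conn" and len(fields) >= 5:
        host, port = fields[3].lower(), fields[4]
        if host in IOC_DOMAINS and port == str(IOC_C2_PORT):
            return Hit("conn", f"{host}:{port}", "Wibimo C&C connection", line)
    elif kind == "file" and len(fields) >= 5:
        md5 = fields[4].lower()
        if md5 in IOC_HASHES:
            return Hit("file", md5, IOC_HASHES[md5], line)
    return None


def scan(lines: List[str]) -> List[Hit]:
    """Scan every line and keep only the matches, in log order."""
    return [h for h in (scan_line(l) for l in lines) if h is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"[{hit.source}] {hit.indicator}: {hit.description}")
```

The HTTP rule deliberately keys on the bare User-Agent together with the path rather than on the Content-Length of 92, since the beacon body may vary between hosts while the bare UA string is the more stable trait; a hit on the DNS or file rule alone is enough to triage a host, and the file-hash rule is the only one that identifies which stage of the chain was dropped.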


The spambot immediately began its spam campaign of “Best quality drugs” as shown below:


USPS – Fast Delivery Shipping 1-4 day USA
Best quality drugs
Fast Shipping USA
Professional packaging
100% guarantee on delivery
Best prices in the market
Discounts for returning customers
FDA approved productas
35000+ satisfied customers

