ADP Recent Transaction

We analyzed the following malicious attachment, used in ADP-themed spam on February 07 & 08, 2013:

Spam Template:

We were unable to process your recent transaction. Please verify your details and try again.
If the problem persists, contact us to complete your order.

Transaction details are shown in the attached file.

Reference #239814359000

This e-mail has been sent from an automated system.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.


File: ADP – Recent Transaction
MD5: c8b3ea47a1f2080dbede84a9f7940de7
Size: 131,584 bytes

The Pony downloader posts to its dropzone at hxxp://. It was also configured to download 3 Gameover Zeus payloads from the following locations:

1. hxxp://
2. hxxp://
3. hxxp://

Gameover installs itself as %APPDATA%\Ybna\unyfl.exe and has the following file properties:

File: ylkas.exe
Size: 359,936 bytes
MD5: 53cf45f6ab62b633393924b86b6c8d76
Time-Stamp: 2013-02-05 20:09:27
Company Name: Microsoft Corporation
File Description: Microsoft Windows Setup Utility
File Version:
Internal Name: a6ize
Legal Copyright: (C) Microsoft Corporation. All rights reserved.
Original Filename: a6ize
Product Name: Microsoft(R) Windows Media Player
Product Version:
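As an added example (not part of the original writeup), the following Python triages a sample against the indicators listed above: it matches a file's MD5 against the two hashes given, flags the kind of version-info inconsistencies the installed payload shows (a Microsoft company name next to empty version fields and an OriginalFilename without an executable extension), and flags the install path pattern reported here (an .exe dropped directly into a short random-named folder under %APPDATA%). The hash table and sample version info are copied from this page; the heuristic thresholds for folder and file-name length are my own assumptions, not anything the writeup states.

```python
import hashlib
import re

# Indicators copied from the writeup: MD5s of the spam attachment and of the
# installed Gameover Zeus payload. Keys are lowercase hex digests.
KNOWN_BAD_MD5 = {
    "c8b3ea47a1f2080dbede84a9f7940de7": "ADP - Recent Transaction (Pony downloader)",
    "53cf45f6ab62b633393924b86b6c8d76": "Gameover Zeus payload (ylkas.exe)",
}

# Version-info block as reported for the installed payload (values from the writeup).
SAMPLE_VERSION_INFO = {
    "CompanyName": "Microsoft Corporation",
    "FileDescription": "Microsoft Windows Setup Utility",
    "FileVersion": "",
    "InternalName": "a6ize",
    "LegalCopyright": "(C) Microsoft Corporation. All rights reserved.",
    "OriginalFilename": "a6ize",
    "ProductName": "Microsoft(R) Windows Media Player",
    "ProductVersion": "",
}

# Install location reported in the writeup.
SAMPLE_INSTALL_PATH = r"%APPDATA%\Ybna\unyfl.exe"


def md5_hex(data: bytes) -> str:
    """Return the lowercase hex MD5 of a byte string (e.g. file contents)."""
    return hashlib.md5(data).hexdigest()


def lookup_known_bad(digest: str):
    """Return the label of a listed known-bad sample, or None if the hash is not listed."""
    return KNOWN_BAD_MD5.get(digest.strip().lower())


def version_info_findings(info: dict) -> list:
    """Flag version-info inconsistencies that a genuine vendor build would not
    normally show. Returns a list of human-readable findings (empty = nothing odd)."""
    findings = []
    company = info.get("CompanyName", "").lower()
    if "microsoft" in company:
        # Real Microsoft binaries carry populated version strings.
        for field in ("FileVersion", "ProductVersion"):
            if not info.get(field, "").strip():
                findings.append(f"{field} is empty although CompanyName claims Microsoft")

    orig = info.get("OriginalFilename", "").strip()
    if orig and not re.search(r"\.(exe|dll|sys|ocx|scr)$", orig, re.IGNORECASE):
        findings.append(f"OriginalFilename '{orig}' has no executable extension")
    return findings


def install_path_findings(path: str) -> list:
    """Flag an .exe placed directly in a short, random-looking folder under %APPDATA%,
    the layout reported for this sample. Length bounds are an assumed heuristic."""
    findings = []
    m = re.fullmatch(r"%APPDATA%\\([^\\]+)\\([^\\]+\.exe)", path, re.IGNORECASE)
    if m:
        folder, exe = m.groups()
        if re.fullmatch(r"[A-Za-z]{3,6}", folder) and re.fullmatch(r"[a-z]{3,8}\.exe", exe):
            findings.append(f"{exe} dropped into short random-named folder '{folder}' under %APPDATA%")
    return findings


def triage(data: bytes, info: dict, path: str) -> dict:
    """Combine the three checks into one report for a sample."""
    return {
        "md5": md5_hex(data),
        "known_bad": lookup_known_bad(md5_hex(data)),
        "version_info": version_info_findings(info),
        "install_path": install_path_findings(path),
    }


if __name__ == "__main__":
    # Constructed stand-in for file contents; a real run would read the dropped file.
    report = triage(b"constructed sample bytes", SAMPLE_VERSION_INFO, SAMPLE_INSTALL_PATH)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the reported metadata the version-info check returns three findings and the path check one; a populated Microsoft version block with a proper OriginalFilename returns none, and a vendor-style nested path under %APPDATA% is not flagged.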

This Gameover Zeus variant posts to a dropzone at . Webinjects were downloaded from . The Gameover variant had a botid of “dotmanf8”.

The following P2P drones were found embedded inside the installed Gameover Zeus payload:

