Scanned Image from a Xerox WorkCentre

We analyzed the following malicious attachment, used in Xerox "Scanned Image" themed spam on February 14, 2013:

Spam Subject:
Scanned Image from a Xerox WorkCentre

Spam Template:

Device Name: Not Set
Device Model: Scab-3871N
Location: Not Set

File Format: PDF (Medium)
File Name:
Resolution: 200dpi x 200dpi

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: hxxp://

MD5: 2688370c5fd8bc197141a55d43883ad4
Size: 117,606 bytes

The Pony downloader posts to its dropzone at hxxp:// It was also configured to download 3 Gameover Zeus payloads from the following locations:
1. hxxp://
2. hxxp://
3. hxxp://
Gameover installs itself to %APPDATA%\Iriwb\tuoqf.exe and has the following file properties:

File: tuoqf.exe
MD5: cd08cfedf5033ce7b18a0e1be4d23501
Size: 309,760 bytes
Time-Stamp: 2013-02-5 20:09:27
This Gameover Zeus variant posts to a dropzone at
Webinjects were downloaded from
The Gameover variant had a botid of “dotf14”.
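The indicators above (spam subject, attachment and payload MD5s and sizes, install path) can be turned directly into mail-gateway and host triage checks. The script below is an added example, not code from the original post: it uses only the values given on this page (the dropzone and payload URLs are not reproduced here, so they are not matched), the sample inputs at the bottom are constructed, and the "Zeus-style" AppData path heuristic is my assumption about the family's random folder/file naming rather than something stated in the analysis.

```python
import hashlib
import re
from dataclasses import dataclass

# Indicators copied from the analysis above. URLs are not on the page and are
# therefore not part of the indicator set.
PAGE_IOCS = {
    "subject": "Scanned Image from a Xerox WorkCentre",
    "attachment_md5": "2688370c5fd8bc197141a55d43883ad4",  # Pony downloader PDF, 117,606 bytes
    "attachment_size": 117606,
    "payload_md5": "cd08cfedf5033ce7b18a0e1be4d23501",     # Gameover Zeus tuoqf.exe, 309,760 bytes
    "payload_size": 309760,
    "install_path": r"%APPDATA%\Iriwb\tuoqf.exe",
}

# Heuristic (assumption, not from the page): a short lowercase random folder
# and exe name directly under Roaming AppData, as in the sample above.
ZEUS_STYLE_PATH = re.compile(r"\\AppData\\Roaming\\[a-z]{4,8}\\[a-z]{4,8}\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    indicator: str  # which indicator fired
    value: str      # the observed value
    strength: str   # "strong" for a hash match, "weak" for subject/size/path hints


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def check_email(subject: str, attachment: bytes, iocs: dict = PAGE_IOCS) -> list[Finding]:
    """Match one message (subject plus raw attachment bytes) against the indicators."""
    findings: list[Finding] = []
    if subject.strip().lower() == iocs["subject"].lower():
        findings.append(Finding("subject", subject, "weak"))
    digest = md5_hex(attachment)
    if digest == iocs["attachment_md5"]:
        findings.append(Finding("attachment_md5", digest, "strong"))
    elif len(attachment) == iocs["attachment_size"]:
        # Same size, different hash: possibly a repacked build of the same sample.
        findings.append(Finding("attachment_size", str(len(attachment)), "weak"))
    return findings


def check_host_file(path: str, data: bytes, iocs: dict = PAGE_IOCS) -> list[Finding]:
    """Match a file found on disk (full Windows path plus contents) against the install IoCs."""
    findings: list[Finding] = []
    # %APPDATA% normally expands to ...\AppData\Roaming, so compare only the path tail.
    tail = iocs["install_path"].replace("%APPDATA%", "").lower()
    if path.lower().endswith(tail):
        findings.append(Finding("install_path", path, "weak"))
    elif ZEUS_STYLE_PATH.search(path):
        findings.append(Finding("zeus_style_path", path, "weak"))
    digest = md5_hex(data)
    if digest == iocs["payload_md5"]:
        findings.append(Finding("payload_md5", digest, "strong"))
    return findings


def verdict(findings: list[Finding]) -> str:
    """Collapse findings to 'strong', 'weak' or 'none' for alert routing."""
    if any(f.strength == "strong" for f in findings):
        return "strong"
    return "weak" if findings else "none"


if __name__ == "__main__":
    # Constructed sample inputs; the attachment bytes are a stand-in, not the real sample.
    mail = check_email("Scanned Image from a Xerox WorkCentre", b"%PDF-1.4 stand-in")
    host = check_host_file(r"C:\Users\alice\AppData\Roaming\Iriwb\tuoqf.exe", b"MZ stand-in")
    for f in mail + host:
        print(f"{f.strength:6} {f.indicator}: {f.value}")
    print("mail verdict:", verdict(mail), "| host verdict:", verdict(host))
```

The subject and path checks are deliberately rated "weak": the sender controls the subject line, and the install path only matches this one build, so on their own they should raise a ticket rather than block. The MD5 match is the only indicator worth automatic action here, and even that is bound to this exact sample; a repacked copy changes the hash, which is why the size-only branch exists as a nudge to look closer.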

The following P2P drones were found embedded inside the Gameover Zeus payload:

