More Trojans hiding behind false celebrity videos

Another spam campaign has surfaced that tries to entice users into opening messages with subject lines such as “Failure Notice”, “Your Order is Executed” or “Your Order”. The message body, however, has nothing to do with the subject: it carries links with lures such as “Angelina Jolie Nude” or “Jennifer Lopez Extremely Naked”, and behind each link sits a Trojan. In the example below the link downloads a fake AVI codec.

Here is what was hiding behind the link on the website, as reported by VirusTotal:

http://www.virustotal.com/analisis/0bd3eb3d643f44c8fc3abf4e523260a2

File size: 110080 bytes
MD5…: 63aaec539c2066162245dbcd401ed6dd
SHA1..: 636c40e8a36b8c5148ebc155ab3507a46f9cc6b5
SHA256: 8c02faea017673b30952dbeb1f9f110cc9f7cb9a4521da5cf504c1e76c594086
SHA512: 9d7356685bc279e31d1f0cd2f51f07272b4cacb85935cab946dd1e0c7d5edbecb1cb34090bad806b88eac7b464a317991aeb4f027f912a86c5dca80319411bdc
PEiD..: –
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x402f6e
timedatestamp…..: 0x48776b9b Fri Jul 11 14:18:03 2008
machinetype…….: 0x14c (I386)

( 4 sections )
name    viradd   virsiz   rawdsiz  ntrpy  md5
.text   0x1000   0x8f11   0x6200   7.99   70e00ef0c033a7a2f9f7025e9c590555
.rdata  0xa000   0x349a   0x1600   7.96   c8dcec56969c9063de3ba6e0038af237
.data   0xe000   0x25ef1  0x11200  8.00   525568375d30a9d9d560c221352b5a82
.rsrc   0x34000  0x2000   0x2000   5.31   9f54e2e8faf7d9e69eefb0e1514d836a

( 3 imports )
> gdi32.dll: ResetDCW, StretchBlt, SetICMMode, SetRelAbs, SetDIBColorTable, UpdateColors, SaveDC, TextOutW
> urlmon.dll: URLOpenStreamA, IsLoggingEnabledA, CoInstall, GetClassFileOrMime, AsyncInstallDistributionUnit, IsValidURL
> shell32.dll: StrRChrIW, SHFormatDrive, SHAppBarMessage

( 0 exports )
 
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=63aaec539c2066162245dbcd401ed6dd
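What the report tells an analyst at a glance can be worked out in code. The script below is an added example, not part of the original post and not VirusTotal's or ThreatExpert's tooling: it parses the PEInfo block above (copied verbatim as its input) and applies the same by-eye heuristics: three of the four sections have entropy above 7.9, which means packed or encrypted contents; those same sections are larger in memory than on disk, leaving zero-filled room for an in-place unpacker; the entry point lands inside the packed .text section; the tiny import table has no kernel32.dll at all, so the real API set is resolved at run time; and urlmon!URLOpenStreamA gives the stub a way to pull down a second stage, which fits the "fake codec" lure. The image base of 0x400000, the 7.0 entropy threshold and the list of downloader APIs are this example's own assumptions.

```python
"""Triage the PEInfo block of a VirusTotal report the way an analyst reads it.

Added example (not from the original post, not VirusTotal/ThreatExpert code).
REPORT is copied from the report above; IMAGE_BASE, PACKED_ENTROPY and
DOWNLOADER_APIS are this example's own assumptions.
"""
import math
import re
from collections import Counter
from datetime import datetime, timezone

# Input: the PEInfo block from the report on this page, verbatim.
REPORT = """\
entrypointaddress.: 0x402f6e
timedatestamp.....: 0x48776b9b
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x8f11 0x6200 7.99 70e00ef0c033a7a2f9f7025e9c590555
.rdata 0xa000 0x349a 0x1600 7.96 c8dcec56969c9063de3ba6e0038af237
.data 0xe000 0x25ef1 0x11200 8.00 525568375d30a9d9d560c221352b5a82
.rsrc 0x34000 0x2000 0x2000 5.31 9f54e2e8faf7d9e69eefb0e1514d836a

( 3 imports )
> gdi32.dll: ResetDCW, StretchBlt, SetICMMode, SetRelAbs, SetDIBColorTable, UpdateColors, SaveDC, TextOutW
> urlmon.dll: URLOpenStreamA, IsLoggingEnabledA, CoInstall, GetClassFileOrMime, AsyncInstallDistributionUnit, IsValidURL
> shell32.dll: StrRChrIW, SHFormatDrive, SHAppBarMessage
"""

IMAGE_BASE = 0x400000   # assumed: the usual preferred base of a 32-bit EXE
PACKED_ENTROPY = 7.0    # assumed threshold; compiled code usually sits ~5-6.5
# Assumed list: APIs that let a small stub fetch a second stage over HTTP.
DOWNLOADER_APIS = {"URLOpenStreamA", "URLOpenStreamW", "URLDownloadToFileA",
                   "URLDownloadToFileW", "InternetOpenUrlA", "InternetOpenUrlW"}

SECTION_RE = re.compile(
    r"^(\.\w+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+([\d.]+)\s+([0-9a-f]{32})\s*$",
    re.M)
IMPORT_RE = re.compile(r"^> ([\w.]+): (.+)$", re.M)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random
    bytes. This is the 'ntrpy' column; packed/encrypted sections sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_timestamp(hex_ts: str) -> str:
    """PE TimeDateStamp is seconds since the Unix epoch, interpreted as UTC."""
    ts = datetime.fromtimestamp(int(hex_ts, 16), tz=timezone.utc)
    return ts.strftime("%a %b %d %H:%M:%S %Y")


def parse_report(text: str) -> dict:
    """Pull entry point, timestamp, section table and imports out of the
    VirusTotal-style text block."""
    entry = int(re.search(r"entrypointaddress\.*:\s*(0x[0-9a-f]+)", text).group(1), 16)
    timestamp = re.search(r"timedatestamp\.*:\s*(0x[0-9a-f]+)", text).group(1)
    sections = [
        {"name": m[0], "va": int(m[1], 16), "vsize": int(m[2], 16),
         "rawsize": int(m[3], 16), "entropy": float(m[4]), "md5": m[5]}
        for m in SECTION_RE.findall(text)
    ]
    imports = {dll: funcs.split(", ") for dll, funcs in IMPORT_RE.findall(text)}
    return {"entry": entry, "timestamp": timestamp,
            "sections": sections, "imports": imports}


def triage(report: dict) -> dict:
    """Apply the by-eye heuristics an analyst uses on a section/import table."""
    secs = report["sections"]
    packed = [s["name"] for s in secs if s["entropy"] >= PACKED_ENTROPY]
    # vsize > rawsize: the loader zero-fills the difference, giving an
    # unpacker room to write into without those bytes existing on disk.
    grows = [s["name"] for s in secs if s["vsize"] > s["rawsize"]]
    rva = report["entry"] - IMAGE_BASE
    entry_sec = next((s["name"] for s in secs
                      if s["va"] <= rva < s["va"] + s["vsize"]), None)
    imported = {f for funcs in report["imports"].values() for f in funcs}
    dlls = {d.lower() for d in report["imports"]}
    return {
        "packed_sections": packed,
        "grows_in_memory": grows,
        "entry_section": entry_sec,
        "entry_in_packed": entry_sec in packed,
        "downloader_apis": sorted(imported & DOWNLOADER_APIS),
        # A packed stub resolves its real API set at run time, so the static
        # import table is tiny and often lacks kernel32.dll entirely.
        "missing_kernel32": "kernel32.dll" not in dlls,
        "import_count": len(imported),
    }


if __name__ == "__main__":
    rep = parse_report(REPORT)
    print("compiled:", decode_timestamp(rep["timestamp"]), "UTC")
    for key, value in triage(rep).items():
        print(f"{key:18} {value}")
```

Running it on the report above reproduces the timestamp VirusTotal printed (Fri Jul 11 14:18:03 2008) and flags .text, .rdata and .data as packed and growing in memory, with execution starting inside packed .text and URLOpenStreamA as the only download-capable import out of 17. None of this replaces running the sample, but it is enough to classify the file as a packed downloader before spending time in a debugger.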

One Response to More Trojans hiding behind false celebrity videos

  1. evilcodecave says:

    Hello,

    Nice to see another Malware Analysis Blog!

    Keep it updated!!!

    Regards,
    Giuseppe ‘Evilcry’ Bonfa’
