New Celebrity Spam – Fake Security Product Installed (AV XP 2008)

August 28, 2008

This morning the celebrity spam campaign continued with a few new fake video codec sites delivering a downloader Trojan designed to install a fake security product known as AntiVirus XP 2008. It is now apparent that a number of these spam campaigns exist solely to distribute this one fake security product. The downloaded file is called video99.exe or video66.exe, varying with the email message and the site used (the HTML page names often correspond to the binary served: index99.html, index66.html, etc.).

Some of the subject lines used in this particular spam campaign are:

“John McCain to Paris Hilton: Cosmo, baywatch!”

“Britney Spears Shaves Head at Request of Zombie Overlord”


Fake Windows XP Vista Update – Installs AV XP 2008

August 28, 2008

This morning the AV XP 2008 spammers were at it again with another round of spam messages claiming to offer an update for Microsoft Windows Vista (we have seen similar attacks before offering false updates). When the user clicks the link, however, he/she is directed to a malicious .swf that downloads install.exe, which is essentially a downloader Trojan designed to install AV XP 2008.

File size: 203776 bytes
MD5…: 0f44ed00c0b67d9e5062b8e2c3574345
SHA1..: 4d9b42bbd950ea0c253a483ea2db3f888055c1c6
SHA256: e5885411c5ab7dbf2846b3b0606f6b294bbc9203ec8065d13560470ceab07c07
SHA512: b1b437a2df0023e1af019e6a06c31d298063f156819ea5b1de4047ad5766c6f8
00db13161056c7db223737cfc8fe00ce58d7756ebe33e4042627d6c9fbee8a6f
PEiD..: –
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)


Statement of Fees Malspam Campaign (AV XP 2008)

August 28, 2008

A couple of minutes ago another round of spam messages appeared claiming to provide information about a statement of fees recently posted (alluding to bank account fees). The message carried an attachment posing as a Microsoft Word document that is actually an executable (Fees-2008_2009.doc.exe) which installs a Trojan downloader; with the default Windows setting of hiding extensions for known file types, the name is displayed as Fees-2008_2009.doc.

Further analysis shows that, once installed, the Trojan connects to a PHP page hosted on a Russian domain to obtain a list of possible download sites for the AntiVirus XP 2008 installer. The actual URLs are contained within that script; the file downloaded is lspr.exe (MD5 ffccd0518b04354532c733674c0faa00), identified as Adware/AVXP2008.
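A mail-gateway style check for the double-extension trick used by Fees-2008_2009.doc.exe, added here as an example (not code from the original post): it peels the extensions off an attachment name, blocks anything Windows would execute on double-click, and reports what Explorer would display with its default "hide extensions for known file types" setting. The extension lists, function names and the sample names other than Fees-2008_2009.doc.exe and stream.exe are my own constructions.

```python
"""Flag attachments that disguise an executable as a document.

Added example, not code from the original post. Sample names other than
Fees-2008_2009.doc.exe and stream.exe (both named on this page) are constructed.
"""
import os

# Extensions Windows runs directly on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".msi"}
# Extensions a recipient expects to open harmlessly in a viewer.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".txt", ".jpg", ".avi", ".wmv"}


def split_extensions(name):
    """Return every extension of a filename, outermost last: 'a.doc.exe' -> ['.doc', '.exe'].

    Surrounding whitespace and stray trailing dots are removed so that
    'Fees.doc   .exe' still yields ['.doc', '.exe']; comparison is case-insensitive.
    """
    base = name.strip().rstrip(".")
    exts = []
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            break
        exts.insert(0, ext.strip().lower())
    return exts


def displayed_name(name):
    """Approximate what Explorer shows with 'Hide extensions for known file types' on."""
    root, ext = os.path.splitext(name.strip())
    if ext.strip().lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return root          # a registered extension is hidden; '.doc.exe' shows as '.doc'
    return name.strip()


def classify_attachment(name):
    """Return (verdict, reason) for one attachment filename."""
    exts = split_extensions(name)
    if not exts:
        return ("allow", "no extension")
    outer = exts[-1]          # the extension Windows actually acts on
    if outer in EXECUTABLE_EXTS:
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
            return ("block", f"executable {outer} disguised as {exts[-2]} document")
        return ("block", f"executable attachment {outer}")
    return ("allow", f"non-executable {outer}")


def scan_attachments(names):
    """Apply the policy to a batch of attachment names; return the blocked ones with reasons."""
    return {n: r for n, (v, r) in ((n, classify_attachment(n)) for n in names) if v == "block"}


# Constructed sample batch: two names from the posts above, the rest made up.
SAMPLE_ATTACHMENTS = [
    "Fees-2008_2009.doc.exe",     # the Statement of Fees attachment
    "stream.exe",                 # the Paris Hilton 'video'
    "Fees-2008_2009.DOC   .EXE",  # case and padding variations of the same trick
    "Statement-2008.pdf",         # benign
    "README",                     # no extension at all
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(f"{name!r:30} shown as {displayed_name(name)!r:26} -> {classify_attachment(name)}")
```

The check deliberately keys on the outermost extension only: a recipient sees the inner ".doc", but the shell dispatches on ".exe", so that is the extension the policy has to trust.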


New Fake Video Site distributing AV XP 2008

August 27, 2008

Spammers continued their efforts today with another round of celebrity-oriented spam designed to entice users into watching a non-existent video. The fake video site exhibits the same behavior seen in the CNN and MSNBC spam attacks covered earlier this month: a popup message claims that the ActiveX movie control is out of date and that the user must install an update to view the video.

The executable the user is pushed into downloading and installing is named install.exe and is classified as a malicious Trojan, Trj/Exchanger (this particular threat installs AntiVirus XP 2008). It is apparent that the spammers are very interested in getting a large number of users to install and use false security products such as AV XP 2008 and its variants in order to generate revenue.


Fake Nero Anti-Virus Pro 2009 (AV XP 2008)

August 25, 2008

This morning we detected another spam campaign aimed at enticing users into downloading and executing a file they believe to be a six-month trial of a product called “Anti-Virus Nero Advanced Pro 2009”. On closer analysis the file is actually a variant of the rogue antivirus application known as AV XP 2008, which has been seen in earlier attacks this month.

Looking further, it appears that the same group behind the attacks delivering the fake CNN Alerts and MSNBC alerts could also be behind this latest round. Over the last couple of weeks a large number of emails have been sent that, in one way or another, installed AV XP 2008 (e.g. the fake IE update, some of the CNN alerts, the celebrity videos).

File size: 194560 bytes
MD5…: 7d9aabd47d2e6253dda74bcb46782007
SHA1..: c1914bf80e9fcff154672254f5c1ca3ce116f869
SHA256: b7bfa0f8e1932f83a746d0f7db131460ccd92b8a0c248d8d3bc0894bf015c39d
SHA512: e802598191365c28be0f94e2aff2cae2e715cd372f8b057115af630240286c08
32f4cb7c834b306e0c501b66252eb7e44862ea8f1731c5ad36401c27be52100d


Celebrity Spam out of control

August 22, 2008

We have been tracking a number of spam messages over the last couple of days pertaining to celebrities involved in a number of odd and unexplained activities. The binary delivered in this latest spam run involving Paris Hilton is stream.exe, hidden behind a link meant to lure the user into executing it; the user expects to view a video but actually gets a Trojan. stream.exe is identified as a variant of Trj/Exchanger:

File size: 78848 bytes
MD5…: a3aec9130af6f69c715dc6eb89949079
SHA1..: 57049307751ccdd5c870195ed2ae9f6efd0423ba
SHA256: 686ef0819874b2ecacab497e2c818e0e801fc42a920068a33e415dd1801a0c3f
SHA512: be98df1cea7a840b3bc46e3512ceeea5ad94b9af8b04ccf1ecf54de41b0036f4
cb130a9d613aa7f0d0ce96a23dec5410e73ec76cdc795a5528ea1d6dc261d5f1


Fake Anti-Virus Spam

August 21, 2008

This morning we detected another malspam campaign, this time delivering the rogue anti-virus application XP AntiVirus 2008. This application has been used numerous times before as the malspam payload to infect users and has been seen in some of the CNN alerts, the MSNBC alerts, the IE 7.0 attack, etc. The idea is to trick users into executing the setup application which, once installed, prompts the user with popups informing them they need to upgrade to the professional version, backed by fake information about threats found.

File size: 187904 bytes
MD5…: 1b5d201be2f98b55b160e53ffc25f984
SHA1..: 1cd25f2906147536ab2901f20c85cfea25b67c0d
SHA256: af881a4dabb768d42ce40e44aa4903c25d3b9bc2d548fcb81f3ef225ee962a01
SHA512: a7c9497584017b5219d23fab7e6aebf99229c4f3a678a865647280afdcab94d5
e1dbd3a700e47c26d413c6c20f6f48a6d3f95a2956a0a23ac6bf7a6d34d8d45d
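The hash blocks quoted in these posts are pasted in the VirusTotal report layout, with each SHA512 digest wrapped across two lines. The following is an added example (not code from the original posts) that parses that layout into an IOC set, adds the lspr.exe MD5 quoted in the Statement of Fees post, and sweeps a set of files against it. The hash values are the ones listed on this page; because the real binaries cannot be shipped with a blog post, the scanned files are constructed in memory and a stand-in sample's digests are added to the set so that a hit can be shown. Function and variable names are mine.

```python
"""Parse the VirusTotal-style hash blocks quoted in these posts and sweep files against them.

Added example, not code from the original posts. Hash values are those listed
on the page; scanned files are constructed in memory so this runs offline.
"""
import hashlib
import re

# Two blocks copied from the posts above (the SHA512 digest is wrapped onto two
# lines there) plus the single lspr.exe MD5 quoted in the Statement of Fees post.
IOC_TEXT = """\
File size: 78848 bytes
MD5…: a3aec9130af6f69c715dc6eb89949079
SHA1..: 57049307751ccdd5c870195ed2ae9f6efd0423ba
SHA256: 686ef0819874b2ecacab497e2c818e0e801fc42a920068a33e415dd1801a0c3f
SHA512: be98df1cea7a840b3bc46e3512ceeea5ad94b9af8b04ccf1ecf54de41b0036f4
cb130a9d613aa7f0d0ce96a23dec5410e73ec76cdc795a5528ea1d6dc261d5f1

File size: 187904 bytes
MD5…: 1b5d201be2f98b55b160e53ffc25f984
SHA1..: 1cd25f2906147536ab2901f20c85cfea25b67c0d
SHA256: af881a4dabb768d42ce40e44aa4903c25d3b9bc2d548fcb81f3ef225ee962a01
SHA512: a7c9497584017b5219d23fab7e6aebf99229c4f3a678a865647280afdcab94d5
e1dbd3a700e47c26d413c6c20f6f48a6d3f95a2956a0a23ac6bf7a6d34d8d45d

MD5: ffccd0518b04354532c733674c0faa00
"""

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Label, optional filler such as "…" or "..", a colon, then the (start of the) digest.
LABEL_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\W*:\s*([0-9a-fA-F]+)$")
CONT_RE = re.compile(r"^[0-9a-fA-F]+$")   # a bare hex line continues a wrapped digest


def parse_ioc_blocks(text):
    """Return {algorithm: set of lowercase hex digests} from VirusTotal-style report text.

    Bare-hex lines are appended to the digest currently being read; any other
    line (blank, 'File size:', TrID output) ends it, and every digest is length-checked.
    """
    iocs = {alg: set() for alg in HASH_LEN}
    pending = []            # [alg, hex] of the digest currently being assembled

    def flush():
        if pending:
            alg, hx = pending
            if len(hx) != HASH_LEN[alg]:
                raise ValueError(f"{alg} digest has {len(hx)} hex chars, expected {HASH_LEN[alg]}")
            iocs[alg].add(hx.lower())
            pending.clear()

    for raw in text.splitlines():
        line = raw.strip()
        m = LABEL_RE.match(line)
        if m:
            flush()
            pending[:] = [m.group(1).lower(), m.group(2)]
        elif pending and CONT_RE.match(line):
            pending[1] += line
        else:
            flush()
    flush()
    return iocs


def hash_bytes(data):
    """Digest one file's contents with every algorithm the IOC set covers."""
    return {alg: getattr(hashlib, alg)(data).hexdigest() for alg in HASH_LEN}


def match_iocs(files, iocs):
    """files: {name: bytes}. Return {name: [algorithms whose digest is a known IOC]}."""
    hits = {}
    for name, data in files.items():
        matched = [alg for alg, hx in hash_bytes(data).items() if hx in iocs[alg]]
        if matched:
            hits[name] = matched
    return hits


# Constructed stand-in for a quarantined sample: we cannot ship the real
# stream.exe, so this blob's digests are added to the IOC set for the demo.
STAND_IN_SAMPLE = b"MZ" + b"\x90" * 62 + b"constructed stand-in, not real malware"


def demo():
    """Sweep two constructed files; returns {filename: [algorithms that matched]}."""
    iocs = parse_ioc_blocks(IOC_TEXT)
    for alg, hx in hash_bytes(STAND_IN_SAMPLE).items():
        iocs[alg].add(hx)
    files = {"stream.exe": STAND_IN_SAMPLE, "notes.txt": b"nothing to see here"}
    return match_iocs(files, iocs)


if __name__ == "__main__":
    print(demo())
```

Length-checking each digest matters precisely because of the wrapped SHA512 lines: a parser that only reads the first line would silently load a 64-character fragment that can never match anything.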