Content Migration

September 25, 2008

Everyone,

The content of this blog is moving to http://pandalabs.pandasecurity.com. From this point on you can find new and interesting posts at http://pandalabs.pandasecurity.com or www.pandalabs.com.


New Celebrity Spam – Fake Security Product Installed (AV XP 2008)

August 28, 2008

This morning the celebrity spam campaign continued with a few new fake video codec sites delivering a downloader Trojan designed to install a fake security product known as AntiVirus XP 2008. It is now apparent that a number of these spam campaigns are interested solely in distributing this one particular fake security product. The downloaded file is called video99.exe or video66.exe, varying with the email message and the site used (the HTML page names often correspond to the binary used: index99.html, index66.html, etc.).

Some of the subject lines used in this particular spam campaign are:

“John McCain to Paris Hilton: Cosmo, baywatch!”

“Britney Spears Shaves Head at Request of Zombie Overlord”


Statement of Fees Malspam Campaign (AV XP 2008)

August 28, 2008

A couple of minutes ago another round of spam messages appeared, claiming to provide information about a recently posted statement of fees (implying bank account fees). The message contained an attachment posing as a Microsoft Word document which is actually an executable (Fees-2008_2009.doc.exe) that installs a Trojan downloader.

Further analysis indicates that, once installed, the Trojan connects to a PHP page hosted on a Russian domain to obtain several possible sites from which to download the installer for AntiVirus XP 2008. The actual URLs are contained within this script; the file downloaded is lspr.exe (MD5 ffccd0518b04354532c733674c0faa00) and is identified as Adware/AVXP2008.
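The double-extension trick described above (a document name ending in .exe) is easy to catch at the mail gateway before a user ever sees the attachment. The following is an added example, not PandaLabs' code: it parses a MIME message with Python's standard email library, inspects every attachment's name and first bytes, and returns the reasons it should be quarantined. The message it scans is constructed here; its attachment is a two-byte "MZ" stub padded with zeros, not a real binary.

```python
"""Flag executable attachments that hide behind a document extension, as in
the 'Statement of Fees' lure (Fees-2008_2009.doc.exe).

Added example, not PandaLabs' code. The sample message is constructed here and
its attachment is a two-byte 'MZ' stub padded with zeros, not a real binary.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

DOCUMENT_EXT = {"doc", "docx", "xls", "pdf", "txt", "jpg", "htm", "html"}
EXECUTABLE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "lnk"}


def attachment_findings(filename: str, content: bytes):
    """Return reasons an attachment should be quarantined (empty if none)."""
    parts = filename.lower().split(".")
    last = parts[-1] if len(parts) > 1 else ""
    out = []
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXT and last in EXECUTABLE_EXT:
        out.append(f"{filename}: document extension masks an executable ({last})")
    elif last in EXECUTABLE_EXT:
        out.append(f"{filename}: executable attachment ({last})")
    # Content check catches the reverse trick: a PE renamed to look like a document.
    if content[:2] == b"MZ" and last not in EXECUTABLE_EXT:
        out.append(f"{filename}: starts with a PE 'MZ' header despite its name")
    return out


def scan_message(raw: bytes):
    """Parse a raw RFC 5322 message and check each attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings += attachment_findings(name, part.get_payload(decode=True) or b"")
    return findings


def build_sample_message() -> bytes:
    """Constructed lure shaped like the statement-of-fees spam (addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "accounts@bank.example"
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "Statement of fees"
    msg.set_content("Your statement of fees for 2008/2009 is attached.")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="msword", filename="Fees-2008_2009.doc.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding)
```

The name check alone would miss a PE that is simply renamed to .pdf, which is why the first two bytes are inspected as well; a gateway that only trusts the declared Content-Type would be fooled by the application/msword label the lure carries.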


Fake Nero Anti-Virus Pro 2009 (AV XP 2008)

August 25, 2008

This morning we detected another spam campaign with the aim of enticing users into downloading and executing a file they believe is a 6-month trial of a product called “Anti-Virus Nero Advanced Pro 2009”. On further analysis the file is actually a variant of the rogue antivirus application known as AV XP 2008, which has been seen in earlier attacks this month.

Looking at this further, it appears the same group behind the attacks that delivered the fake CNN Alerts and MSNBC alerts could also have been behind this latest round. Over the last couple of weeks a large number of emails have been sent that to some degree installed AV XP 2008 (e.g. the fake I.E. Update, some of the CNN alerts, celebrity videos).

File size: 194560 bytes
MD5...: 7d9aabd47d2e6253dda74bcb46782007
SHA1..: c1914bf80e9fcff154672254f5c1ca3ce116f869
SHA256: b7bfa0f8e1932f83a746d0f7db131460ccd92b8a0c248d8d3bc0894bf015c39d
SHA512: e802598191365c28be0f94e2aff2cae2e715cd372f8b057115af630240286c0832f4cb7c834b306e0c501b66252eb7e44862ea8f1731c5ad36401c27be52100d


Fake IE 7.0 Update: Full Analysis

August 7, 2008

Antivirus XP 2008 is currently detected on 1.68% of all PCs scanned and is ranked 3rd among active malware. The application causes extreme annoyance and system performance degradation, mainly through pop-up messages, registry keys and spawning a large volume of files.
 
The unfortunate part for end users is that the delivery vector for this application is false Google sponsored links and maliciously influenced search results. In other words, the user believes he is downloading an application to fix threats that a web page claimed to have detected on his PC; the after-effects are quite similar to the behavioral traits of other parasites (system resource consumption, pop-up messages, browser hijacking, etc.).

The analysis method used for capturing these behavioral traits is an automatic sandbox that records application behavior.
 
Here is the full analysis of the application in terms of behavioral traits on the system (process, file and registry activity):
 
MD5 Hash: ef99ebb8e1699733b3bd1de7de2a0da1
Main Process: file.exe
 
Spawned Processes:
 
C:\WINDOWS\System32\WScript.exe C:\Documents and Settings\Owner\Local Settings\Temp\.tt7.tmp.vbs
C:\Documents and Settings\Owner\Local Settings\Temp\.tt11.tmp /AID=e354dd6a773d899336c058fb89fce801
wscript //B C:\DOCUME~1\Owner\LOCALS~1\Temp\pin.vbs C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 Antivirus XP 2008.lnk
wscript //B C:\DOCUME~1\Owner\LOCALS~1\Temp\pin.vbs C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 Register Antivirus XP 2008.lnk
C:\WINDOWS\system32\cmd.exe /c bgjm.bat C:\Documents and Settings\Owner\Local Settings\Temp\.tt11.tmp
C:\Program Files\rhce37j0ep3a\rhce37j0ep3a.exe
C:\WINDOWS\system32\pphca37j0ep3a.exe

Registry Activity:

HKEY_LOCAL_MACHINE\Software\rhce37j0ep3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\rhce37j0ep3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirXP08

File Activity (created files):
 
C:\WINDOWS\system32\blphca37j0ep3a.scr
C:\Documents and Settings\Owner\Local Settings\Temp\.tt11.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\nsh19.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\nsx1B.tmp\MachineKey.dll
C:\DOCUME~1\Owner\LOCALS~1\Temp\nsx1B.tmp\update.ini
C:\DOCUME~1\Owner\LOCALS~1\Temp\nsx1B.tmp\lastpage.ini
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk 
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Program Files\rhce37j0ep3a\rhce37j0ep3a.exe
C:\Program Files\rhce37j0ep3a\database.dat
C:\Program Files\rhce37j0ep3a\msvcp71.dll
C:\Program Files\rhce37j0ep3a\MFC71.dll
C:\Program Files\rhce37j0ep3a\MFC71ENU.DLL
C:\Program Files\rhce37j0ep3a\msvcr71.dll
C:\Program Files\rhce37j0ep3a\license.txt
C:\Program Files\rhce37j0ep3a\rhce37j0ep3a.exe.local
C:\DOCUME~1\Owner\LOCALS~1\Temp\pin.vbs
C:\Program Files\rhce37j0ep3a\Uninstall.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\nsx1B.tmp\KillSelf.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\Owner\Local Settings\Temp\.tt11.tmp
C:\WINDOWS\system32\pphca37j0ep3a.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\compress.dat
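A report like the one above is most useful when it is turned into something a responder can act on: which artefacts give the rogue application persistence or keep it in the user's face, and which other artefacts share the installer's random-looking directory name so that one indicator found on a host pivots to the rest. The following is an added example, not the sandbox's own tooling or PandaLabs' code. It parses the three report sections, applies a few persistence heuristics, and groups artefacts by random-looking tokens; the report text embedded in it is a constructed subset of the lines quoted in the post, and the rules and the "random name" test are assumptions chosen for this sample.

```python
"""Triage a behavioural sandbox report (process / registry / file lines).

Added example, not the sandbox's own tooling. It parses the three report
sections, tags artefacts that give the rogue application persistence or
visibility, and groups every artefact sharing a random-looking name so one
indicator can be pivoted to the rest.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the sandbox output quoted in the post above.
REPORT = r"""
Spawned Processes:
C:\WINDOWS\System32\WScript.exe C:\Documents and Settings\Owner\Local Settings\Temp\.tt7.tmp.vbs
C:\WINDOWS\system32\cmd.exe /c bgjm.bat C:\Documents and Settings\Owner\Local Settings\Temp\.tt11.tmp
C:\Program Files\rhce37j0ep3a\rhce37j0ep3a.exe
C:\WINDOWS\system32\pphca37j0ep3a.exe
Registry Activity:
HKEY_LOCAL_MACHINE\Software\rhce37j0ep3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\rhce37j0ep3a
File Activity (created files):
C:\WINDOWS\system32\blphca37j0ep3a.scr
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Program Files\rhce37j0ep3a\rhce37j0ep3a.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\pin.vbs
"""

SECTIONS = {
    "Spawned Processes": "process",
    "Registry Activity": "registry",
    "File Activity (created files)": "file",
}

# (section, pattern, tag): heuristics (assumptions) for behaviour a rogue AV
# installer shows when it makes itself resident or visible to the user.
RULES = [
    ("file", re.compile(r"\\(Desktop|Quick Launch|Start Menu)\\.*\.lnk$", re.I),
     "shortcut planted in a user-visible launch location"),
    ("file", re.compile(r"\\system32\\[^\\]+\.scr$", re.I),
     "screensaver executable dropped into system32"),
    ("process", re.compile(r"(?:^|\\)(wscript|cscript|cmd)(\.exe)?\b.*\\Temp\\", re.I),
     "script interpreter launched on a file in Temp"),
    ("registry", re.compile(r"\\CurrentVersion\\Uninstall\\", re.I),
     "Add/Remove Programs entry registered"),
]

# Assumed shape of installer-generated names: 10-16 lowercase alphanumerics
# mixing at least three letters and three digits (e.g. rhce37j0ep3a).
TOKEN_RE = re.compile(r"\b[a-z0-9]{10,16}\b")


def looks_random(token: str) -> bool:
    digits = sum(ch.isdigit() for ch in token)
    return digits >= 3 and len(token) - digits >= 3


def parse_report(text: str):
    """Return (section, line) pairs, skipping headers and blank lines."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = line.rstrip(":")
        if header in SECTIONS:
            section = SECTIONS[header]
            continue
        if section:
            entries.append((section, line))
    return entries


def triage(text: str):
    """Tag persistence artefacts and group artefacts by shared random-looking token."""
    persistence = []
    pivots = defaultdict(list)
    for section, line in parse_report(text):
        for rule_section, pattern, tag in RULES:
            if section == rule_section and pattern.search(line):
                persistence.append((tag, line))
        for token in set(TOKEN_RE.findall(line)):
            if looks_random(token):
                pivots[token].append((section, line))
    return {"persistence": persistence, "pivots": dict(pivots)}


if __name__ == "__main__":
    result = triage(REPORT)
    for tag, line in result["persistence"]:
        print(f"[{tag}] {line}")
    for token, hits in result["pivots"].items():
        print(f"pivot {token}: {len(hits)} related artefact(s)")
```

On the sample, the directory name rhce37j0ep3a links the Program Files executable to both registry keys, so finding any one of them on a host is enough to sweep for the others; the separately named system32 executable and screensaver would not be found by that pivot and need their own indicators.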


Christian Bale and Paris Hilton Spam

August 3, 2008

This morning some more spam messages appeared using the subject line “Christian Bale Agrees to Next Batman Film”. With the record-breaking success of Batman: The Dark Knight, some users may actually open the message and click the link within the body. The body text is even more interesting: it claims that a hostile takeover occurred at the Hilton hotel chain that forced Paris Hilton off the board (something that could be believable).

This is a continuation of legitimate websites being hacked to host the codec-based malware, with a similar executable name that loads when the page is visited. The URL contained in the message loads get_flash_update.exe. To make each executable unique, small byte changes are likely being made to spawn new malware variants.


The site hacked:

http://www.virustotal.com/analisis/c78bb5bf186922c7422d701a490ea032

File size: 74752 bytes
MD5...: 826d8bf46dae92264827c27886cc619a
SHA1..: cc7c1fba4336d9d40105631e1c2ada90cc52cdae
SHA256: 8d8da63fbdaf7669493b3d2c541ca3123425a3720fb234dac501238c0ede57be
SHA512: eeb3872990a7121d2ff89f57b978ec38930ba7e9963621d7c406a036616bc141041d09a9fac9881362c94ab59a131a556a2984f32552b8091d933563a0711f5c
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x402478
timedatestamp.....: 0x48906aef (Wed Jul 30 13:21:51 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name    viradd   virsiz   rawdsiz  ntrpy  md5
.text   0x1000   0xd8e5   0xbc00   8.00   d61d03c3db26a141fed348c71d312881
.rdata  0xf000   0x3929   0x2200   7.98   112527e7fd66706dac97d8b2403a3fcd
.data   0x13000  0x2dd2   0x600    7.87   34c7b63bbb6bf98fc3b7563572896954
.rsrc   0x16000  0x5000   0x3000   6.42   315be9e2026e1d72c1e8a8f671fa78f7

( 3 imports )
> WININET.DLL: GopherFindFirstFileA, GopherOpenFileW, FtpGetFileW, FreeUrlCacheSpaceA, HttpQueryInfoA
> USER32.DLL: DrawIcon, DestroyCaret, FillRect, GetActiveWindow, GetMonitorInfoW, GetShellWindow
> ADVAPI32.DLL: ReportEventW, RegFlushKey, DecryptFileW, ReadEventLogW, OpenThreadToken

( 0 exports )


Angelina Jolie Spam

July 30, 2008

This morning I discovered a very interesting email in one of our spam sensors in the US. The message claims to show the viewer a nude video of Angelina Jolie; however, the link directs you to a website hosting a malicious Trojan.

http://www.virustotal.com/analisis/73bed1ec0c96beaa59fc9abb7f9ad01f

File size: 148992 bytes
MD5...: a7e316a7ebc0a90f1d278d63f500e79f
SHA1..: 454fa925c9c1de565e463b4763f8faee4376df94
SHA256: 1bdc9ff03f7910d24d86871d4ea9a3c1552862bfe2eaf26d2074b4098a249656
SHA512: 394d073de2bbddc427f618dc76566ceafc1df88aed296eca63a5f6e617c803272e87bea78a7a8288e17edac26ab1015719e258496a5a48df35c6bc654abf5fd8
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401b4e
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 3 sections )
name    viradd   virsiz   rawdsiz  ntrpy  md5
.text   0x1000   0x29000  0x1000   5.40   f234efda261d13d094fdac23c9cdbdd2
.data   0x2a000  0x23000  0x22800  7.78   284c37f82871fbc931d83b2b56ef9a00
.idata  0x4d000  0x1000   0xa00    4.61   bb5a25aa473903b9f4c49879669f77ea

( 4 imports )
> KERNEL32.dll: WritePrivateProfileStringW, GetLastError, GetSystemTime, SetEndOfFile, CallNamedPipeA, SetConsoleTitleA, VirtualProtect, WriteFileEx, Process32FirstW, ReadConsoleOutputCharacterW, SetConsoleMode, OpenJobObjectA, FlushViewOfFile
> USER32.dll: SetCursor, SetLayeredWindowAttributes, WINNLSGetIMEHotkey, FindWindowExA, InSendMessage, SetCursorPos, WaitForInputIdle, GetClipboardFormatNameA, LoadCursorFromFileW, GetThreadDesktop, SetClipboardViewer, SetDeskWallpaper, SetProgmanWindow, IsDialogMessage, EndDeferWindowPos, ShowScrollBar, WCSToMBEx, LoadAcceleratorsA, UpdateLayeredWindow, RegisterWindowMessageW, ScrollWindowEx, GetDialogBaseUnits, ModifyMenuW, CheckDlgButton, CreateWindowExW, OpenWindowStationA, ToUnicode, BlockInput, wsprintfA, GetMouseMovePointsEx, SendMessageTimeoutA, GetLastInputInfo, DlgDirSelectExW, DdeQueryStringA, ClientToScreen, IsCharAlphaNumericA
> GDI32.dll: GetKerningPairsW, ExtTextOutW, XLATEOBJ_cGetPalette, CreateBitmap, GdiCreateLocalMetaFilePict, EngComputeGlyphSet, WidenPath, GetStringBitmapA, PolyTextOutA, ScaleWindowExtEx, FlattenPath, EngDeleteSurface, SelectClipRgn, SetMapperFlags, GetCurrentPositionEx, ExtCreatePen, CreatePalette
> COMDLG32.dll: PageSetupDlgW, WantArrows, ReplaceTextW, PrintDlgW, GetSaveFileNameA, GetOpenFileNameA, ChooseColorW, LoadAlterBitmap, PrintDlgExA, ChooseFontW
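The PE structure blocks in the Christian Bale and Angelina Jolie posts above carry three facts worth reading before any dynamic analysis: per-section entropy (the ntrpy column, where 8.00 for a .text section means the code is compressed or encrypted), the gap between a section's virtual and raw size (the Jolie sample's .text reserves 0x29000 bytes but ships 0x1000, the footprint of code unpacked at run time), and the link timestamp (0x2a425e19 decodes to June 1992, implausible for a sample first seen in July 2008). The following is an added example, not VirusTotal's or PandaLabs' code, serving both posts: it implements the entropy measure, decodes the timestamps, and applies rule-of-thumb thresholds (labelled as assumptions) to the two section tables transcribed from the page. The observation dates are the post dates.

```python
"""Static triage of PE header facts of the kind VirusTotal reports list:
section virtual/raw sizes, per-section entropy and the link timestamp.

Added example, not VirusTotal's or PandaLabs' code. The thresholds are
assumptions: entropy near 8 bits/byte means compressed or encrypted bytes, a
code section whose virtual size dwarfs its raw size is a staging area a packer
fills at run time, and a link timestamp far from first observation is suspect.
"""
import math
from collections import Counter
from datetime import datetime, timezone

PACKED_ENTROPY = 7.0            # assumption: rule-of-thumb threshold (max is 8.0)
SIZE_RATIO = 4                  # assumption: virtual/raw ratio worth flagging for .text
EARLIEST_PLAUSIBLE_YEAR = 1995  # assumption: no real build of this era predates it


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0..8.0; this is the 'ntrpy' column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_pe_timestamp(ts: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def section_findings(name, virt_size, raw_size, entropy):
    out = []
    if entropy >= PACKED_ENTROPY:
        out.append(f"{name}: entropy {entropy:.2f} indicates packed or encrypted content")
    # Only code sections are checked: .data/.bss legitimately reserve zero-filled space.
    if name.lower() == ".text" and virt_size > SIZE_RATIO * max(raw_size, 1):
        out.append(f"{name}: virtual size 0x{virt_size:x} far exceeds raw size "
                   f"0x{raw_size:x} (space for code unpacked at run time)")
    return out


def timestamp_findings(ts: int, observed_unix: int):
    built, seen = decode_pe_timestamp(ts), decode_pe_timestamp(observed_unix)
    out = []
    if built > seen:
        out.append(f"link timestamp {built:%Y-%m-%d %H:%M:%S} is after first observation")
    if built.year < EARLIEST_PLAUSIBLE_YEAR:
        out.append(f"link timestamp {built:%Y-%m-%d} predates plausible tooling; likely forged")
    return out


def triage_sample(sections, timestamp, observed_unix):
    """sections: (name, virtual size, raw size, entropy) tuples as in the reports."""
    findings = []
    for name, virt, raw, ent in sections:
        findings += section_findings(name, virt, raw, ent)
    findings += timestamp_findings(timestamp, observed_unix)
    return findings


# Section tables transcribed from the two posts (virsiz, rawdsiz, ntrpy).
BALE_SECTIONS = [(".text", 0xd8e5, 0xbc00, 8.00), (".rdata", 0x3929, 0x2200, 7.98),
                 (".data", 0x2dd2, 0x600, 7.87), (".rsrc", 0x5000, 0x3000, 6.42)]
JOLIE_SECTIONS = [(".text", 0x29000, 0x1000, 5.40), (".data", 0x23000, 0x22800, 7.78),
                  (".idata", 0x1000, 0xa00, 4.61)]
BALE_OBSERVED = 1217721600   # 2008-08-03 00:00 UTC, the post date
JOLIE_OBSERVED = 1217376000  # 2008-07-30 00:00 UTC, the post date

if __name__ == "__main__":
    for label, secs, ts, seen in (("Bale", BALE_SECTIONS, 0x48906aef, BALE_OBSERVED),
                                  ("Jolie", JOLIE_SECTIONS, 0x2a425e19, JOLIE_OBSERVED)):
        print(label, "built", decode_pe_timestamp(ts).strftime("%Y-%m-%d %H:%M:%S"))
        for finding in triage_sample(secs, ts, seen):
            print("  -", finding)
```

The two samples trip different rules: the Bale binary has a fresh, believable timestamp but every non-resource section sits at the entropy ceiling, while the Jolie binary has low-entropy .text that is almost all reserved space plus a 1992 timestamp, both consistent with a packer stub that decompresses the real payload from .data.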