This morning some more Spam messages appeared using the subject line of “Christian Bale Agrees to Next Batman Film“. Obviously with the record breaking success of Batman the Dark Night, some users may actually open the message and click the link within the body. The body of the text is even more interesting in which it claims that a hostile takeover occurred with the Hilton hotel chain that forced Paris Hilton off the board (something that could be believable).
This is a continuation of real web-sites being hacked to host the codec based malware with the similar executable name that loads when the page is visited. The URL contained in the message will load the get_flash_update.exe. To make the executable unique small byte changes are likely occurring to spawn new malware.
The site hacked:
http://www.virustotal.com/analisis/c78bb5bf186922c7422d701a490ea032
File size: 74752 bytes
MD5…: 826d8bf46dae92264827c27886cc619a
SHA1..: cc7c1fba4336d9d40105631e1c2ada90cc52cdae
SHA256: 8d8da63fbdaf7669493b3d2c541ca3123425a3720fb234dac501238c0ede57be
SHA512: eeb3872990a7121d2ff89f57b978ec38930ba7e9963621d7c406a036616bc141
041d09a9fac9881362c94ab59a131a556a2984f32552b8091d933563a0711f5c
PEiD..: –
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x402478
timedatestamp…..: 0x48906aef Wed Jul 30 13:21:51 2008
machinetype…….: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xd8e5 0xbc00 8.00 d61d03c3db26a141fed348c71d312881
.rdata 0xf000 0x3929 0x2200 7.98 112527e7fd66706dac97d8b2403a3fcd
.data 0x13000 0x2dd2 0x600 7.87 34c7b63bbb6bf98fc3b7563572896954
.rsrc 0x16000 0x5000 0x3000 6.42 315be9e2026e1d72c1e8a8f671fa78f7
( 3 imports )
> WININET.DLL: GopherFindFirstFileA, GopherOpenFileW, FtpGetFileW, FreeUrlCacheSpaceA, HttpQueryInfoA
> USER32.DLL: DrawIcon, DestroyCaret, FillRect, GetActiveWindow, GetMonitorInfoW, GetShellWindow
> ADVAPI32.DLL: ReportEventW, RegFlushKey, DecryptFileW, ReadEventLogW, OpenThreadToken
( 0 exports )