New Celebrity Spam – Fake Security Product Installed (AV XP 2008)

August 28, 2008

This morning the Celebrity spam campaign continued with a few new fake video codec sites delivering a downloader Trojan designed to install a fake security product known as AntiVirus XP 2008. It’s now apparent that a number of these spam campaigns exist solely to distribute this one particular fake security product. The downloaded file is called video99.exe or video66.exe and varies depending on the email message and the site used (HTML page names often correspond to the binary used: index99.html, index66.html, etc.).

Some of the subject lines used in this particular spam campaign are:

“John McCain to Paris Hilton: Cosmo, baywatch!”

“Britney Spears Shaves Head at Request of Zombie Overlord”


Celebrity Spam out of control

August 22, 2008

We have been tracking a number of spam messages over the last couple of days pertaining to celebrities involved in a number of odd and unexplained activities. The binary delivered in this latest spam run involving Paris Hilton is stream.exe; the link is meant to lure the user into executing the file hidden behind it, so a user who thinks he/she will be viewing a video is actually getting a Trojan. Stream.exe is identified as a variant of Trj/Exchanger:

File size: 78848 bytes
MD5: a3aec9130af6f69c715dc6eb89949079
SHA1: 57049307751ccdd5c870195ed2ae9f6efd0423ba
SHA256: 686ef0819874b2ecacab497e2c818e0e801fc42a920068a33e415dd1801a0c3f
SHA512: be98df1cea7a840b3bc46e3512ceeea5ad94b9af8b04ccf1ecf54de41b0036f4

Christian Bale and Paris Hilton Spam

August 3, 2008

This morning some more spam messages appeared using the subject line “Christian Bale Agrees to Next Batman Film”. Obviously, with the record-breaking success of Batman: The Dark Knight, some users may actually open the message and click the link in the body. The body text is even more interesting: it claims that a hostile takeover at the Hilton hotel chain forced Paris Hilton off the board (something that could be believable).

This is a continuation of legitimate websites being hacked to host the codec-based malware, with a similar executable name that loads when the page is visited. The URL contained in the message loads get_flash_update.exe. To make each executable unique, small byte changes are likely being made to spawn new malware variants.


The site hacked:

File size: 74752 bytes
MD5: 826d8bf46dae92264827c27886cc619a
SHA1: cc7c1fba4336d9d40105631e1c2ada90cc52cdae
SHA256: 8d8da63fbdaf7669493b3d2c541ca3123425a3720fb234dac501238c0ede57be
SHA512: eeb3872990a7121d2ff89f57b978ec38930ba7e9963621d7c406a036616bc141
PEiD: –
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x402478
timedatestamp: 0x48906aef Wed Jul 30 13:21:51 2008
machinetype: 0x14c (I386)

( 4 sections )
name    viradd   virsiz  rawdsiz  ntrpy  md5
.text   0x1000   0xd8e5  0xbc00   8.00   d61d03c3db26a141fed348c71d312881
.rdata  0xf000   0x3929  0x2200   7.98   112527e7fd66706dac97d8b2403a3fcd
.data   0x13000  0x2dd2  0x600    7.87   34c7b63bbb6bf98fc3b7563572896954
.rsrc   0x16000  0x5000  0x3000   6.42   315be9e2026e1d72c1e8a8f671fa78f7

( 3 imports )
> WININET.DLL: GopherFindFirstFileA, GopherOpenFileW, FtpGetFileW, FreeUrlCacheSpaceA, HttpQueryInfoA
> USER32.DLL: DrawIcon, DestroyCaret, FillRect, GetActiveWindow, GetMonitorInfoW, GetShellWindow
> ADVAPI32.DLL: ReportEventW, RegFlushKey, DecryptFileW, ReadEventLogW, OpenThreadToken

( 0 exports )
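The two hash lists above are the indicators a responder would check a suspect download against, and the section table is the kind of triage output that flags this sample as packed: entropy of 8.00 in .text and 7.98 in .rdata means those sections are essentially random bytes, which ordinary compiled code never is. The script below is an added example written for this post, not code from the original page or from any tool it quotes. It hashes a file, matches the digests against the MD5/SHA1/SHA256 values listed above, and walks the PE headers with the standard library only to reproduce the per-section columns (virtual address, sizes, entropy, MD5). The sample PE it builds for its own demonstration is constructed in the script and is not a real binary.

```python
import hashlib
import math
import struct
import sys

# MD5 / SHA1 / SHA256 values published in the posts above for stream.exe and
# get_flash_update.exe (SHA512 omitted because the page shows it truncated).
KNOWN_BAD_HASHES = {
    "a3aec9130af6f69c715dc6eb89949079",
    "57049307751ccdd5c870195ed2ae9f6efd0423ba",
    "686ef0819874b2ecacab497e2c818e0e801fc42a920068a33e415dd1801a0c3f",
    "826d8bf46dae92264827c27886cc619a",
    "cc7c1fba4336d9d40105631e1c2ada90cc52cdae",
    "8d8da63fbdaf7669493b3d2c541ca3123425a3720fb234dac501238c0ede57be",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; packed or encrypted sections sit close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def file_hashes(data: bytes) -> dict:
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_iocs(data: bytes, iocs=KNOWN_BAD_HASHES) -> list:
    """Names of the hash algorithms whose digest of `data` is in the IoC set."""
    return [alg for alg, h in file_hashes(data).items() if h in iocs]


def parse_sections(data: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> section table.
    Returns one dict per section with the same columns as the PEInfo table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, SymTab ptr, NumSyms, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        raw = data[rptr:rptr + rsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "viradd": vaddr, "virsiz": vsize, "rawdsiz": rsize,
            "ntrpy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return sections


def suspicious_sections(data: bytes, threshold: float = 7.0) -> list:
    """Section names whose raw bytes look packed (entropy above `threshold`)."""
    return [s["name"] for s in parse_sections(data) if s["ntrpy"] > threshold]


def build_sample_pe(sections: list) -> bytes:
    """Constructed minimal PE image for demonstration only: MZ stub, PE signature,
    COFF header with an empty optional header, section table, then raw data."""
    nsec = len(sections)
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 4 + 20 + 40 * nsec
    vaddr, table, body = 0x1000, b"", b""
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), vaddr,
                             len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        raw_ptr += len(raw)
        vaddr += max(0x1000, (len(raw) + 0xFFF) & ~0xFFF)
    return dos + b"PE\0\0" + coff + table + body


if __name__ == "__main__":
    # Usage: python pe_triage.py <file>; with no argument it inspects the constructed sample.
    if len(sys.argv) > 1:
        blob = open(sys.argv[1], "rb").read()
    else:
        blob = build_sample_pe([(b".text", bytes(range(256)) * 4), (b".data", b"\0" * 512)])
    print("IoC hits:", match_iocs(blob) or "none")
    print("name     viradd   virsiz   rawdsiz  ntrpy  md5")
    for s in parse_sections(blob):
        print(f"{s['name']:<8} {s['viradd']:<#8x} {s['virsiz']:<#8x} {s['rawdsiz']:<#8x} "
              f"{s['ntrpy']:<6.2f} {s['md5']}")
    print("packed-looking sections:", suspicious_sections(blob) or "none")
```

The entropy threshold of 7.0 is a working assumption, not a rule from the post; compiled x86 code usually lands between 5 and 6.5, so the 8.00 and 7.98 figures above stand out even without knowing which packer produced them. Hash matching is only useful for the exact samples listed; the post itself notes that small byte changes are used to spawn new variants, which is exactly why the structural check is worth running alongside it.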