Following is a sample e-mail:
From: "UPS Service" {fake address @ recipient's ISP or e-mail provider}
Subject: UPS Delivery Problem
Date: November 5, 2009
Dear customer!
Unfortunately we were not able to deliver the postal package which was sent on the 20th of June in time
because the addressee's address is incorrect.
Please print out the invoice copy attached and collect the package at our office.
United Parcel Service of America.
Attachment: inv.zip (22,317 bytes)
If an unsuspecting individual opens the attachment, the malware copies itself with the file name "reader_s.exe" to the user's profile folder (e.g. C:\Documents and Settings\User\reader_s.exe) and to the system folder (e.g. C:\Windows\system32\reader_s.exe) and registers itself as a startup item in the registry. It phones home to multiple IP addresses on port 80 (see a list below).
Initial detection of the malware was somewhat low; the earliest VirusTotal report I could find showed that 18 out of 40 major antivirus engines detected this threat (a good demonstration of why it's never a good idea to open a suspicious attachment; you can't count on your antivirus software to detect all malware, especially new samples). The sample is currently detected by nearly all antivirus software. Most of the following information is courtesy of VirusTotal:
File name: inv.exe (it has also been submitted to Prevx as reader_s.exe, winner.exe, photo.exe, etc.)
File size: 51200 bytes
MD5...: 3b9c3d653c3e5cb40c93e9599ee507de
SHA1..: 3277a9dd2d1f9a242d431ca76e2a8362221da129
SHA256: 98b368e66ec3e3e583603fbd8ab575c44e9a11f0733062b1ce179fea0f004731
37/40 detection rate as of 2009.11.09 10:26:55 (UTC)
Variously identified as: Backdoor.Small.CPDR, Backdoor.Small.zs, Backdoor.Win32.Small.51200.D, Backdoor.Win32.Small.zs, Backdoor/W32.Small.51200, Cutwail, Heur.Suspicious, High Risk Cloaked Malware, SHeur2.BPZQ, TR/Crypt.XPACK.Gen, Trj/Downloader.MDW, TROJ_AGENT.AWYQ, Troj/Agent-LNC, Trojan-Downloader.Win32.Small, Trojan:W32/Cutwail.CW, Trojan.Crypt.XPACK.Gen, Trojan.Cutwail.Z, Trojan.DownLoad.37236, Trojan.Downloader-81329, Trojan.Pandex, Trojan.Win32.Generic!SB.0, Trojan.Win32.Generic.51F056EF, Trojan.Win32.Malware.1, TrojanDownloader:Win32/Cutwail.gen!C, TrojanDownloader.Adload.gpa, W32/Cutwail.C!tr.dldr, W32/Smalltroj.UMSB, W32/Trojan3.BLY, Win32:Malware-gen, Win32/Cutwail.AVH, Win32/Wigon
ThreatExpert behavioral analysis:
http://www.threatexpert.com/report.aspx?md5=3b9c3d653c3e5cb40c93e9599ee507de
Anubis behavioral analysis:
http://anubis.iseclab.org/?action=result&task_id=190104cdf50c547945dee873bc504a3ea
Prevx report which includes additional file names:
http://info.prevx.com/aboutprogramtext.asp?PX5=9A2D0213008907A0C81100571FB790000D9B48BD
See also the Web of Trust (WOT) reports for several IPs to which this malware phones home (IP block owners in parentheses):
http://www.mywot.com/en/scorecard/61.158.167.52 (China Unicom)
http://www.mywot.com/en/scorecard/61.158.167.59 (China Unicom)
http://www.mywot.com/en/scorecard/69.162.117.50 (Limestone Networks [Texas, USA])
http://www.mywot.com/en/scorecard/72.167.161.72 (GoDaddy [Arizona, USA])
http://www.mywot.com/en/scorecard/174.133.104.210 (The Planet [Texas, USA])
http://www.mywot.com/en/scorecard/218.61.7.9 (China Unicom)
http://www.mywot.com/en/scorecard/221.12.89.137 (China Unicom)
http://www.mywot.com/en/scorecard/221.230.2.208 (Chinanet)
http://www.mywot.com/en/scorecard/222.138.109.99 (China Unicom)
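The indicators above (the VirusTotal hashes, the dropped file names and the phone-home IPs) are enough to sweep a host or a proxy log for this sample. The following script is an added example written for this post, not code from the post or from any of the analysis services linked; the hash values, IP addresses and file names are copied from the post, while the proxy-log format, the sample log lines and the helper names (`hash_bytes`, `scan_proxy_log`, `suspicious_paths`) are constructed for the example. The post mentions a registry startup entry but gives no key name, so the script deliberately does not inspect the registry.

```python
"""IoC sweep for the UPS-themed downloader described in the post.

Hashes, phone-home IPs and dropped file names are copied from the post;
the log format and the sample log lines are constructed for this example.
"""
import hashlib
import ntpath
import re

# File hashes reported by VirusTotal for inv.exe (values from the post).
IOC_HASHES = {
    "md5": "3b9c3d653c3e5cb40c93e9599ee507de",
    "sha1": "3277a9dd2d1f9a242d431ca76e2a8362221da129",
    "sha256": "98b368e66ec3e3e583603fbd8ab575c44e9a11f0733062b1ce179fea0f004731",
}

# Phone-home addresses listed in the post (the sample used TCP port 80).
C2_IPS = {
    "61.158.167.52", "61.158.167.59", "69.162.117.50", "72.167.161.72",
    "174.133.104.210", "218.61.7.9", "221.12.89.137", "221.230.2.208",
    "222.138.109.99",
}

# Names the dropper was seen under (inv.exe plus the Prevx-submitted names).
DROPPED_NAMES = {"inv.exe", "reader_s.exe", "winner.exe", "photo.exe"}


def hash_bytes(data: bytes) -> dict:
    """Return MD5/SHA1/SHA256 hex digests of a byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str) -> dict:
    """Hash a file on disk (read fully; the sample is only 51200 bytes)."""
    with open(path, "rb") as fh:
        return hash_bytes(fh.read())


def matches_known_sample(digests: dict) -> bool:
    """True if any digest equals the VirusTotal value for the known sample."""
    return any(digests.get(algo) == value for algo, value in IOC_HASHES.items())


def suspicious_paths(paths) -> list:
    """Keep the Windows paths whose file name is one of the known dropped names.

    ntpath parses backslash paths correctly even when run on a non-Windows host.
    """
    return [p for p in paths if ntpath.basename(p).lower() in DROPPED_NAMES]


# Constructed proxy-log format: "<timestamp> src=<ip> dst=<ip>:<port> <method> <path>"
LOG_RE = re.compile(
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+)\s+dst=(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)"
)


def scan_proxy_log(lines) -> list:
    """Return one record per line whose destination is a listed phone-home IP."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("dst") in C2_IPS:
            hits.append({
                "src": m.group("src"),
                "dst": m.group("dst"),
                "port": int(m.group("port")),
                "line": line,
            })
    return hits


# Constructed sample log; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = [
    "2009-11-05T10:22:13Z src=10.0.0.5 dst=61.158.167.52:80 GET /",
    "2009-11-05T10:22:20Z src=10.0.0.5 dst=198.51.100.10:80 GET /index.html",
    "2009-11-05T10:23:01Z src=10.0.0.7 dst=72.167.161.72:80 POST /",
    "2009-11-05T10:24:05Z src=10.0.0.9 dst=203.0.113.5:443 CONNECT",
]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"phone-home: {hit['src']} -> {hit['dst']}:{hit['port']}")
    for p in suspicious_paths([r"C:\Documents and Settings\User\reader_s.exe",
                               r"C:\Windows\system32\calc.exe"]):
        print("known dropped-file name:", p)
```

Run against a real proxy export you would replace `SAMPLE_LOG` with the file's lines and adapt `LOG_RE` to that product's format; the hash check is the reliable part of the sweep, while the IP list will age as the block owners reassign addresses, which is why both are kept.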