Malware: United Parcel Service notification #46034
Suspicious email spreading malware:
Return-Path: <info52943@ups.com>
Received: from [39.203.6.87] (account 1361@ms21.hinet.net HELO ybydypsmsb.cehflcrileuz.ru)
From: "United Parcel Service" <info52943@ups.com>
Subject: United Parcel Service notification #46034
Message:
May 2011
United Parcel Service
tracking number #18203
Good morning
Parcel notification
The parcel was sent your home adress. And it will arrive within 3 buisness days. More information and the parcel tracking number are attached in document below.
Thank you
United Parcel Service of America (c)
153 James Street, Suite100, Long Beach CA, 90000
Attached is a file with a ZIP extension:
Report date: 2011-06-14 11:44:18 (GMT 1)
File name: ups-document-zip
File size: 9032 bytes
MD5 hash: 4e8bbc81f8a1ed3fcde3899546fef0c9
SHA1 hash: 56e4f46e75cbccf27dde19289250471ebb90c5ba
Detection rate: 4 on 5 (80%)
Status: INFECTED
AVG 14/06/2011 10.0.0.1190 FakeAlert
Avira AntiVir 14/06/2011 7.11.7.12 TR/Crypt.XPACK.Gen
ClamAV 14/06/2011 0.97 Suspect.Bredozip-zippwd-10
Emsisoft 14/06/2011 5.1.0.2 Trojan-Downloader.Win32.Chepvil!IK
The extracted file is an executable file:
Report date: 2011-06-14 11:44:18 (GMT 1)
File name: ups-document-exe
File size: 24576 bytes
MD5 hash: fed91182ed9d29e36bbabac211ac7d3a
SHA1 hash: 17f308da31c8d61dd0b33691bf474e6f6fb5afbe
Detection rate: 2 on 5 (40%)
Status: INFECTED
Avira AntiVir 14/06/2011 7.11.7.12 TR/Crypt.XPACK.Gen
Emsisoft 14/06/2011 5.1.0.2 Trojan-Downloader.Win32.Chepvil!IK
Report created by NoVirusThanks Automated Sandbox:
Process Created - %SAMPLE% - C:\WINDOWS\system32\svchost.exe - Microsoft Corporation - 73955B04F209D8A1C633867841267A96 - 14336 bytes
File Deleted - C:\WINDOWS\system32\svchost.exe - %SAMPLE% - 24576 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 85.202.146.77 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - miliardov.com - /pusk3.exe
File Modified - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\OJZMJR51\pusk3[1].exe
File Created - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\OJZMJR51\pusk3[1].exe - 9A4DB26B24C1FA9F59D7005B18BF1B6E - 17408 bytes - attr: [] - -
Process Created - C:\WINDOWS\system32\svchost.exe - %AppData%\IMPOST~1\Temp\pusk3.exe - Microsoft Corporation - AFFF69E592B133B34B0FD2AB6AC67691 - 429056 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 85.202.146.77 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - miliardov.com - /trol.exe
Connection Established - %AppData%\IMPOST~1\Temp\pusk3.exe - TCP - 194.50.7.14 - 80
Web Request - %AppData%\IMPOST~1\Temp\pusk3.exe - GET - searcham.org - /404.php?type=stats&affid=531&subid=03&iruns
File Modified - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\WRLEMEZ4\trol[1].exe
File Created - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\WRLEMEZ4\trol[1].exe - 2984C3FF08E69000E841BF48436C55C9 - 66560 bytes - attr: [] - -
File Created - %AppData%\IMPOST~1\Temp\pusk3.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\WRLEMEZ4\404[1].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
Process Created - 14/06/2011 11.46.01 - C:\WINDOWS\system32\svchost.exe - %AppData%\IMPOST~1\Temp\trol.exe - Unknown Publisher - F6C7505CC989D824EE2B6961F5EE1C2C - 79360 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 85.202.146.77 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - miliardov.com - /trol2.exe
File Modified - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\DX0O3V3I\trol2[1].exe
File Created - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\DX0O3V3I\trol2[1].exe - B088C688BFC85ACB12998CCB206C1705 - 84480 bytes - attr: [] - PE
Process Created - C:\WINDOWS\system32\svchost.exe - %AppData%\IMPOST~1\Temp\trol2.exe - Unknown Publisher - B088C688BFC85ACB12998CCB206C1705 - 84480 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 95.64.36.67 - 80
File Created - %AppData%\IMPOST~1\Temp\trol2.exe - %Temp%\2.tmp - B088C688BFC85ACB12998CCB206C1705 - 84480 bytes - attr: [] - PE
Connection Established - %AppData%\IMPOST~1\Temp\trol2.exe - TCP - 94.60.123.33 - 80
Connection Established - %AppData%\IMPOST~1\Temp\trol2.exe - TCP - 94.60.123.34 - 80
URLVoid domain analysis:
http://www.urlvoid.com/scan/miliardov.com
http://www.urlvoid.com/scan/searcham.org
IPVoid IP address analysis:
http://www.ipvoid.com/scan/85.202.146.77
http://www.ipvoid.com/scan/194.50.7.14
http://www.ipvoid.com/scan/95.64.36.67
http://www.ipvoid.com/scan/94.60.123.33
http://www.ipvoid.com/scan/94.60.123.34