Malware: Nova cotacao…

Honeypot reported a suspicious email:

Return-Path: <apache@94.229.165.236.srvlist.ukfast.net>
Received: from 94.229.165.236.srvlist.ukfast.net (94.229.165.236.srvlist.ukfast.net [94.229.165.236])
Received: from 94.229.165.236.srvlist.ukfast.net (unknown [127.0.0.1]) by 94.229.165.236.srvlist.ukfast.net
Received: by 94.229.165.236.srvlist.ukfast.net (Postfix, from userid 48)
Subject: Nova cotacao...
Date: Tue, 26 Apr 2011 07:14:29 +0100 (BST)

This is the malicious URL contained in the message:

gwayprototype. com/support/img/thumb2.php?#documento_relatorio
HTTP/1.1 302 Object Moved
Location: http://www.abeonas. net/abnor/,,/001/PLANILHA-DOCUMENTO.scr
Server: Microsoft-IIS/4.0
Content-Type: text/html
Connection: close
Content-Length: 174

It redirects to download the infected file:

abeonas. net/abnor/,,/001/PLANILHA-DOCUMENTO.scr
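A small detection routine for the redirect trick shown above, added here as an example and not part of the original post: it parses a raw HTTP response like the one quoted and flags any 3xx redirect whose target path ends in a Windows executable extension. The sample response is constructed from the headers above; no network access is involved.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Constructed sample: the 302 response quoted in the post, re-typed as raw
# HTTP with CRLF line endings (the redirect target is the one shown above).
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Object Moved\r\n"
    "Location: http://www.abeonas.net/abnor/,,/001/PLANILHA-DOCUMENTO.scr\r\n"
    "Server: Microsoft-IIS/4.0\r\n"
    "Content-Type: text/html\r\n"
    "Connection: close\r\n"
    "Content-Length: 174\r\n"
    "\r\n"
)

# Extensions Windows will execute directly when the downloaded file is opened.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}


def parse_response(raw):
    """Split a raw HTTP response into (status_code, {header_name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    match = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    status = int(match.group(1)) if match else None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def redirect_to_executable(raw):
    """Return (location, extension) when a 3xx response points the client at
    a URL whose path ends in an executable extension, otherwise None."""
    status, headers = parse_response(raw)
    if status is None or not 300 <= status < 400:
        return None
    location = headers.get("location")
    if not location:
        return None
    # The extension is taken from the URL path only, so a query string such
    # as "?name=.scr" on an otherwise harmless target does not trigger it.
    ext = posixpath.splitext(urlsplit(location).path)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        return location, ext
    return None


if __name__ == "__main__":
    print(redirect_to_executable(SAMPLE_RESPONSE))
```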

Report: 2011-04-25 23:05:38 (GMT 1)
File Name: planilha-documento-scr
File Size: 157184 bytes
File Type: Executable File (EXE)
MD5 Hash: 3e66cfb35fee0edeb86da90b0ef780d2
SHA1 Hash: 18fdccc4927ad848e74ac742270a1673bf74c7bc
Detections: 5 / 10 (50 %)
Status: INFECTED

Engine    Date        Version     Detection
AVG       25/04/2011  10.0.0.1190 Downloader.Rozena
Comodo    25/04/2011  4.0         TrojWare.Win32.Troja..
Emsisoft  25/04/2011  5.1.0.2     Trojan-PWS.Win32.QQR..
F-Prot    25/04/2011  6.3.3.4884  W32/SuspPack.R.gen!E..
Ikarus    25/04/2011  T31001097   Trojan-PWS.Win32.QQR..

Image of file: [image not preserved in this copy]

URLVoid domain analysis:

http://www.urlvoid.com/scan/abeonas.net
http://www.urlvoid.com/scan/gwayprototype.com