Tag Archives: trojan rozena

Malware: Nova cotacao…

The honeypot reported a suspicious email:

Return-Path: <apache@>
Received: from ( [])
Received: from (unknown []) by
Received: by (Postfix, from userid 48)
Subject: Nova cotacao...
Date: Tue, 26 Apr 2011 07:14:29 +0100 (BST)

This is the malicious URL contained in the message:

gwayprototype. com/support/img/thumb2.php?#documento_relatorio
HTTP/1.1 302 Object Moved
Location: http://www.abeonas. net/abnor/,,/001/PLANILHA-DOCUMENTO.scr
Server: Microsoft-IIS/4.0
Content-Type: text/html
Connection: close
Content-Length: 174

The URL redirects to the download of the infected file:

abeonas. net/abnor/,,/001/PLANILHA-DOCUMENTO.scr

Report 2011-04-25 23:05:38 (GMT 1)
File Name: planilha-documento-scr
File Size: 157184 bytes
File Type: Executable File (EXE)
MD5 Hash: 3e66cfb35fee0edeb86da90b0ef780d2
SHA1 Hash: 18fdccc4927ad848e74ac742270a1673bf74c7bc
Detections: 5 / 10 (50 %)

AVG       25/04/2011             Downloader.Rozena
Comodo    25/04/2011  4.0        TrojWare.Win32.Troja..
Emsisoft  25/04/2011             Trojan-PWS.Win32.QQR..
F-Prot    25/04/2011             W32/SuspPack.R.gen!E..
Ikarus    25/04/2011  T31001097  Trojan-PWS.Win32.QQR..


URLVoid domain analysis: