New spam containing malware payload (Dec 16)

Discussion in 'Anti-Virus' started by Virus Guy, Dec 17, 2011.

  1. I'm still getting several "ACH" spams per day with links pointing to
    that same black-hole multi-exploit package that I posted earlier.

    But today I got a single example of a different (new) spam, along with
    the malware payload as an attachment.

    The attachment can be downloaded from here:

    Password is "a" (no quotes). It unzips to ticket.piz. Rename to and
    then unzip. Contains the file ticket.exe (with Adobe Acrobat icon) and a
    hidden folder named "system". Inside system there are 17 files with
    names such as "document-n.txt" and "system-n.txt", where n is a number
    from 1 to 11. These are all zero-byte files. Ticket.exe is 47kb in

    As of 1:50 pm EST Friday, VirusTotal is identifying ticket.exe as

    - Trojan.Smoaler
    - Mal/Bredo-T
    - a variant of Win32/Kryptik.XLM
    - TrojanDownloader:Win32/Dofoil.O
    - W32/Ramnit.f
    - Gen:Variant.Kazy.48717
    - Trojan.Tenagour.9
    - TR/Crypt.ZPACK.Gen2

    VT detection rate is 16/43.

    The spam in question is as follows:

    Return-Path: <>
    Received: from ([]
    Date: 16 Dec 2011 12:56:52 -0000
    Subject: Your Order#89081 has been completed
    From: "American Airlines" <>

    Dear Customer,

    ELECTRONIC 657022050
    DATE & TIME / DECEMBER 23, 2011, 11:53 PM
    ARRIVING / Columbus
    TOTAL PRICE / 283.17 USD

    Your bought ticket is attached to the letter as a scan document.
    To use your ticket you should print it.

    Thank you
    American Airlines.
    Content-Type: application/octet-stream;name=""
    Virus Guy, Dec 17, 2011
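    An added triage script (not from this thread or any poster) that checks an e-mail attachment for the pattern described above: an outer zip holding a zip renamed to a non-standard extension, which in turn holds an executable next to a folder of zero-byte decoy files. Nested archives are recognised by the "PK" magic rather than the extension, and the optional password is assumed to be ZipCrypto ("a" in the thread); build_sample() constructs a harmless stand-in, not the real ticket.exe.

```python
import io
import zipfile


def build_sample() -> bytes:
    """Constructed stand-in mirroring the thread: outer.zip -> ticket.piz -> ticket.exe + system/*.txt."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("ticket.exe", b"MZ" + b"\x00" * 64)  # placeholder PE header, not a real binary
        for n in range(1, 12):
            z.writestr(f"system/document-{n}.txt", b"")  # zero-byte padding files
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("ticket.piz", inner.getvalue())  # zip renamed to a non-zip extension
    return outer.getvalue()


def inspect_archive(data: bytes, pwd=None, depth: int = 0, max_depth: int = 3) -> list:
    """Return a list of findings for a zip blob, recursing into nested zips found by magic bytes."""
    findings = []
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with z:
        entries = [i for i in z.infolist() if not i.is_dir()]
        for info in entries:
            content = z.read(info, pwd=pwd)
            if content[:2] == b"PK" and not info.filename.lower().endswith(".zip"):
                findings.append(f"nested archive with non-zip extension: {info.filename}")
                if depth < max_depth:
                    findings.extend(inspect_archive(content, pwd, depth + 1, max_depth))
            if content[:2] == b"MZ":
                findings.append(f"PE executable: {info.filename}")
        empties = [i.filename for i in entries if i.file_size == 0]
        if len(empties) >= 10:  # threshold is an assumption; the sample had 17 such files
            findings.append(f"{len(empties)} zero-byte files (padding/decoy pattern)")
    return findings


if __name__ == "__main__":
    for line in inspect_archive(build_sample(), pwd=b"a"):
        print(line)
```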

  2. ....and is itself UPX packed.

    Many more zero-length files, some data files and a binary.

    Looks like it gathers info, do you have Sandboxie?
    FromTheRafters, Dec 17, 2011

  3. It downloaded something to my sandbox. I got detections for Alureon and
    a fake windef. It sure pulled a lot of stuff into the box.
    FromTheRafters, Dec 17, 2011
  4. Interesting...
    David H. Lipman, Dec 17, 2011
  5. I ran it through COMODO

    They look like they're encrypted files.
    David H. Lipman, Dec 17, 2011
  6. Craps out in ANUBIS
    David H. Lipman, Dec 17, 2011
  7. The U. Mannheim SandBox shows it drops


    Loaded via
    David H. Lipman, Dec 17, 2011
  8. Finally, ThreatExpert
    David H. Lipman, Dec 17, 2011
  9. I got numerous (more than twenty) error messages about disk failure
    which all went away when I forced the closure of Sandboxie - but did
    still have those downloaded files and everything that Sandboxie "got"
    from the actual filesystem and registry when subsequently exploring the
    sandbox. Avira also named Kazy as one of the programs.

    Actually five programs were downloaded, but two appear to be duplicates
    judging only by file size.
    FromTheRafters, Dec 17, 2011
  10. Ticket.exe is detected by my Avira AV as TR/Crypt.ZPACK.Gen2

    After Sandboxie coughed and sputtered I found files detected as:
    TR/Alureon.FL.42 (B2F.tmp and B2E.tmp 348KB)
    TR/Kazy.44476.2 (B27.tmp 1792KB)
    TR/FakeSysdef.471040 (pHjGL1WrMBrZga.exe.tmp 457KB)
    .... plus two more same-size w/random looking names
    ending in exe.tmp

    I had them as .exe too, but failed to capture those.

    Now, all I get is a zero length "Ticket.exe" file and interference from
    my *real* Windows Defender detecting TrojanDownloader:Win32/Dofoil.gen!c

    It might have just worked again, I'll check.
    FromTheRafters, Dec 17, 2011
  11. There are some addon dlls for dealing with pesky malware in Sandboxie. :)
    Dustin, Dec 17, 2011
  12. Thanks Dustin, I'll have to check that out.
    FromTheRafters, Dec 17, 2011