New spam containing malware payload (Dec 16)

Discussion in 'Anti-Virus' started by Virus Guy, Dec 17, 2011.

  1. Virus Guy

    Virus Guy Guest

    I'm still getting several "ACH" spams per day with links pointing to
    that same black-hole multi-exploit package that I posted earlier.

    But today I got a single example of a different (new) spam, along with
    the malware payload as an attachment.

    The attachment can be downloaded from here:

    http://www.fileden.com/files/2008/7/19/2010382/TICKET1.ZIP

    Password is "a" (no quotes). It unzips to ticket.piz. Rename to
    ticket.zip and then unzip.

    Ticket.zip contains the file ticket.exe (with adobe acrobat icon) and a
    hidden folder named "system". Inside system there are 17 files with
    names such as "document-n.txt" and "system-n.txt", where n is a number
    from 1 to 11. These are all zero-byte files. Ticket.exe is 47kb in
    size.

    As of 1:50 pm EST Friday, Virus Total is identifying ticket.exe as
    containing:

    - Trojan.Smoaler
    - Mal/Bredo-T
    - a variant of Win32/Kryptik.XLM
    - TrojanDownloader:Win32/Dofoil.O
    - W32/Ramnit.f
    - Gen:Variant.Kazy.48717
    - Trojan.Tenagour.9
    - TR/Crypt.ZPACK.Gen2

    VT detection rate is 16/43.

    The spam in question is as follows:

    =============
    Return-Path: <2.superb.net>
    Received: from mail-out1.superb.net ([66.36.226.25]
    Date: 16 Dec 2011 12:56:52 -0000
    Subject: Your Order#89081 has been completed
    From: "American Airlines" <>

    Dear Customer,

    FLIGHT NUMBER AA781
    ELECTRONIC 657022050
    DATE & TIME / DECEMBER 23, 2011, 11:53 PM
    ARRIVING / Columbus
    TOTAL PRICE / 283.17 USD

    Your bought ticket is attached to the letter as a scan document.
    To use your ticket you should print it.

    Thank you
    American Airlines.

    Ticket.zip Content-Type: application/octet-stream;name="Ticket.zip"
    =============================
     
    Virus Guy, Dec 17, 2011
    #1
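    Added example, not posted by Virus Guy or anyone else in this thread: a
    Python triage script that models the message and attachment described
    above and flags the traits a mail gateway could catch without running
    anything. The sample message and the nested zip are constructed inline
    from the post's description (dummy bytes, no password, no real payload),
    the extension lists are assumed, and the checks are the ones a defender
    would want: a From header with a display name but no mailbox, a
    Return-Path that is not an address, a zip shipped as octet-stream, a zip
    renamed to a non-archive extension, an executable inside, and a pile of
    zero-byte decoy files.

    ```python
    import io
    import os
    import zipfile
    from email import message_from_bytes
    from email.mime.application import MIMEApplication
    from email.mime.multipart import MIMEMultipart
    from email.mime.text import MIMEText
    from email.utils import parseaddr
    from typing import List, Optional

    # Extensions worth flagging inside a mailed archive (assumed list, not from the thread).
    EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
    MAX_MEMBER_BYTES = 5 * 1024 * 1024  # refuse to expand members bigger than this
    MAX_DEPTH = 3                       # stop recursing into zips-in-zips past this


    def build_sample_attachment() -> bytes:
        """Constructed stand-in for the Ticket.zip described in post #1: an outer zip
        holding ticket.piz (a zip with a renamed extension) that in turn holds
        ticket.exe and a 'system' folder full of zero-byte files. The bytes are
        dummies, not the real payload, and nothing is password-protected."""
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as z:
            z.writestr("ticket.exe", b"MZ" + b"\x00" * 64)
            for n in range(1, 12):
                z.writestr(f"system/document-{n}.txt", b"")
                z.writestr(f"system/system-{n}.txt", b"")
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as z:
            z.writestr("ticket.piz", inner.getvalue())
        return outer.getvalue()


    def build_sample_message() -> bytes:
        """Constructed MIME message modelled on the headers quoted in post #1."""
        msg = MIMEMultipart()
        msg["Return-Path"] = "<2.superb.net>"
        msg["From"] = '"American Airlines" <>'
        msg["Subject"] = "Your Order#89081 has been completed"
        msg.attach(MIMEText("Your bought ticket is attached to the letter as a scan document."))
        att = MIMEApplication(build_sample_attachment(), _subtype="octet-stream")
        att.add_header("Content-Disposition", "attachment", filename="Ticket.zip")
        msg.attach(att)
        return msg.as_bytes()


    def inspect_archive(data: bytes, pwd: Optional[bytes] = None, depth: int = 0) -> List[str]:
        """Walk a zip, and any zip nested inside it, entirely in memory and report
        the structural oddities post #1 describes. Nothing is extracted to disk."""
        if depth > MAX_DEPTH:
            return [f"archive nested more than {MAX_DEPTH} levels deep"]
        try:
            z = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return []
        findings, zero_byte = [], 0
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            if info.file_size == 0:
                zero_byte += 1          # decoy padding, like the document-n.txt files
                continue
            if ext in EXEC_EXTS:
                findings.append(f"executable inside archive: {name}")
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"member too large to expand safely: {name}")
                continue
            try:
                member = z.read(name, pwd=pwd)
            except RuntimeError:        # encrypted member and no/wrong password
                findings.append(f"encrypted member, not inspected: {name}")
                continue
            if zipfile.is_zipfile(io.BytesIO(member)):
                if ext != ".zip":
                    findings.append(f"zip renamed to {ext or 'no extension'}: {name}")
                findings.extend(inspect_archive(member, pwd, depth + 1))
        if zero_byte >= 10:
            findings.append(f"{zero_byte} zero-byte files (decoy/padding pattern)")
        return findings


    def triage_message(raw: bytes, pwd: Optional[bytes] = None) -> List[str]:
        """Header sanity checks plus archive inspection for every attachment."""
        msg = message_from_bytes(raw)
        findings = []
        if not parseaddr(msg.get("From", ""))[1]:
            findings.append("From header carries a display name but no mailbox")
        if "@" not in msg.get("Return-Path", ""):
            findings.append(f"Return-Path is not a mailbox: {msg.get('Return-Path', '')}")
        for part in msg.walk():
            fname = part.get_filename()
            if not fname:
                continue
            blob = part.get_payload(decode=True) or b""
            if part.get_content_type() == "application/octet-stream" and zipfile.is_zipfile(io.BytesIO(blob)):
                findings.append(f"zip attachment labelled octet-stream: {fname}")
            findings.extend(inspect_archive(blob, pwd))
        return findings


    if __name__ == "__main__":
        for line in triage_message(build_sample_message()):
            print(line)
    ```

    For the real sample, pass the archive password as `pwd=b"a"`; Python's
    zipfile can read ZipCrypto-protected members but cannot create them, which
    is why the constructed sample is left unencrypted. The member size cap and
    depth limit matter because a gateway that expands attachments blindly is
    itself a decompression-bomb target.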

  2. ....and is itself UPX packed.

    http://i41.tinypic.com/2remcf8.jpg

    Many more zero-length files, some data files and a binary.

    Looks like it gathers info, do you have Sandboxie?
     
    FromTheRafters, Dec 17, 2011
    #2

  3. It downloaded something to my sandbox. I got detections for Alureon and
    a fake windef. It sure pulled a lot of stuff into the box.
     
    FromTheRafters, Dec 17, 2011
    #3
  4. Interesting...
     
    David H. Lipman, Dec 17, 2011
    #4
  5. I ran it through COMODO
    http://camas.comodo.com/cgi-bin/submit?file=d8a82c9cb2aea83067d7997fd6ea2f5b4b366edef0d128d4f920ba9b3e05417f

    refunadositol15.ru/mike/index.php?cmd=getproxy
    refunadositol15.ru/mike/index.php?cmd=getgrab

    They look like they're encrypted files.
     
    David H. Lipman, Dec 17, 2011
    #5
  6. Craps out in ANUBIS

    https://anubis.iseclab.org/?action=result&task_id=1b47ff0c6b505cfa489860b7ca3209e16&format=html
     
    David H. Lipman, Dec 17, 2011
    #6
  7. The U. Mannheim SandBox shows it drops
    https://mwanalysis.org/?site=1&page=details&id=284368&password=vsuoanbdpg

    %appdata%\csrss.exe

    Loaded via
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
     
    David H. Lipman, Dec 17, 2011
    #7
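    Added example, not from David or the sandbox report he links: a Python
    check for the persistence David describes, a binary dropped into
    %appdata% and started from the Policies\Explorer\Run key under HKCU. The
    registry path is the one named in the post; the list of system process
    names, the sample environment for a user "alice" and the sample value set
    are constructed so the logic runs on any OS, and the winreg reader is
    only used when the script actually runs on Windows.

    ```python
    import ntpath
    import re
    from typing import Dict, List

    # The key the sandbox report names (under HKCU). Legitimate software rarely
    # writes here; it is normally populated only by Group Policy.
    POLICIES_RUN = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"

    # Core Windows process names that malware borrows for dropped binaries (assumed list).
    SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}

    # Constructed environment for a user 'alice', so the check runs on any OS.
    SAMPLE_ENV = {
        "APPDATA": r"C:\Users\alice\AppData\Roaming",
        "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
        "TEMP": r"C:\Users\alice\AppData\Local\Temp",
        "USERPROFILE": r"C:\Users\alice",
        "SYSTEMROOT": r"C:\Windows",
    }

    # Constructed value set: one entry like the dropped %appdata%\csrss.exe, one benign-looking vendor updater.
    SAMPLE_ENTRIES = {
        "csrss": r"%appdata%\csrss.exe",
        "UpdateCheck": r'"C:\Program Files\Vendor\updater.exe" /quiet',
    }


    def expand_env(value: str, env: Dict[str, str]) -> str:
        """Expand %VAR% references case-insensitively, as the shell would; unknown names are left alone."""
        upper = {k.upper(): v for k, v in env.items()}
        return re.sub(r"%([^%]+)%", lambda m: upper.get(m.group(1).upper(), m.group(0)), value)


    def image_path(command: str, env: Dict[str, str]) -> str:
        """Pull the executable path out of a Run value, with or without quotes and arguments."""
        command = expand_env(command.strip(), env)
        if command.startswith('"'):
            end = command.find('"', 1)
            return command[1:end] if end > 0 else command[1:]
        return command.split(" ", 1)[0]


    def flag_run_entries(entries: Dict[str, str], env: Dict[str, str]) -> List[str]:
        """Report entries that start a binary from a user-writable folder or that
        reuse a system process name outside System32, the two traits of the
        dropped csrss.exe in the report."""
        user_dirs = [env[k].lower().rstrip("\\") + "\\"
                     for k in ("APPDATA", "LOCALAPPDATA", "TEMP", "USERPROFILE") if k in env]
        system32 = ntpath.join(env.get("SYSTEMROOT", r"C:\Windows"), "System32").lower() + "\\"
        findings = []
        for name, command in entries.items():
            path = image_path(command, env)
            lowered = path.lower()
            base = ntpath.basename(lowered)
            if any(lowered.startswith(d) for d in user_dirs):
                findings.append(f"{name}: starts from a user-writable location ({path})")
            if base in SYSTEM_BINARIES and not lowered.startswith(system32):
                findings.append(f"{name}: system process name {base} outside System32 ({path})")
        return findings


    def read_hkcu_policies_run() -> Dict[str, str]:
        """Windows only: read the live key. Returns {} on other platforms or when the key is absent."""
        try:
            import winreg
        except ImportError:
            return {}
        entries: Dict[str, str] = {}
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, POLICIES_RUN) as key:
                i = 0
                while True:
                    try:
                        name, data, _kind = winreg.EnumValue(key, i)
                    except OSError:       # no more values
                        break
                    entries[name] = str(data)
                    i += 1
        except OSError:                   # key does not exist
            return {}
        return entries


    if __name__ == "__main__":
        import os
        live = read_hkcu_policies_run()
        entries, env = (live, dict(os.environ)) if live else (SAMPLE_ENTRIES, SAMPLE_ENV)
        for line in flag_run_entries(entries, env) or ["nothing flagged"]:
            print(line)
    ```

    On the constructed data only the csrss entry is flagged, twice: once for
    living under %appdata% and once for borrowing a System32 process name.
    The same two rules apply unchanged to the ordinary HKCU and HKLM
    ...\CurrentVersion\Run keys; the Policies key is just the one this sample
    used.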
  8. Finally, ThreatExpert
    http://www.threatexpert.com/report.aspx?md5=5f4b2278f8368418786bf8c44f4f5dff
     
    David H. Lipman, Dec 17, 2011
    #8
  9. I got numerous (more than twenty) error messages about disk failure
    which all went away when I forced the closure of Sandboxie - but did
    still have those downloaded files and everything that Sandboxie "got"
    from the actual filesystem and registry when subsequently exploring the
    sandbox. Avira also named Kazy as one of the programs.

    Actually five programs were downloaded, but two appear to be duplicates
    judging only by file size.
     
    FromTheRafters, Dec 17, 2011
    #9
  10. Ticket.exe is detected by my Avira AV as TR/Crypt.ZPACK.Gen2

    After Sandboxie coughed and sputtered I found files detected as:
    TR/Alureon.FL.42 (B2F.tmp and B2E.tmp 348KB)
    TR/Kazy.44476.2 (B27.tmp 1792KB)
    TR/FakeSysdef.471040 (pHjGL1WrMBrZga.exe.tmp 457KB)
    .... plus two more same-size w/random looking names
    ending in exe.tmp

    I had them as .exe too, but failed to capture those.

    Now, all I get is a zero length "Ticket.exe" file and interference from
    my *real* Windows Defender detecting TrojanDownloader:Win32/Dofoil.gen!c

    It might have just worked again, I'll check.
     
    FromTheRafters, Dec 17, 2011
    #10
  11. Dustin Guest

    There are some addon dlls for dealing with pesky malware in sandboxie. :)
     
    Dustin, Dec 17, 2011
    #11
  12. Thanks Dustin, I'll have to check that out.
     
    FromTheRafters, Dec 17, 2011
    #12
