If you or your relatives wander onto a site claiming to be a genuine Kodak website, you might want to think twice before downloading any executables.
Here’s an example of a site located at kodak-webgallery(dot)com, which is currently offline:

The message at the top reads: “New shared photos! You have received some new pictures, to view them simply click the button below”. Hitting the button launches a “Slideshow”, which is actually an executable file that the end-user is asked to download and run.
Doing so opens up a set of photographs taken of a rather large truck from different angles:

After executing the file, the folder \WINDOWS\system32821772 was created containing various configuration files. Additionally, sijgzxel.exe and fvwtmkry.exe were copied into the System32 folder itself.

The final piece of the puzzle is the set of references to an email address, eBay, eBay Motors and various other eBay domains (along with the non-eBay Escrow.com) in the process dumps we generated while testing.
It looks like a blast from the past called Trojan.Bayrob has risen from the grave to cause problems for big money spenders on eBay. It seems to come around every so often – here’s an attack from 2007 and here’s one from 2008 – and now someone has decided to spam it out from a fake Kodak domain registered via a privacy service.
Bayrob is a nasty little thing, spoofing pages from eBay and other sites to fool the end-user into handing over bundles of cash. Motor buyers are a popular target, which is why many of these attacks tend to involve car photo slideshows. The Trojan can have a devastating impact – here’s a victim who was fleeced out of $8,600 by scammers.
To coin a phrase: whoops.
We detect this one as Win32.Malware!Drop. Detection rates are very low, currently clocking in at 5/43, so be careful out there and don’t be fooled by random photograph galleries. There’s no way to tell if these fake Kodak sites are currently being pimped by automated spam programs, random chatroom links, infected PCs or strange flashing lights in the sky, so always check with a known contact if they suddenly want you to check out their new car pictures.
It might cost you a bit more than a tyre change and a new air freshener…
Christopher Boyd
– on Sunbelt Blog
Posted on 30 November 2010. Tags: Bayrob, Fake, Galleries, Kodak, Serve, Trojan