MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “So now you’re on LinkedIn: What’s next?”. This campaign is a follow-up to the LinkedIn Messages, 9/30/2010 campaign that we reported yesterday. The malware has not changed in any way.
The email is sent from the spoofed address “LinkedIn <linkedin@em.linkedin.com>”, the email headers are forged, and the message has the following body with complete LinkedIn branding:

The message is very similar to the LinkedIn Alert email threat we saw a few days ago, but it now uses a different approach to distribute the malware after the recipient clicks a link in the message.
All the URLs redirect the visitor to a web site, which then immediately redirects them to hxxp://hatcher.com.au/1.html. When that page loads, an image prompts you to install Adobe Flash Player, and the file flash_player_07.78.exe is offered for download.

The trojan is known as Trojan-Spy.Win32.Zbot.aptt (Kaspersky), Win32/Spy.Zbot.ZR (NOD32), Trojan.Zbot (PCTools), Trojan.Generic.KD.44402 (F-Secure).
The following files will be created:
%AppData%\Yguze\ubce.exe
%AppData%\Ywimuq\ipafe.tiy
%AppData%\Ywimuq\ipafe.tmp
%Temp%\tmp0e1f500d.bat
The following directories are created:
%AppData%\Yguze
%AppData%\Ywimuq
A new process is created:
ubce.exe
Several Windows registry changes will be executed, and the trojan will establish a connection with the host ohmaebahsh.ru on port 80 and perform a GET request for bin/koethood.bin.
VirusTotal permalink and MD5: b77b6eac5d9e9d088b400652405c4b19.
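The indicators above (the redirect host and landing page, the C&C host and download path, the dropped file paths and the MD5) are what a defender would sweep proxy logs and host inventories for. The script below is an added example, not code from MX Lab: it uses only the indicators listed in this post, while the proxy log lines, the log layout and the file inventory are constructed sample data written for the example.

```python
"""Defender-side sweep for the indicators listed in the write-up above.

flag_proxy_lines() flags proxy log lines whose host or URL path matches a
network indicator; flag_files() flags inventory entries whose path suffix
or MD5 matches a host indicator.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Indicators taken from the write-up (the only page-specific values used here).
IOC_HOSTS = {"ohmaebahsh.ru", "hatcher.com.au"}
IOC_URL_PATHS = {"/bin/koethood.bin", "/1.html"}
IOC_MD5 = {"b77b6eac5d9e9d088b400652405c4b19"}
IOC_FILE_PATHS = [
    r"%AppData%\Yguze\ubce.exe",
    r"%AppData%\Ywimuq\ipafe.tiy",
    r"%AppData%\Ywimuq\ipafe.tmp",
    r"%Temp%\tmp0e1f500d.bat",
]

# Constructed proxy log lines in a simple "ts client method url status" layout
# (sample data written for this example, not captured traffic).
SAMPLE_PROXY_LOG = """\
2010-10-02T10:15:03Z 10.0.0.5 GET http://www.example.com/index.html 200
2010-10-02T10:15:09Z 10.0.0.5 GET http://hatcher.com.au/1.html 200
2010-10-02T10:15:12Z 10.0.0.5 GET http://hatcher.com.au/flash_player_07.78.exe 200
2010-10-02T10:16:40Z 10.0.0.5 GET http://ohmaebahsh.ru/bin/koethood.bin 200
2010-10-02T10:17:01Z 10.0.0.7 GET http://www.example.org/news 304
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def flag_proxy_lines(log_text: str) -> List[Dict[str, str]]:
    """Return one hit record per log line that matches a network indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        parts = urlsplit(m.group("url"))
        host = (parts.hostname or "").lower()
        reasons = []
        if host in IOC_HOSTS:
            reasons.append(f"host {host}")
        if parts.path in IOC_URL_PATHS:
            reasons.append(f"path {parts.path}")
        if reasons:
            hits.append({"client": m.group("client"), "url": m.group("url"),
                         "reason": "; ".join(reasons)})
    return hits


def _ioc_suffix(template: str) -> str:
    """Drop the leading %Var% so the indicator can be matched as a path suffix,
    e.g. %AppData%\\Yguze\\ubce.exe -> \\yguze\\ubce.exe (lower-cased)."""
    return template.split("%", 2)[2].lower()


def flag_files(inventory: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """inventory: (full_path, md5) pairs, e.g. from a host's file listing.
    Matching by suffix avoids having to know each user's real AppData/Temp."""
    suffixes = [_ioc_suffix(t) for t in IOC_FILE_PATHS]
    hits = []
    for path, md5 in inventory:
        p = path.lower()
        reasons = []
        if md5.lower() in IOC_MD5:
            reasons.append("md5 match")
        if any(p.endswith(s) for s in suffixes):
            reasons.append("path match")
        if reasons:
            hits.append({"path": path, "reason": "; ".join(reasons)})
    return hits


# Constructed file inventory for one host (sample data, hashes other than the
# reported MD5 are placeholders).
SAMPLE_INVENTORY = [
    (r"C:\Users\alice\Downloads\flash_player_07.78.exe", "b77b6eac5d9e9d088b400652405c4b19"),
    (r"C:\Users\alice\AppData\Roaming\Yguze\ubce.exe", "0" * 32),
    (r"C:\Users\alice\AppData\Roaming\Microsoft\Word\normal.dotm", "1" * 32),
    (r"C:\Users\alice\AppData\Local\Temp\tmp0e1f500d.bat", "2" * 32),
]

if __name__ == "__main__":
    for hit in flag_proxy_lines(SAMPLE_PROXY_LOG):
        print("NET ", hit)
    for hit in flag_files(SAMPLE_INVENTORY):
        print("FILE", hit)
```

Against the sample data the network sweep flags the landing page, the fake Flash installer download and the C&C fetch of bin/koethood.bin, and the file sweep flags the installer by hash and the two dropped files by path suffix. Matching the path suffix after the %AppData% / %Temp% variable keeps the check independent of the user profile, and matching on the parsed hostname (rather than a substring of the URL) avoids false positives on unrelated domains that merely contain the indicator as a substring.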
Posted on 02 October 2010.
Contacting Godaddy.com is a good action but quite often, they use different domains so reporting all the domains is a time consuming effort.
We have contacted hatcher.com.au as well.
What we noticed is that they – the people who set up this malware campaign – hack into a web site, according to some sources through webforms, and drop files on legitimate web sites. Nice way of working if you ask me and it has a lot of advantages.
That's awesome. I just got that email today. Except mine was an iTunes receipt stating I owed $1000. All links in the email pointed to http://nbhygkgr.info which redirected to http://hatcher.com.au/1.html which attempted to download that flash_player.exe which is actually a Trojan Generic8.PWM. I sent an anon email to hatcher.com.au saying their site was hacked (they look legit??) A whois on nbhygkgr.info says it's hosted by godaddy, I contacted their spam department as well. Clever little bastards.