MX Lab started to intercept a new campaign with the subject “Thank you for buying iTunes Gift Certificate!” carrying the trojan detected as Gen:Variant.Bredo.4 (Bitdefender, F-Secure), Win32/Oficla.GQ (NOD32), Trojan.Sasfis (Symantec) or Mal/EncPk-NS (Sophos).
It is clear that with this campaign, the virus authors are using a subtle way to lure potential victims. Getting a $50 iTunes Gift Certificate is more tempting than anything else.
This distribution is sent from the spoofed email address iTunes Products <customer.service@itunes.com>.
The body of the email:
Hello!
You have received an iTunes Gift Certificate in the amount of $50.00
You can find your certificate code in attachment below. Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.
iTunes Store.
The email contains the ZIP archive Gift_Certificate_531.zip, which holds the 36 kB executable Gift_Certificate_531.exe.
The following files are created:
%Temp%\1.tmp
%System%\nnfj.tqo
%Temp%\4.tmp
%Temp%\_check32.bat
%Windir%\Moxmact1.dll
%Windir%\s32.txt
%System%\aspimgr.exe
%Windir%\ws386.ini
A new process will be created on the system:
%System%\aspimgr.exe
The following modules will be loaded into the address space of other process(es):
%Windir%\Moxmact1.dll ->
Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E80000 – 0x1E91000
%Windir%\Moxmact1.dll ->
Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0x10000000 – 0x10011000
New registry key creations:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Phuxobab
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASPIMGR
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASPIMGR000
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASPIMGR000\Control
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aspimgr
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aspimgr\Security
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aspimgr\Enum
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR000\Control
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Security
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum
The following registry keys are modified:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- Shell =
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
- (Default) =
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
- (Default) =
The trojan can establish a remote connection with the following hosts on port 80:
128.175.82.88
195.78.108.203
89.149.202.142
95.211.27.238
Data will be requested from the following web sites:
* hxxp://funnylive2010.ru/ms/bb.php?v=200&id=555611691&b=26may&tm=2
* hxxp://funnylive2010.ru/ms/bb.php?v=200&id=555611691&tid=11&b=26may&r=1&tm=2
* hxxp://porsche911start.ru:80/board.php
* hxxp://www.yunusemre.net/trpanel/fckeditor/editor/_source/classes/v106.exe
* hxxp://www.yunusemre.net/trpanel/fckeditor/editor/_source/classes/sistempod.exe
At the time of writing, 16 of the 41 AV engines detected the trojan. VirusTotal permalink and MD5: 75809a70e8773d51c5b20dd0f7b8163e.
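As an added triage aid, not part of the MX Lab post, the following PowerShell checks a Windows host for the artifacts listed above: the dropped files, the created registry keys, the aspimgr process, the Winlogon Shell change and Moxmact1.dll loaded in explorer.exe. It assumes the report's %Windir%, %System% and %Temp% placeholders map to $env:WINDIR, System32 and $env:TEMP.

```powershell
# Added host triage check, not MX Lab's code. Run from an elevated PowerShell on the
# suspected host; it only reads state. Assumes %Windir% = $env:WINDIR,
# %System% = System32 and %Temp% = $env:TEMP, as in the report's path placeholders.
$win = $env:WINDIR
$sys = Join-Path $win 'System32'
$tmp = $env:TEMP

# Dropped files named in the report (the numbered *.tmp files are transient and omitted)
$files = @(
    (Join-Path $sys 'nnfj.tqo'),
    (Join-Path $tmp '_check32.bat'),
    (Join-Path $win 'Moxmact1.dll'),
    (Join-Path $win 's32.txt'),
    (Join-Path $sys 'aspimgr.exe'),
    (Join-Path $win 'ws386.ini')
)

# Registry keys created by the trojan; CurrentControlSet is the live ControlSet00x
$keys = @(
    'HKLM:\SOFTWARE\Classes\idid',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Phuxobab',
    'HKLM:\SOFTWARE\Microsoft\Sft',
    'HKLM:\SYSTEM\CurrentControlSet\Services\aspimgr',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR'
)

$findings = @()
foreach ($f in $files) { if (Test-Path -LiteralPath $f) { $findings += "file present: $f" } }
foreach ($k in $keys)  { if (Test-Path -LiteralPath $k) { $findings += "registry key present: $k" } }

# The trojan modifies Winlogon\Shell; on a clean host the value is 'explorer.exe'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    $findings += "Winlogon Shell is '$shell' (expected explorer.exe)"
}

# The dropped service binary as a running process, and the DLL injected into explorer.exe
if (Get-Process -Name aspimgr -ErrorAction SilentlyContinue) { $findings += 'process running: aspimgr.exe' }
foreach ($p in @(Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    try { $mods = $p.Modules } catch { $mods = @() }   # module listing can fail with access denied
    if ($mods | Where-Object { $_.ModuleName -ieq 'Moxmact1.dll' }) {
        $findings += "Moxmact1.dll loaded in explorer.exe (PID $($p.Id))"
    }
}

if ($findings.Count -eq 0) { 'No indicators from this report found.' } else { $findings }
```

A hit on any of these is grounds to isolate the host and image it before cleanup, since the aspimgr service and the Winlogon Shell change survive reboots.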