A currently spamvertised scareware-serving campaign is enticing end users into downloading and executing a malicious binary, which drops a scareware variant.

Sample subject: Reqest rejected
Sample message: “Dear Sirs, Thank you for your letter! Unfortunately we can not confirm your request! More information attached in document below. Thank you Best regards.“
Sample attachments: EX-38463.pdf.zip; EX-38463.pdf.exe

Detection rate:
EX-38463.pdf.exe – TrojanDownloader:Win32/Chepvil.J – Result: 11/41 (26.8%)
MD5   : 5085794e6c283ebcfa3878805b9e7be7
SHA1  : 1fbd8d3b0a3479274d8f09543452bf724bcb245c
SHA256: c03711dbafae9b296daed8720f997d84caa5e5a5407a689926050a061d67b932

Upon execution downloads hdjfskh.net/ pusk.exe – 208.43.90.48 – Email: admin@firtryt.biz

Detection rate:
pusk.exe – FakeAlert-CN.gen.aa – Result: 13/42 (31.0%)
MD5   : a50a91176b5aeb96b8b77b99d587c485
SHA1  : c56b7ab2123dbd49902446ffcc0cf59d6a865857
SHA256: c912a975e3c2fc911d6550d86e8fd89dbd30e3d1e07d788b45aac0d6cf61e83c

Upon execution phones back to the following domains and ASs:


Phones back to : AS19875; AS8001; AS24940; AS32475; AS32097; AS19875
2bemojewedowigo.com – 78.46.105.205
bemolaqijicy.com – 99.198.114.206 – Email: vista@free-id.ru
celisesuho.com – 99.198.114.202 – Email: hush@bz3.ru
cixovatywo.com – 78.46.105.205 – Email: frenzy@ca4.ru
fytypoqywu.com – 64.46.38.94 – Email: fy4371215910301@domainidshield.com
gicyxepomer.com – 78.46.105.205 – Email: tabs@yourisp.ru
gopilezavyxiro.com – 78.46.105.205 – Email: hush@bz3.ru
hivanedak.com – 188.95.54.242 – Email: steps@ppmail.ru
hotilosire.com – 208.110.67.122 – Email: lathe@maillife.ru
jerakidukojoz.com – 78.46.105.205 – Email: wrap@cheapbox.ru
kupeqobujohaq.com – 64.46.38.145 – Email: soup@fastermail.ru
kytevaviqopoci.com – 78.46.105.205 – Email: fs@free-id.ru
pikilokykizanu.com – 65.254.54.77 – Email: dawn@free-id.ru
punajytapaci.com – 209.97.213.105 – Email: mire@maillife.ru
qisacugugu.com – 64.46.38.129 – Email: as@free-id.ru
qupajubica.com – 78.46.105.205 – Email: heard@bz3.ru
reruravobosila.com – 67.196.13.96 – Email: mon@ppmail.ru
rorodarof.com – 99.198.114.204 – Email: hush@bz3.ru
ruqydahec.com – 67.196.13.97 – Email: mon@ppmail.ru
sakafiduzipame.com – 78.46.105.205 – Email: build@ca4.ru
sykobodyducib.com – 208.110.67.102 – Email: lathe@maillife.ru
tetagyjaj.com – 78.46.105.205 – Email: kilt@bz3.ru
tibehewuk.com – 209.97.213.102 – Email: mon@ppmail.ru
tisatosyhimidy.com – 188.95.54.243 – Email: jan@free-id.ru
tyhiqymiwufuj.com – 208.110.67.121 – Email: dawn@free-id.ru
vakyditefo.com – 99.198.114.203 – Email: vista@free-id.ru
wamojafadezy.com – 78.46.105.205 – Email: acts@free-id.ru
wetotyger.com – 78.46.105.205 – Email: acts@free-id.ru
wixecyhobovy.com – 64.46.38.130 – Email: soup@fastermail.ru
wolycunanoqe.com – 72.9.233.98 – Email: lathe@maillife.ru
zajatimibuj.com – 208.110.67.119 – Email: bark@cheapbox.ru
zequcitamado.com – 99.198.114.205 – Email: vista@free-id.ru
punajytapaci.com/1017000412 – 209.97.213.105 – Email: mire@maillife.ru
tibehewuk.com/1017000412 – 209.97.213.102 – Email: mon@ppmail.ru

Monitoring of the campaign is ongoing.

This post has been reproduced from Dancho Danchev’s blog. Follow him on Twitter.

• An open letter to Facebook about safety and privacy
  Dear Facebook, As you know, for some years we have been discussing with your security team our concerns about safety and privacy on Facebook. Every day, victims report to us numerous incidents of crim...
• Remove Antivirus Center (Uninstall Guide)
  Antivirus Center is a rogue anti-spyware program from the same family as Internet Protection. This malware is installed onto your computer through the use of fake scanner pages and Trojans that preten...
• Be Careful If Searching For Images of Kate Middleton’s Dress
  Real-world events occasionally generate a massive number of online searches. Japan's recent earthquake and the subsequent tsunami that followed is a good example of a sudden event that turned the worl...
• Malicious E-Cards on the prowl
  Emails disguised as electronic cards have been used as bait over and over again for malicious intent. The fact that they are overused is a clear indicator that this lure indeed works.&n...
• Cyber Crooks All Set to Crash the British Royal Wedding
  As we have seen with many major events in the past, news of the British Royal Wedding is currently being used by cyber criminals to bolster their spam campaigns and push rogue antivirus software throu...
• PlayStation Network hacked: Personal data of up to 70 million people stolen
  Users of Sony's PlayStation Network are at risk of identity theft after hackers broke into the system, and accessed the personal information of videogame players. The implications of the hack, which r...
• I LOVE YOU – Virus-inspired movie trailer and world premiere
  The Love Bug. I LOVE YOU. LoveLetter. All different names for one of the world's most famous viruses, which spread around the globe in May 2000, infecting millions of computers and clogging up email s...
• DLL-Based FAKEAV Returns In The Wild
  In our previous FAKEAV whitepaper, we presented how Trend Micro researchers tracked down the evolution of FAKEAV and classified its development, behavior-wise, according to generations. One of the ear...
• Anger after scam-exposing community shut down by Facebook
  In a bizarre and hard-to-understand move, a Facebook page which claims it helped countless Facebook members stay safe online on the social network has been shut down... by Facebook. The Bulldog Estate...
• How to remove Antivirus Protection and Antivirus Protection Trial (Uninstall Guide)
  Antivirus Protection is a rogue anti-spyware program from the same family as Antivirus Soft and AV Security Suite. This family of rogues is installed through the use of malware and exploit kits that d...