Bitcoin Forum

Other => Off-topic => Topic started by: theymos on May 24, 2012, 07:24:27 PM


Title: Anyone else get this malware email?
Post by: theymos on May 24, 2012, 07:24:27 PM
I received this file via email. I suspect it is malware -- possibly a wallet-stealer. Did anyone else get this?

http://www5.zippyshare.com/v/12732912/file.html (Warning: probable malware)

Quote from: Email
Invitation to ecurrency conference.

http:// asiaelektronik.com/docs/processdl.html

Please let us know if you interested.

Thanks & Regards

The ecurrency part makes me think it's targeted to Bitcoin users.

Title: Re: Anyone else get this malware email?
Post by: ribuck on May 24, 2012, 07:29:54 PM
I got it too. I deleted it without clicking, so I don't know where the link goes.

Title: Re: Anyone else get this malware email?
Post by: rjk on May 24, 2012, 08:05:50 PM
File ends in .xls.scr.xls. .scr is the same as .exe, used in screensavers but can do anything that a standard executable can do.

EDIT: https://www.virustotal.com/file/b50dd5b511934b97edf77f7611e5b007d330c6adfe68adeb167068a20b38409f/analysis/#additional-info

Title: Re: Anyone else get this malware email?
Post by: ZodiacDragon84 on May 25, 2012, 02:48:42 AM
Quote from: rjk on May 24, 2012, 08:05:50 PM
File ends in .xls.scr.xls. .scr is the same as .exe, used in screensavers but can do anything that a standard executable can do.

EDIT: https://www.virustotal.com/file/b50dd5b511934b97edf77f7611e5b007d330c6adfe68adeb167068a20b38409f/analysis/#additional-info

A screensaver miner maybe?

Title: Re: Anyone else get this malware email?
Post by: rjk on May 25, 2012, 03:32:05 AM
Quote from: ZodiacDragon84 on May 25, 2012, 02:48:42 AM
Quote from: rjk on May 24, 2012, 08:05:50 PM
File ends in .xls.scr.xls. .scr is the same as .exe, used in screensavers but can do anything that a standard executable can do.

EDIT: https://www.virustotal.com/file/b50dd5b511934b97edf77f7611e5b007d330c6adfe68adeb167068a20b38409f/analysis/#additional-info

A screensaver miner maybe?

LOL well you are welcome to risk your wallet to find out. ;D Don't say you weren't warned. :-*

Title: Re: Anyone else get this malware email?
Post by: ZodiacDragon84 on May 25, 2012, 03:36:43 AM
Truth be told, I ran it on my offline virtual machine, and I have no freaking Idea what it does.

Title: Re: Anyone else get this malware email?
Post by: rjk on May 25, 2012, 03:54:22 AM
Quote from: ZodiacDragon84 on May 25, 2012, 03:36:43 AM
Truth be told, I ran it on my offline virtual machine, and I have no freaking Idea what it does.
Run it in a VM with Sandboxie, with logging enabled. The Sandboxie logs will tell you all the files and registry objects that the programs touches, whether in a read or a write operation.

Title: Re: Anyone else get this malware email?
Post by: ZodiacDragon84 on May 25, 2012, 04:10:14 AM
Give me a bit, and I will have a log ready as soon as I run it. Call it my White hat deed of the day...lol

Cant figure out how to make a log at moment, but none of my scans are showing really anything malicious.

multi scanner results

http://metascan.org/result.php?scan=MzkxODYx

Title: Re: Anyone else get this malware email?
Post by: ZodiacDragon84 on May 25, 2012, 04:38:51 AM
imunitet and Panda did find this:

http://virusremoval.info/Remove/Trojan/TrojanHorse/Trojan.aspx?name=Trojan.Generic.KDV.102762

Title: Re: Anyone else get this malware email?
Post by: theymos on May 25, 2012, 05:53:31 AM
It just displayed gibberish when I opened it in Office 2007. Didn't touch any files. Maybe it targets some other vulnerable software.

Title: Re: Anyone else get this malware email?
Post by: Foxpup on May 25, 2012, 06:09:45 AM
Quote from: theymos on May 25, 2012, 05:53:31 AM
It just displayed gibberish when I opened it in Office 2007. Didn't touch any files. Maybe it targets some other vulnerable software.

It's a Win32 executable, not an Office file. The vulnerable software it targets is Windows. ;)

Title: Re: Anyone else get this malware email?
Post by: ZodiacDragon84 on May 25, 2012, 06:13:18 AM
It is hiding a trojan. Out of the 32 scans I ran, it only popped up in 2 of them. All the appropriate information is posted in my previous posts links.

Title: Re: Anyone else get this malware email?
Post by: rjk on May 25, 2012, 12:50:20 PM
A form grabber. Interesting.

Title: Re: Anyone else get this malware email?
Post by: Graet on May 27, 2012, 03:24:34 AM
http://anubis.iseclab.org/
Anubis: Analyzing Unknown Binaries, rather useful site too :)

Title: Re: Anyone else get this malware email?
Post by: rjk on May 27, 2012, 03:45:19 AM
Quote from: Graet on May 27, 2012, 03:24:34 AM
http://anubis.iseclab.org/
Anubis: Analyzing Unknown Binaries, rather useful site too :)
Cool site! Analysis of this particular sample: http://anubis.iseclab.org/?action=result&task_id=10628d7019a46f47405a49a63bcc93a25

It appears to be a trojan that does keylogging, and installs a reverse shell or VNC-type program. It does 2 DNS lookups and a few http connections, all shown in the report.

Here is the beginning of the text report, not all of it will fit due to forum limits on the amount of text in one post:
Code:
                           ___                __    _                          
         +  /-            /   |  ____  __  __/ /_  (_)____       -\  +         
        /s  h-           / /| | / __ \/ / / / __ \/ / ___/       -h  s\        
        oh-:d/          / ___ |/ / / / /_/ / /_/ / (__  )        /d:-ho        
        shh+hy-        /_/  |_/_/ /_/\__,_/_.___/_/____/        -yh+hhs        
      -:+hhdhyys/-                                           -\syyhdhh+:-      
    -//////dhhhhhddhhyss-       Analysis Report       -ssyhhddhhhhhd\\\\\\-    
   /++/////oydddddhhyys/     ooooooooooooooooooooo     \syyhhdddddyo\\\\\++\   
 -+++///////odh/-                                             -+hdo\\\\\\\+++- 
 +++++++++//yy+/:                                             :\+yy\\+++++++++ 
/+soss+sys//yyo/os++o+:                                 :+o++so\oyy\\sys+ssos+\
+oyyyys++o/+yss/+/oyyyy:                               :yyyyo\+\ssy+\o++syyyyo+
+oyyyyyyso+os/o/+yyyyyy/                               \yyyyyy+\o\so+osyyyyyyo+


[#############################################################################]
    Analysis Report for Invitation of Ecurrency Conference.xls.scr.xls
                   MD5: 9c1f40c32a7f32c7e59396986098afef
[#############################################################################]

Summary: 
    - Write to foreign memory areas: 
        This executable tampers with the execution of another process.

    - Packed Binary: 
        This executable is protected with a packer in order to prevent it 
        from being reverse engineered.

    - Execution did not terminate correctly: 
        The executable crashed.

    - Autostart capabilities: 
        This executable registers processes to be executed at system start.
        This could result in unwanted actions to be performed automatically.

    - Changes security settings of Internet Explorer:
        This system alteration could seriously affect safety surfing the World
        Wide Web.

    - Performs File Modification and Destruction:
        The executable modifies and destructs files which are not temporary.

    - Spawns Processes:
        The executable produces processes during the execution.

    - Performs Registry Activities:
        The executable creates and/or modifies registry entries.                       

Title: Re: Anyone else get this malware email?
Post by: ZodiacDragon84 on May 27, 2012, 08:40:43 PM
Thank you for adding! I always love new tools in my arsenal


Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines