Anyone else get this malware email?

[theymos]

I received this file via email. I suspect it is malware -- possibly a wallet-stealer. Did anyone else get this?

http://www5.zippyshare.com/v/12732912/file.html (Warning: probable malware)

Invitation to ecurrency conference.

http:// asiaelektronik.com/docs/processdl.html

Please let us know if you interested.

Thanks & Regards

The ecurrency part makes me think it's targeted to Bitcoin users.

[1713892173]

1713892173

[1713892173]

1713892173

[1713892173]

1713892173

[ribuck]

I got it too. I deleted it without clicking, so I don't know where the link goes.

[rjk]

File ends in .xls.scr.xls. .scr is the same as .exe, used in screensavers but can do anything that a standard executable can do.

EDIT: https://www.virustotal.com/file/b50dd5b511934b97edf77f7611e5b007d330c6adfe68adeb167068a20b38409f/analysis/#additional-info

[ZodiacDragon84]

File ends in .xls.scr.xls. .scr is the same as .exe, used in screensavers but can do anything that a standard executable can do.

EDIT: https://www.virustotal.com/file/b50dd5b511934b97edf77f7611e5b007d330c6adfe68adeb167068a20b38409f/analysis/#additional-info

A screensaver miner maybe?

[rjk]

File ends in .xls.scr.xls. .scr is the same as .exe, used in screensavers but can do anything that a standard executable can do.

EDIT: https://www.virustotal.com/file/b50dd5b511934b97edf77f7611e5b007d330c6adfe68adeb167068a20b38409f/analysis/#additional-info

A screensaver miner maybe?

LOL well you are welcome to risk your wallet to find out. Don't say you weren't warned.

[ZodiacDragon84]

Truth be told, I ran it on my offline virtual machine, and I have no freaking Idea what it does.

[rjk]

Truth be told, I ran it on my offline virtual machine, and I have no freaking Idea what it does.

Run it in a VM with Sandboxie, with logging enabled. The Sandboxie logs will tell you all the files and registry objects that the programs touches, whether in a read or a write operation.

[ZodiacDragon84]

Give me a bit, and I will have a log ready as soon as I run it. Call it my White hat deed of the day...lol

Cant figure out how to make a log at moment, but none of my scans are showing really anything malicious.

multi scanner results

http://metascan.org/result.php?scan=MzkxODYx

[ZodiacDragon84]

imunitet and Panda did find this:

http://virusremoval.info/Remove/Trojan/TrojanHorse/Trojan.aspx?name=Trojan.Generic.KDV.102762

[theymos]

It just displayed gibberish when I opened it in Office 2007. Didn't touch any files. Maybe it targets some other vulnerable software.

[Foxpup]

It just displayed gibberish when I opened it in Office 2007. Didn't touch any files. Maybe it targets some other vulnerable software.

It's a Win32 executable, not an Office file. The vulnerable software it targets is Windows.

[ZodiacDragon84]

It is hiding a trojan. Out of the 32 scans I ran, it only popped up in 2 of them. All the appropriate information is posted in my previous posts links.

[rjk]

A form grabber. Interesting.

[Graet]

http://anubis.iseclab.org/
Anubis: Analyzing Unknown Binaries, rather useful site too

[rjk]

http://anubis.iseclab.org/
Anubis: Analyzing Unknown Binaries, rather useful site too

Cool site! Analysis of this particular sample: http://anubis.iseclab.org/?action=result&task_id=10628d7019a46f47405a49a63bcc93a25

It appears to be a trojan that does keylogging, and installs a reverse shell or VNC-type program. It does 2 DNS lookups and a few http connections, all shown in the report.

Here is the beginning of the text report, not all of it will fit due to forum limits on the amount of text in one post:

Code:

                           ___                __    _                          
         +  /-            /   |  ____  __  __/ /_  (_)____       -\  +         
        /s  h-           / /| | / __ \/ / / / __ \/ / ___/       -h  s\        
        oh-:d/          / ___ |/ / / / /_/ / /_/ / (__  )        /d:-ho        
        shh+hy-        /_/  |_/_/ /_/\__,_/_.___/_/____/        -yh+hhs        
      -:+hhdhyys/-                                           -\syyhdhh+:-      
    -//////dhhhhhddhhyss-       Analysis Report       -ssyhhddhhhhhd\\\\\\-    
   /++/////oydddddhhyys/     ooooooooooooooooooooo     \syyhhdddddyo\\\\\++\   
 -+++///////odh/-                                             -+hdo\\\\\\\+++- 
 +++++++++//yy+/:                                             :\+yy\\+++++++++ 
/+soss+sys//yyo/os++o+:                                 :+o++so\oyy\\sys+ssos+\
+oyyyys++o/+yss/+/oyyyy:                               :yyyyo\+\ssy+\o++syyyyo+
+oyyyyyyso+os/o/+yyyyyy/                               \yyyyyy+\o\so+osyyyyyyo+


[#############################################################################]
    Analysis Report for Invitation of Ecurrency Conference.xls.scr.xls
                   MD5: 9c1f40c32a7f32c7e59396986098afef
[#############################################################################]

Summary: 
    - Write to foreign memory areas: 
        This executable tampers with the execution of another process.

    - Packed Binary: 
        This executable is protected with a packer in order to prevent it 
        from being reverse engineered.

    - Execution did not terminate correctly: 
        The executable crashed.

    - Autostart capabilities: 
        This executable registers processes to be executed at system start.
        This could result in unwanted actions to be performed automatically.

    - Changes security settings of Internet Explorer:
        This system alteration could seriously affect safety surfing the World
        Wide Web.

    - Performs File Modification and Destruction:
        The executable modifies and destructs files which are not temporary.

    - Spawns Processes:
        The executable produces processes during the execution.

    - Performs Registry Activities:
        The executable creates and/or modifies registry entries.                        

[ZodiacDragon84]

Thank you for adding! I always love new tools in my arsenal