chimaera

Sunday, 12 July 2009, 13:16

Warning: Trojan from greetingcard.org now also in other mails ...

hmm...

just stumbled over this ...
the "greetingcard" mails have now turned into "you have a message" mails.

Quote


A new wave of e-card malspam is going out. The e-mail arrives spoofed as 123greetings.com and installs XP Antivirus 2009 once on the computer.

E-mail Body:

Good day.

You have received an eCard
To pick up your eCard, choose from any of the following options:
Click on the following link (or copy & paste it into your web browser):

hxxp://ospetroglifos.com/e-card.exe

Your card will be available for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up!
We hope you enjoy you eCard.
Thank You!

File Details:

File Name: e-card.exe

MD5: 51c2c1e82bc8c89dd831494689341147

SHA-1: 4e8e072659d6762dd41fc66b4f8c606e46d4b013

File Size: 44544 Bytes

Registry Values Modified:

Location: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Key name: braviax

Value: C:\WINDOWS\system32\braviax.exe

Location: HKLM\System\CurrentControlSet\Control\Session Manager

Key name: PendingFileRenameOperations

Value: 0x5c003f003f005c0043003a005c00570049004e0044004f00570053005c00

File Modifications:

Creates:

C:\WINDOWS\system32\braviax.exe

C:\WINDOWS\system32\dllcache\beep.sys

C:\WINDOWS\system32\dllcache\figaro.sys

C:\WINDOWS\system32\drivers\beep.sys (26k) <-- this file prevents most anti-malware products from working correctly.

C:\exec\delself.bat

ariw.pif
beep.sys
brastk.exe
braviax.exe
dodyjuku.pif
dysigajy._sy
e-card.exe
hynury.vbs
karna.dat
osyji.exe
unofa.sys
wini10581.exe
xyqa.vbs

Modifies:

C:\WINDOWS\system32\braviax.exe

C:\WINDOWS\system32\dllcache\beep.sys

C:\WINDOWS\system32\dllcache\figaro.sys

C:\WINDOWS\system32\drivers\beep.sys

C:\exec\delself.bat

PIPE\SfcApi

Connects to:
hxxp://do-scan-progress.com/?wmid=1058&l=33&it=2&s=1

1 200 HTTP www.xp-antispyware2009.com/binary/Binaries1.cab
2 200 HTTP www.xp-antispyware2009.com/binary/Binaries2.cab
3 200 HTTP www.xp-antispyware2009.com/binary/Binaries3.cab
4 200 HTTP do-monster-scan.com/update_inst.php?wmid=1058&subid={ID}&pid=33&lid=2&hs={ID}

Downloads to:

%System%\wini10581.exe (8A5B2A376AFD54E9B04599A4BC43AA07)
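The quoted report is a flat list of indicators; to be useful on the defending side it has to be turned into something that can be run against a host or a DNS log. The following script is an added example, not part of the forum post or of the quoted report: the hashes, file paths, Run entry and URLs are copied from the report above, while the `host_from_indicator` and `match_iocs` functions and the two host snapshots at the bottom (with placeholder hash values) are constructed for the demonstration.

```python
"""Turn the indicators from the quoted report into a host/DNS triage check.

Added example, not part of the forum post or the quoted report. The
indicator values (hashes, file paths, Run entry, URLs) are copied from the
report above; the two host snapshots at the bottom are constructed for the
demonstration and their non-report hash values are placeholders.
"""
from urllib.parse import urlparse

# --- indicators copied from the quoted report ---------------------------------
IOC_MD5 = {
    "51c2c1e82bc8c89dd831494689341147": "e-card.exe",
    "8a5b2a376afd54e9b04599a4bc43aa07": "wini10581.exe",
}

# Persistence entry: (value name, data) under HKLM\...\CurrentVersion\Run.
IOC_RUN_ENTRIES = {("braviax", r"c:\windows\system32\braviax.exe")}

# Dropped files that are safe to match on path alone. beep.sys is deliberately
# left out: drivers\beep.sys is a legitimate Windows driver path and the report
# gives no hash for the replaced copy, so path-only matching would be noisy.
IOC_PATHS = {
    r"c:\windows\system32\braviax.exe",
    r"c:\windows\system32\dllcache\figaro.sys",
    r"c:\exec\delself.bat",
}

# URLs as they appear in the report (de-fanged hxxp:// and scheme-less forms).
IOC_URLS = [
    "hxxp://ospetroglifos.com/e-card.exe",
    "hxxp://do-scan-progress.com/?wmid=1058&l=33&it=2&s=1",
    "www.xp-antispyware2009.com/binary/Binaries1.cab",
    "do-monster-scan.com/update_inst.php?wmid=1058&subid={ID}&pid=33&lid=2&hs={ID}",
]


def host_from_indicator(url: str) -> str:
    """Hostname of a report URL; accepts de-fanged (hxxp) and scheme-less forms."""
    fixed = url.replace("hxxp://", "http://").replace("hxxps://", "https://")
    if "://" not in fixed:
        fixed = "http://" + fixed
    return (urlparse(fixed).hostname or "").lower()


IOC_DOMAINS = {host_from_indicator(u) for u in IOC_URLS}


def match_iocs(host: dict) -> list:
    """Return one line per indicator hit in a host snapshot.

    `host` has three optional lists: "run" of (value name, data) tuples from the
    Run key, "files" of (path, md5 hex) tuples, and "dns" of queried hostnames.
    Matching is case-insensitive because NTFS paths and registry names are.
    A hash match is reported in preference to a path match for the same file.
    """
    hits = []
    for name, data in host.get("run", []):
        if (name.lower(), data.lower()) in IOC_RUN_ENTRIES:
            hits.append(f"run-key: {name} -> {data}")
    for path, md5 in host.get("files", []):
        if md5.lower() in IOC_MD5:
            hits.append(f"hash: {path} is {IOC_MD5[md5.lower()]} (MD5 match)")
        elif path.lower() in IOC_PATHS:
            hits.append(f"path: {path}")
    for name in host.get("dns", []):
        if name.lower() in IOC_DOMAINS:
            hits.append(f"dns: {name}")
    return hits


# --- constructed host snapshots (not from the report) -------------------------
CLEAN_HOST = {
    "run": [("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe")],
    "files": [(r"C:\WINDOWS\system32\drivers\beep.sys", "11" * 16)],  # placeholder hash
    "dns": ["www.example.com"],
}
INFECTED_HOST = {
    "run": [("braviax", r"C:\WINDOWS\System32\braviax.exe")],
    "files": [
        (r"C:\Temp\e-card.exe", "51C2C1E82BC8C89DD831494689341147"),  # MD5 from the report
        (r"C:\WINDOWS\system32\braviax.exe", "00" * 16),               # placeholder hash
        (r"C:\WINDOWS\system32\drivers\beep.sys", "22" * 16),          # placeholder hash
    ],
    "dns": ["do-scan-progress.com", "www.example.com"],
}

if __name__ == "__main__":
    for label, snapshot in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        print(label, match_iocs(snapshot) or "no indicators matched")
```

The point of the `beep.sys` exclusion is the practical one: the report says the dropped `drivers\beep.sys` is what disables anti-malware products, but the same path exists on every clean Windows install, so a path-only rule for it would flag every host. Without a hash for the replaced copy, the file is better confirmed by checking its signature or size (the report notes 26k) rather than by its presence.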

