SANS ISC: InfoSec Handlers Diary Blog

Published: 2007-02-11
Last Updated: 2007-02-11 20:35:43 UTC
by donald smith (Version: 4)
Megel, an Internet Storm Center contributor, alerted us to a new German spam run carrying a file that claims to be a PDF but is really a downloader. He started seeing this file arrive via email Friday AM.
The message is basically a "thank you for your order, read the enclosed PDF for details" type message. Not very original or new, but it must work or the hackers would quit using this approach.

Text from one sample message (translated here from the German original; the download link was already missing from the sample as received):

Good day,
Thank you very much for your order!
The goods you ordered are fully in stock and will be shipped to you immediately
by the logistics department.
Attached you will find your quote/order in PDF format with document no.
Open the attached PDF files with Acrobat Reader. You can download it free of charge from
To ensure your queries are handled as quickly as possible,
please always quote your customer number 77316 and
document number [3816712] with any query.

Thank you
Kind regards
Eberhard Schmidt
TMS Logistik GmbH

Call Center:
tel (0180) 31 57 16 21 - 0,09 EUR/min from the German landline network/T-Com
fax (030) 90 16 - 29 19

Berlin branch
Albrechstrasse 117
D-01271 Berlin
In a nutshell - your advantages as a TMS Logistik customer

o 14-day right of return for new goods in original packaging
o Advice from our specialist sales staff
o Transparent pricing and availability display
o All-round protection through an optional service package
o Free parking
o Convenient delivery by us or by DHL
o Free 80-page complete catalogue - also by post to your home
TMS Logistik - successful in Berlin for 12 years

Results from VirusTotal show it is detected by some AV engines, but mostly generically, as some type of downloader.

Antivirus      Version         Update      Result
AntiVir                        02.09.2007  TR/Dldr.iBill.L
Authentium     4.93.8          02.09.2007  W32/Downloader.BBAV
Avast          4.7.936.0       02.11.2007  no virus found
AVG            386             02.10.2007  Generic3.SE
BitDefender    7.2             02.11.2007  no virus found
CAT-QuickHeal  9.00            02.09.2007  (Suspicious) - DNAScan
ClamAV         devel-20060426  02.11.2007  Trojan.Downloader-1405
DrWeb          4.33            02.11.2007  Trojan.DownLoader.18372
eSafe                          02.09.2007  no virus found
eTrust-Vet     30.4.3384       02.10.2007  no virus found
Ewido          4.0             02.11.2007  no virus found
Fortinet                       02.11.2007  DwnLdr.GAI!tr
F-Prot                         02.09.2007  W32/Downloader.BBAV
F-Secure       6.70.13030.0    02.10.2007  Trojan-Downloader.Win32.Nurech.aj
Ikarus         T3.1.0.31       02.11.2007  Trojan-Downloader.Win32.BBAV
Kaspersky                      02.11.2007  Trojan-Downloader.Win32.Nurech.aj
McAfee         4960            02.09.2007  New Win32
Microsoft      1.2204          02.11.2007  no virus found
NOD32v2        2052            02.11.2007  no virus found
Norman         5.80.02         02.09.2007  no virus found
Panda                          02.11.2007  Suspicious file
Prevx1         V2              02.11.2007  no virus found
Sophos         4.13.0          02.08.2007  no virus found
Sunbelt        2.2.907.0       02.09.2007  VIPRE.Suspicious
Symantec       10              02.11.2007  no virus found
TheHacker                      02.11.2007  Trojan/Downloader.Nurech.aj
UNA            1.83            02.09.2007  no virus found
VBA32          3.11.2          02.10.2007  no virus found
VirusBuster    4.3.19:9        02.10.2007  no virus found

Additional Information
File size: 8522 bytes
MD5: 5da184f16450d90b4c4fbec26d559130
SHA1: 16e5b73c82baad5a765123133ef87707e311d8da
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics
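The security point of this diary is that the attachment's claimed type and its real type disagree. As an added example (not code from the diary or from any of the vendors listed), the following Python shows the check a mail gateway can apply: compare the type implied by the filename with the file's leading magic bytes, and compare its hashes with the MD5/SHA1 listed above. The attachment bytes and filenames here are constructed; the only real values are the two hashes copied from the diary.

```python
import hashlib

# Hashes of the fake "PDF" downloader, copied from the diary above.
KNOWN_BAD_MD5 = {"5da184f16450d90b4c4fbec26d559130"}
KNOWN_BAD_SHA1 = {"16e5b73c82baad5a765123133ef87707e311d8da"}

# Leading bytes that identify the container types we care about.
MAGIC = {
    "pdf": b"%PDF-",
    "exe": b"MZ",      # DOS/PE executable header
}

# Extensions Windows will execute regardless of the icon the file shows.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd"}


def sniff_type(data: bytes) -> str:
    """Type implied by the first bytes of the content, or 'unknown'."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def claimed_type(filename: str) -> str:
    """Type implied by the final extension of the filename, or 'unknown'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "pdf":
        return "pdf"
    if ext in EXECUTABLE_EXTENSIONS:
        return "exe"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict plus the reasons; 'block' if anything looks wrong."""
    md5 = hashlib.md5(data).hexdigest()
    sha1 = hashlib.sha1(data).hexdigest()
    claimed, sniffed = claimed_type(filename), sniff_type(data)
    reasons = []
    if md5 in KNOWN_BAD_MD5 or sha1 in KNOWN_BAD_SHA1:
        reasons.append("hash matches the known downloader")
    if claimed == "pdf" and sniffed != "pdf":
        reasons.append(f"filename claims PDF but content looks like {sniffed}")
    if sniffed == "exe":
        reasons.append("content is a Windows executable")
    if ".pdf." in filename.lower():
        reasons.append("double extension")
    return {
        "filename": filename, "md5": md5, "sha1": sha1,
        "claimed": claimed, "sniffed": sniffed,
        "verdict": "block" if reasons else "allow", "reasons": reasons,
    }


# Constructed samples (not the real files): a PE-looking blob named like a
# PDF, and a genuine-looking PDF header. The filename mirrors the lure's
# document number but is an assumption, not the real attachment name.
FAKE_PDF = b"MZ\x90\x00" + b"\x00" * 60 + b"constructed stand-in for the downloader"
REAL_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"

if __name__ == "__main__":
    for name, blob in (("Beleg_3816712.pdf", FAKE_PDF), ("Beleg_3816712.pdf", REAL_PDF)):
        r = check_attachment(name, blob)
        print(f"{name}: {r['verdict']} {r['reasons']}")
```

The hash lookup only catches this exact sample; the magic-byte mismatch and the executable-content rule are what catch the next re-packed variant, which is why they sit in the same function rather than relying on the hash list alone.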

This downloader grabs k91.exe from the site wwwdotsapervertydotbz (domain deliberately mangled).
DanielW noticed that this one may have VMware detection: "It silently terminated" when he tested it.

Antivirus      Version         Update      Result
AntiVir                        02.09.2007  HEUR/Malware
Authentium     4.93.8          02.09.2007  W32/Trojan.XUM
Avast          4.7.936.0       02.11.2007  Win32:Agent-ENV
AVG            386             02.10.2007  Generic3.AC
BitDefender    7.2             02.11.2007  Trojan.Spy.Goldun.HO
CAT-QuickHeal  9.00            02.09.2007  no virus found
ClamAV         devel-20060426  02.11.2007  Trojan.Spy-734
DrWeb          4.33            02.11.2007  no virus found
eSafe                          02.09.2007  no virus found
eTrust-Vet     30.4.3384       02.10.2007  Win32/Brospy.ED
Ewido          4.0             02.11.2007  Trojan.Agent.aeq
Fortinet                       02.11.2007  no virus found
F-Prot                         02.09.2007  W32/Trojan.XUM
F-Secure       6.70.13030.0    02.10.2007  Trojan.Win32.Agent.aeq
IkarusT                        02.11.2007  Trojan-Spy.Win32.Goldun.lw
Kaspersky                      02.11.2007  Trojan.Win32.Agent.aeq
McAfee         4960            02.09.2007  no virus found
Microsoft      1.2204          02.11.2007  no virus found
NOD32v2        2053            02.11.2007  Win32/Spy.BZub.NCU
Norman         5.80.02         02.09.2007  W32/Malware.JRO
Panda                          02.11.2007  no virus found
Prevx1         V2              02.11.2007  no virus found
Sophos         4.13.0          02.08.2007  Troj/Deldo Gen
Sunbelt        2.2.907.0       02.09.2007  no virus found
Symantec       10              02.11.2007  no virus found
TheHacker                      02.11.2007  no virus found
UNA            1.83            02.09.2007  no virus found
VBA32          3.11.2          02.10.2007  Trojan.Win32.Spy.BZub.NCU
VirusBuster    4.3.19:9        02.10.2007  no virus found

Decoding Diyer's ASCII bypass

Published: 2007-02-11
Last Updated: 2007-02-11 14:45:04 UTC
by donald smith (Version: 1)
A user wrote in that he was seeing some exploit sites using the "cooldiyer" ASCII encoding to bypass web filtering.
The user's question was: how can I decode these?

Thanks to DanielW another handler we have an answer.
"This one is very straightforward to decode - all you have to do is convert it into 7-bit ASCII or clear the highest bit with some Perl-Fu like cat gamefile.htm | perl -pe 's/(.)/chr(ord($1)&127)/ge'.
This is what they do with the HTML line above the code block as well (charset US-ASCII is 7-bit). The decoded URL is a plain ordinary MS.XMLHTTP exploit which tries to download svc.exe, but this file is no longer there."

I do want to warn users: sites using this are mostly BAD sites with malware and exploits on them. Be very careful about any sites you find using this, as they could have an exploit for your web browser/OS that you have no defenses against.
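The decoding step DanielW describes, together with the check a web filter or IDS should perform on such pages, as an added Python example that is not part of the diary: mask every byte to 7 bits (the same operation as the Perl one-liner above) before matching signatures, and treat a page in which most bytes have the high bit set while nothing matches raw as suspect. The obfuscated sample is constructed here from a harmless script fragment, and the signature strings are assumptions of this example, not taken from the original exploit page.

```python
# Constructed sample: a harmless script line, and the same bytes with the high
# bit set on every byte, which is how the "cooldiyer" pages appear on the wire.
PLAIN_SNIPPET = b'<script>var x = new ActiveXObject("Microsoft.XMLHTTP");</script>\n'
OBFUSCATED = bytes(b | 0x80 for b in PLAIN_SNIPPET)

# Assumed signatures a filter might carry; not taken from the exploit page.
SIGNATURES = [b"<script", b"ActiveXObject", b"Microsoft.XMLHTTP"]


def clear_high_bit(data: bytes) -> bytes:
    """Same operation as perl -pe 's/(.)/chr(ord($1)&127)/ge': keep 7 bits per byte."""
    return bytes(b & 0x7F for b in data)


def match_signatures(data: bytes, sigs=SIGNATURES) -> list:
    """Plain substring matching, the way a naive filter does it."""
    return [s.decode("ascii") for s in sigs if s in data]


def scan(data: bytes) -> dict:
    """Match raw and normalized content, and flag high-bit obfuscation."""
    raw_hits = match_signatures(data)
    normalized_hits = match_signatures(clear_high_bit(data))
    high = sum(1 for b in data if b & 0x80)
    ratio = high / len(data) if data else 0.0
    return {
        "raw_hits": raw_hits,
        "normalized_hits": normalized_hits,
        "high_bit_ratio": round(ratio, 2),
        # Mostly 8-bit bytes yet nothing matched raw: the browser will read it
        # as 7-bit ASCII, so the filter must normalize before it matches.
        "suspicious_encoding": ratio > 0.5 and not raw_hits,
    }


if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_SNIPPET), ("obfuscated", OBFUSCATED)):
        print(label, scan(blob))
```

A filter that only matches the raw bytes sees none of the three signatures in the obfuscated sample; after clear_high_bit it sees all three, which is the whole trick the bypass relies on.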