Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: German spam with malware link - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
German spam with malware link
We've received a report that a spam is making the rounds, it's in German, has the Subject "Fand ich Sie zufallig!". According to the automated malware analysis we received from Sven Marten, at the link in the email one obtains 2 pieces of malware, the first of which has sporadic AV detection at the moment. The second looks to be a Riler variant. Thanks Sven! His email to us says;

"The attached file contains an email that has been spammed into my mailbox >100 times this evening, so it aroused my interest. if one wgets the link in it one finds fotoalbum.exe which virustotal identifies as

+++

Complete scanning result of "fotoalbum.exe", received in VirusTotal at 02.19.2007, 23:56:16 (CET).

Antivirus Version Update Result
AntiVir 7.3.1.37 02.19.2007 HEUR/Crypted
Authentium 4.93.8 02.19.2007 W32/Downloader.gen10
Avast 4.7.936.0 02.19.2007 no virus found
AVG 386 02.19.2007 no virus found
BitDefender 7.2 02.19.2007 DeepScan:Generic.Malware.dld!!.7F0C2515
CAT-QuickHeal 9.00 02.19.2007 (Suspicious) - DNAScan
ClamAV devel-20060426 02.19.2007 no virus found
DrWeb 4.33 02.19.2007 no virus found
eSafe 7.0.14.0 02.19.2007 no virus found
eTrust-Vet 30.4.3412 02.19.2007 no virus found
Ewido 4.0 02.19.2007 no virus found
FileAdvisor 1 02.20.2007 no virus found
Fortinet 2.85.0.0 02.19.2007 suspicious
F-Prot 4.2.1.29 02.19.2007 W32/Downloader.gen10
F-Secure 6.70.13030.0 02.19.2007 Trojan-Downloader.Win32.Tiny.ft
Ikarus T3.1.0.31 02.19.2007 Win32.SuspectCrc
Kaspersky 4.0.2.24 02.19.2007 Trojan-Downloader.Win32.Tiny.ft
McAfee 4966 02.19.2007 no virus found
Microsoft 1.2204 02.19.2007 no virus found
NOD32v2 2070 02.19.2007 Win32/TrojanDownloader.Tiny.NCF
Norman 5.80.02 02.19.2007 W32/Downloader
Panda 9.0.0.4 02.19.2007 Suspicious file
Prevx1 V2 02.20.2007 no virus found
Sophos 4.14.0 02.19.2007 no virus found
Sunbelt 2.2.907.0 02.17.2007 no virus found
Symantec 10 02.19.2007 no virus found
TheHacker 6.1.6.060 02.19.2007 no virus found
UNA 1.83 02.19.2007 no virus found
VBA32 3.11.2 02.19.2007 suspected of Win32.Trojan.Downloader (http://...)
VirusBuster 4.3.19:9 02.19.2007 no virus found

Aditional Information
File size: 2108 bytes
MD5: 4b86679ded1718aac5f5bc4840da3e75
SHA1: f42d7eb0934388d65364d212735aae65db26cd5e

norman sandbox: [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 2108 bytes.

[ Changes to filesystem ]
* Creates file C:WINDOWSTEMPzc2.exe.
[ Network services ]

**WARNING MALWARE AT THE FOLLOWING**

* Downloads file from http://win20all.com/ar/zc2.exe as C:WINDOWSTEMPzc2.exe.
* Connects to "win20all.com" on port 80 (TCP).
* Opens URL: win20all.com/ar/zc2.exe.

[ Security issues ]

* Starting downloaded file - potential security problem.

+++

and if one now takes a look at .... zc2.exe it gives us this littly nicety:

+++

Complete scanning result of "zc2.exe", received in VirusTotal at 02.20.2007, 00:09:26 (CET).

Antivirus Version Update Result
AntiVir 7.3.1.37 02.19.2007 TR/Cimuz.B
Authentium 4.93.8 02.19.2007 W32/Cimuz.gen1@dr
Avast 4.7.936.0 02.19.2007 Win32:Agent-ENM
AVG 386 02.19.2007 Proxy.KMB
BitDefender 7.2 02.19.2007 Trojan.Cimuz.J
CAT-QuickHeal 9.00 02.19.2007 no virus found
ClamAV devel-20060426 02.19.2007 no virus found
DrWeb 4.33 02.19.2007 no virus found
eSafe 7.0.14.0 02.19.2007 Win32.Agent.ly
eTrust-Vet 30.4.3412 02.19.2007 Win32/Difisim!generic
Ewido 4.0 02.19.2007 Proxy.Agent.ly
FileAdvisor 1 02.20.2007 no virus found
Fortinet 2.85.0.0 02.19.2007 W32/Cimuz.BP!tr
F-Prot 4.2.1.29 02.19.2007 W32/Cimuz.gen1@dr
F-Secure 6.70.13030.0 02.19.2007 Trojan-Proxy.Win32.Agent.ly
Ikarus T3.1.0.31 02.19.2007 Trojan-Proxy.Win32.Agent.ly
Kaspersky 4.0.2.24 02.19.2007 Trojan-Proxy.Win32.Agent.ly
McAfee 4966 02.19.2007 Proxy-Agent.o
Microsoft 1.2204 02.19.2007 no virus found
NOD32v2 2070 02.19.2007 Win32/TrojanProxy.Cimuz.NAF
Norman 5.80.02 02.19.2007 W32/Agent.BBAA
Panda 9.0.0.4 02.19.2007 Trj/Cimuz.CZ
Prevx1 V2 02.20.2007 Malicious
Sophos 4.14.0 02.19.2007 Troj/Cimuz-BP
Sunbelt 2.2.907.0 02.17.2007 no virus found
Symantec 10 02.20.2007 Trojan.Riler.F
TheHacker 6.1.6.060 02.19.2007 Trojan/Proxy.Agent.ly
UNA 1.83 02.19.2007 TrojanProxy.Win32.Agent.694F
VBA32 3.11.2 02.19.2007 Trojan-Proxy.Win32.Agent.ly
VirusBuster 4.3.19:9 02.19.2007 Trojan.PR.Agent.SCN

Aditional Information
File size: 69632 bytes
MD5: d4862ca3b6f481141a2f3375ee237c81
SHA1: 97fc4d68b2432a2d0e7dd7750b67f3e4b0d9c166
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=0bc376578083
 Patrick

193 Posts
Feb 19th 2007
Thread locked Subscribe Feb 19th 2007
1 decade ago

Sign Up for Free or Log In to start participating in the conversation!