May 31, 2013Dancho Danchev By Dancho Danchev
 

Fake ‘Vodafone U.K Images’ themed malware serving spam campaign circulating in the wild

We have just intercepted yet another spamvertised malware serving campaign, this time impersonating Vodafone U.K, in an attempt to trick the company’s customers into thinking that they’ve received an image. In reality, once users execute the malicious attachments, their PCs automatically join the botnet operated by the cybercriminal.

More details:

Detection rate for the malicious executable – MD5: 4e148480749937acef8a7d9bc0b3c8b5 – detected by 25 out of 47 antivirus scanners as VirTool:Win32/Obfuscator.ACP; Backdoor.Win32.Androm.sed.

Once executed, the sample creates an Alternate Data Stream (ADS) – C:Documents and SettingsUserApplication Datadbgbsheshabeegeg.exe:Zone.Identifier, as well as installs itself at Windows startup.

It then creates the following files on the affected hosts:
C:Documents and SettingsUserApplication Datadbgbsheshabeegeg.exe
C:DOCUME~1UserLOCALS~1TempIMG.JPEG.exe
C:WINDOWSRegistrationR000000000007.clb
C:WINDOWSsystem32wbemwbemdisp.TLB

And the following Mutexes:
3161B74B4743E1643757A7220636106970144646
CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004

It then phones back to the following C&C server:
hxxp://85.143.166.158/fexco/com/index.php

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

Share Button
1 comments
schultzybeckett
schultzybeckett

After you have worked with people a while, they may become your friends. Then you have friends from church, from your school, and friends you have met in a wide variety of ways. Social networking sites are about being social, so there are sites purely for allowing users to stay in touch with people whom they know

Schultzy http://www.fixithere.net/o2-customer-services/

true