By Dancho Danchev

The gang of cybercriminals behind the ‘Magic Malware‘ has launched yet another malicious spam campaign, attempting to trick U.K users into thinking they’ve received a notification for a “New MMS” message. In reality, once users execute the malicious attachment, it will download and drop additional malware on the affected hosts, giving the cybercriminals behind the campaign complete access to the affected host.

More details:

Detection rate for the spamvertised archive: MD5: d55f732cc41eaadca1c58b4c3d07e431 – detected by 8 out of 46 antivirus scanners as UDS:DangerousObject.Multi.Generic.

Once executed it phones back to:
hxxp:// – ( – Email:

We are aware of two more registered malicious domains using the same email (, dating back to 2010: – back then used to respond to – back then used to respond to

Responding to the same IP ( is also the following domain

Detection rate for the dropped _load.exeMD5: bcadffb2117751fb89a4bb8768681030 – detected by 10 out of 46 antivirus scanners as Trojan.Win32.Generic!BT. It’s interesting to point out that the malware’s PE signature block refers to our colleagues at Mandiant.

Once executed the dropped sample phones back to the following C&C servers:

Another MD5 is known to have phoned back to the same IP ( MD5: 80b3735863cc59d3edc6e7331a231c88.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This