Detection rate for the malicious attachment:<\/strong> Upon execution, the sample creates the following processess on the affected hosts:<\/strong> The following Registry Keys:<\/strong> The following Registry Values:<\/strong> As well as the following Mutexes:<\/strong> It then phones back to hxxp:\/\/85.214.143.90:8080\/DPNilBA\/ue1elBAAAA\/tlSHAAAAA\/<\/strong> and to hxxp:\/\/91.121.90.92:8080\/AJtw\/UCyqrDAA\/Ud+asDAA\/<\/strong><\/p>\n We’ve already seen the same C&C (85.214.143.90<\/strong>) used in a previously profiled malicious campaign:<\/p>\n Users are advised to avoid interacting with these emails, and to be extra vigilant for similar social engineering driven malicious campaigns.<\/p>\n Webroot\u00a0SecureAnywhere<\/a><\/strong>\u00a0users are proactively protected from this threat.<\/p>\n You can find more about Dancho\u00a0Danchev at his\u00a0LinkedIn Profile<\/strong><\/a>. You can also\u00a0follow him on \u00a0Twitter<\/strong><\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":" We have recently intercepted a malicious spam campaign, that’s attempting to trick users into thinking that they’ve received a non-existent “changelog.” Once gullible and socially engineered users execute the malicious attachment, their PCs automatically become part of the botnet operated by the cybercriminal\/gang of cybercriminals. More details:<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[5593,3881,11559,13961,4065,5723,12733,4501,3875,3529],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/10294"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=10294"}],"version-history":[{"count":2,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/10294\/revisions"}],"predecessor-version":[{"id":25643,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/10294\/revisions\/25643"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=10294"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=10294"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=10294"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=10294"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"Email_Spam_Malware_Malicious_Software_Social_Engineering_Changelog\"](\"http:\/\/webrootblog.files.wordpress.com\/2013\/03\/email_spam_malware_malicious_software_social_engineering_changelog.png\")
<\/a><\/p>\n
\nMD5: e01ea945b8d055c5c115ab58749ac502<\/strong><\/a> – detected by 23 out of 46 antivirus scanners as Worm:Win32\/Cridex.E.<\/p>\n
\nC:WINDOWSsystem32cmd.exe” \/c “C:DOCUME~1<USER>~1LOCALS~1Tempexp1.tmp.bat<\/em>
\nC:Documents and Settings<USER>Application DataKB00927107.exe<\/em><\/p>\n
\nHKEY_CURRENT_USERSoftwareMicrosoftWindows NTCFBDC89D4<\/em>
\nHKEY_CURRENT_USERSoftwareMicrosoftWindows NTS25BC2D7B<\/em><\/p>\n
\n[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun] -> KB00121600.exe = “”%AppData%KB00121600.exe””<\/em><\/p>\n
\nLocalXMM000003F0<\/em>
\nLocalXMM00000200<\/em>
\nLocalXMM000003F8<\/em>
\nLocalXMI000003F8<\/em>
\nLocalXMRFB119394<\/em>
\nLocalXMM000005E4<\/em>
\nLocalXMI000005E4<\/em>
\nLocalXMM0000009C<\/em>
\nLocalXMI0000009C<\/em>
\nLocalXMM000000C8<\/em>
\nLocalXMI000000C8<\/em><\/p>\n\n
\n<\/span><\/li>\n<\/ul>\n