Death of Michael Jackson inspires spammers and malware distributors

Spammers and malware distributors are trying to take advantage of the death of Michael Jackson. Spammers are sending out email campaigns with a subject and/or body related to Michael Jackson, while malware distributors try to infect computers by offering a URL to a site that supposedly hosts a video of the death of the “King of Pop”. Here is a brief overview.

Canadian Pharmacy spam

One of the campaigns contains the subject “Michael Jackson dead? NO!!!” and the body content:

Michael Jackson dead? NO!!!
Open attached file and read!!!

The attachment itself appears to be harmless and contains the HTML refresh tag

<meta http-equiv='Refresh' content='0; url=hxxp://addfamous.com/' />

This will redirect your browser to the Canadian Pharmacy web site.
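A small detector for this kind of attachment, added here as an example and not code from MX Lab: it parses an HTML attachment and reports any meta refresh that sends the browser to an external site. The sample attachment and the domain pharmacy.example are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class MetaRefreshFinder(HTMLParser):
    """Collect the target URL of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        # content looks like "0; url=http://..." : delay first, then an optional url= part
        for part in a.get("content", "").split(";")[1:]:
            part = part.strip()
            if part.lower().startswith("url="):
                # also strip typographic quotes, which mail clients and copy/paste often introduce
                self.targets.append(part[4:].strip().strip("'\"\u2018\u2019"))


def meta_refresh_targets(html):
    """Return the list of URLs a meta refresh in this HTML would load."""
    p = MetaRefreshFinder()
    p.feed(html)
    p.close()
    return p.targets


def is_redirect_attachment(html):
    """True when the attachment's only job is to bounce the browser to an external http(s) site."""
    return any(urlparse(t).scheme in ("http", "https") for t in meta_refresh_targets(html))


# Constructed sample in the shape of the attachment described above (not the real one).
SAMPLE_ATTACHMENT = (
    "<html><head>"
    "<meta http-equiv='Refresh' content='0; url=http://pharmacy.example/' />"
    "</head><body></body></html>"
)
```

A mail gateway would run is_redirect_attachment over every text/html attachment and quarantine or tag messages where it returns True.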

Email harvesting

Another campaign aims to harvest email addresses. It is sent from a bogus email account, but the Reply-To address is a ***@live.com account. The email claims to have special and confidential information regarding the death of Michael Jackson. A sample of the content:

Confidential
Vital informations after the death of Michael Jackson’s I really need some one trusted & secretive to speak with with informations i have in my possession before its too late Kindly reply me and i will immediately respond back,Its for just secret between both of us

The call-to-action is to reply to this message. Doing so confirms to the spammer that the email has been received and read, and therefore that the address is active.

Malicious spam

This spam email offers a link to a YouTube video but actually sends the recipient to a Trojan Downloader hosted on a compromised web site. The file is Michael.Jackson.videos.scr. When it is downloaded and executed, three information-stealing components are downloaded and installed by the malware. One of the files has the name michael.gif and has a very low AV detection rate.

The malware then installs a malicious BHO (Browser Helper Object) registered from the file %windir%\Dynamic.dll. Another component is bound to startup at %windir%\system32\kproces.exe. A further malicious file installed by the malware is %windir%\system32\fotos.exe.

Upon executing the file, a legitimate Web site at http://musica.uol.com.br/ultnot/2009/06/25/michael-jackson.jhtm is opened by the default browser in order to distract the user by presenting a news article for them to read.

Virus Total permalink and MD5: 664cb28ef710e35dc5b7539eb633abca.

Student Loans

A spam with the subject and body content “Micheal Jackson History” (notice the wrong spelling of his first name) leads to hxxp://loansofworld.blogspot.com/. This message was sent through Google Groups.

Contact databases

An email with the subject “Michael Jackson: last farewell from DataForYou” is attracting readers with a subject related to Michael Jackson but instead offers contact databases.

Notice the TinyURL inside the email content, used to hide the direct link to the web site. TinyURL has already removed the URL, but this example shows that you need to be careful with URLs in emails where a service like TinyURL shortens the full URL. Our recommendation: use the preview feature first when you don’t trust the source.

Dear Sirs,
in our site you have access, through the cheapest prices you have ever seen,
to a vast database of international Companies, divided by region, province, city or area of activity.

The databases are divided into two broad categories.

Archives of International Companies with E-mai only

The archives are divided by country and include a list of e-mail only.
The archives are in TXT format and they are easy to be used because
this format is the typical one used for data import. You can also find
more than one email, relferring to different people working in the same
structure, for the Companies which have provided them.

International Archives of active domains with MX record only

The archives are divided by size and include a list of domains only.
The archives are in TXT format and they are easy to use because this
format is the typical one used for data iimport. All the domains have
an active MX record; this means that each domain is directly linked
with working email accounts.

Visit our site at
hxxp://tinyurl.com/infinitemail

Don’t lose this incredible opportunity for increment your business.

InfiniteMail

Customer Care

If you no longer want to receive our email reply here:
mailto:remove@mediasch0pping.com

National Survey Panel’s Gift Program

What killed Michael Jackson?

Press here:
hxxp://totjebiok.com/tr.php?72928+*****@*****.com

Tell us. Then complete the program requirements for a FREE 7 album collection of MJ’s solo career.

These guys are using the death of Michael Jackson to lure people into filling in personal information; in return you are promised his albums for free.

Postcard greetings leads to site that hosts malware

MX Lab intercepted a few samples of a new postcard greeting email with the subject “You received a new greeting!!”.

The body of the email:

You have just received a postcard Greeting from someone who cares about you…

Just click here to receive your Animated Greeting !

Thank you for using www.Greetings.com services !!!
Please take this opportunity to let your friends hear about us by sending them a postcard from our collection !

The message doesn’t contain any malware attached in a zip file, unlike the Hallmark eCard mailings and others, but there is a URL pointing directly to a malicious host: hxxp://webmail.*****.com.br/logs/Greeting.jpg. The threat is named VBS.Obfuscated-gen[Trj] when requesting the online Greetings.jpg file.

Set up notification from The Bat

Emails with the subject “TheBat Setup Notification” or “Outlook Express Setup Notification” carry malware as a zip attachment named client_update.zip. The extracted file client_update.exe is the trojan Mal/WaledPak-A (Sophos), W32/Trojan3.AYA (F-Prot), Trojan-Downloader.Win32.FraudLoad.epb (Kaspersky) or Win32/TrojanDownloader.Small.OPX (Norman).

The content of the email:

You have (9) message from TheBat.

Please re-configure your TheBat again.

Download attached setup file and install.

Virus Total permalink and MD5: c81ba436d85bba944adb74b86c90fae8.

Important Microsoft Security Update by email is malware

We all know by now, I do hope so, that Microsoft distributes its updates through the automatic update feature inside the Windows OS or via the Windows Update web site available in the Start menu. If you receive an email from Microsoft regarding an important security update that contains a link to some executable, you should be aware that this is malware.

MX Lab intercepted a new sample of such an email from “Microsoft Corporation <securitydept@microsoft.ssl.com>” with the subject “Important Windows Xp/Vista Security Update!”.

The message warns about a recent outbreak of the Conflicker worm that has infected 15 million Windows users and claims that this worm has already been updated and is harder to detect. The alleged security update notification recommends installing the removal tool remtool_conf.exe, which can be downloaded from hxxp://windowsupdate.microsoft.com.ssl3.pop3.ru/remtool_conf.exe.

In the email are clear instructions on how to install the remtool_conf.exe:

Usage Instructions:
download file
click remtool_conf.exe and let it scan..
you are advised to disable your already existing antivirus software prior to running the removal tool to avoid conflicts.

The message also points to an online article from February 2009 at Network World to give the reader the idea that this is a real threat. Well, the Conflicker worm is a threat, but this removal tool won’t come to the rescue when your computer is infected.

When analysing the malware we got the following installation screen with the title Symantec Trojan.Brisv.A Removal Tool 2.1.0.7 EULA.

The malware will create the following files:

%Temp%\nsf3.tmp\webexplorer.exe
%Programs%\Startup\winupdate.exe
%System%\fixbrisa.log

And a directory at:

%Temp%\nsf3.tmp

New processes will be started:

fixbrisa.exe
webexplorer.exe
ns9.tmp

The Windows process wscsvc, which is the Windows Security Center service, is stopped.

The host hxxp://makemymoneys.com/install/winupdate.exe is contacted. This is another malicious file of about 130 kB, known as Suspicious.MH690 by Symantec.

Phishing PayPal email includes web form

One of the latest phishing emails, with the subject “PayPal Forma ID PP697”, caught our attention because it included a complete HTML form inside the email. The phishing concerns a refund request, and the amount would supposedly be transferred to your credit card within 5 or 7 days.

The form entices you to submit not only your credit card details but also your email address and PayPal password. This could directly lead to the hijacking and abuse of your PayPal account.

The form sends the filled in details to the host hxxp://www.swisstools.net/mailform.asp and when processed it will redirect you to the Italian PayPal web site. When we tested this we got a Microsoft OLE DB Provider for ODBC Driver error as a result.

World Business Guide is using misleading marketing trick

Today, MX Lab received an email regarding the “World BusinessGuide” directory. At first sight there seems to be nothing wrong with the mailing, but when looking further there are some points that need your attention.

The message is from “World Business Register – info@easyhomecorporation.com” and has the subject “Business Registration 2009/2010”. The body of the email:

Ladies and Gentlemen.

In order to have your company inserted in the registry of World Businesses
for 2009/2010 edition, please print, complete and submit the enclosed
form (PDF file) to the following address:

WORLD BUSINESS GUIDE
P.O. Box 2021
3500 GA Utrecht
The Netherlands

email: register@wbgtoday.net
FAX: +31 20 524 8107

Updating is free of charge!

If you are not the intended recipient, please submit an email to
unsubscribe@wbgtoday.net
Your request shall be dealt with accordingly.

Attached is a PDF document that needs to be printed, filled in and sent to a PO Box address in The Netherlands.

When reading the PDF document carefully you can find the following:

I WILL HAVE AN INSERTION INTO ITS DATA BASE FOR THREE YEARS. THE PRICE PER YEAR IS EURO 995.

While the email itself states “Updating is free of charge!”, by signing the document you commit to paying € 995 each year for a minimum period of 3 years. This is quite misleading if you ask me.

A few more observations that should warn you about a possible scam:

  • the email is sent from easyhomecorporation.com, while there is no web site at that domain, so the registration of this domain is purely for spoofing the real origin.
  • more importantly, the document needs to be sent to a PO Box in The Netherlands, while according to the document the company is International Directories Group Ltd, located in Spain.

In the past we have received similar letters by regular post here in Belgium and some organisations like Unizo have instructions (in Dutch) on how to report the illegal and deceptive practices to the authorities.

If you have received such an email, or regular mail, don’t sign the document; send it to the trash or report it to your local authorities.

New ZBot trojan detected in UPS tracking emails

Email messages that appear to come from UPS, with the subject “Postal Tracking #FDD4Q22514LDU4N” and the attached file UPS_DOC_986001.zip, are part of a new malware distribution by email. MX Lab intercepted the first samples of a new variant that is only detected by 5 of the 40 AV engines of Virus Total.

The body of the email:

Hello!

We were not able to deliver postal package you sent on the 14th of March in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.

Your United Parcel Service of America

The trojan will create the following files:

%AppData%\wiaserva.log
%Temp%\WER699f.dir00\appcompat.txt
%Temp%\WER699f.dir00\explorer.exe.hdmp
%Temp%\WER699f.dir00\explorer.exe.mdmp
%Temp%\WER699f.dir00\manifest.txt
%System%\wbem\grpconv.exe

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

The following directory is created: %Temp%\WER699f.dir00.
A new process is created in the system: %System%\wbem\grpconv.exe along with some Windows registry modifications.

The following URL is being used: hxxp://dollarpoint.ru/abc/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&rnd=8520045

Virus Total link and MD5: de90a24f3dfb5c1c8d4a0a3104f3dd4a.

New Western Union MTCN trojan

MX Lab intercepted a new ZBot trojan today that is being distributed in the well-known “Western Union MTCN” format. The message subject is “Western Union Transfer MTCN: 5815328212”. The attached file is a compressed zip archive WesternUnion_SPL90710021.zip containing the malware WesternUnion_SPL90710021.exe. Please note that the numbers in the subject line and/or the attachment and executable names can change.

The body of the email contains:

Dear customer!

The money transfer you have sent on the 20th of April wasn’t received by the recipient.
According to the Western Union contract the transfers which are not collected in 15 days are to be returned to sender.
To collect funds you need to print the invoice attached to this e-mail and visit the nearest Western Union branch.

Thank you!

When we submitted the virus sample to Virus Total, on 26/05/2009 at 21:27:10 (UTC), only 6 of the 40 AV engines detected the malware. Looking at the details and the virus naming, we assume the detections come from the heuristic features of the AV engines: Gen:Trojan.Heur.3004FB9EBC (BitDefender, GData), Suspicious file (Panda), (Suspicious) – DNAScan (CAT-QuickHeal). A-Squared and Microsoft have a real virus name: Gen.Trojan!IK and TrojanDownloader:Win32/Bredolab.G.

The trojan will create the following files:

%AppData%\wiaserva.log
%Temp%\WER699f.dir00\appcompat.txt
%Temp%\WER699f.dir00\explorer.exe.hdmp
%Temp%\WER699f.dir00\explorer.exe.mdmp
%Temp%\WER699f.dir00\manifest.txt
%System%\wbem\grpconv.exe

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

The following directory is created: %Temp%\WER699f.dir00.
A new process is created in the system: %System%\wbem\grpconv.exe along with some Windows registry modifications.

The following URL is being used: hxxp://dollarpoint.ru/abc/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&rnd=8520045

Virus Total permalink and MD5 hash: 53d15dc652a2534572981bab1e2eddf3.
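The TheBat, UPS and Western Union campaigns above all share one trait: a zip attachment that holds an executable. The following gateway-side check, added here as an example and not MX Lab’s own code, builds a constructed lure message of that shape (inert bytes instead of a real executable, example.invalid as the sender) and then scans it, opening zip attachments to look at the member names rather than trusting the attachment name alone.

```python
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions that should not arrive unsolicited; .scr (screensaver) is a normal PE executable.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def _ext(name):
    return os.path.splitext(name)[1].lower()


def find_dangerous_attachments(raw):
    """Return (attachment_name, member_name) pairs for executables, also inside zip archives."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if _ext(name) in EXECUTABLE_EXTS:
            hits.append((name, name))
        # Inspect the content, not just the name: a zip renamed to .dat still starts with "PK".
        if data[:2] == b"PK":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        if _ext(member) in EXECUTABLE_EXTS:
                            hits.append((name, member))
            except zipfile.BadZipFile:
                hits.append((name, "<corrupt zip>"))
    return hits


def build_sample(subject, zip_name, member_name):
    """Constructed sample: a delivery/transfer lure with a zip holding a fake, inert file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"not a real executable")
    msg = EmailMessage()
    msg["From"] = "notice@example.invalid"  # constructed sender
    msg["Subject"] = subject
    msg.set_content("Please print out the invoice copy attached and visit the nearest branch.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()
```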

Health.com branding used in spam

A few days earlier we reported that the branding of Auslogics Software was being used in a spam campaign. We have now noticed that Health.com has been the subject of the same kind of abuse.

MX Lab intercepted spam messages with Health.com branding. The image below shows a mailing template with the Health logo, an image of Viagra and other pills, along with links to Twitter, Facebook and YouTube, opt-out links, a privacy policy and the address of Health.com.

In this campaign the spammers have replaced each of the links with hxxp://www.blackaringo.ru, which redirects to hxxp://newpharmshappy.com/. This site belongs to our best friends, who else, the Canadian Pharmacy.

Belgian court convicts 18 persons over Nigerian spam

The correctional court of Bruges, Belgium, has sentenced 18 persons to prison terms of 2 to 6 years for sending out fraudulent spam between February 2007 and November 2008.

In the Nigerian spam emails they claimed to have a fund in Ghana where a substantial amount of money was blocked after a woman died in a car accident. The small fortune of 35 million Euro could be released with the help, and a financial contribution, of the addressee.

The police were able to arrest the gang after a tip and a thorough investigation of mobile phone conversations.