“Statement of fees” malware
September 8, 2008
Emails with the subject “Statement of fees 2008/09” contain an attached .zip archive with a file Fees_2008-2009.cod.exe. Subject and file names may vary. MX Lab have seen increased activity in the distribution of this malware over the last few days.
Contents of the email:
Please find attached a statement of fees as requested, this will be posted today. The accommodation is dealt with by another section and I have passed your request on to them today.
Kind regards.
Gretchen
The malware can be described as a debugger that is injected into the execution sequence of a target application. This ‘debugger’ is then run every time that application is started on an infected computer.
The malware creates a file wuauclt.exe, edits a few registry entries and can make a connection to a host at http://********.ru/load4/ld.php?v=1&rs=13441600&n=1&uid=1.
Virus Total permalink and MD5: 36c6d7dbe4595f60ea1bda77ce879625.
When investigating this URL I found a web site that showed me three more links to a file named kashir.exe.
http://www.******.com/images/kashir.exe
http://www.******.de/bilder/kashir.exe
http://www.******.de/neuhomebilder/kashir.exe
No automated download or anything else was executed, but this host is supposed to serve the malware to the infected computer. The kashir.exe file is known as Adware.Agent.ZO, which lowers some IE security settings and downloads RogueAntiSpyware without the user’s permission. This program creates the files braviax.exe, delself.bat, beep.sys and figaro.sys in the Windows %System% directory, and a system request is initiated to shut down and then restart the computer.
Virus Total permalink and MD5: 069b3a2a8b203f6fbbf0147517ab6f80.
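The host-based artifacts this post names (the debugger hook, the files dropped under %System% and the two MD5 hashes) can be checked on a suspect machine with a read-only triage script. The script below is an added example, not MX Lab's code. It assumes PowerShell 4 or later (for Get-FileHash), and it assumes, because the post does not name the mechanism, that the “debugger injected into the execution sequence” is an Image File Execution Options (IFEO) Debugger registry value; the IFEO key path and the file names are the only specifics used, and the hashes are the ones quoted above.

```powershell
# Added triage example (not MX Lab's code). Read-only: nothing is modified or deleted.
# ASSUMPTION: the "debugger" hook described in the post is an IFEO Debugger value;
# the post itself does not name the registry location.
# Run in an elevated PowerShell (4.0 or later) on the machine being checked.

# MD5 hashes quoted in the post for the two samples
$KnownMd5 = @{
    '36c6d7dbe4595f60ea1bda77ce879625' = 'Fees_2008-2009.cod.exe (dropper)'
    '069b3a2a8b203f6fbbf0147517ab6f80' = 'kashir.exe (Adware.Agent.ZO)'
}

# File names the post says are created under %System%.
# NOTE: wuauclt.exe is also the name of the legitimate Windows Update client,
# so a name match alone means nothing; the hash or signature has to decide.
$DroppedNames = 'braviax.exe', 'delself.bat', 'beep.sys', 'figaro.sys', 'wuauclt.exe'

$findings = @()

# 1. IFEO Debugger values: any program listed here has the named "debugger"
#    started in its place every time the program is launched.
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($key in (Get-ChildItem -Path $ifeoRoot -ErrorAction SilentlyContinue)) {
    $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += [pscustomobject]@{
            Check  = 'IFEO Debugger'
            Item   = $key.PSChildName
            Detail = $dbg
        }
    }
}

# 2. Dropped files in %System%, hashed and compared against the MD5s from the post
$sysDir = [Environment]::SystemDirectory
foreach ($name in $DroppedNames) {
    $path = Join-Path $sysDir $name
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash.ToLower()
    $hashMatch = $KnownMd5.ContainsKey($md5)

    # For the legitimate file name, report only on a hash match or a bad signature
    if ($name -eq 'wuauclt.exe' -and -not $hashMatch) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.Status -eq 'Valid') { continue }
        $label = "unsigned or invalid signature (status: $($sig.Status))"
    } elseif ($hashMatch) {
        $label = $KnownMd5[$md5]
    } else {
        $label = 'name match only, hash not in the post'
    }

    $findings += [pscustomobject]@{
        Check  = 'Dropped file'
        Item   = $path
        Detail = "MD5=$md5 ($label)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No artifacts from the "Statement of fees" post were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit in the IFEO list is not proof of infection on its own, since some debugging and application-compatibility tools register a Debugger value legitimately; the value should be read and the referenced executable hashed before anything is acted on.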
