“Statement of fees” malware

Emails with the subject “Statement of fees 2008/09” contain an attached .zip archive holding a file named Fees_2008-2009.cod.exe. Subject and file names may vary. MX Lab has seen increased activity in the distribution of this malware over the last few days.

Contents of the email:

Please find attached a statement of fees as requested, this will be posted today. The accommodation is dealt with by another section and I have passed your request on to them today.

Kind regards.
Gretchen 
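A gateway-side check for the attachment pattern above, added here as an example (this is not MX Lab's code). It builds a message modelled on the campaign mail around a constructed zip whose member is a dummy "MZ" stub, not the real Fees_2008-2009.cod.exe, and flags archive members that carry an executable extension, a double extension such as .cod.exe, or a PE header behind a harmless-looking name. The sender and recipient addresses and the EXECUTABLE_EXTS list are assumptions.

```python
"""Gateway-side screening of zip attachments for executables (added example, not MX Lab's code)."""
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Extensions Windows will execute on double-click (assumed policy list for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
MAX_MEMBERS = 200  # bound the work per archive so an oversized zip cannot stall the gateway


def inspect_zip(data: bytes) -> list:
    """Report archive members that are executables or start with a PE ("MZ") header."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment is not a valid zip archive"]
    with zf:
        for info in zf.infolist()[:MAX_MEMBERS]:
            base = info.filename.rsplit("/", 1)[-1]
            parts = base.lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            double_ext = len(parts) > 2  # e.g. Fees_2008-2009.cod.exe
            with zf.open(info) as fh:
                magic = fh.read(2)  # only the first two bytes are needed for the MZ check
            if ext in EXECUTABLE_EXTS:
                note = f"{base}: executable extension {ext}"
                if double_ext:
                    note += " hidden behind a double extension"
                findings.append(note)
            elif magic == b"MZ":
                findings.append(f"{base}: PE header (MZ) behind non-executable extension {ext or '(none)'}")
    return findings


def screen_message(raw: bytes) -> dict:
    """Map each zip attachment's filename to its findings; an empty dict means clean."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        is_zip = part.get_content_type() == "application/zip" or name.lower().endswith(".zip")
        if not is_zip:
            continue
        payload = part.get_content()
        if isinstance(payload, str):  # a text/* part named *.zip: inspect its bytes anyway
            payload = payload.encode("latin-1", "replace")
        findings = inspect_zip(payload)
        if findings:
            report[name] = findings
    return report


def make_zip(member_name: str, member_bytes: bytes) -> bytes:
    """Build a single-member zip in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_bytes)
    return buf.getvalue()


def build_sample_eml(member_name: str, member_bytes: bytes) -> bytes:
    """Constructed message modelled on the campaign mail: subject, body text, zip attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Statement of fees 2008/09"
    msg["From"] = "gretchen@example.invalid"  # placeholder addresses, not from the post
    msg["To"] = "finance@example.invalid"
    msg.set_content("Please find attached a statement of fees as requested.")
    msg.add_attachment(make_zip(member_name, member_bytes), maintype="application",
                       subtype="zip", filename="Statement_of_fees.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    dummy_pe = b"MZ" + b"\x00" * 62  # constructed stand-in, not the malware
    print(screen_message(build_sample_eml("Fees_2008-2009.cod.exe", dummy_pe)))
    print(screen_message(build_sample_eml("Fees_2008-2009.pdf", b"%PDF-1.4 dummy")))
```

The PE-header rule matters because the campaign could just as easily rename the payload to something that does not end in .exe; the extension list alone would miss that, while the two-byte check costs nothing.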

The malware behaves as a debugger that is inserted into the execution sequence of a target application: this ‘debugger’ is then run every time that application is started on the infected computer. Windows offers exactly this hook through an Image File Execution Options (IFEO) Debugger value, which makes the system launch the registered program in place of the one the user started.

The malware creates a file named wuauclt.exe (the name of the legitimate Windows Update client, which normally resides in %SystemRoot%\System32), edits a few registry keys and can connect to the host http://********.ru/load4/ld.php?v=1&rs=13441600&n=1&uid=1.

VirusTotal permalink and MD5: 36c6d7dbe4595f60ea1bda77ce879625.

When investigating this URL I found a web site that presented three more links to a file named kashir.exe:

http://www.******.com/images/kashir.exe

http://www.******.de/bilder/kashir.exe

http://www.******.de/neuhomebilder/kashir.exe

No automated download or anything else was executed, but this host is evidently meant to serve the malware to the infected computer. The kashir.exe file is detected as Adware.Agent.ZO; it lowers some Internet Explorer security settings and downloads rogue anti-spyware without the user’s permission. This program creates the files braviax.exe, delself.bat, beep.sys and figaro.sys in the Windows %System% directory, and a system request is then issued to shut down and restart the computer.

VirusTotal permalink and MD5: 069b3a2a8b203f6fbbf0147517ab6f80.
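The check-in URL (/load4/ld.php with its v, rs, n and uid parameters) and the kashir.exe download paths are the network indicators from this post that a proxy log can be searched for. The following added example (not MX Lab's code) runs that search over constructed Squid-style access.log lines. The hostnames are placeholders because the post masks the real .ru, .com and .de hosts, so the matching keys on URL path and query parameters rather than on host.

```python
"""Match proxy logs against the campaign's URL indicators (added example, not MX Lab's code)."""
import re
from urllib.parse import parse_qs, urlsplit

CHECKIN_PATH = re.compile(r"^/load4/ld\.php$", re.I)
CHECKIN_PARAMS = {"v", "rs", "n", "uid"}  # query keys present in the captured check-in URL
KASHIR_PATH = re.compile(r"/kashir\.exe$", re.I)

# Squid native layout: time elapsed client action/status size method URL ident hierarchy type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Constructed log lines; hosts are placeholders, paths and queries follow the post.
SAMPLE_LOG = """\
1239000001.101    120 10.0.0.23 TCP_MISS/200 512 GET http://c2.example/load4/ld.php?v=1&rs=13441600&n=1&uid=1 - DIRECT/192.0.2.10 text/html
1239000002.202     90 10.0.0.23 TCP_MISS/200 98304 GET http://www.host2.example/bilder/kashir.exe - DIRECT/192.0.2.11 application/octet-stream
1239000003.303     40 10.0.0.45 TCP_HIT/200 2048 GET http://www.example.com/images/logo.png - NONE/- image/png
1239000004.404     35 10.0.0.45 TCP_MISS/200 700 GET http://intranet.example/load4/ld.php?page=1 - DIRECT/10.1.1.1 text/html
"""


def classify_url(url: str):
    """Return the indicator name a URL matches, or None."""
    parts = urlsplit(url)
    # an ld.php elsewhere is not enough: insist on the same parameter set as the captured URL
    if CHECKIN_PATH.match(parts.path) and CHECKIN_PARAMS <= set(parse_qs(parts.query)):
        return "ld.php loader check-in"
    if KASHIR_PATH.search(parts.path):
        return "kashir.exe download"
    return None


def scan_proxy_log(text: str) -> list:
    """Return one record per matching request: line number, client, host, indicator, uid."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-Squid line
        sig = classify_url(m["url"])
        if sig is None:
            continue
        parts = urlsplit(m["url"])
        hits.append({
            "line": lineno,
            "client": m["client"],
            "host": parts.hostname,
            "signature": sig,
            "uid": parse_qs(parts.query).get("uid", [None])[0],
        })
    return hits


def infected_clients(hits: list) -> list:
    """Distinct internal addresses that produced any match, sorted for a ticket."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("clients to isolate:", infected_clients(found))
```

Note the fourth sample line: an internal ld.php with a different query is left alone, which is the reason the check-in rule requires the full parameter set instead of the file name alone.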

7 Responses to “Statement of fees” malware

  1. christophe says:

    Could you please confirm whether Panda's latest version is 100% guaranteed against the “statement of fees” virus?
    Thank you for your prompt answer.

  2. mxlab says:

    You are asking this in the wrong place. Direct your question to Panda or search their web site for information on whether they have included detection for this virus in their virus definitions.

  3. Pingback: On-Site-Solutions.com » Blog Archive » Statement of Spam

  4. jumpie says:

    Can you tell me: if an OS (XP Home) is infected, can I recover it by putting the hard disk in another computer, set as a slave disk, and safely removing the files you have mentioned? Or will it infect my own OS at that time? And will this work this way, or do I need recovery programs to recover the data and/or the OS?

    Thank you for your reply.

    Jumpie from Belgium :)

  5. mxlab says:

    I’m not a virus removal expert – I focus on protection – but I would not recommend placing a hard drive from an infected computer in another computer. In general, an infected machine should be isolated from everything else, even the internet. The malware can install other stuff over the internet, or a hacker can be using your system through a backdoor.

    A fact is that the services the virus executes at boot will not be present on the new computer, and the files on your slave disk are unused and inactive, but if you accidentally execute a file it’s possible that you infect your clean computer as well. I should try this later on.

    What I should try first is to clean up with updated anti-virus software – it’s possible that you have to wait for a new virus definition. Or use specialized malware removal software. Some people have more success with such software than with an anti-virus program.

    On this blog some people have posted tools and solutions in their comments. Or remove the virus manually: you can find guides on how to remove certain viruses by Googling around.

    If all this fails, to be sure, start from a newly formatted hard drive.

  6. jumpie says:

    Thank you for the reply and the suggestions, but I think that I don't have any other option than to put the infected hard disk in a working computer, because all my friend is getting is the blue screen, better known as the screen of death.
    But I will inform myself further on the net.
    Thanks for all
    Jumpie, Belgium

  7. mxlab says:

    That’s not good. In this case you are limited in what you can do. You can try to remove the virus by hand or with an up-to-date virus scanner on the other computer, in this case by mounting the hard drive. If this fails I’m afraid you’ll need to reinstall your OS.
