Explorer SPAM Detector for Public is malware
March 13, 2010 2 Comments
MX Lab intercepted a few messages with the subject “Systematic Security Software : Explorer SPAM Detector for Public”, sent from the spoofed address Systematic Inc <soft@systematic.com>.
The email offers a software tool called Explorer Spam Detector, presented as if it came from Symantec (misspelled “Systematic” throughout the lure):
Systematic launched a new program SPAM detector Explorer, the program automatically detects if a page is original or not, if you open a mail if the sender is not original is detected. If you are tired of spammers and you are tired as your accounts will be broken, to lose money on paypal or lose auctions, Download this program and all your data, all your accounts will be safe. This program is free, you do not need to buy it, you do not need a license.
Below is an actual screenshot of the email:

The included URLs will take you to a web site where the malware is hosted: hxxp://systematic.armed.us/download/Setup.exe.
The downloaded file is named Setup.exe and is approximately 1.5 MB.
Submission to VirusTotal shows that only 1 of the 40 AV engines detected the sample: Symantec, engine version 20091.2.0.41. The detection name Suspicious.Insight is a generic verdict from Symantec’s reputation-based security technology, so it is not a family name for this malware.
When executed, the system gets infected and a new window appears:

The appearance of this window might suggest that the software simply did not install correctly. By then, your computer is already infected.
The following file is created:
%AppData%\Microsoft\System\Services\[filename of the sample #1], where %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
The file %System%\drivers\etc\hosts is modified and the following folders are created:
* %AppData%\Microsoft\System
* %AppData%\Microsoft\System\Services
A Windows registry Run entry is added so that the malware is started again at every logon:
# [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
* [filename of the sample #1] = "%AppData%\Microsoft\System\Services\[filename of the sample #1]"
The HOSTS file is updated with the following hostname-to-IP mappings:
127.0.0.1 www.virscan.org
127.0.0.1 virscan.org
127.0.0.1 221.207.255.61
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 74.53.201.162
127.0.0.1 scanner.novirusthanks.org
127.0.0.1 91.121.223.25
127.0.0.1 www.xxbots.net
127.0.0.1 xxbots.net
127.0.0.1 208.43.26.70
127.0.0.1 www.virusscan.jotti.org
127.0.0.1 virusscan.jotti.org
127.0.0.1 66.36.241.92
127.0.0.1 forums.malwarebytes.org
127.0.0.1 74.63.217.106
127.0.0.1 www.codespace.net
127.0.0.1 codespace.net
127.0.0.1 174.133.4.108
As you can see, after this change you no longer have access to the web sites listed here. Because of the HOSTS file modification, every request for one of these names resolves to 127.0.0.1, your own computer, before DNS is even consulted. The goal is to stop the user from reaching these sites for information or for downloading anti-virus/anti-malware software. Note that the entries whose “hostname” is itself an IP address (221.207.255.61, 74.53.201.162 and so on) have no effect: the HOSTS file is only used when a name is resolved, never for a connection made directly to an IP address. If you are infected with this malware, make sure that you remove these lines from the HOSTS file (or restore the default file), in addition to removing the dropped executable and its Run key entry.
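How a defender would check a HOSTS file for this kind of loopback sinkholing and restore it, as an added example that is not part of the original MX Lab post. The file content below is constructed for the example: the default Microsoft header plus the 19 entries listed above. Entries that only name IP literals are reported separately because they are inert, and the cleaned file keeps comments and the legitimate localhost lines untouched.

```python
"""Triage a Windows HOSTS file for malware-added loopback sinkholes.

Added example, not code from the MX Lab post. SAMPLE_HOSTS is constructed:
the stock Microsoft header plus the entries the malware appended.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

LOOPBACK = {"127.0.0.1", "::1"}
# Names that legitimately map to loopback in a stock hosts file.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.virscan.org
127.0.0.1 virscan.org
127.0.0.1 221.207.255.61
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 74.53.201.162
127.0.0.1 scanner.novirusthanks.org
127.0.0.1 91.121.223.25
127.0.0.1 www.xxbots.net
127.0.0.1 xxbots.net
127.0.0.1 208.43.26.70
127.0.0.1 www.virusscan.jotti.org
127.0.0.1 virusscan.jotti.org
127.0.0.1 66.36.241.92
127.0.0.1 forums.malwarebytes.org
127.0.0.1 74.63.217.106
127.0.0.1 www.codespace.net
127.0.0.1 codespace.net
127.0.0.1 174.133.4.108
"""


@dataclass
class HostsEntry:
    line_no: int
    ip: str
    names: List[str]
    raw: str


def is_ip_literal(name: str) -> bool:
    """A hosts 'name' that is really an IP address never matches a lookup."""
    try:
        ipaddress.ip_address(name)
    except ValueError:
        return False
    return True


def parse_hosts(text: str):
    """Yield one HostsEntry per mapping line; comments and blanks are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].split()
        if len(body) >= 2:
            yield HostsEntry(n, body[0], body[1:], raw)


def classify(entry: HostsEntry) -> str:
    """'ok' for normal lines, 'noop' for loopback lines naming only IP
    literals (inert), 'sinkhole' for loopback lines hijacking a real name."""
    if entry.ip not in LOOPBACK:
        return "ok"
    hijacked = [n for n in entry.names
                if n.lower() not in BENIGN_LOOPBACK_NAMES and not is_ip_literal(n)]
    if hijacked:
        return "sinkhole"
    if any(is_ip_literal(n) for n in entry.names):
        return "noop"
    return "ok"


def triage(text: str) -> dict:
    """Group every mapping line by verdict."""
    out = {"ok": [], "noop": [], "sinkhole": []}
    for e in parse_hosts(text):
        out[classify(e)].append(e)
    return out


def sinkholed_names(text: str) -> List[str]:
    """Sorted hostnames this file forces to a loopback address."""
    names = set()
    for e in triage(text)["sinkhole"]:
        names.update(n.lower() for n in e.names
                     if n.lower() not in BENIGN_LOOPBACK_NAMES and not is_ip_literal(n))
    return sorted(names)


def resolves_to_loopback(text: str, hostname: str) -> bool:
    """True if a lookup of `hostname` would be answered from this file with
    a loopback address (first matching line wins, as the resolver does)."""
    for e in parse_hosts(text):
        if hostname.lower() in (n.lower() for n in e.names):
            return e.ip in LOOPBACK
    return False


def clean_hosts(text: str) -> str:
    """Return the file with sinkhole and no-op lines dropped; comments, blank
    lines and legitimate mappings are kept exactly as they were."""
    kept = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].split()
        if len(body) >= 2 and classify(HostsEntry(0, body[0], body[1:], raw)) != "ok":
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    verdicts = triage(SAMPLE_HOSTS)
    for e in verdicts["sinkhole"] + verdicts["noop"]:
        print(f"line {e.line_no:3d} [{classify(e):8s}] {e.raw}")
    print("hijacked:", ", ".join(sinkholed_names(SAMPLE_HOSTS)))
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On a live system you would read %SystemRoot%\System32\drivers\etc\hosts into `text` and write `clean_hosts(text)` back with administrative rights; cleaning the file alone is not a cure, since the dropped executable started from the Run key will simply rewrite it.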
The possible country of origin for this malware is Russia.
VirusTotal permalink and MD5: 97ff431ca077c59d76d147832260b7ef.

Hey, I would like to know more about this. I am looking for something like this; my office has a software but it's not as effective and it's very complicated for us to use as well. Explorer SPAM Detector seems to be more effective and I think I would like to know more about the virus and anti-spam as well.
Viruses have developed quickly and require us to make data backups as often as possible