Malware distribution on RapidShare: surprise.exe


MX Lab, http://www.mxlab.eu, intercepts emails that distribute malware hosted on the RapidShare file-sharing platform.

The email is sent from a randomly chosen spoofed address and has the following short body:

hxxp://rapidshare.com/files/436744023/surprise.exe

The malware file is 384 kB in size and is named surprise.exe.

The trojan is known as Win32:Trojan-gen (Avast), Gen:Variant.FakeAlert.47 (F-Secure) and Mal/FakeAV-EE (Sophos).

A new window will be shown on the desktop of the computer:

The following files will be created:

%AppData%\217103390.exe
%Programs%\Security Shield.lnk

The following processes are created:

%AppData%\217103390.exe
%UserProfile%\LOCALS~1\APPLIC~1\217103390.exe

The following Windows registry key will be created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

At the time of writing, only 16 of the 43 AV engines at VirusTotal detected the trojan.

VirusTotal permalink and MD5: b9cffe050e66da4e383752997eba3acd.
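The dropped file, shortcut, process and RunOnce key listed above can be checked on a suspect machine with the following read-only PowerShell script. It is an added example, not code from the MX Lab post; the paths, names and MD5 come from the post, and it assumes PowerShell 4.0 or later (for Get-FileHash). It reports findings and removes nothing.

```powershell
# Added example, not part of the MX Lab post: read-only check of a Windows
# host for the surprise.exe / "Security Shield" indicators listed above.
# Assumes PowerShell 4.0 or later (Get-FileHash). Reports only; removes nothing.
$dropperName = '217103390.exe'                     # binary dropped into %AppData%
$knownMd5    = 'b9cffe050e66da4e383752997eba3acd'  # MD5 of surprise.exe from the post
$runOnceKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$programsDir = [Environment]::GetFolderPath('Programs')   # %Programs%
$findings    = @()

# 1. Dropped executable: the normal %AppData% path and the 8.3 alias seen in the process list
$exePaths = @(
    (Join-Path $env:APPDATA $dropperName),
    (Join-Path $env:USERPROFILE "LOCALS~1\APPLIC~1\$dropperName")
)
foreach ($p in $exePaths) {
    if (Test-Path -LiteralPath $p) {
        $md5  = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash.ToLower()
        $note = if ($md5 -eq $knownMd5) { 'MD5 matches the sample' } else { "MD5 $md5 differs from the sample (possible variant)" }
        $findings += "Dropped file present: $p ($note)"
    }
}

# 2. Fake-AV shortcut in the Start Menu Programs folder
$lnk = Join-Path $programsDir 'Security Shield.lnk'
if (Test-Path -LiteralPath $lnk) { $findings += "Shortcut present: $lnk" }

# 3. Running instance (process name is the file name without .exe)
$procs = Get-Process -Name ($dropperName -replace '\.exe$', '') -ErrorAction SilentlyContinue
foreach ($pr in $procs) { $findings += "Process running: PID $($pr.Id) $($pr.Path)" }

# 4. RunOnce persistence: flag any value pointing at the dropper, list the rest for review
$runOnce = Get-ItemProperty -Path $runOnceKey -ErrorAction SilentlyContinue
if ($runOnce) {
    foreach ($v in $runOnce.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        if ("$($v.Value)" -like "*$dropperName*") {
            $findings += "RunOnce persistence: $($v.Name) = $($v.Value)"
        } else {
            Write-Host "RunOnce value for review: $($v.Name) = $($v.Value)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No surprise.exe indicators found on this host.'
} else {
    $findings | ForEach-Object { Write-Host "[!] $_" }
}
```

A clean RunOnce key proves little on its own, since RunOnce entries are deleted after they execute; the on-disk file and running process are the stronger indicators.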

15 Responses to Malware distribution on RapidShare: surprise.exe

  1. Tony Barbone says:

    Just got an email like this. Frankly, there will be idiots who open the file!

  2. George says:

    My secretary just ran the program:

    http://rapidshare.com/files/436930117/surprise.exe

    It was emailed from a contact we know to a big group of people.

    What is the best thing to do to get rid of it?

    Thanks

  3. Yasmine says:

    An email containing the link to the surprise.exe in rapidshare was sent without my knowledge from my yahoo account.
    I warned all my friends and changed my password. What else should I do?
    Thanks

  4. bartblaze says:

    First off, you should do a full scan with your current antivirus program. Additionally, you can perform an online virus scan as well from one of the known AV vendors.

    If you think your computer is clean, change the password of your account and notify your contacts.

    Hope this helps

  5. Dan says:

    It happened to me today, but the file size is 15.6 KB. I scanned it with current Norton AV and it said CLEAN. I tried to run it, and got some error message about NTDVM and failure of some 16 bit something or other (not willing to run it again). I do find the runonce key in the registry, but there is nothing in it. The run key contains only normal/expected things.

    I do not know if I’m infected. I’ve noticed nothing strange yet (xp32 pro). I’m not sure what to do. Symantec doesn’t seem to have anything on surprise.exe that is recent.

    I wonder – should I try to use Norton Go Back or regress back to a previous restore point? I’m getting overdue for a reboot, but I’m not willing to do it until I have a handle on this.

    I’ll certainly do a full scan tonight.

    If anyone has a suggestion, PLEASE send me an email or post.

    Thanks

  6. bartblaze says:

    Hi Dan,

    If you feared to be infected, why did you run the file? Either way, I’m pretty sure the file was corrupted, so I doubt you’re infected :) .

  7. Jim Geuin says:

    If you did run the file, there is a pretty good chance it propagated to others from your address book. It looks like the payload of this is a user-id/password harvester. I would recommend you change ALL your passwords every day until you can get your system restored or have someone check it for you. Your banking or ecommerce passwords are now at risk.

  8. Skip W. says:

    TRIED TO DWNLD REGISTRY SOFTWARE JUST NOW & MY ANTI-VIRUS FREAKED OUT!!!! HAD JUST FINISHED UPDATING MY AVAST, SO IT ONLY MADE IT AS FAR AS “RUN THIS FILE”? BEWARE OF RAPID SHARE!

  9. Fay Pugh says:

    Hi Dan, If you feared to be infected, why did you run the file? Either way, I’m pretty sure the file was corrupted, so I doubt you’re infected :) .

  10. Pingback: Spammers are using cloud-based storage services to store malware « eComTechnology

  11. Pingback: eComTechnology

  12. Pingback: Spammers are using cloud-based storage services to store malware « Victoria Biz

  13. Pingback: Experts Warn Of Malware On Cloud Storage Services | eWEEK Europe UK

  14. mixtapes says:

    I’m sure there is more than that, just not being known.

  15. Pingback: Criminals Host Trojans on Cloud Storage Service Rapidshare | My Rapidshare
