Malware distribution on RapidShare: surprise.exe
December 14, 2010 15 Comments
MX Lab, http://www.mxlab.eu, has intercepted emails that distribute malware hosted on the RapidShare file sharing platform.
The email is sent from a randomly chosen spoofed address and has the following short body:
hxxp://rapidshare.com/files/436744023/surprise.exe
The malware file is 384 kB in size and is named surprise.exe.
The trojan is detected as Win32:Trojan-gen (Avast), Gen:Variant.FakeAlert.47 (F-Secure) and Mal/FakeAV-EE (Sophos).
A new window is shown on the desktop of the computer:

The following files will be created:
%AppData%\217103390.exe
%Programs%\Security Shield.lnk
The following processes are created:
%AppData%\217103390.exe
%UserProfile%\LOCALS~1\APPLIC~1\217103390.exe
The following Windows registry key will be created:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
At the time of writing, only 16 of the 43 AV engines at VirusTotal detected the trojan.
VirusTotal permalink and MD5: b9cffe050e66da4e383752997eba3acd.
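The dropped file, Start Menu shortcut, process name and RunOnce key listed above can be swept for on a suspect Windows host. The following PowerShell script is an added example (not MX Lab's own tooling); it is read-only, reports what it finds, and assumes PowerShell 4 or later for Get-FileHash. The 8.3 path %UserProfile%\LOCALS~1\APPLIC~1 is treated as the per-user local application data folder.

```powershell
# Added example: sweep the current user's profile for the surprise.exe indicators
# named in the MX Lab post. Reports only; it does not delete or kill anything.
$KnownMd5 = 'b9cffe050e66da4e383752997eba3acd'   # MD5 of the sample from the post

# Dropped file locations from the post, with the Windows variables expanded.
$FileIndicators = @(
    (Join-Path $env:APPDATA '217103390.exe'),
    (Join-Path $env:LOCALAPPDATA '217103390.exe'),          # %UserProfile%\LOCALS~1\APPLIC~1
    (Join-Path ([Environment]::GetFolderPath('Programs')) 'Security Shield.lnk')
)

$Findings = @()
foreach ($Path in $FileIndicators) {
    if (-not (Test-Path -LiteralPath $Path)) { continue }
    $Hash = $null
    if ($Path -like '*.exe') {
        # The dropped copy may differ from the e-mailed sample, so a mismatch is
        # still reported as a finding; only the Matches flag changes.
        $Hash = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
    }
    $Findings += [pscustomobject]@{
        Indicator = $Path
        Detail    = $Hash
        Matches   = ($Hash -eq $KnownMd5)
    }
}

# Persistence: list every value under the RunOnce key the post names.
$RunOnce = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
if (Test-Path -LiteralPath $RunOnce) {
    (Get-ItemProperty -LiteralPath $RunOnce |
        Select-Object -Property * -ExcludeProperty PS*).PSObject.Properties |
        ForEach-Object {
            $Findings += [pscustomobject]@{
                Indicator = "RunOnce\$($_.Name)"
                Detail    = [string]$_.Value
                Matches   = ([string]$_.Value -like '*217103390.exe*')
            }
        }
}

# Running process named after the dropped executable.
Get-Process -Name '217103390' -ErrorAction SilentlyContinue | ForEach-Object {
    $Findings += [pscustomobject]@{
        Indicator = "Process PID $($_.Id)"; Detail = $_.Path; Matches = $true
    }
}

if ($Findings.Count -eq 0) { 'No surprise.exe indicators found for this user.' }
else { $Findings | Format-Table -AutoSize }
```

Any RunOnce value is printed, not only ones pointing at the dropped file, because legitimate installers also use that key and the value name the trojan picks is not given in the post.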

Just got an email like this. Frankly, there will be idiots who open the file!
My secretary just ran the program:
http://rapidshare.com/files/436930117/surprise.exe
It was emailed from a contact we know to a big group of people.
What is the best thing to do to get rid of it?
Thanks
An email containing the link to the surprise.exe in rapidshare was sent without my knowledge from my yahoo account.
I warned all my friends and changed my password. What else should I do?
Thanks
First off, you should do a full scan with your current antivirus program. Additionally, you can perform an online virus scan with one of the known AV vendors.
If you think your computer is clean, change the password of your account and notify your contacts.
Hope this helps
It happened to me today, but the file size is 15.6 KB. I scanned it with current Norton AV and it said CLEAN. I tried to run it, and got some error message about NTDVM and failure of some 16 bit something or other (not willing to run it again). I do find the runonce key in the registry, but there is nothing in it. The run key contains only normal/expected things.
I do not know if I’m infected. I’ve noticed nothing strange yet (xp32 pro). I’m not sure what to do. Symantec doesn’t seem to have anything on surprise.exe that is recent.
I wonder – should I try to use Norton Go Back or regress back to a previous restore point? I’m getting overdue for a reboot, but I’m not willing to do it until I have a handle on this.
I’ll certainly do a full scan tonight.
If anyone has a suggestion, PLEASE send me an email or post.
Thanks
Hi Dan,
If you feared to be infected, why did you run the file? Either way, I’m pretty sure the file was corrupted, so I doubt you’re infected.
If you did run the file, there is a pretty good chance it propagated to others from your address book. It looks like the payload of this is a user-id/password harvester. I would recommend you change ALL your passwords every day until you can get your system restored or have someone check it for you. Your banking or ecommerce passwords are now at risk.
TRIED TO DWNLD REGISTRY SOFTWARE JUST NOW & MY ANTI-VIRUS FREAKED OUT!!!! HAD JUST FINISHED UPDATING MY AVAST, SO IT ONLY MADE IT AS FAR AS “RUN THIS FILE”? BEWARE OF RAPID SHARE!
I’m sure there is more than that, just not being known.