Emails regarding updating your mailbox lead to the malware flashinstaller.exe


MX Lab intercepts emails with an embedded URL that leads to a web site showing the notice “You don’t have the latest version of Macromedia Flash Player.” and offering the file flashinstaller.exe for download. The file itself is malware and is detected as Win32:Zbot-MGA (Avast), W32/Bifrost.C.gen!Eldorado (F-Prot), PWS-Zbot.gen.v (McAfee) or PWS:Win32/Zbot.gen!R (Microsoft).

Possible subjects are (where * stands for characters of the email address or domain name):

dear owner of ****@*****.com
for ****.com email service user
for ****@****.com email service user
please update your ****@****.com mailbox

The content of the body:

Dear owner of the ****@****.com mailbox,
You have to change the security mode of your account, from standart to secure. Please change the security mode by using the link below:

hxxp://accounts.****.com.verzzg.org.uk/webmail/settings/noflash.php?mode=standart&id=591741907__***lotsofnumbershere***__827&email=****@****.com

This is a screenshot of such a site:

What we notice, and it’s a bit hilarious, is the use of the company name Macromedia; it looks like the author has been on Mars for quite some time. As we all know by now, Macromedia has been taken over by Adobe and the brand name Macromedia isn’t used anymore.

Anyway, the URL leads to the 124 kB file named flashinstaller.exe. The malware has the characteristics of ZBot – a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components, and provides the attacker with remote access to the compromised system.

The file %System%\sdra64.exe is created, together with a hidden directory %System%\lowsec and the hidden files %System%\lowsec\local.ds and %System%\lowsec\user.ds.

New memory pages are created in the address space of the system processes %System%\services.exe, %System%\lsass.exe and %System%\svchost.exe and of %ProgramFiles%\internet explorer\iexplore.exe, in combination with Windows registry edits.

Connection with a remote host at 193.104.27.42 on port 80 is established and the following URLs are requested:

* http://193.104.27.42/livs/rec.php
* http://193.104.27.42/lcc/ip2.gif
* http://193.104.27.42/ip.php

VirusTotal permalink and MD5: f6a5c4ceed2c45268b083488faecb10a.
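As an added example (written for this post, not MX Lab code), a small Python detection helper that flags the lure page, the flashinstaller.exe download and the three C2 requests listed above in proxy log lines, and checks a %System% directory for the dropped files. The log line layout, the victim domain example.com and the download path of flashinstaller.exe are constructed assumptions; the indicators themselves are the ones from the analysis.

```python
import os
import re
from urllib.parse import urlsplit

# Indicators taken from the analysis above; host paths are relative to %System%.
HOST_ARTIFACTS = ("sdra64.exe", "lowsec", os.path.join("lowsec", "local.ds"),
                  os.path.join("lowsec", "user.ds"))
C2_HOST = "193.104.27.42"
C2_PATHS = {"/livs/rec.php", "/lcc/ip2.gif", "/ip.php"}
# Lure URL shape: accounts.<victim domain>.<attacker domain>/webmail/settings/noflash.php
LURE_HOST_RE = re.compile(r"^accounts\.", re.I)
LURE_PATH = "/webmail/settings/noflash.php"

def classify_url(url):
    """Return 'zbot-c2', 'phish-lure' or 'dropper-download' for a matching URL, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host == C2_HOST and parts.path in C2_PATHS:
        return "zbot-c2"
    if LURE_HOST_RE.match(host) and parts.path.lower() == LURE_PATH:
        return "phish-lure"
    if parts.path.rsplit("/", 1)[-1].lower() == "flashinstaller.exe":
        return "dropper-download"
    return None

def scan_proxy_log(lines):
    """Flag hits in lines of the form '<timestamp> <client_ip> <method> <url>'.
    That layout is a constructed stand-in for whatever your proxy actually writes."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 4:
            verdict = classify_url(fields[3])
            if verdict:
                hits.append((fields[1], verdict, fields[3]))
    return hits

def check_host_artifacts(system_dir):
    """Return the Zbot file-system artifacts present under the given %System% directory."""
    return [p for p in HOST_ARTIFACTS if os.path.lexists(os.path.join(system_dir, p))]

# Constructed proxy log: one client (10.0.0.12) walking the whole chain, one clean client.
SAMPLE_LOG = """\
2010-03-02T10:14:05 10.0.0.12 GET http://accounts.example.com.verzzg.org.uk/webmail/settings/noflash.php?mode=standart&id=1&email=a@example.com
2010-03-02T10:14:09 10.0.0.12 GET http://accounts.example.com.verzzg.org.uk/webmail/flashinstaller.exe
2010-03-02T10:15:31 10.0.0.12 GET http://193.104.27.42/livs/rec.php
2010-03-02T10:15:32 10.0.0.12 GET http://193.104.27.42/lcc/ip2.gif
2010-03-02T10:16:00 10.0.0.44 GET http://www.example.org/index.html
""".splitlines()
```

Running scan_proxy_log(SAMPLE_LOG) reports four hits, all from 10.0.0.12, in the order the infection chain happens; check_host_artifacts(r"C:\Windows\System32") on a Windows host returns whichever of the four dropped paths exist.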

6 thoughts on “Emails regarding updating your mailbox lead to the malware flashinstaller.exe”

  1. I received this email yesterday.
    As I am not only the owner of the domain name but also the guy that set it up, getting an email from my own support (me) at centerlinx dot com made me laugh.

    I immediately secured the email in my junk box and searched the internet to find details on this email.

    The email was never opened (preview screen only) and has been deleted off my system.

    John
