Malware distribution on RapidShare: surprise.exe


MX Lab, http://www.mxlab.eu, intercepted emails that distribute malware hosted on the RapidShare file sharing platform.

The email is sent from a randomly chosen spoofed address and has the following one-line body:

hxxp://rapidshare.com/files/436744023/surprise.exe

The malware file is 384 kB in size and is named surprise.exe.
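The body above is the whole indicator on the mail side: one RapidShare download link whose file name ends in .exe. As an added example (this is not MX Lab's filter), the following Python shows how a mail gateway could flag such a message: it extracts rapidshare.com/files/<id>/<name> links, accepts the hxxp defanging used in this post as well as live http(s), checks the last extension so that double extensions like .jpg.exe are still caught, and blocks outright when the body is nothing but one link to an executable. The extension list and the three sample bodies are assumptions constructed for the example.

```python
"""Flag e-mails whose body carries a RapidShare link to an executable.

Added example (not MX Lab's filter). The pattern is the one the post shows:
a body consisting of a single rapidshare.com/files/<id>/<name> URL whose
file name ends in an executable extension. Sample messages are constructed.
"""
import re
from typing import List, NamedTuple

# Extensions Windows runs directly from a double-click (assumed list).
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd"}

# Accepts live http(s) and the hxxp defanging used in write-ups.
RAPIDSHARE_URL = re.compile(
    r"""h(?:tt|xx)ps?://(?:www\.)?rapidshare\.com/files/(?P<id>\d+)/(?P<name>[^\s'"<>]+)""",
    re.IGNORECASE,
)


class Finding(NamedTuple):
    url: str
    file_id: str
    filename: str
    extension: str


def rapidshare_executables(body: str) -> List[Finding]:
    """Return every RapidShare link in the body that points at an executable."""
    findings = []
    for m in RAPIDSHARE_URL.finditer(body):
        name = m.group("name").rstrip(".,;)")
        # Use the last extension so "holiday.jpg.exe" is still caught.
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXEC_EXTENSIONS:
            findings.append(Finding(m.group(0), m.group("id"), name, ext))
    return findings


def is_link_only_body(body: str) -> bool:
    """True when the body is nothing but one RapidShare URL, as in the campaign."""
    return RAPIDSHARE_URL.fullmatch(body.strip()) is not None


def classify(body: str) -> str:
    """Verdict for a message body: 'block', 'suspicious' or 'clean'."""
    hits = rapidshare_executables(body)
    if not hits:
        return "clean"
    # A bare link to an executable is the campaign signature; a link embedded
    # in other text still deserves a look but is not blocked automatically.
    return "block" if is_link_only_body(body) else "suspicious"


# Constructed samples: the campaign body from the post and two controls.
CAMPAIGN_BODY = "hxxp://rapidshare.com/files/436744023/surprise.exe"
MIXED_BODY = "Hi, the photos are at http://rapidshare.com/files/123456/party.jpg.exe - enjoy!"
BENIGN_BODY = "Slides: http://rapidshare.com/files/123456/talk.pdf"

if __name__ == "__main__":
    for body in (CAMPAIGN_BODY, MIXED_BODY, BENIGN_BODY):
        print(classify(body), rapidshare_executables(body))
```

The link-only rule is deliberately narrow: it matches the campaign as described here without blocking every mail that mentions a RapidShare download, which is what a gateway operator would want before widening the rule.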

The trojan is detected as Win32:Trojan-gen (Avast), Gen:Variant.FakeAlert.47 (F-Secure) and Mal/FakeAV-EE (Sophos).

A new window will be shown on the desktop of the computer:

The following files will be created:

%AppData%\217103390.exe
%Programs%\Security Shield.lnk

The following processes are created:

%AppData%\217103390.exe
%UserProfile%\LOCALS~1\APPLIC~1\217103390.exe

Note that LOCALS~1\APPLIC~1 is the 8.3 short name of Local Settings\Application Data, the local (non-roaming) profile folder on Windows XP, so this is a second location to check in addition to %AppData%.

An entry is created under the following Windows registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

At the time of writing, only 16 of the 43 AV engines at VirusTotal detected the trojan.

VirusTotal permalink and MD5: b9cffe050e66da4e383752997eba3acd.
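The artifacts listed above can be turned into a host triage check. The following Python is an added example, not MX Lab's code: it expands the %AppData%, %Programs% and %UserProfile% placeholders against a constructed Windows XP profile, resolves the 8.3 short names so that %UserProfile%\LOCALS~1\APPLIC~1 is compared as Local Settings\Application Data, matches file, process and RunOnce entries against the indicators from this post, and compares a sample's MD5 with the published hash. The profile layout (user "dan") and the snapshot of an infected host are constructed for illustration.

```python
"""Host triage for the surprise.exe / Security Shield indicators.

Added example (not MX Lab's code). Indicators are those listed in the post;
the host snapshot below is constructed, and the directory layout assumes
Windows XP, where %UserProfile%\LOCALS~1\APPLIC~1 is the 8.3 short name of
"Local Settings\Application Data".
"""
import hashlib
import re
from typing import Dict, Iterable, List

# Indicators of compromise taken from the post.
IOC_MD5 = "b9cffe050e66da4e383752997eba3acd"
IOC_FILES = [r"%AppData%\217103390.exe", r"%Programs%\Security Shield.lnk"]
IOC_PROCESSES = [r"%AppData%\217103390.exe",
                 r"%UserProfile%\LOCALS~1\APPLIC~1\217103390.exe"]
IOC_RUNONCE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"

# Constructed XP profile used to expand the %...% placeholders (assumption:
# English XP install, user "dan").
XP_ENV = {
    "USERPROFILE": r"C:\Documents and Settings\dan",
    "APPDATA": r"C:\Documents and Settings\dan\Application Data",
    "PROGRAMS": r"C:\Documents and Settings\dan\Start Menu\Programs",
}
# 8.3 short names seen in process listings, mapped to their long form.
SHORT_NAMES = {"DOCUME~1": "Documents and Settings",
               "LOCALS~1": "Local Settings",
               "APPLIC~1": "Application Data"}


def normalize(path: str, env: Dict[str, str] = XP_ENV) -> str:
    """Expand %VAR% placeholders and 8.3 short names; lower-case for comparison."""
    def expand(m):
        return env.get(m.group(1).upper(), m.group(0))
    path = re.sub(r"%([^%]+)%", expand, path)
    for short, long_ in SHORT_NAMES.items():
        path = re.sub(re.escape(short), long_, path, flags=re.IGNORECASE)
    return path.lower()


def match_artifacts(observed: Iterable[str], indicators: Iterable[str]) -> List[str]:
    """Return the observed paths that equal an indicator after normalization."""
    wanted = {normalize(i) for i in indicators}
    return sorted(p for p in observed if normalize(p) in wanted)


def runonce_hits(values: Dict[str, str]) -> List[str]:
    """Return RunOnce value names whose data launches an indicator binary."""
    wanted = {normalize(i) for i in IOC_FILES + IOC_PROCESSES}
    hits = []
    for name, data in values.items():
        # Take the quoted program path, or the first token when unquoted.
        m = re.match(r'"([^"]+)"|(\S+)', data)
        exe = (m.group(1) or m.group(2)) if m else data
        if normalize(exe) in wanted:
            hits.append(name)
    return sorted(hits)


def md5_matches(data: bytes, known: str = IOC_MD5) -> bool:
    """True if the sample's MD5 equals the hash published in the post."""
    return hashlib.md5(data).hexdigest() == known.lower()


def triage(snapshot: dict) -> dict:
    """Run every check over a host snapshot and return the findings."""
    return {
        "files": match_artifacts(snapshot["files"], IOC_FILES),
        "processes": match_artifacts(snapshot["processes"], IOC_PROCESSES),
        "runonce": runonce_hits(snapshot["runonce"]),
        "hash": md5_matches(snapshot["sample"]),
    }


# Constructed snapshot of an infected XP host (not real telemetry).
SNAPSHOT = {
    "files": [
        r"C:\Documents and Settings\dan\Application Data\217103390.exe",
        r"C:\Documents and Settings\dan\Start Menu\Programs\Security Shield.lnk",
        r"C:\Documents and Settings\dan\Application Data\Microsoft\Word\normal.dot",
    ],
    "processes": [
        r"C:\WINDOWS\explorer.exe",
        r"C:\DOCUME~1\dan\LOCALS~1\APPLIC~1\217103390.exe",
    ],
    "runonce": {
        "217103390": r'"C:\Documents and Settings\dan\Application Data\217103390.exe"',
    },
    "sample": b"constructed placeholder, not the real surprise.exe",
}

if __name__ == "__main__":
    for check, result in triage(SNAPSHOT).items():
        print(f"{check}: {result}")
```

Because the two process paths normalize to different directories (Application Data versus Local Settings\Application Data), the check looks in both; a scan that only expands %AppData% would miss the second copy. The hash check reports no match for the constructed sample, which is the expected result for anything other than the real file.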

15 thoughts on "Malware distribution on RapidShare: surprise.exe"

  1. An email containing the link to surprise.exe on RapidShare was sent without my knowledge from my Yahoo account.
    I warned all my friends and changed my password. What else should I do?
    Thanks

  2. First off, you should do a full scan with your current antivirus program. Additionally, you can perform an online virus scan with one of the known AV vendors.

    If you think your computer is clean, change the password of your account and notify your contacts.

    Hope this helps

  3. It happened to me today, but the file size is 15.6 KB. I scanned it with current Norton AV and it said CLEAN. I tried to run it, and got some error message about NTVDM and failure of some 16-bit something or other (not willing to run it again). I do find the RunOnce key in the registry, but there is nothing in it. The Run key contains only normal/expected things.

    I do not know if I'm infected. I've noticed nothing strange yet (XP 32-bit Pro). I'm not sure what to do. Symantec doesn't seem to have anything on surprise.exe that is recent.

    I wonder: should I try to use Norton GoBack or regress to a previous restore point? I'm getting overdue for a reboot, but I'm not willing to do it until I have a handle on this.

    I’ll certainly do a full scan tonight.

    If anyone has a suggestion, PLEASE send me an email or post.

    Thanks

  4. Hi Dan,

    If you feared being infected, why did you run the file? Either way, I'm pretty sure the file was corrupted, so I doubt you're infected 🙂.

  5. If you did run the file, there is a pretty good chance it propagated to others from your address book. It looks like the payload of this is a user-id/password harvester. I would recommend you change ALL your passwords every day until you can get your system restored or have someone check it for you. Your banking or ecommerce passwords are now at risk.

  6. TRIED TO DOWNLOAD REGISTRY SOFTWARE JUST NOW & MY ANTI-VIRUS FREAKED OUT!!!! HAD JUST FINISHED UPDATING MY AVAST, SO IT ONLY MADE IT AS FAR AS "RUN THIS FILE"? BEWARE OF RAPIDSHARE!

  7. […] spam campaign that included a Rapidshare link pointing to surprise.exe, according to security firm MX Lab. The executable file downloads and installs the fake AV Security Shield on the user's computer, […]
