MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “You have received a gift from one of our members !”
The email is sent from the spoofed address “email@example.com”, while the SMTP envelope from address is “firstname.lastname@example.org”, and has the following body:
Hello friend !
You have just received a screensaver from someone who really cares about you!
This is a part of the message:
“Hi there! It has been a very long time since I haven’t heard anything from you! I hope you enjoy this gift from me that I’ve sent with love … I’ve just found out about this service from Sharon, a friend of mine who also told me that…”
If you’d like to see the rest of the message click here to receive your 3d live Dolphins
Thank you for using http://www.freeze.com ‘s services !!! Please take this opportunity to let your friends hear about us by sending them this screensaver from our personal collection !
The URL in the email leads to hxxp://www.i-tec.it/gift.pif; this malicious file is 844 kB in size.
This is a screenshot of what will appear on the desktop:
Backdoor.IRCBot is installed, opening a backdoor on the infected computer, combined with Trojan.RunKeys, which makes sure the trojans are started each time the computer boots.
The following files will be created:
… and a few more.
The following directories were created:
Several Windows registry changes will be executed, and the trojan can establish a connection with the following IPs:
184.108.40.206 on port 6664
220.127.116.11 on port 6667
The malware then connects to a remote IRC server.
Good advice is not to trust anyone who sends you a screensaver in general, and to be extra cautious when downloading a file or following a URL that points to a potentially dangerous extension such as .pif.
VirusTotal permalink and MD5: eda02dfc6a37f1915c9e1f6ff4a51e89.
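The indicators above (the .pif link in the lure, the two IRC server IP/port pairs and the MD5 of the sample) can be turned into a small triage check. The following is an added example, not code from MX Lab: the IoC values are the ones quoted in this post, while the mail body, the connection log lines and the list of executable extensions beyond .pif are constructed assumptions for illustration.

```python
"""Added example (not MX Lab's code): matching the indicators quoted in this
post against mail links, a connection log and a file hash.  The IoC values are
the ones in the post; every input fed to them below is a constructed sample."""
import hashlib
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Indicators quoted in the post (URL kept defanged, as it is written there).
IOC_URL_DEFANGED = "hxxp://www.i-tec.it/gift.pif"
IOC_MD5 = {"eda02dfc6a37f1915c9e1f6ff4a51e89"}
IOC_C2 = {("184.108.40.206", 6664), ("220.127.116.11", 6667)}

# Extensions Windows executes directly when the user "opens" the download.
# .pif is the one used in this campaign; the others are assumed additions.
DANGEROUS_EXTENSIONS = (".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs")

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)
CONN_RE = re.compile(r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<port>\d+)")


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into a comparable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def dangerous_extension(url: str) -> Optional[str]:
    """Return the executable extension a link points at, or None."""
    path = urlparse(refang(url)).path.lower()
    for ext in DANGEROUS_EXTENSIONS:
        if path.endswith(ext):
            return ext
    return None


def suspicious_links(html_body: str) -> List[Tuple[str, str]]:
    """(url, extension) for every href in a mail body that points at an executable."""
    found = []
    for url in HREF_RE.findall(html_body):
        ext = dangerous_extension(url)
        if ext:
            found.append((url, ext))
    return found


def matches_known_url(url: str) -> bool:
    """Exact match against the download URL quoted in the post."""
    return refang(url).lower() == refang(IOC_URL_DEFANGED).lower()


def md5_of(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def is_known_sample(md5_hex: str) -> bool:
    return md5_hex.lower() in IOC_MD5


def c2_hits(log_lines) -> List[Tuple[str, str, int]]:
    """(src, dst, port) for log lines whose destination matches the IRC C2 indicators."""
    hits = []
    for line in log_lines:
        m = CONN_RE.search(line)
        if m and (m["dst"], int(m["port"])) in IOC_C2:
            hits.append((m["src"], m["dst"], int(m["port"])))
    return hits


# Constructed samples (not captures from the campaign). The href is kept
# defanged like the post; a real gateway would see the plain http:// form.
SAMPLE_MAIL = (
    '<p>If you\'d like to see the rest of the message '
    '<a href="hxxp://www.i-tec.it/gift.pif">click here</a> to receive your 3d live Dolphins</p>'
    '<p>Thank you for using <a href="http://www.freeze.com/">freeze.com</a></p>'
)
SAMPLE_LOG = [
    "conn 10.0.0.15:49211 -> 184.108.40.206:6664 proto=tcp",  # hits IoC
    "conn 10.0.0.15:49212 -> 93.184.216.34:443 proto=tcp",    # benign, no hit
    "conn 10.0.0.22:51000 -> 220.127.116.11:6667 proto=tcp",  # hits IoC
    "conn 10.0.0.22:51001 -> 220.127.116.11:80 proto=tcp",    # same host, other port: no hit
]

if __name__ == "__main__":
    print(suspicious_links(SAMPLE_MAIL))
    print(c2_hits(SAMPLE_LOG))
    print(is_known_sample("EDA02DFC6A37F1915C9E1F6FF4A51E89"))
```

The connection check deliberately matches on the IP and port pair rather than the IP alone, since the post only names the IRC ports; the hash check is case-insensitive because VirusTotal and local tools differ in how they print hex digests.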