“You have received a gift from one of our members !” emails lead to malware


MX Lab, http://www.mxlab.eu, has started to intercept a new trojan distribution campaign spread by email with the subject “You have received a gift from one of our members !”.

The email is sent from the spoofed address “gifts@freeze.com”, while the SMTP envelope sender (the MAIL FROM address) is “_www@pictry.loc”. It has the following body:

Hello friend !
You have just received a screensaver from someone who really cares about you!

This is a part of the message:
“Hi there! It has been a very long time since I haven’t heared anything from you! I hope you enjoy this gift from me that i’ve sent with love … I’ve just found out about this service from Sharon, a friend of mine who also told me that…”
If you’d like to see the rest of the message click here to receive your 3d live Dolphins

===================
Thank you for using http://www.freeze.com ‘s services !!! Please take this opportunity to let your friends hear about us by sending them this screensaver from our personal collection !
==================

The URL in the email leads to hxxp://www.i-tec.it/gift.pif; this malicious file is 844 kB in size.

[Screenshot: what appears on the desktop after gift.pif is run]

A Backdoor.IRCBot is installed, which opens a backdoor on the infected computer, together with a Trojan.RunKeys component that makes sure the trojans are started each time the computer boots.

The following files will be created:

%Windir%\Temp\spoolsv\a.reg
%Windir%\Temp\spoolsv\aliases.ini
%Windir%\Temp\spoolsv\com.mrc
%Windir%\Temp\spoolsv\control.ini
%Windir%\Temp\spoolsv\Desktop.ini
%Windir%\Temp\spoolsv\flash_icon.png
%Windir%\Temp\spoolsv\ident.txt
%Windir%\Temp\spoolsv\mirc.ico
%Windir%\Temp\spoolsv\mirc.ini
%Windir%\Temp\spoolsv\xmas.jpg
….. and a few more.

The following directories were created:

%Windir%\Temp\spoolsv
%Windir%\Temp\spoolsv\download
%Windir%\Temp\spoolsv\logs
%Windir%\Temp\spoolsv\sounds

Several Windows registry changes are made, and the trojan can establish connections to the following IP addresses:

194.109.20.90 on port 6664
222.112.183.173 on port 6667

Both are remote IRC servers: the malware connects to one of them and is controlled over IRC, as the Backdoor.IRCBot name suggests.
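A host-side triage check built from the indicators above, as an added example that is not part of the MX Lab write-up. The drop directory, file names, IRC endpoints and MD5 are quoted from the text; the sample file list and the `netstat -ano` output are constructed here so the script runs offline, and the IRC-port heuristic (6660-6669 and 7000, for connections to addresses the write-up does not list) is an assumption beyond what the page states:

```python
"""Triage a Windows host against the indicators from the gift.pif / Backdoor.IRCBot write-up.

Added example; the indicators are quoted from the text, the sample data is constructed.
"""
import hashlib
from typing import Dict, Iterable, List, Tuple

# Indicators quoted from the write-up.
DROP_DIR = r"%Windir%\Temp\spoolsv"           # the real spooler lives in %Windir%\System32
DROPPED_FILES = {
    "a.reg", "aliases.ini", "com.mrc", "control.ini", "desktop.ini",
    "flash_icon.png", "ident.txt", "mirc.ico", "mirc.ini", "xmas.jpg",
}
IRC_ENDPOINTS = {("194.109.20.90", 6664), ("222.112.183.173", 6667)}
GIFT_PIF_MD5 = "eda02dfc6a37f1915c9e1f6ff4a51e89"

# Assumption (not from the write-up): IRC bots commonly use these ports, so an
# unknown host on them is worth a look even after the C2 addresses change.
IRC_PORTS = set(range(6660, 6670)) | {7000}


def match_dropped_paths(paths: Iterable[str], windir: str = r"C:\Windows") -> List[Tuple[str, bool]]:
    """Return (path, is_listed_name) for every path inside the fake spoolsv Temp directory.

    Anything under that directory is flagged; the flag says whether the file
    name is one of the names the write-up lists.
    """
    prefix = DROP_DIR.replace("%Windir%", windir).lower() + "\\"
    hits = []
    for path in paths:
        low = path.lower()
        if low.startswith(prefix):
            hits.append((path, low.rsplit("\\", 1)[-1] in DROPPED_FILES))
    return hits


def parse_netstat(text: str) -> List[Tuple[str, int]]:
    """Extract (remote_ip, remote_port) from the TCP lines of `netstat -ano` output."""
    remotes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "TCP":
            continue
        host, _, port = parts[2].rpartition(":")
        if port.isdigit():
            remotes.append((host.strip("[]"), int(port)))
    return remotes


def match_connections(conns: Iterable[Tuple[str, int]]) -> Dict[str, List[Tuple[str, int]]]:
    """Split connections into exact C2 hits and IRC-port-only suspects."""
    conns = list(conns)
    known = [c for c in conns if c in IRC_ENDPOINTS]
    suspect = [c for c in conns if c not in IRC_ENDPOINTS and c[1] in IRC_PORTS]
    return {"known_c2": known, "irc_port_only": suspect}


def md5_matches(data: bytes) -> bool:
    """True if the bytes are the gift.pif sample from the write-up."""
    return hashlib.md5(data).hexdigest() == GIFT_PIF_MD5


def triage(paths: Iterable[str], netstat_text: str) -> Dict[str, object]:
    """Combine the file-system and network checks into one report."""
    report: Dict[str, object] = {"dropped": match_dropped_paths(paths)}
    report.update(match_connections(parse_netstat(netstat_text)))
    report["infected"] = bool(report["dropped"]) or bool(report["known_c2"])
    return report


# Constructed sample data (not from the write-up).
SAMPLE_PATHS = [
    r"C:\Windows\System32\spoolsv.exe",            # legitimate spooler, must not match
    r"C:\Windows\Temp\spoolsv\mirc.ini",           # listed dropped file
    r"C:\Windows\Temp\spoolsv\download\gift.pif",  # unlisted file in the drop dir, still flagged
    r"C:\Users\bob\Desktop\xmas.jpg",              # same name elsewhere, not flagged
]
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.20:1045      194.109.20.90:6664     ESTABLISHED     1844
  TCP    192.168.1.20:1046      10.9.8.7:6667          ESTABLISHED     1844
  TCP    192.168.1.20:1052      203.0.113.5:80         ESTABLISHED     2200
  UDP    0.0.0.0:500            *:*                                    1012
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS, SAMPLE_NETSTAT).items():
        print(f"{key}: {value}")
```

On a live host, feed `match_dropped_paths` the result of walking `%Windir%\Temp` and `parse_netstat` the captured output of `netstat -ano`; the legitimate `spoolsv.exe` in `System32` is deliberately not matched, since only the fake `spoolsv` directory under `Temp` is an indicator.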

As general advice: do not trust anyone who sends you a screensaver, and be extra cautious when downloading a file or following a URL that points to a potentially dangerous extension like .pif. A .pif file that actually contains a Windows executable is run like any other program, and Explorer hides the .pif extension even when it is configured to show file extensions.
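A mail-gateway check that scores a message on the two traits this campaign shows, a header From that does not match the SMTP envelope sender and a link to a file with a risky extension. This is an added example, not MX Lab's filter. The subject, body text and link mirror the write-up; the `Return-Path` header (which a receiving MTA records from the MAIL FROM address) and the clean message are constructed, and every extension other than `.pif` in the risky list is an added assumption:

```python
"""Score an inbound message for the two traits of this campaign: a header From
that does not match the SMTP envelope sender, and a link to a risky file type.

Added example, not MX Lab's filter; the sample messages below are constructed.
"""
import posixpath
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# .pif comes from the write-up; the other extensions are an added assumption
# about what else a mail gateway should refuse to let users fetch.
RISKY_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}

# Accepts http/https and the defanged hxxp form used in the write-up, so the
# sample below stays non-clickable.
URL_RE = re.compile(r'\bh(?:tt|xx)ps?://[^\s<>"]+', re.IGNORECASE)


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address, or '' if none."""
    return address.rpartition("@")[2].lower()


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/* parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is not None:
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def extract_urls(text: str) -> List[str]:
    """Pull URLs out of free text, dropping trailing sentence punctuation."""
    return [m.group(0).rstrip(".,;:!?)") for m in URL_RE.finditer(text)]


def risky_urls(urls: List[str]) -> List[Tuple[str, str]]:
    """Return (url, extension) for URLs whose path ends in a risky extension."""
    hits = []
    for url in urls:
        ext = posixpath.splitext(urlparse(url).path.lower())[1]
        if ext in RISKY_EXTENSIONS:
            hits.append((url, ext))
    return hits


def sender_mismatch(msg: Message) -> Optional[Tuple[str, str]]:
    """Compare the header From domain with the envelope sender domain
    (Return-Path). Returns (header_domain, envelope_domain) on mismatch."""
    header = domain_of(parseaddr(msg.get("From", ""))[1])
    envelope = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    if header and envelope and header != envelope:
        return header, envelope
    return None


def analyse(raw: str) -> Dict[str, object]:
    """Return the findings and a verdict: quarantine, review or deliver."""
    msg = message_from_string(raw)
    mismatch = sender_mismatch(msg)
    risky = risky_urls(extract_urls(body_text(msg)))
    if risky:
        verdict = "quarantine"   # a link to an executable file type
    elif mismatch:
        verdict = "review"       # mailing lists and ESPs also mismatch; never block on this alone
    else:
        verdict = "deliver"
    return {
        "header_from": parseaddr(msg.get("From", ""))[1],
        "envelope_from": parseaddr(msg.get("Return-Path", ""))[1],
        "sender_mismatch": mismatch,
        "risky_urls": risky,
        "verdict": verdict,
    }


# Constructed sample: headers and body text mirror the campaign described above.
GIFT_MESSAGE = """\
Return-Path: <_www@pictry.loc>
From: gifts@freeze.com
To: victim@example.com
Subject: You have received a gift from one of our members !

Hello friend !
You have just received a screensaver from someone who really cares about you!
If you'd like to see the rest of the message click here to receive your 3d live Dolphins:
hxxp://www.i-tec.it/gift.pif.
"""

# Constructed sample of ordinary mail, for contrast.
CLEAN_MESSAGE = """\
Return-Path: <alice@example.org>
From: Alice <alice@example.org>
To: bob@example.org
Subject: Meeting notes

Notes are at http://intranet.example.org/notes/2009-q1.html, see you tomorrow.
"""

if __name__ == "__main__":
    for raw in (GIFT_MESSAGE, CLEAN_MESSAGE):
        print(analyse(raw))
```

The envelope/header mismatch is kept as a "review" signal rather than a block because legitimate bulk senders and mailing lists produce it too; the extension check is what earns quarantine, which matches the advice in the text to hold .pif downloads until they are known to be safe.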

VirusTotal permalink and MD5: eda02dfc6a37f1915c9e1f6ff4a51e89.

2 thoughts on “‘You have received a gift from one of our members !’ emails lead to malware”

  1. Thank you very much for this great article. I have spent hours looking for a good solution to fix it, but I have not found the perfect solution. Can you recommend which antivirus I should use? Thanks.

    • What we recommend to each customer is to invest in antivirus solutions on different levels. First of all, a zero-hour antivirus, like MX Lab offers, on the outside perimeter to intercept the most dangerous email-based threats.

      Second, a more traditional antivirus solution on the server/mail server and on the desktop clients. Giving a recommendation for this is very difficult, and it will all depend on different factors: your budget, your requirements, the level of security wanted and so on.

      Furthermore, if you are in a company, you can also take time to inform your employees about security issues and potential threats. Avoiding potential risks is quite often a better security measure than an antivirus software package.

      In this particular case, the payload is delivered via a URL and not as an attachment to the email message. You can also secure your network by not allowing potentially malicious files, like a .pif, to be downloaded, or by placing them in quarantine until you are sure that the file is safe.
