Hallmark E-Card and IKEA Fake Emails = Storm Bot

Today I again received an email purporting to come from Hallmark E-Card, with a suspicious ZIP file attached and the following message:

Screenshot of file attached

The attachment is, as always, a file named postcard.zip of less than 200 KB. Extracting the ZIP yields a file with an .SCR extension and a filename more than 80 characters long, most of which are spaces. At first glance the extension appears to be .PDF, but if we try to rename the file the real extension (.SCR) becomes visible:

Screenshot of SCR Extension
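The padded double extension is easy to check for mechanically before a user ever sees the attachment. The following Python, added here as an example and not code from the original post, inspects every entry of a ZIP archive and flags names whose real extension is a Windows executable type hidden behind a decoy document extension and a run of spaces. The sample archive it builds is constructed in memory to mirror the postcard.zip described above; the extension lists and the 8-space padding threshold are assumptions.

```python
import io
import zipfile

# Extensions Windows runs as programs; a "document" ending in one of these
# after a padded decoy extension is the pattern described above (assumed list).
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
# Decoy extensions commonly placed in front of the padding (assumed list).
DECOY_EXTENSIONS = {".pdf", ".doc", ".jpg", ".txt"}


def suspicious_zip_entries(zip_bytes: bytes, min_padding: int = 8):
    """Return (name, reason) for every archive entry using an executable extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.rsplit("/", 1)[-1].lower()
            real_ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if real_ext not in EXECUTABLE_EXTENSIONS:
                continue
            stem = lower[: -len(real_ext)]      # everything before the real extension
            stripped = stem.rstrip(" ")
            padding = len(stem) - len(stripped)  # spaces hiding the real extension
            decoy = "." + stripped.rsplit(".", 1)[-1] if "." in stripped else ""
            if decoy in DECOY_EXTENSIONS and padding >= min_padding:
                findings.append((name, f"{decoy} decoy, {padding} spaces of padding, real extension {real_ext}"))
            elif decoy in DECOY_EXTENSIONS:
                findings.append((name, f"double extension {decoy}{real_ext}"))
            else:
                findings.append((name, f"executable attachment {real_ext}"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample modelled on the postcard.zip above; the content is a placeholder, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("postcard.pdf" + " " * 80 + ".scr", b"constructed placeholder content")
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in suspicious_zip_entries(build_sample_zip()):
        print(repr(entry), "->", reason)
```

The check deliberately looks at the last extension only, because that is the one Windows uses to decide how to open the file; everything the user is shown before the padding is cosmetic.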

Report Generated 16.1.2009 at 13.20.08 (GMT 1)
Filename: postcard.pdf.scr
File size: 342 KB
MD5 Hash: D3C8D456610EA5EC89CE11D10B18195A
SHA1 Hash: 87D47426C5BBF2AAC5DD2A150F8C924D5CD17691
CRC32: 4093590608
Application Type: Executable (EXE) 32bit
Packer detected: Microsoft Visual C++ 6.0
Self-Extract Archive: Nothing found
Binder Detector: File is possible binded with malware
Detection Rate: 12 on 24 (50 %)

Antivirus    Signature version    Result
a-squared 15/01/2009 Riskware.Win32.CeeInject!IK
Avira AntiVir 7.1.1.124 TR/Dropper.Gen
Avast 090115-0 –
AVG 270.10.7/1893 I-Worm/Generic.COW
BitDefender 16/01/2009 –
ClamAV 14/01/2009 –
Comodo 932 –
Dr.Web 16/01/2009 –
Ewido 16/01/2009 –
F-PROT 6 20090115 W32/EmailWorm.OJL
G DATA 19.2450 Email-Worm.Win32.Agent.gfm A
IkarusT3 14/01/2009 VirTool.Win32.CeeInject
Kaspersky 16/01/2009 Email-Worm.Win32.Agent.gfm
McAfee 13/01/2009 W32/Xirtem@MM virus
MHR 16/01/2009 Virus Found – detect rate 37%
NOD32 v3 3771 Win32/Injector.AO
Norman 2009/01/13 –
Panda 07/01/2009 –
QuickHeal 16 January, 2009 I-Worm.Agent.gfm
Solo Antivirus 16/01/2009 –
Sophos 16/01/2009 Mal/CryptBox-A
TrendMicro 769(576900) –
VBA32 16/01/2009 –
VirusBuster 10.100.25 –

The headers of the email are as follows:

Received: from smtp.knology.net (smtp.knology.net [24.214.63.101])
Return-Path: postcards@hallmark.com
Received: from unknown (HELO smtp.iw.net) (24.214.63.103)
by smtp3.knology.net with SMTP; 15 Jan 2009 23:41:34 -0000
Received: from unknown (HELO hallmark.com) (64.179.143.132)
by pwsmtp1.iw.net with SMTP; 15 Jan 2009 23:39:21 -0000
From: postcards@hallmark.com
Subject: You ve received A Hallmark E-Card!
Date: Thu, 15 Jan 2009 17:37:38 -0600
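The Received chain above is the useful evidence: the message claims to be from hallmark.com, but the originating hop was a host with no reverse DNS that merely announced HELO hallmark.com to a relay at iw.net. The following Python, added here as an example and not part of the original post, parses the headers exactly as printed above (only the two continuation lines are folded with a leading space, as RFC 5322 requires) and reports those two mismatches. The heuristics it applies are assumptions, not rules from the post.

```python
import re

# The headers shown on the page, with continuation lines folded (leading space).
HEADERS = """Received: from smtp.knology.net (smtp.knology.net [24.214.63.101])
Return-Path: postcards@hallmark.com
Received: from unknown (HELO smtp.iw.net) (24.214.63.103)
 by smtp3.knology.net with SMTP; 15 Jan 2009 23:41:34 -0000
Received: from unknown (HELO hallmark.com) (64.179.143.132)
 by pwsmtp1.iw.net with SMTP; 15 Jan 2009 23:39:21 -0000
From: postcards@hallmark.com
Subject: You ve received A Hallmark E-Card!
Date: Thu, 15 Jan 2009 17:37:38 -0600
"""


def unfold(raw: str):
    """Join folded header continuation lines back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(value: str) -> dict:
    """Pull the pieces of one Received header we care about."""
    rdns = re.match(r"from\s+(\S+)", value, re.I)
    helo = re.search(r"\(HELO\s+([^)\s]+)\)", value, re.I)
    ip = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", value)
    by = re.search(r"\bby\s+(\S+)", value, re.I)
    return {
        "rdns": rdns.group(1) if rdns else None,
        "helo": helo.group(1) if helo else (rdns.group(1) if rdns else None),
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
    }


def sender_domain(headers, name: str):
    """Domain part of the address in the named header (From, Return-Path)."""
    for h in headers:
        if h.lower().startswith(name.lower() + ":"):
            addr = h.split(":", 1)[1].strip().strip("<>")
            return addr.rsplit("@", 1)[-1].lower()
    return None


def analyse(raw: str):
    headers = unfold(raw)
    hops = [parse_received(h.split(":", 1)[1].strip())
            for h in headers if h.lower().startswith("received:")]
    origin = hops[-1]  # Received headers are prepended, so the last one is the first hop
    claimed = sender_domain(headers, "From")
    findings = []
    # Heuristic (assumed): HELO equals the From domain but reverse DNS is "unknown".
    if origin["helo"] and claimed and origin["helo"].lower() == claimed and origin["rdns"] == "unknown":
        findings.append(f"origin {origin['ip']} announces HELO {origin['helo']} (the From domain) "
                        f"but has no reverse DNS")
    # Heuristic (assumed): the first relay that accepted the mail is outside the claimed domain.
    if origin["by"] and claimed and not origin["by"].lower().endswith(claimed):
        findings.append(f"first relay {origin['by']} is not in the claimed sender domain {claimed}")
    return hops, findings


if __name__ == "__main__":
    hops, findings = analyse(HEADERS)
    for i, hop in enumerate(hops[::-1], 1):
        print(f"hop {i}: ip={hop['ip']} helo={hop['helo']} rdns={hop['rdns']} by={hop['by']}")
    for f in findings:
        print("finding:", f)
</test>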

When the program is executed, it creates the following file:

C:\WINDOWS\System32\juschd.exe

Screenshot of the file

While juschd.exe is running, a new application window titled "postcard" and showing a postcard image appears on the computer:

Screenshot of the new started application

The malware first sends a GET request to an external website to learn its public IP address, and then begins the following traffic on TCP port 25 to send email:

Protocol          : TCP
Local Address     : 82.204.219.220
Local Port        : 25
Service Name      : smtp
 
554 SMTP service not available (err002temp)
 
Protocol          : TCP
Local Address     : 195.214.192.100
Local Port        : 25
Service Name      : smtp
 
220 UKR.NET ESMTP Fri, 16 Jan 2009 14:32:36 +0200
EHLO hallmark.com
250-mx1.ukr.net Hello XXX [xx.xx.xx.xx]
250-SIZE 26214400
250-8BITMIME
250-PIPELINING
250 HELP
MAIL FROM: postcards@hallmark.com
250 OK
RCPT TO:xxxxxx@ukr.net
451 http://ukr.net/mta/std3.html?xx.xx.xx.xx
421 mx1.ukr.net lost input connection
 
Protocol          : TCP
Local Address     : 94.100.176.20
Local Port        : 25
Service Name      : smtp
 
220 Mail.Ru ESMTP
EHLO IKEA.com
250-mx66.mail.ru ready to serve
250-SIZE 31457280
250 8BITMIME
MAIL FROM:HomePlanner@IKEA.com
250 OK
RCPT TO:xxxxx@mail.ru
221 mx66.mail.ru closing connection

From the above traffic we can see that the malware tries to spread itself by sending the same email I received on to other addresses, delivering it directly from my IP address to the recipients' mail servers while announcing itself as hallmark.com or IKEA.com.
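That behaviour, a workstation opening its own SMTP sessions to many foreign mail exchangers and announcing domains it does not own, is what a network defender can alert on. The following Python, added here as an example and not code from the original post, runs a simple rule over a constructed session log modelled on the three captures above (plus one session from a legitimate relay and one lone session from another host, to show what is not flagged). The internal addresses, the organisation's domain and the two-destination threshold are assumptions.

```python
import re
from collections import defaultdict

KNOWN_MAIL_RELAYS = {"10.0.0.25"}   # assumed: the organisation's legitimate outbound relay
OWN_DOMAIN = "example.org"           # assumed: the organisation's own mail domain

# Constructed session log modelled on the captures above; "local" is the host that
# opened the connection, "remote" the mail exchanger it connected to.
SESSIONS = [
    {"local": "10.0.0.5", "remote": "82.204.219.220", "port": 25,
     "dialog": ["554 SMTP service not available (err002temp)"]},
    {"local": "10.0.0.5", "remote": "195.214.192.100", "port": 25,
     "dialog": ["220 UKR.NET ESMTP", "EHLO hallmark.com", "250-mx1.ukr.net Hello",
                "MAIL FROM: postcards@hallmark.com", "250 OK", "RCPT TO:xxxxxx@ukr.net"]},
    {"local": "10.0.0.5", "remote": "94.100.176.20", "port": 25,
     "dialog": ["220 Mail.Ru ESMTP", "EHLO IKEA.com", "250-mx66.mail.ru ready to serve",
                "MAIL FROM:HomePlanner@IKEA.com", "250 OK", "RCPT TO:xxxxx@mail.ru"]},
    # Legitimate relay doing its job: excluded by the allow-list.
    {"local": "10.0.0.25", "remote": "94.100.176.20", "port": 25,
     "dialog": ["EHLO mail.example.org", "MAIL FROM:<alice@example.org>"]},
    # One stray session from another workstation: below the threshold.
    {"local": "10.0.0.7", "remote": "82.204.219.220", "port": 25,
     "dialog": ["EHLO pc7.example.org"]},
]


def direct_to_mx_alerts(sessions, min_destinations: int = 2):
    """Alert on non-relay hosts that talk SMTP to several MXs using foreign identities."""
    per_host = defaultdict(lambda: {"destinations": set(), "identities": set()})
    for s in sessions:
        if s["port"] != 25 or s["local"] in KNOWN_MAIL_RELAYS:
            continue
        rec = per_host[s["local"]]
        rec["destinations"].add(s["remote"])
        for line in s["dialog"]:
            m = re.match(r"(?:EHLO|HELO)\s+(\S+)", line, re.I)
            if m:
                rec["identities"].add(m.group(1).lower())
            m = re.match(r"MAIL FROM:\s*<?([^>\s]+)>?", line, re.I)
            if m:
                rec["identities"].add(m.group(1).rsplit("@", 1)[-1].lower())
    alerts = []
    for host, rec in sorted(per_host.items()):
        if len(rec["destinations"]) < min_destinations:
            continue
        forged = {d for d in rec["identities"] if not d.endswith(OWN_DOMAIN)}
        alerts.append({"host": host,
                       "destinations": len(rec["destinations"]),
                       "forged_identities": sorted(forged)})
    return alerts


if __name__ == "__main__":
    for alert in direct_to_mx_alerts(SESSIONS):
        print(alert)
```

In practice the same rule is usually expressed as an egress firewall policy (only the relay may reach TCP/25 outbound) plus a log alert on the blocked attempts; the code shows what the alert logic has to look for in the captured dialog.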
