Malware: UPS notification

We have received another fake UPS delivery-notification email whose ZIP attachment contains an executable rather than a document:

Report date: 2011-08-13 18:11:14 (GMT+1)
File name: ups-document-zip
File size: 13203 bytes
MD5 hash: 7d481195826b6e056d5dab4bfb6f58c0
SHA1 hash: ee3eb7fdca41b5c088fcd342fcf9223edf5cdf34
Detection rate: 3 of 5 (60%)
Status: INFECTED

Engine     Date        Version       Detection
AVG        13/08/2011  10.0.0.1190   FakeAlert
ClamAV     13/08/2011  0.97          Suspect.Bredozip-zippwd-10
Emsisoft   13/08/2011  5.1.0.2       Win32.Outbreak!IK

The extracted file is named UPS_document.exe:

Report date: 2011-08-13 18:11:14 (GMT+1)
File name: ups-document-exe
File size: 29696 bytes
MD5 hash: c601336e5cd39fe3e8889a7b712233bd
SHA1 hash: 45ccbecff7d8e3969b2c79b41a0d860b3d927f64
Detection rate: 3 of 5 (60%)
Status: INFECTED

Here is the malware activity captured by the sandbox:

Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 195.189.226.104 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - 195.189.226.104 - /ftp/g.php
File Created - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\OJZMJR51\g[1].htm - 34403D15902E7F6E25374DC697A23388 - 10240 bytes - attr: [] - -

The network activity is attributed to the system process svchost.exe rather than to UPS_document.exe, so the malware injects its code into svchost.exe, most probably so that the outbound connection appears to come from a trusted Windows process and passes host firewall rules. From inside that process it then issues a GET request to a bare IP address:

195.189.226.104 - /ftp/g.php
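The two things worth automating from this sample are the lure check (an archive named like a document that carries an executable) and the sandbox-trace check (a trusted system process issuing HTTP to a bare IP). The script below is an added example, not code from the original post or from the sandbox vendor: the in-memory ZIP and the log text are constructed here to mirror the attachment and the trace above (the extra iexplore.exe line is made up as a benign control), and the " - "-separated field layout of the trace is assumed from the lines shown.

```python
"""Triage helpers for the fake-UPS ZIP lure (added example, not the post's own code).

Check 1: does the attachment hide an executable behind a document-like name?
Check 2: does the sandbox trace show a system process (svchost.exe) making an
         HTTP request to a bare IP address, the injection pattern described above?
"""
from __future__ import annotations

import io
import re
import zipfile
from typing import List, NamedTuple

# Extensions Windows executes directly; a "document" archive carrying one is a lure.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")

# Processes that should not be originating their own HTTP requests to raw IPs.
SYSTEM_PROCESSES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\explorer.exe",
}

BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed stand-in for the sandbox trace. The first three lines copy the post's
# events; the iexplore.exe line is an invented benign control and must not alert.
SANDBOX_LOG = r"""
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 195.189.226.104 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - 195.189.226.104 - /ftp/g.php
File Created - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\OJZMJR51\g[1].htm - 34403D15902E7F6E25374DC697A23388 - 10240 bytes - attr: [] - -
Web Request - C:\Program Files\Internet Explorer\iexplore.exe - GET - www.example.com - /index.html
"""


def build_lure_zip() -> bytes:
    """Construct an in-memory ZIP like the attachment: one fake 'document' that is an EXE.

    The member body is only an 'MZ' stub, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("UPS_document.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


def executable_members(zip_bytes: bytes) -> List[str]:
    """Return archive members whose extension Windows would execute on double-click."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]


class Alert(NamedTuple):
    process: str
    host: str
    path: str

    @property
    def url(self) -> str:
        # Trace shows port 80 and a GET, so the IOC is a plain http:// URL.
        return f"http://{self.host}{self.path}"


def suspicious_web_requests(log: str) -> List[Alert]:
    """Flag 'Web Request' events where a system process talks HTTP to a bare IP.

    Windows Update and BITS also run inside svchost.exe, but they resolve hostnames;
    requiring a bare IP keeps that legitimate traffic from matching."""
    alerts: List[Alert] = []
    for line in log.strip().splitlines():
        fields = [f.strip() for f in line.split(" - ")]
        if len(fields) < 5 or fields[0] != "Web Request":
            continue
        _event, process, _method, host, path = fields[:5]
        if process.lower() in SYSTEM_PROCESSES and BARE_IP.match(host):
            alerts.append(Alert(process, host, path))
    return alerts


if __name__ == "__main__":
    print("executables in attachment:", executable_members(build_lure_zip()))
    for a in suspicious_web_requests(SANDBOX_LOG):
        print(f"ALERT {a.process} -> {a.url}")
```

The bare-IP condition is the part that matters in practice: on this era of Windows, svchost.exe legitimately hosts Windows Update and BITS, which do speak HTTP, so alerting on "svchost.exe made a web request" alone would be noisy; alerting on a system process fetching from a raw address with no DNS name is a much tighter signal, and the URL it yields is the IOC to block.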
