We have received a suspicious email:
Received: from unknown (HELO userb) (***@firstname.lastname@example.org) Subject: Cotacao solicitada. MIME-Version: 1.0 Date: Sat, 11 Feb 2012 17:56:37 -0300
Email message is in HTML and the page source looks like:
As you can see, from this code:
<A href="hxxp://groupnetvect .co.de">relatorio1379-pdf.</A> (63kb)<BR>
The A HREF link redirects the user to an external (malicious) website:
The website groupnetvect .co.de is hosted at Hetzner Online AG and its current IP address is 22.214.171.124 (www8.subdomain.com). The server machine is located in Germany (DE) and in the same server there are hosted other 1 websites. The domain is registered with the suffix CO.DE and the name groupnetvect. The organization is Hetzner Online AG.
HTTP/1.1 302 Found Date: Sun, 12 Feb 2012 13:01:07 GMT Server: Apache X-Powered-By: PHP/5.3.6 Location: hxxp:// consumer-electronics .junderhilltherapy .com//wp-content/themes/aurora/options-link.php Vary: Accept-Encoding Content-Length: 21 Content-Type: text/html; charset=iso-8859-1
The user is redirected again to another external (malicious) link:
hxxp:// consumer-electronics .junderhilltherapy .com//wp-content/themes/aurora/options-link.php
The website consumer-electronics .junderhilltherapy .com is hosted at HostDime.com and its current IP address is 126.96.36.199 (west.superdomainzone.com). The server machine is located in United States (US) and in the same server there are hosted other 1 websites. The domain is registered with the suffix COM and the name junderhilltherapy. The organization is HostDime.com.
HTTP/1.1 200 OK Date: Sun, 12 Feb 2012 13:03:05 GMT Server: Apache X-Powered-By: PHP/5.2.17 Content-Disposition: attachment; filename="relatorio.scr" Connection: close Content-Type: application/log
Now we can see that a file “relatorio.scr” is prompted to be downloaded:
File: relatorio_scr Size: 23042 bytes MD5: BFE2E1EB1C8780149C40FAE98C353BCA SHA1: 4C69371B15E9738FC663A381C1841315FAC030A0 SHA256: 2DF1080C551E9603F2B8F197DE62D4A643B12BF31F6D3CEE47C0649037C51CF6 SHA384: E30FBFFAD035E7F35BA62B4C6689438ED9A66C3D2F494F4896387EE89C63E445F9AA07FF0D0BF4D1C84EAE282D3F5040 SHA512: 8D9D7B7D4FBF3ACBF984B88CB027D44E98EE997915E2823D61A882B1FDD6D7DD4F5630B518D2C602649D4D42D74DAF863804924D57AC30E8B0D33161D31F706C
The file is detected by Antivirus as Suspect.Trojan.Generic.FD-1 (ClamAV), Trojan-Banker.Win32.VB!IK (Emsisoft), Trojan-Banker.Win32.VB (Ikarus).