Rogue security software XP Total Security spreads by email

We have received an email stating that we have an unread message and that someone has sent us a private message. It does not say whether the unread message comes from a social network; it only says it comes from SecureMessage.System, as you can see in this image:

Message Header

The body of the email is this:

Email Body

The body of the email contains 4 clickable links in total. From them we have extracted 3 distinct malicious and very dangerous URLs, all of which are still active at the time of writing, and all of which point to a remote file named link.php:

hxxp:// datingcool2012 . asia/ link.php
hxxp:// site-dating2010 . info/ link.php
hxxp:// datingbest2011 . asia/ link.php

We have analyzed the activity of one of the URLs: it leads to a web page that tries to scare the user by displaying an alert window claiming the PC is infected with trojans and spyware, a well-known method used to spread rogue security software:

XP Total Security Alert Window

When the button “Clean computer” is clicked, we are prompted to download a file:

Download XP Total Security File

File: freescan_seven_2013_exe
Size: 274624 bytes
MD5 Hash: 42DD7BD51C37B15965E67357517BFCBF
SHA1 Hash: 8D2D541CD4E3C7D0E9246940AA21DF84DAC06C49
SHA256 Hash: 7D6918FAA12EA588D6F7838267C60C6F8A3F51D5AC27A894D472F74E8B037CFB
SHA384 Hash: B7EEDBEF30B55276EAB875CABE5BFE33AD7A3B3DE1D772EF78B06651FA906362EACD6845DD2BAC3C5C7C2BD8E541C1EA
SHA512 Hash: EAEA7C1623F27BA75D11A6A2F1174DCF10B89461A5185C95E5E66FBD9A6400218247E8262DC6F3D96D88ED46A1877A657AB84444EEFA3B5608B9BE9E08569366

When the file is executed, it installs the rogue security software XP Total Security:

XP Total Security GUI

This is the network traffic generated by the malicious web page:

GET /link.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: datingcool2012 . asia
 
GET /?affid=00110&promo_type=5&promo_opt=1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: datingcool2012 . asia
 
GET /images/alert.png HTTP/1.1
Referer: hxxp:// datingcool2012 . asia/?affid=00110&promo_type=5&promo_opt=1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: datingcool2012 . asia
Cookie: PHPSESSID=umr4543d59rfa2lmq2fhbnue07
 
GET /index/two/ HTTP/1.1
Referer: hxxp:// datingcool2012 . asia /?affid=00110&promo_type=5&promo_opt=1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: datingcool2012 . asia
Cookie: PHPSESSID=umr4543d59rfa2lmq2fhbnue07

This is the data logged by the sandbox after the malicious file has been executed:

Process Created - C:\WINDOWS\explorer.exe - %Desktop%\freescan_2013.exe - Unknown Publisher - A413A21AF671DD1DA45E3CFA81515D11 - 274624 bytes
File Modified - %Desktop%\freescan_2013.exe - %LocalAppData%\epi.exe
Process Created - %Desktop%\freescan_2013.exe - %LocalAppData%\epi.exe - Unknown Publisher - 0F5AB3B66E5F14CDDBA31B7258DDB168 - 274624 bytes
File Created - %Desktop%\freescan_2013.exe - %LocalAppData%\epi.exe - 0F5AB3B66E5F14CDDBA31B7258DDB168 - 274624 bytes - attr: [-hidden] - PE
File Deleted - %LocalAppData%\epi.exe - %Desktop%\freescan_2013.exe - 274624 bytes
Write Registry - %LocalAppData%\epi.exe - \REGISTRY\USER\S-1-5-21-1177236615-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe
Connection Established - %LocalAppData%\epi.exe - TCP - 212.48.8.140 - 80
Connection Established - %LocalAppData%\epi.exe - UDP - 192.168.119.2 - 53
Web Request - %LocalAppData%\epi.exe - GET - statav2013 .com - /a6a7ccfae1135dbe00110050d44623
Web Request - %LocalAppData%\epi.exe - GET - statav2013 .com - /a6a7ccfae1135dbe00110050d4462a
Connection Established - %LocalAppData%\epi.exe - TCP - 127.0.0.1 - 1116
Web Request - %LocalAppData%\epi.exe - GET - statav2013 .com - /a6a7ccfae1135dbe00110050d4462f
Connection Established - %LocalAppData%\epi.exe - TCP - 127.0.0.1 - 80
Web Request - %LocalAppData%\epi.exe - GET - statav2013 .com - /a6a7ccfae1135dbe00110050d44635

New malicious URL logged:

hxxp:// statav2013 . com / a6a7ccfae1135dbe00110050d44635
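The sandbox events above follow a pattern worth catching automatically: a PE is dropped into the user profile, the payload deletes the original dropper, a Run key is written, and the payload then issues repeated GET requests to one host. The following is an added example, not code from the original post or from any sandbox vendor; it parses the " - " delimited log format shown above (the event lines are copied into the script as a constructed sample, with the defanged domain left as the post prints it) and reports each of those behaviours.

```python
from collections import defaultdict

# Constructed sample: the sandbox events from the write-up above, copied as
# plain text (field separator " - ", defanged domain kept as the post shows it).
SANDBOX_LOG = r"""
Process Created - C:\WINDOWS\explorer.exe - %Desktop%\freescan_2013.exe - Unknown Publisher - A413A21AF671DD1DA45E3CFA81515D11 - 274624 bytes
File Modified - %Desktop%\freescan_2013.exe - %LocalAppData%\epi.exe
Process Created - %Desktop%\freescan_2013.exe - %LocalAppData%\epi.exe - Unknown Publisher - 0F5AB3B66E5F14CDDBA31B7258DDB168 - 274624 bytes
File Created - %Desktop%\freescan_2013.exe - %LocalAppData%\epi.exe - 0F5AB3B66E5F14CDDBA31B7258DDB168 - 274624 bytes - attr: [-hidden] - PE
File Deleted - %LocalAppData%\epi.exe - %Desktop%\freescan_2013.exe - 274624 bytes
Write Registry - %LocalAppData%\epi.exe - \REGISTRY\USER\S-1-5-21-1177236615-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe
Connection Established - %LocalAppData%\epi.exe - TCP - 212.48.8.140 - 80
Connection Established - %LocalAppData%\epi.exe - UDP - 192.168.119.2 - 53
Web Request - %LocalAppData%\epi.exe - GET - statav2013 .com - /a6a7ccfae1135dbe00110050d44623
Web Request - %LocalAppData%\epi.exe - GET - statav2013 .com - /a6a7ccfae1135dbe00110050d4462a
Connection Established - %LocalAppData%\epi.exe - TCP - 127.0.0.1 - 1116
Web Request - %LocalAppData%\epi.exe - GET - statav2013 .com - /a6a7ccfae1135dbe00110050d4462f
Connection Established - %LocalAppData%\epi.exe - TCP - 127.0.0.1 - 80
Web Request - %LocalAppData%\epi.exe - GET - statav2013 .com - /a6a7ccfae1135dbe00110050d44635
"""

def parse_event(line):
    """Split one ' - ' delimited sandbox line into event type, acting process and args."""
    fields = [f.strip() for f in line.split(" - ")]
    return {"event": fields[0], "actor": fields[1], "args": fields[2:]}

def triage(log_text):
    """Return human-readable findings for the drop / self-delete / persist / beacon chain."""
    findings, payloads, hosts = [], set(), defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_event(line)
        kind, actor, args = ev["event"], ev["actor"], ev["args"]
        if kind in ("Process Created", "File Created") and args[0].startswith("%LocalAppData%"):
            payloads.add(args[0])  # a PE written to or launched from a user-writable directory
            findings.append(f"{kind} in user profile: {args[0]} (parent {actor})")
        elif kind == "File Deleted" and actor in payloads:
            findings.append(f"payload {actor} deleted its dropper {args[0]}")
        elif kind == "Write Registry" and args[0].endswith(r"\CurrentVersion\Run"):
            findings.append(f"Run-key persistence by {actor}: {args[1]} -> {args[2]}")
        elif kind == "Web Request" and actor in payloads:
            hosts[args[1]].append(args[2])  # args: method, host, path
    for host, paths in hosts.items():
        if len(paths) >= 2:  # repeated GETs with varying paths from the dropped PE = check-in pattern
            findings.append(f"{len(paths)} GET beacons to {host} from dropped payload")
    return findings
```

Run `triage(SANDBOX_LOG)` to list the five findings for this sample; the same parser can be pointed at any log in this line format.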

This is the malicious executable file installed by the rogue software:

XP Total Security Executable File

Links to the scan reports generated by URLVoid:

http://www.urlvoid.com/scan/datingcool2012.asia/
http://www.urlvoid.com/scan/site-dating2010.info/
http://www.urlvoid.com/scan/datingbest2011.asia/
http://www.urlvoid.com/scan/mailstorybig.info/
http://www.urlvoid.com/scan/statav2013.com/

Other scan reports for malicious URLs related to XP Total Security:

http://www.urlvoid.com/scan/pyxes.asia/
http://www.urlvoid.com/scan/terlies.asia/
http://www.urlvoid.com/scan/purveying.asia/
