CartellaUnicaTasse.exe Italian Malware Reversing

July 15, 2008

Hi,

A long time has passed since my last blog post.

I’ve released "CartellaUnicaTasse.exe: An Italian Malware Case Study";

the paper can be downloaded here: http://evilcry.altervista.org/tuts/Mw/CartellaUnicaTasse.pdf

See you at the next post 🙂


CartellaUnicaTasse Trojan

June 20, 2008

Hi,

Today my girl kindly pointed me to an e-mail she received some time ago. This mail has the subject "Cartella esattoriale n° 003 210400360968173" and contains an executable attachment called CartellaUnicaTasse.exe.

This executable is packed with a layer of UPX, so it can be easily unpacked; it is also coded in VB6. This malware is currently detected as Trojan-Downloader.Win32.VB.fcd by many AVs but is still working in all its functionalities.

From a quick analysis we can carve two URLs from which two viruses are downloaded:

hxxp://2{CENSORED}.biz/mef/download1.exe

hxxp://2{CENSORED}.biz/mef/download3.exe

Download1.exe -> Trojan-Clicker.Win32.Agent.aqk

Download2.exe -> Trojan.Win32.Small.atd

Download3.exe -> Trojan.Win32.Dialer.qi

loader_mef.exe -> Trojan-Downloader.Win32.VB.fcd

mef.exe -> Trojan-Clicker.Win32.Agent.aqk

I’ll analyze both Download1 and Download3 and I’ll soon post how this crap works 😉

All these malwares are written by an Italian: the downloader contains the path c:\Programmi\ and the dialer also contains Italian terms.
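The quick static triage described above (spotting the UPX layer, carving the download URLs and the Italian-locale path from the strings) as an added example, not code from the original post. It runs on a constructed byte blob rather than the real sample, and the hostname is a placeholder for the censored domain.

```python
import re

# Constructed sample (NOT the real CartellaUnicaTasse.exe): a fake PE-like blob
# carrying UPX section names, two embedded download URLs and the Italian path
# the post mentions. EXAMPLE-CENSORED.biz stands in for the censored host.
SAMPLE = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
    + b"UPX0\x00\x00\x00\x00" + b"UPX1\x00\x00\x00\x00"
    + b"\x00" * 16
    + b"http://EXAMPLE-CENSORED.biz/mef/download1.exe\x00"
    + b"some VB6 runtime string\x00"
    + b"http://EXAMPLE-CENSORED.biz/mef/download3.exe\x00"
    + b"c:\\Programmi\\loader_mef.exe\x00"
)

# UPX leaves its section names (UPX0/UPX1) and signature (UPX!) in the file.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[A-Za-z0-9._\-/%?=&]*)?")
# Locale hints the post used for attribution: the Italian "Program Files" path.
LOCALE_HINTS = (b"c:\\Programmi\\",)


def looks_upx_packed(data: bytes) -> bool:
    """Cheap heuristic: any UPX marker present in the raw bytes."""
    return any(marker in data for marker in UPX_MARKERS)


def carve_urls(data: bytes) -> list[str]:
    """Unique URLs in file order, defanged (hxxp) for safe reporting."""
    seen, found = set(), []
    for match in URL_RE.finditer(data):
        url = match.group(0).decode("ascii", "replace")
        if url not in seen:
            seen.add(url)
            found.append(url.replace("http", "hxxp", 1))
    return found


def locale_hints(data: bytes) -> list[str]:
    """Which attribution strings (Italian paths) appear in the sample."""
    return [hint.decode() for hint in LOCALE_HINTS if hint in data]


def triage(data: bytes) -> dict:
    """One-shot summary an analyst would log for a downloader like this."""
    return {"upx": looks_upx_packed(data),
            "urls": carve_urls(data),
            "hints": locale_hints(data)}
```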

See you at the next post.. 🙂