Hi,
Today my girlfriend kindly pointed me to an e-mail she received some time ago. The mail has the subject "Cartella esattoriale n° 003 210400360968173" and carries an executable attachment called CartellaUnicaTasse.exe.
This executable is packed with a single layer of UPX, so it can be easily unpacked; it is also written in VB6. The malware is currently detected as Trojan-Downloader.Win32.VB.fcd by many AVs, but it is still fully working in all its functionalities.
From a quick analysis we can carve two URLs from which two further pieces of malware are downloaded:
hxxp://2{CENSORED}.biz/mef/download1.exe
hxxp://2{CENSORED}.biz/mef/download3.exe
Download1.exe -> Trojan-Clicker.Win32.Agent.aqk
Download2.exe -> Trojan.Win32.Small.atd
Download3.exe -> Trojan.Win32.Dialer.qi
loader_mef.exe -> Trojan-Downloader.Win32.VB.fcd
mef.exe -> Trojan-Clicker.Win32.Agent.aqk
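The quick static triage described above (spot the UPX layer, carve the download URLs, note the Italian path) can be scripted. The following is an added example of my own, not code from the original post or from the malware author; it runs on a constructed byte blob that stands in for the unpacked executable, and the domain 2example.biz and the helper names are assumptions. On a real sample the strings are only visible after unpacking (upx -d), which is why the UPX check runs first.

```python
import re

# Section names / signature that UPX leaves in a packed PE image.
UPX_SECTION_MARKERS = (b"UPX0", b"UPX1", b"UPX!")

# Plain ASCII URL matcher; a NUL byte terminates the string in a binary.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")

# Locale hints: "Programmi" is the Italian "Program Files" folder name.
LOCALE_HINT_RE = re.compile(rb"[A-Za-z]:\\Programmi\\")


def looks_upx_packed(data: bytes) -> bool:
    """True if any UPX section name or signature appears in the file bytes."""
    return any(marker in data for marker in UPX_SECTION_MARKERS)


def carve_urls(data: bytes) -> list[str]:
    """Return unique URLs found in the bytes, in order of first appearance."""
    found: list[str] = []
    for match in URL_RE.finditer(data):
        url = match.group().decode("ascii", "replace")
        if url not in found:
            found.append(url)
    return found


def defang(url: str) -> str:
    """Make a URL safe to paste into a report: http -> hxxp, '.' -> '[.]'."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def find_locale_hints(data: bytes) -> list[str]:
    """Return hard-coded Italian-locale paths such as c:\\Programmi\\."""
    return [m.group().decode("ascii", "replace") for m in LOCALE_HINT_RE.finditer(data)]


def triage(data: bytes) -> dict:
    """Summarise what a first pass over the sample reveals."""
    return {
        "upx_packed": looks_upx_packed(data),
        "urls": [defang(u) for u in carve_urls(data)],
        "locale_hints": find_locale_hints(data),
    }


# Constructed stand-in for the unpacked downloader: a fake MZ header, leftover
# UPX section names, two download URLs and the Italian install path.  In a
# genuinely packed file the URLs would sit inside the compressed data and
# would not be visible until the UPX layer was removed.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"
    + b"\x00" * 16
    + b"http://2example.biz/mef/download1.exe\x00"
    + b"http://2example.biz/mef/download3.exe\x00"
    + b"c:\\Programmi\\loader_mef.exe\x00"
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("UPX packed :", report["upx_packed"])
    for url in report["urls"]:
        print("download   :", url)
    for hint in report["locale_hints"]:
        print("locale hint:", hint)
```

The defanged output is what belongs in a write-up or a ticket; the raw URLs stay in the analyst's notes. The locale check is deliberately narrow: it only confirms the observation that the author hard-coded the Italian "Programmi" folder instead of resolving the real Program Files path.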
I’ll analyze both Download1 and Download3 and I’ll post soon how this crap works 😉
All this malware was written by an Italian: the downloader contains the path c:\Programmi\ and the dialer also contains Italian terms.
See you in the next post.. 🙂