CartellaUnicaTasse Trojan

June 20, 2008

Hi,

Today my girl kindly pointed me to an e-mail she received some time ago. This mail has the subject "Cartella esattoriale n° 003 210400360968173" and contains an executable attachment called CartellaUnicaTasse.exe.

This executable is packed with a layer of UPX, so it can be easily unpacked; it is also coded in VB6. This malware is currently detected as Trojan-Downloader.Win32.VB.fcd by many AVs, but it still works with all its functionality intact.

From a quick analysis we can carve two URLs from which two further viruses are downloaded:

hxxp://2{CENSORED}.biz/mef/download1.exe

hxxp://2{CENSORED}.biz/mef/download3.exe

Download1.exe -> Trojan-Clicker.Win32.Agent.aqk

Download2.exe -> Trojan.Win32.Small.atd

Download3.exe -> Trojan.Win32.Dialer.qi

loader_mef.exe -> Trojan-Downloader.Win32.VB.fcd

mef.exe -> Trojan-Clicker.Win32.Agent.aqk

I'll analyze both Download1 and Download3 and I'll post soon how this crap works 😉

All these malware samples are written by an Italian: the downloader contains the path c:\Programmi\ and the dialer also contains Italian terms.
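The string-carving step behind the two observations above (the download URLs and the Italian c:\Programmi\ path), as an added Python example that is not part of the original post. It assumes the sample has already been UPX-unpacked; the point it shows is that a VB6 binary stores its string literals as UTF-16LE, so an ASCII-only strings pass misses them. The byte blob and the domain example.invalid are constructed placeholders, not the censored domain from the post.

```python
import re

# Constructed sample standing in for the UPX-unpacked downloader: VB6 keeps
# string literals as UTF-16LE, so an ASCII-only `strings` pass would miss the
# first URL. The domain is a placeholder, not the censored one from the post.
SAMPLE_UNPACKED = (
    b"MZ" + b"\x00" * 6
    + "http://example.invalid/mef/download1.exe".encode("utf-16-le")
    + b"\x00" * 4
    + b"http://example.invalid/mef/download3.exe\x00"   # ASCII copy
    + "c:\\Programmi\\".encode("utf-16-le")              # Italian "Program Files"
    + b"\xff" * 5
)

URL_RE = re.compile(r"https?://[\x21-\x7e]+?\.exe\b", re.IGNORECASE)
PROGRAMMI_RE = re.compile(r"c:\\programmi\\", re.IGNORECASE)


def _text_views(data: bytes) -> list[str]:
    """Byte-for-byte ASCII view plus UTF-16LE views at both byte alignments."""
    views = [data.decode("latin-1")]
    for off in (0, 1):
        # errors="ignore" drops the garbage produced by misaligned or odd-length input
        views.append(data[off:].decode("utf-16-le", errors="ignore"))
    return views


def carve_download_urls(data: bytes) -> list[str]:
    """Unique .exe download URLs found in any of the string encodings, sorted."""
    urls: set[str] = set()
    for view in _text_views(data):
        urls.update(m.group(0) for m in URL_RE.finditer(view))
    return sorted(urls)


def has_italian_program_files_path(data: bytes) -> bool:
    """True if the Italian-locale 'Programmi' path the post mentions is present."""
    return any(PROGRAMMI_RE.search(v) for v in _text_views(data))


if __name__ == "__main__":
    for url in carve_download_urls(SAMPLE_UNPACKED):
        print("download URL:", url)
    print("Italian Program Files path:", has_italian_program_files_path(SAMPLE_UNPACKED))
```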

See you in the next post.. 🙂