Updated: changelog update e-mail leads to fake anti-virus



Posted:
2012-11-30 @ 11:38:00
malware

A round of malicious spam e-mails is flooding inboxes. The e-mails are titled 'Fwd: changelog UPD.', 'Re: Fwd: Changelog as promised (upd.)', 'RE: Antone - Copies of Policies.' or similar. As usual, the sender address is forged.

These particular examples came from IP address 51.67.38.17 with a forged sender address [email protected]; from maile-ea.linkedin.com (199.101.162.57) with sender address [email protected]; and from 190.186.160.5 with a forged sender address [email protected]. The sender's domain will usually match the recipient's domain to get past spam filters, but the LinkedIn server seems legitimate (a hacked account, perhaps?).
Content example one:

Hi,

changelog update - View

I. SMART

Content example two:

Good morning,

as promised changelog - View 

I. Draper

Content example three:

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.

Antone HARRELL, 

As usual, such short and strange e-mails should make users suspicious. Always verify the destination URL by hovering the mouse pointer over a link before clicking it, and compare the real target with what the link text suggests.
[Screenshots: 'Fwd: changelog UPD' e-mail; 'Re: Fwd: Changelog as promised (upd.)' e-mail; 'RE: Antone - Copies of Policies.' e-mail]

The links point to a redirection page (forwarding.htm or inform.htm) at http://www.offdebicz.sopot.pl, http://www.0631star.cn or http://randaudax44-85.fr. Each page contains a simple piece of JavaScript that forwards the browser to another web site, which hosts the malicious Java code.
[Screenshot: 'Fwd: changelog UPD' e-mail, redirection page at offdebicz.sopot.pl]
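The two checks described above (a From: address forged in the recipient's own domain, and a link whose real target is a forwarding page on an unrelated host) can be automated. The script below is an added example and not part of the original post or any tool it mentions. The e-mail and the landing page it inspects are constructed to mirror the campaign: the originating IP and host names are those quoted in the post, while example.com, the header values and the exact JavaScript line are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real capture): forged From: in the
# recipient's own domain, terse "changelog" lure, one link to forwarding.htm.
# The bracketed IP is the one quoted in the post; example.com is a placeholder.
RAW_MAIL = b"""Received: from mail.example.com (unknown [51.67.38.17])
\tby mx.example.com with ESMTP; Fri, 30 Nov 2012 10:12:00 +0000
From: "I. Smart" <i.smart@example.com>
To: victim@example.com
Subject: Fwd: changelog UPD.
Content-Type: text/html; charset=us-ascii

<html><body>Hi,<br><br>changelog update -
<a href="http://www.offdebicz.sopot.pl/forwarding.htm">View</a><br><br>I. SMART</body></html>
"""

# Constructed stand-in for the redirection page: a one-line JavaScript
# forward to the exploit site named in the post (the exact script is assumed).
LANDING_PAGE = """<html><head><script type="text/javascript">
window.location = "http://dimarikanko.ru:8080/forum/links/column.php";
</script></head><body></body></html>"""

LURE_SUBJECTS = re.compile(r"changelog|copies of policies", re.I)
REDIRECT_PAGES = ("forwarding.htm", "inform.htm")
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""")


class LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_of(header_value):
    """Lower-cased domain part of an address header such as From: or To:."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def originating_ips(msg):
    """Bracketed IPv4 addresses from every Received: header, top-down."""
    ips = []
    for received in msg.get_all("Received", []):
        ips.extend(IPV4_IN_BRACKETS.findall(str(received)))
    return ips


def extract_links(msg):
    """(text, href) for each <a> in the HTML (or plain) body of the message."""
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    return collector.links


def triage(raw):
    """Return a list of finding strings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender_domain = domain_of(msg["From"])
    if sender_domain and sender_domain == domain_of(msg["To"]):
        findings.append("sender_domain_matches_recipient:" + sender_domain)
    if LURE_SUBJECTS.search(str(msg["Subject"] or "")):
        findings.append("lure_subject")
    for ip in originating_ips(msg):
        findings.append("originating_ip:" + ip)
    for _text, href in extract_links(msg):
        parsed = urlparse(href)
        host = parsed.hostname or ""
        if parsed.path.endswith(REDIRECT_PAGES):
            findings.append("link_to_redirect_page:" + href)
        if host and not host.endswith(sender_domain):
            findings.append("link_host_differs_from_sender:" + host)
    return findings


def find_js_redirect(html):
    """Target of a simple JavaScript forwarding page, or None if there is none."""
    m = JS_REDIRECT.search(html)
    return m.group(1) if m else None
```

Run `triage(RAW_MAIL)` to get the findings for the sample and `find_js_redirect(LANDING_PAGE)` to pull the next hop out of the forwarding page without loading it in a browser. The originating IP is only reported, not judged: deciding whether 51.67.38.17 is a legitimate relay for the sender's domain needs a DNS or reputation lookup that this offline example deliberately leaves out.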

The column.php page at http://dimarikanko.ru:8080/forum/links/ from example one seems to be down by now; it exploited a known Java vulnerability to make the victim's PC download and install ransomware (a fake anti-virus). A similar malicious page at http://podarunoki.ru:8080/forum/links/ is still up.
[Screenshot: 'Fwd: changelog UPD' e-mail, malicious page at dimarikanko.ru]

Here's a part of the malicious Java code:
[Screenshot: 'Fwd: changelog UPD' e-mail, malicious code at dimarikanko.ru]

The scareware is set to run automatically every time the current user logs in. The executable is stored in the user's Application Data folder as KB00259840.exe (detected as W32/Cridex.E by Microsoft Security Essentials). Another file with a random name is dropped into the Java deployment cache folder and the System Restore folder; both copies are detected as Win32/Tobfy.I by Microsoft Security Essentials.

That's why you should keep your programs, Java in particular, up to date. Free anti-virus programs are capable of detecting and removing this threat automatically, and Malwarebytes Anti-Malware Free is also able to remove the ransomware.
