Thursday, March 10, 2011

Spamvertised DHL Notification Malware Campaign

A currently spamvertised malware campaign is brand-jacking DHL for malware-serving purposes.

Sample filename: document.zip => DHL_notification.exe
Sample message: "Dear customer. The parcel was send your home address. And it will arrice within 7 bussness day. More information and the tracking number are attached in document below. Thank you. 2011 DHL International GmbH. All rights reserverd" - notice the typos.

DHL_notification.exe - Trojan-Spy.Win32.SpyEyes - Result: 27/43 (62.8%)
MD5   : bda72e57d263241d52b1fe2ef014cba9
SHA1  : fa9dc14b100f1bf5124cd23c322c109b38a70675
SHA256: 199f2357c24e71d955a4e6c2d07645aa04d9474e0c8c914a1edd69a02e3f8a70

Upon execution, the sample phones back to:
adobe.com/geo/productid.php
elsoplongt.com/rk`,jopbh/qwq - Email: redaccion@elsoplongt.com
accuratefiles.com/rk`,jopbh/qwq
lulango.com/rk`,jopbh/qwq - Email: lulango@gmail.com
erherg34gsafwe.com/xgate.php - AS49469, Email: admin@erherg34gsafwe.com
    - erherg34gsafwe.com/ftp/base.bin
    - erherg34gsafwe.com/ftp/ftpplug2.dll

The callback domains resolve to the following IPs:
192.150.16.117
72.41.115.170
74.117.180.216
87.106.193.21
94.63.244.56
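As an added example, not code from the original post or from Dancho Danchev, here is a small Python matcher that takes the callback URLs and resolved IPs listed above and runs them over constructed proxy-log lines, so a defender can see how the indicators translate into detection with a confidence tier per match. Only the indicators come from the post; the log format, the confidence tiers, the sample log lines and the split into dedicated callback hosts are assumptions made for the example.

```python
from urllib.parse import urlsplit
# Indicators copied from the post above; (host, path) are matched as a pair so
# that adobe.com traffic is a hit only together with the exact path seen here.
CALLBACK_URLS = {
    ("adobe.com", "/geo/productid.php"),
    ("elsoplongt.com", "/rk`,jopbh/qwq"),
    ("accuratefiles.com", "/rk`,jopbh/qwq"),
    ("lulango.com", "/rk`,jopbh/qwq"),
    ("erherg34gsafwe.com", "/xgate.php"),
    ("erherg34gsafwe.com", "/ftp/base.bin"),
    ("erherg34gsafwe.com", "/ftp/ftpplug2.dll"),
}
# Hosts the post lists only as callback infrastructure, and the IPs they resolve to.
DEDICATED_HOSTS = {"elsoplongt.com", "accuratefiles.com", "lulango.com", "erherg34gsafwe.com"}
C2_IPS = {"192.150.16.117", "72.41.115.170", "74.117.180.216", "87.106.193.21", "94.63.244.56"}

def normalize_host(host):
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def classify_request(url, dest_ip=None):
    """Return (confidence, reason) for one proxied request, or None if nothing matches."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = normalize_host(parts.hostname or "")
    if (host, parts.path) in CALLBACK_URLS:
        return ("high", f"exact callback URL {host}{parts.path}")
    if host in DEDICATED_HOSTS:
        return ("medium", f"callback host {host} with unlisted path {parts.path}")
    if dest_ip in C2_IPS:
        return ("low", f"destination {dest_ip} also hosts the callback domains")
    return None

def scan_proxy_log(lines):
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 6:      # skip malformed lines rather than crash on them
            continue
        verdict = classify_request(fields[4], dest_ip=fields[2])
        if verdict:
            hits.append((n,) + verdict)
    return hits

# Constructed log lines (not from the post), format '<time> <client> <dest_ip> <method> <url> <status>':
# one clean request, one host-only hit, one exact URL hit and one IP-only hit.
SAMPLE_LOG = [
    "10:01:02 10.0.0.5 93.184.216.34 GET http://example.org/index.html 200",
    "10:01:09 10.0.0.5 94.63.244.56 GET http://www.lulango.com/other/path 404",
    "10:01:11 10.0.0.5 72.41.115.170 POST http://erherg34gsafwe.com/xgate.php 200",
    "10:01:15 10.0.0.7 87.106.193.21 GET http://unrelated-name.test/ 200",
]
```

Calling `scan_proxy_log(SAMPLE_LOG)` flags lines 2, 3 and 4 at medium, high and low confidence respectively; the IP-only tier is deliberately lowest because the listed addresses may host unrelated domains as well.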

This post has been reproduced from Dancho Danchev's blog.