iPhone Unlocking Themed Malware Campaign Spamvertised

UPDATED: Sunday, April 18, 2010: The folks at EmergingThreats pinged me on the fact that  immediately after the brief assessment went public, the cybercriminals moved iphone-iphone.info to 174.37.172.68 (SoftLayer Technologies Inc.) Currently responding to the same IP are also the following domains known to have been connected with previous malware campaigns - startexag.com - Email: venterprize@gmail.com; exposingpics.com, and animezhd.com.

Researchers from BitDefender are reporting on a currently spamvertised malware campaign, using a "Unlock, Jailbrake and "hack"tivate iPhone 3.1.3" theme.

The spamvertised domain iphone-iphone.info - 188.210.236.181 - Email: iphone-iphone.info@protecteddomainservices.com, is enticing the end user into download the malware from pepd.org/blackra1n.exe - 188.210.236.109 - Email: pepd.org@protecteddomainservices.com.

Detection rate: blackra1n.exe - Trojan.BAT.AACL - Result: 10/40 (25%), with the malware itself attempting to change the default DNS settings on the infected hosts to the following IP - 188.210.236.250 (188-210-236-250.hotnet.ro), AS39443, HOTNET-AS SC Hot Net SRL Baia de Aries, Nr 3, Bl 5B, Sc A, Ap 39, Bucuresti, 6.

- Creates the following registry entry in an attempt to change default DNS settings:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5D19E473-BE30-416B-B5C7-D8A091C41D2F} "NameServer" = 188.210.236.250

- Creates Process - Filename () CommandLine: 
(C:\WINDOWS\system32\NETSH.EXE: interface ip set dns "Local Area Connection" static 188.210.236.250) As User: () Creation Flags: (CREATE_DEFAULT_ERROR_MODE CREATE_SUSPENDED) interface ip set dns "wireles network connection" static 188.210.236.250) As User: () Creation Flags: (CREATE_DEFAULT_ERROR_MODE CREATE_SUSPENDED)

From Romania, with DNS changing malware. 

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.