Missed voice message - Fake WhatsApp - Virus


Email:

A fake WhatsApp email claims you missed a voice message and asks you to download it from the attachment.

The attached zip file contains an .exe: antivirus engines classify it as a trojan downloader (Microsoft names it Upatre, see the VirusTotal listing below), which fetches and drops a second executable.

The From header spoofs magma.net or other domains.

While the ASPROX botnet made WhatsApp a fashionable brand to spoof in malware emails, THIS series comes from Cutwail spambots, not Asprox bots.


Subject: Missed voice message, "6:28"PM

WhatsApp

New voicemessage.

Please download attached file
Description
Jan 09 1:25PM PM
08 seconds

autoplay
Whats App

Missed-message.zip (12)

[Image: fake WhatsApp virus email with attachment]


Header Examples:

The From header spoofs magma.net, while the envelope sender (X-Envelope-From) still carries a different domain, nacha.org, left over from a previous spam campaign. A mismatch between the envelope sender domain and the From domain, combined with a brand name in the display name that does not match either, is an easy signal to filter on.

cbl.abuseat.org (the Composite Blocking List) lists these sending hosts as Cutwail spambots.

Received: from 46-120-160-215.static.012.net.il [46.120.160.215]
X-Envelope-From: service @nacha.org
From: "WhatsApp Messenger" <ctaylor @magma.net>
Subject: Missed voice message, "3:26"PM

Received: from 253.192/26.17.108.199.in-addr.arpa [199.108.17.253]
X-Envelope-From: status-update @nacha.org
From: "WhatsApp Messenger" <ctaylor @magma.net>
Subject: Missed voice message, "3:28"PM

Received: from 23-31-59-142-static.hfc.comcastbusiness.net [23.31.59.142]
X-Envelope-From: no-reply @nacha.org
Subject: Missed voice message, "6:42"PM
From: "WhatsApp Messenger" <ctaylor @magma.net>

Received: from [186.114.32.39]
X-Envelope-From: service @nacha.org
From: "WhatsApp Messenger" <ctaylor @magma.net>
Subject: Missed voice message, "3:32"PM
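The checks described above, turned into a small triage script. This is an added example, not tooling from the page or from THL: the four header fragments are constructed copies of the samples listed above (with the de-fanging space before "@" removed so they parse), the BRAND_DOMAINS allow-list is an assumption you would maintain yourself, and the DNSBL helper only builds the reversed-octet query name for cbl.abuseat.org; resolving it requires a network lookup that the script deliberately does not perform.

```python
"""Header triage for the fake WhatsApp voicemail campaign (added example)."""
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed copies of the header fragments shown on the page.
SAMPLES = [
    "Received: from 46-120-160-215.static.012.net.il [46.120.160.215]\n"
    "X-Envelope-From: service@nacha.org\n"
    'From: "WhatsApp Messenger" <ctaylor@magma.net>\n'
    'Subject: Missed voice message, "3:26"PM\n',
    "Received: from 253.192/26.17.108.199.in-addr.arpa [199.108.17.253]\n"
    "X-Envelope-From: status-update@nacha.org\n"
    'From: "WhatsApp Messenger" <ctaylor@magma.net>\n'
    'Subject: Missed voice message, "3:28"PM\n',
    "Received: from 23-31-59-142-static.hfc.comcastbusiness.net [23.31.59.142]\n"
    "X-Envelope-From: no-reply@nacha.org\n"
    'Subject: Missed voice message, "6:42"PM\n'
    'From: "WhatsApp Messenger" <ctaylor@magma.net>\n',
    "Received: from [186.114.32.39]\n"
    "X-Envelope-From: service@nacha.org\n"
    'From: "WhatsApp Messenger" <ctaylor@magma.net>\n'
    'Subject: Missed voice message, "3:32"PM\n',
]

# Assumption: domains a mail signed "WhatsApp" may legitimately come from.
BRAND_DOMAINS = {"whatsapp": {"whatsapp.com", "whatsapp.net"}}

# Subject shape used throughout this campaign: Missed voice message, "H:MM"PM
CAMPAIGN_SUBJECT = re.compile(r'^Missed voice message, "\d{1,2}:\d{2}"[AP]M$')


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def first_hop_ip(received):
    """IPv4 address in square brackets on a Received line (the connecting host)."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    return m.group(1) if m else None


def dnsbl_query_name(ip, zone="cbl.abuseat.org"):
    """Reversed-octet DNSBL name for ip; resolving it is left to the caller.
    Any A-record answer (typically 127.0.0.x) means the IP is listed."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def triage(raw):
    """Return a list of findings for one message's headers."""
    msg = email.message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    env_dom = domain_of(parseaddr(msg.get("X-Envelope-From", ""))[1])
    # Envelope sender domain left over from another campaign vs. spoofed From.
    if env_dom and env_dom != from_dom:
        findings.append(f"envelope-from domain {env_dom} != From domain {from_dom}")
    # Brand in the display name without a matching sending domain.
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display.lower() and from_dom not in allowed:
            findings.append(f"display name claims {brand} but From domain is {from_dom}")
    if CAMPAIGN_SUBJECT.match(msg.get("Subject", "")):
        findings.append("subject matches campaign pattern")
    ip = first_hop_ip(msg.get("Received", ""))
    if ip:
        findings.append(f"first hop {ip}: look up {dnsbl_query_name(ip)}")
    return findings


if __name__ == "__main__":
    for sample in SAMPLES:
        print("\n".join(triage(sample)))
        print("--")
```

Header order does not matter (the third sample has Subject before From), and the envelope/From mismatch fires on every sample because all four still carry nacha.org as the envelope sender.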

Attachment Samples:

Missed-message.zip containing Missed-message.exe

VirusTotal report:

Commtouch W32/Trojan.GGLJ-3673
ESET-NOD32 a variant of Win32/Kryptik.BSXR
F-Prot W32/Trojan3.HDX
McAfee Artemis!7B6B62F144C0
McAfee-GW-Edition Heuristic.LooksLike.Win32.Suspicious.J!81
Microsoft TrojanDownloader:Win32/Upatre.A
Sophos Mal/EncPk-ZC
TrendMicro PAK_Generic.001
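A mail gateway or analyst can reject this lure before any antivirus verdict by looking inside the zip: the attachment promises a voice message but carries a Windows executable. The following is an added example, not code from the page or from THL; it inspects a zip in memory without extracting anything to disk, flags executable extensions, double extensions such as name.mp3.exe, encrypted members it cannot read, and members whose bytes carry a DOS/PE signature. The archive it runs on is a constructed stand-in with a fake MZ/PE header, not the real Missed-message.exe.

```python
"""Inspect a zip attachment for executable content without extracting it (added example)."""
import io
import os
import zipfile

# Extensions Windows will run directly when the user double-clicks the file.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".cpl", ".bat", ".cmd", ".js", ".vbs"}
# Extensions the lure promises; used to spot voice.mp3.exe style decoy names.
DECOY_EXT = {".mp3", ".wav", ".amr", ".pdf", ".doc", ".jpg"}


def looks_like_pe(head):
    """True if head starts with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
    return head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def inspect_zip(data, max_members=50, head_bytes=4096):
    """Return a list of findings for a zip given as bytes; nothing is written to disk."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    findings = []
    with archive:
        for info in archive.infolist()[:max_members]:
            name = info.filename
            base, ext = os.path.splitext(name)
            ext = ext.lower()
            inner_ext = os.path.splitext(base)[1].lower()
            if ext in EXEC_EXT:
                findings.append(f"{name}: executable extension {ext}")
            if ext in EXEC_EXT and inner_ext in DECOY_EXT:
                findings.append(f"{name}: double extension hiding {ext} behind {inner_ext}")
            if info.flag_bits & 0x1:
                # Password-protected member: the name is all we can judge.
                findings.append(f"{name}: encrypted member, content not inspected")
                continue
            with archive.open(info) as member:
                head = member.read(head_bytes)  # bounded read, safe against large members
            if looks_like_pe(head):
                findings.append(f"{name}: PE header (Windows executable)")
    return findings


def build_sample_zip(members):
    """Constructed stand-in archive for testing; the real sample is not included."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


def fake_pe():
    """Bytes with a valid MZ/PE signature layout and nothing else (not runnable code)."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew -> offset 0x80
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_zip({"Missed-message.exe": fake_pe()})
    print("\n".join(inspect_zip(sample)))
```

Checking the bytes as well as the name matters because the extension check alone misses a renamed binary, and the signature check alone misses a script; in a gateway either finding is enough to quarantine a message that claims to carry a voice recording.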

Malwr.com report:

Starts servers listening on 0.0.0.0:0, 0.0.0.0:5350, 0.0.0.0:8060
Performs some HTTP requests
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Operates on local firewall's policies and settings
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup

Contacts via tcp:
findforensicnursing.com 141.101.116.205
jojik-international.com 200.74.243.148

From the PCAP file, UDP traffic:

These addresses exchanged UDP traffic in both directions:
151.76.106.227 ITALY
27.54.110.77 JAPAN

These addresses were sent UDP but never answered:
110.45.74.60 KOREA, REPUBLIC OF
89.142.241.143 SLOVENIA

File-Analyzer.net report:

Drops: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\budha.exe
Reads the hosts file, enables driver privileges
Checks for kernel debuggers
Contacts:
jojik-international.com 200.74.243.148 Panama
findforensicnursing.com 141.101.117.205 European Union

Samples provided to Clam AV and Microsoft Security when this article was created.
