Traffic accident with your car - Virus


Email:

A scam malware email claims that you damaged the sender's car in a traffic accident, that photos are attached, and threatens legal action!

The attached zip file contains a .scr executable, a virus or trojan horse.


Subject: Traffic accident with your car

Good morning!

You hurt my car on the road. Look at these photos in the attached archive and contact me as soon as possible.
Otherwise you'll get legal action.

+1 750 972-43-15

IMG_0612.zip (736)

Header Examples:

Spoofs (or simply uses) random junk in the From and Envelope-From headers, but at least they are consistent within each email.

Received: from ip-212-69-6-51.neobee.net [212.69.6.51])
X-Envelope-From: aimlessnesska33 @rmpinvest.com
From: "Amanda Gillespie" <aimlessnesska33 @rmpinvest.com>
Subject: Traffic accident with your car

Received: from MKSUKIN [218.189.129.220]
X-Envelope-From: prettiedme679 @renaissance4u.com
From: "Prince Prater" <prettiedme67 [remainder of address not recoverable from the page]>
Subject: Traffic accident with your car

Attachment Samples:

IMG_0612.zip, containing IMG_0612.scr, which is a Win32 portable executable.
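As an added illustration (not part of the original post), the script below parses a raw email, opens any zip attachment, and flags members with directly executable extensions such as .scr, checking whether they start with the MZ header of a Win32 PE. The sample message it builds is constructed here; the sender address is a placeholder, not one from the page.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly when double-clicked; .scr is a PE just like .exe
EXEC_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def scan_zip_attachment(data):
    """Return [(member name, starts_with_MZ)] for risky members inside a zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in EXEC_EXTENSIONS:
                head = zf.open(info).read(2)  # only the first two bytes are needed
                findings.append((name, head == b"MZ"))
    return findings


def scan_email(raw_bytes):
    """Parse a raw email; return [(attachment name, findings)] for zips holding executables."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Check by extension or by zip magic, since the name alone is attacker-controlled
        if filename.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            try:
                members = scan_zip_attachment(payload)
            except zipfile.BadZipFile:
                continue
            if members:
                results.append((filename, members))
    return results


def build_sample_email(member_name="IMG_0612.scr", content=b"MZ" + b"\x00" * 62):
    """Constructed sample mimicking the lure: a zip attachment holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)  # fake DOS-header stub, not a real binary
    msg = EmailMessage()
    msg["From"] = '"Amanda Gillespie" <sender@example.invalid>'  # placeholder address
    msg["Subject"] = "Traffic accident with your car"
    msg.set_content("You hurt my car on the road. Look at these photos in the attached archive.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="IMG_0612.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, members in scan_email(build_sample_email()):
        for name, is_pe in members:
            print(f"{attachment}: {name} has an executable extension, MZ header: {is_pe}")
```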

VirusTotal report 

Rising: PE:Malware.XPACK-HIE/Heur!1.9C48

Malwr.com report 

Starts servers listening on 0.0.0.0:4738, 0.0.0.0:3037
Performs some HTTP requests
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Operates on local firewall's policies and settings
Installs itself for autorun at Windows startup

Contacts: aulbbiwslxpvvphxnjij.biz <-- DGA?

File-Analyzer.net report

Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Creates or modifies windows services
Modifies existing windows services
Drops:
C:\WINDOWS\system32\drivers\274c8.sys
C:\Documents and Settings\Administrator\Local Settings\Temp\Xiuwm\uhlow.exe
Binary may include packed or encrypted data
Queries the volume information (name, serial number etc) of a device

Samples provided to Clam AV and Microsoft Security when this article was created.
