
Email:

A malware-carrying scam email claims that you damaged the sender's car in a traffic accident, says photos are attached, and threatens legal action if you do not respond.

The attached zip file contains an .scr (Windows screensaver) file, which is a plain Windows executable; in this sample it is the virus or trojan horse itself, not a photo.


Subject: Traffic accident with your car

Good morning!

You hurt my car on the road. Look at these photos in the attached archive and contact me as soon as possible.
Otherwise you'll get legal action.

+1 750 972-43-15

IMG_0612.zip (736)

Header Examples:

The From and X-Envelope-From headers are spoofed (or simply filled with random names and domains), but at least they are consistent with each other within a given message. The relay hostname in the Received header bears no relation to the claimed sender domain.

Received: from ip-212-69-6-51.neobee.net [212.69.6.51]
X-Envelope-From: aimlessnesska33 @rmpinvest.com
From: "Amanda Gillespie" <aimlessnesska33 @rmpinvest.com>
Subject: Traffic accident with your car

Received: from MKSUKIN [218.189.129.220]
X-Envelope-From: prettiedme679 @renaissance4u.com
From: "Prince Prater" <prettiedme679 @renaissance4u.com>
Subject: Traffic accident with your car

Attachment Samples:

IMG_0612.zip contains IMG_0612.scr, a Win32 portable executable (PE). The .scr extension is registered for screensavers, but Windows runs such a file exactly like an .exe when it is double-clicked, and with the default "hide extensions for known file types" setting the name looks like a camera image.

VirusTotal report 

Rising: PE:Malware.XPACK-HIE/Heur!1.9C48

Malwr.com report 

Starts servers listening on 0.0.0.0:4738, 0.0.0.0:3037
Performs some HTTP requests
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Operates on local firewall's policies and settings
Installs itself for autorun at Windows startup

Contacts: aulbbiwslxpvvphxnjij.biz (the random-looking name suggests a domain generation algorithm, DGA, though the sandbox report alone cannot confirm it)
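Whether aulbbiwslxpvvphxnjij.biz really comes from a DGA cannot be settled from a sandbox report, but the name has the statistical shape of one, and that shape can be scored. The Python snippet below is an added example, not part of the original page or of the Malwr.com tooling: it scores the registrable label on three crude signals (a long run of consonants, a low vowel ratio, and high letter entropy) and flags the domain only when at least two of them agree, so that an ordinary but consonant-heavy word like "strengths" is not flagged. The thresholds are hand-picked assumptions, not a validated classifier, and the suffix handling assumes a single-label TLD.

```python
"""Crude DGA heuristics for a domain name.

Added example with hand-picked thresholds; not part of the original page.
"""
import math
from collections import Counter

VOWELS = set("aeiouy")


def registrable_label(domain: str) -> str:
    """Label left of the TLD, e.g. 'aulbbiwslxpvvphxnjij' for 'aulbbiwslxpvvphxnjij.biz'.
    Assumption: single-label TLD; a real tool would consult the Public Suffix List."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; near log2(len) means letters are used almost uniformly."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s: str) -> int:
    """Length of the longest stretch of consonant letters; digits and hyphens reset it."""
    best = run = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def vowel_ratio(s: str) -> float:
    letters = [c for c in s if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0


def dga_features(domain: str) -> dict:
    label = registrable_label(domain)
    return {"label": label, "length": len(label), "entropy": shannon_entropy(label),
            "vowel_ratio": vowel_ratio(label),
            "longest_consonant_run": longest_consonant_run(label)}


def dga_score(domain: str) -> int:
    """Count independent 'looks random' signals (thresholds are assumptions)."""
    f = dga_features(domain)
    score = 0
    if f["longest_consonant_run"] >= 5:             # 'wslxpvvphxnj' is unpronounceable
        score += 1
    if f["length"] >= 10 and f["vowel_ratio"] < 0.25:
        score += 1
    if f["length"] >= 16 and f["entropy"] >= 3.4:   # long and near-uniform letter use
        score += 1
    return score


def looks_like_dga(domain: str) -> bool:
    """Require two agreeing signals to keep single-quirk real words from being flagged."""
    return dga_score(domain) >= 2


if __name__ == "__main__":
    for d in ("aulbbiwslxpvvphxnjij.biz", "neobee.net", "rmpinvest.com", "strengths.org"):
        print(d, dga_features(d), dga_score(d), looks_like_dga(d))
```

On its own, entropy is a weak signal for short labels (its ceiling is log2 of the length), which is why it only counts here for labels of sixteen characters or more; the consonant-run check does most of the work on this page's domain.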

File-Analyzer.net report

Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Creates or modifies windows services
Modifies existing windows services
Drops:
C:\WINDOWS\system32\drivers\274c8.sys
C:\Documents and Settings\Administrator\Local Settings\Temp\Xiuwm\uhlow.exe
Binary may include packed or encrypted data
Queries the volume information (name, serial number etc) of a device

Samples provided to Clam AV and Microsoft Security when this article was created.
