

Generic malware spam email in which the sender claims your support department was rude to them about their support ticket.

Attached .doc contains malware.



Subject: Re: [recipient domain name] sucks

Subject: Re: sucks

 The language of your support department is unacceptable.
Please check the reply I received to my support ticket.

support_ticket.doc (354)

  It's funny because it is true.


Header Examples:

7 December 2015 

Spoofed From header, Envelope From header (MAIL FROM connection string), and HELO connection string. I only have one of these so far, so the spoofing plan may be different.

Received: from []
X-Envelope-From: emitchell
From: "" <>
Subject: Re: [recipient domain] sucks



7 December 2015

Attachment : malicious .doc with macro : support_ticket.doc

VirusTotal report | report | report 

This .doc doesn't DOWNLOAD malware; it already contains it, embedded in an OLE object called :


Extracted executable : _ ( Pony password stealing data-thief malware )

Yes, the executable was named _ as in underscore.

VirusTotal report | report | report
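Because the executable is embedded in the document rather than fetched later, it can be carved straight out of the file bytes without running anything. The following is an added example, not code from the original post: a stdlib-only scanner that finds every plausible PE image in a blob (MZ header, e_lfanew pointing at a PE signature, sane section table) and sizes it from the last section's raw data. The "document" it runs on is a constructed byte string containing one minimal fake PE and one decoy "MZ" text string; the offsets in it are an artefact of the sample, not of any real file.

```python
import struct

MAX_SECTIONS = 96      # PE spec limit; anything larger is junk
MAX_E_LFANEW = 0x1000  # DOS stubs are never this large in practice


def build_fake_pe():
    """Constructed sample: the smallest layout the carver needs. DOS header with
    e_lfanew=0x40, PE signature, COFF header, zeroed PE32 optional header, one section."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, 224-byte opt hdr
    opt = struct.pack("<H", 0x10B) + b"\x00" * 222                   # PE32 magic, rest zero
    sect = (b".text\x00\x00\x00"
            + struct.pack("<IIII", 0x10, 0x1000, 0x20, 0x200)        # VirtSize, VA, RawSize, RawPtr
            + b"\x00" * 16)
    headers = dos + b"PE\x00\x00" + coff + opt + sect
    headers += b"\x00" * (0x200 - len(headers))                       # pad up to PointerToRawData
    return headers + b"\xCC" * 0x20                                    # section body


def pe_size(blob, off):
    """If blob[off:] starts with a plausible PE, return its on-disk size (up to the
    end of the last section's raw data; an overlay is not captured), else None."""
    if blob[off:off + 2] != b"MZ" or off + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    if not (0x40 <= e_lfanew <= MAX_E_LFANEW) or off + e_lfanew + 24 > len(blob):
        return None
    if blob[off + e_lfanew:off + e_lfanew + 4] != b"PE\x00\x00":
        return None
    nsect = struct.unpack_from("<H", blob, off + e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", blob, off + e_lfanew + 20)[0]
    if not (1 <= nsect <= MAX_SECTIONS):
        return None
    table = e_lfanew + 24 + opt_size            # section table, relative to the MZ
    end = table + 40 * nsect                    # at minimum the headers themselves
    if off + end > len(blob):
        return None
    for i in range(nsect):
        # section header: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(blob) - off)            # clip if the embedded object is truncated


def carve_pes(blob):
    """Return [(offset, size), ...] for every embedded PE in blob."""
    found, pos = [], 0
    while True:
        pos = blob.find(b"MZ", pos)
        if pos < 0:
            return found
        size = pe_size(blob, pos)
        if size:
            found.append((pos, size))
            pos += size                         # do not re-carve inside what we just found
        else:
            pos += 1


def extract_pes(blob):
    """The carved executables themselves, in file order."""
    return [blob[o:o + s] for o, s in carve_pes(blob)]


# Constructed "document": CFB magic plus padding (not a real compound file), a decoy
# "MZ" inside ordinary text, then the fake PE, then trailing padding.
FAKE_DOC = (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24
            + b"MZ is just text here, not a header" + b"\x00" * 40
            + build_fake_pe()
            + b"\x00" * 16)

if __name__ == "__main__":
    for off, size in carve_pes(FAKE_DOC):
        print(f"PE at offset {off}, {size} bytes")
```

On a real .doc the bytes are a compound (CFB) container; the scan above works on the raw file, so it finds the payload whether it sits in a Packager object's `\x01Ole10Native` stream or anywhere else, and `olefile`/`oletools` can be used to walk the streams individually if the per-object label (here "_") is wanted too. The decoy shows why the e_lfanew and section checks matter: "MZ" alone turns up in plenty of legitimate text.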

Also :

Sends stolen data to :

Downloads more malware from :


Downloaded executable : palnt.exe ( Nymaim general-purpose botnet malware )

The Nymaim name was associated with ransomware previously, but so far the recent series seems to use it just as a persistence mechanism, making it more of a general-purpose botnet. Subsequent payloads may be sent.

VirusTotal report | report | report

Also :

The icon looks like an OpenOffice document, and the executable has some junk resources.

Picture of icon and resources of the nymaim malware.

A series of POSTs with large responses to places like :

Which resolves to :

Later on in the same day, the domain resolved to :

This http traffic triggered :

ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)

... which tells me that no good Nymaim signatures exist yet for this malware.

No startups are created until at least the first POST succeeds and a payload comes back in the response. Then more and more payloads are downloaded and given startup entries, one at a time.

Picture of Nymaim malware startups.


Dropped executable : strain-7.exe

Autorun key called strain-1 in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run pointing to c:\programdata\strain-53\strain-7.exe

VirusTotal report | report | report 

Picture of strain-7 malware drop.

Some DGA action :


Dropped executable : vctxo-32.exe

Autorun HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell pointing to c:\programdata\vctxo-1\vctxo-32.exe

VirusTotal report | report | report 

Picture of vctxo malware drop.

Same DGA action :


Dropped executable : serdes-49.exe

Autorun key called serdes-5 in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pointing to c:\users\user\appdata\roaming\serdes-0\serdes-49.exe

VirusTotal report | report | report 

Picture of serdes49 malware drop.

Same DGA action :


Dropped executable : gigabit-94.exe

Autorun link (shortcut) called gigabit-08.lnk in the user's Startup folder pointing to c:\users\user\appdata\roaming\gigabit-6\gigabit-94.exe

VirusTotal report | report | report 

Picture of gigabit-94 malware drop.

Same DGA action :
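The four drops above use four different autorun locations (HKCU Run, HKCU Winlogon Shell, HKCU RunOnce, and a Startup-folder .lnk) but share one naming habit: a folder `<stem>-N` holding `<stem>-M.exe` under ProgramData or AppData\Roaming. The following is an added example, not part of the original post: triage logic that takes autorun entries in the shape an Autoruns or registry export would give and flags the ones matching that pattern, plus any per-user or non-explorer Winlogon Shell value. The entries are constructed from the four on this page plus two benign ones (the OneDrive Run value and the default HKLM Shell) that must not fire; the heuristics and thresholds are my choices, not the author's.

```python
import re
from dataclasses import dataclass


@dataclass
class AutorunEntry:
    location: str   # registry key path, or "StartupFolder" for a Start menu .lnk
    name: str       # value name or .lnk file name
    target: str     # command line / image path


# Constructed from the four Nymaim drops on this page plus two benign controls.
SAMPLE_ENTRIES = [
    AutorunEntry(r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "strain-1",
                 r"c:\programdata\strain-53\strain-7.exe"),
    AutorunEntry(r"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell",
                 r"c:\programdata\vctxo-1\vctxo-32.exe"),
    AutorunEntry(r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "serdes-5",
                 r"c:\users\user\appdata\roaming\serdes-0\serdes-49.exe"),
    AutorunEntry("StartupFolder", "gigabit-08.lnk",
                 r"c:\users\user\appdata\roaming\gigabit-6\gigabit-94.exe"),
    AutorunEntry(r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
                 r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    AutorunEntry(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell",
                 "explorer.exe"),
]

# Directories any user can write to; a persistent image living here deserves a look.
USER_WRITABLE = re.compile(r"\\(programdata|users\\public|appdata\\roaming|appdata\\local\\temp)\\", re.I)

# <stem>-N\<stem>-M.exe : the backreference ties the folder stem to the file stem.
NYMAIM_NAMING = re.compile(r"\\([a-z]+)-\d+\\\1-\d+\.exe$", re.I)


def triage_autoruns(entries):
    """Return [(location, name, [reasons]), ...] for entries matching any heuristic."""
    hits = []
    for e in entries:
        reasons = []
        path = e.target.strip('"').lower()
        if USER_WRITABLE.search(path):
            reasons.append("image under a user-writable data directory")
        if NYMAIM_NAMING.search(path):
            reasons.append("<stem>-N\\<stem>-M.exe naming seen in the Nymaim drops")
        if e.location.lower().endswith(r"\winlogon") and e.name.lower() == "shell":
            # Shell is normally set only under HKLM, and only to explorer.exe.
            if e.location.upper().startswith("HKCU"):
                reasons.append("per-user Winlogon Shell override")
            if "explorer.exe" not in path:
                reasons.append("Winlogon Shell is not explorer.exe")
        if e.location == "StartupFolder" and USER_WRITABLE.search(path):
            reasons.append("Startup-folder shortcut into a user-writable location")
        if reasons:
            hits.append((e.location, e.name, reasons))
    return hits


if __name__ == "__main__":
    for location, name, reasons in triage_autoruns(SAMPLE_ENTRIES):
        print(f"{location}\\{name}: " + "; ".join(reasons))
```

The naming regex is deliberately narrow (letters only, a dash, digits, same stem twice) so it stays quiet on ordinary software; the user-writable-directory rule is the broad one and will list legitimate per-user installers too, which is why each hit carries its reasons rather than a verdict.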