Is it just me, or does this seem familiar? Of course it does, postcard.ru malware has been going around for yonks!.
I received another e-mail today, and I must admit, it's been a while since I've received one of these, but never the less, the e-mail claimed to come from postcard.ru;
savichev.com (22.214.171.124, PTR: server5.pwstudio.ru) is the first site we see. This loads an iFrame to twain32.cn;
If you are using IE7 then twain32.cn returns the following;
If you are using Opera, you get the following;
twain32.cn resolves to the IP 126.96.36.199, which has a PTR that shows: src.esthost.eu (IP: 188.8.131.52). Alas Whois.eu don't seem to want to allow us to do a remote WhoIs, so we've got to eurid.eu. No problem. When doing a WhoIs lookup on esthost.eu, we see;
Getting back to the infection however. This comes courtesy of yvon-publicidad.com, as you can see in the above source code;
This drops a 1.95K file called mstelnet.exe (FSG packed), which Avira flagged as;
This, according to ThreatExpert, downloads the following;
http://www.yvon-publicidad.com/images/images.php?w=1 (7.12K - HIDDENEXT/Crypted)
http://www.yvon-publicidad.com/images/images.php?w=2 (45K - TR/Crypt.Morphine.Gen)
http://www.yvon-publicidad.com/images/images.php?w=3 (45K - TR/Crypt.Morphine.Gen)
http://www.yvon-publicidad.com/images/images.php?w=4 (27K - TR/Crypt.Morphine.Gen)
The report makes for very interesting reading as it shows an injection into the IE process (injects mswapi.dll), trojans and keyloggers - oh the fun!.
WhoIs for the domain shows;
A little searching turned up a couple of other possibly related (previous versions?) reports;