Blog for hpHosts, and whatever else I feel like writing about ....

Monday, 2 February 2009

r00t-y0u.org - Someone's still holding a grudge

... either that or they really really dislike your members. Fret not however, the idiot(s) doing this are obviously amateurs (or of course, are of the impression that your members will open anything sent to them): thus far we've seen the e-mail pointing to a link, and then coming with an attachment. This time, they've opted for a mixture of the two - a linky (caressedebeaute.org, hosted by Netfirms) pointing directly to the malicious file.

Exported by: Outlook Export v0.1.5


From: josh brown
E-mail:joshbrown@gmail.com [ 209.85.171.83 - cg-in-f83.google.com ]
Date: 02/02/2009 07:59:23
Subject: funny one
**************************************************************************
Links
**************************************************************************

Link: hxxp://caressedebeaute.org/pic545.zip
Domain: caressedebeaute.org
IP: 38.113.185.27 [ w-27.netfirms.com ]
hpHosts Status: Listed
MDL Status: Not Listed
PhishTank Status: false


**************************************************************************
Text Version
**************************************************************************

pic545.zip <http://caressedebeaute.org/pic545.zip>



**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<BR>

<P><FONT SIZE=2>pic545.zip <<A HREF="http://caressedebeaute.org/pic545.zip">http://caressedebeaute.org/pic545.zip</A>><BR>
<BR>
</FONT>
</P>

</BODY>
</HTML>

**************************************************************************
Headers
**************************************************************************
Return-Path: joshbrown@gmail.com
Delivered-To: [REMOVED]
X-FDA: 61867751400
X-Panda: scanned!
X-SpamScore: 5
X-Spam-Summary: 73,5,0,d41a7607dfd749a7,e7e6e4fffc7a31a5,joshbrown@gmail.com,[REMOVED],RULES_HIT:152:355:
375:379:541:946:962:967:972:973:983:988:989:1183:1189:1208:1224:1260:1261:1312:1313:1314:1345:1431:1516:
1517:1519:1526:1534:1537:1569:1588:1589:1593:1594:1595:1596:1676:1711:1714:1715:1716:1730:1747:1766:1792:
2393:2525:2560:2563:2682:2685:2857:2859:2933:2937:2939:2942:2945:2947:2951:2954:3022:3280:3869:3876:3877:
3889:3934:3936:3938:3941:3944:3947:3950:3953:3956:3959:5007:6114:7679:7974:8501:8599:9025:9388:9413,0,RBL:
209.171.53.172-lbl7.mailshell.net-127.0.0.100,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:
0,MSF:not bulk,SPF:fu,MSBL:none,DNSBL:none
Received: from sm1.intellimaxx.net (sm3.intellimaxx.net [209.171.53.172])
by imf02.hostedemail.com (Postfix) with ESMTP
for <[REMOVED]>; Mon, 2 Feb 2009 09:20:19 +0000 (UTC)
Received: from sm1.intellimaxx.net ([10.4.0.172])
by sm1.intellimaxx.net (StrongMail Enterprise 4.1.0(4.1.0-41174)); Mon, 02 Feb 2009 02:59:24 -0500
X-VirtualServerGroup: Default
X-MailingID: 1191441202::89328493::1234::0000::43912::43912
X-SMHeaderMap: mid="X-MailingID"
X-Mailer: StrongMail Enterprise 4.1.0(4.1.0-41174)
X-Destination-ID: [REMOVED]
X-SMFBL: [REMOVED]
Content-Disposition: inline
Content-Type: text/html;
charset="UTF-8"
MIME-Version: 1.0
Message-ID: <1191441202.43912@gmail.com>
Subject: funny one
Date: Mon, 02 Feb 2009 02:59:23 -0500
To: [REMOVED]
From: "josh brown" <joshbrown@gmail.com>


The file the e-mail points to (pic545.zip, MD5: DF06802FD10BABFE742B1783B29FB05F) is infected with the HIDDENEXT/Worm.Gen infection, and when extracted, we see it attempting to masquerade as a .pnt file. Alas, not surprisingly, it's got a ton of spaces after the .pnt extension and finishes with a .scr extension, so the real, executable extension is pushed out of view in a typical file listing.
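The padded double-extension trick above is easy to catch mechanically before anything is extracted. The following is an added example written for this post, not code from the original page: it reads a zip archive in memory, inspects each member name for whitespace padding between a decoy extension and a final executable extension, and reports why a name looks deceptive. The sample archive, the extension lists and the thresholds are all constructed assumptions; the member contents are placeholder bytes, not the real file.

```python
"""Flag archive members whose names use whitespace padding to hide a
real executable extension (e.g. "pic545.pnt<many spaces>.scr").

Added example for this post; not code from the original page. The
sample archive is constructed in memory, and the extension lists and
the padding threshold are assumptions chosen for illustration.
"""
import io
import re
import zipfile

# Extensions Windows runs when double-clicked (assumed list).
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Extensions the attacker wants the victim to *see* (assumed list).
DECOY_EXTS = {".pnt", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".txt"}

# A dotted extension, then two or more whitespace chars, then a final
# dotted extension at the very end of the name.
PADDED_RE = re.compile(r"(\.[A-Za-z0-9]{1,5})(\s{2,})(\.[A-Za-z0-9]{1,5})$")


def classify_name(name: str) -> dict:
    """Return findings for one member name.

    real_ext is the extension Windows acts on, shown_ext is the one a
    user sees before the padding, pad_len is the number of padding
    characters, and reasons lists why the name looks deceptive.
    """
    base = name.rsplit("/", 1)[-1]  # ignore directory components inside the zip
    reasons = []
    real_ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
    shown_ext = real_ext
    pad_len = 0
    m = PADDED_RE.search(base)
    if m:
        shown_ext = m.group(1).lower()
        pad_len = len(m.group(2))
        real_ext = m.group(3).lower()
        reasons.append(f"{pad_len} whitespace chars hide '{real_ext}' behind '{shown_ext}'")
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {real_ext}")
        if shown_ext in DECOY_EXTS and shown_ext != real_ext:
            reasons.append(f"decoy extension {shown_ext} before executable")
    return {"name": base, "real_ext": real_ext, "shown_ext": shown_ext,
            "pad_len": pad_len, "reasons": reasons}


def scan_zip(data: bytes) -> list:
    """Classify every file member of an in-memory zip without extracting anything."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings.append(classify_name(info.filename))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the naming described in the post.

    Member contents are placeholder bytes, not the real malware.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pic545.pnt" + " " * 120 + ".scr", b"MZ placeholder")
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        verdict = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{verdict:10} {f['name'][:14]!r:18} real={f['real_ext']} "
              f"shown={f['shown_ext']} pad={f['pad_len']}")
        for r in f["reasons"]:
            print("           -", r)
```

The check deliberately works on names only, so it can run on a mail gateway or sandbox intake before any member is written to disk; the regex is anchored at the end of the name because the point of the padding is precisely that the last extension is the one the OS honours.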



A quick peek at the file shows it's a VB6 file (MD5: 64FA0169B4C52DA16EDDA9B762389006).

File properties:
  1. Version: 1.0.0.0
  2. Copyright: silw3r
  3. Comments: Pub STB
  4. Company: eXpert
  5. Internal Name: stiki
  6. Original Name: stiki.exe
  7. Product Name: STB

More interestingly, it contains the following snippet of code:



Notice the chromehtml src? Seems they want to play with Google Chrome exploits too, how nice. 80.32.16.25 resolves to 25.Red-80-32-16.staticIP.rima-tde.net.

References:

Virus Total results for pic545.pnt{MANY_SPACES}.scr
http://www.virustotal.com/analisis/569ec28a9daaf7c49df117d97be3630c

Virus Total results for pic545.zip
http://www.virustotal.com/analisis/b10775c8bdd6fc64ad3d5529e75f5610
