Sly Spam Run Targets Hotmail Users

July 31, 2009 by admin  
Filed under Security News




Hotmail users need to be wary of a malicious spam run that specifically targets users of that webmail service.


Senior Security Analyst Rik Ferguson reports that the spam messages arrive with text suggesting that they carry JPEG image files as attachments. In truth, however, the attachment file names are links that point to shortened URLs, which in turn redirect to malicious URLs.

Connecting to the malicious URLs, which are now blocked, leads to the download of the malicious file fotos.com, now detected as MAL_BANKER. That file in turn downloads a wide variety of information-stealing malware. The malicious URLs and files are all blocked by the Trend Micro Smart Protection Network.


Quite noteworthy is that the links were crafted to look, at first glance, very similar to how file attachments are displayed in most email clients. An envelope-shaped icon even appears beside each link, as is typical for file attachments.

However, there are also noticeable differences between this spam and a legitimate email message, which users should watch out for when they receive a suspicious message.

[Images: Hotmail spam screenshots 1 and 2]


Here are a few of the noticeable differences between the spam email and a legitimate one:

  • The attachment details are shown not in the message area, but above it, along with the other header fields.
  • The number of attached files is stated right under the email address in the To: field.
  • The size of the attached file is displayed beside the file name.
  • The attached images are always displayed at the bottom of the message.

Hotmail users are advised not to click on any links in messages that do not display the details listed above.
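As an added example (not code from the original post or from Trend Micro), the following Python script applies the core observation above to a mail's HTML body: it flags anchors whose visible text looks like an image file name but whose href actually points at a web host, and marks those pointing at a URL shortener. The shortener host list and the sample mail body are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a small list of URL-shortener hosts; extend for real deployments.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "is.gd"}
IMAGE_EXTS = (".jpg", ".jpeg", ".gif", ".png", ".bmp")

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_attachment_links(html):
    """Return (text, href, reason) for anchors whose text looks like an image
    file name but whose href points at a web host (a real attachment has none)."""
    parser = LinkExtractor()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        looks_like_file = text.lower().endswith(IMAGE_EXTS) and "/" not in text
        host = urlparse(href).hostname or ""
        if looks_like_file and host:
            reason = "url-shortener" if host in SHORTENER_HOSTS else "external-url"
            hits.append((text, href, reason))
    return hits

# Constructed sample mail body: two disguised "attachments" and one honest link.
SAMPLE_MAIL = """<p>Check out these photos!</p>
<a href="http://tinyurl.com/constructed-example">fotos1.jpg</a><br>
<a href="http://example.invalid/x">fotos2.JPG</a><br>
<a href="http://www.example.invalid/">my homepage</a>"""
```

Calling suspicious_attachment_links(SAMPLE_MAIL) returns the two disguised links with their reasons; a cid: reference or a plain anchor text such as "my homepage" is not flagged.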


We received some spam emails, as seen in the picture below:


[Image: Windows Live Hotmail spam message]

When we click on the links, a short-URL site opens that redirects to another site hosting the trojan files:

[Image: what happens when you click on the links inside the spam email]


We downloaded the files and uploaded them to VirusTotal:

[Image: files downloaded from the spam email]


The result of scanning the spam email files at virustotal.com:


File fotos.com received on 2009.07.31 14:32:59 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.07.31 Trojan-Downloader.Win32.Banload!IK
AhnLab-V3 5.0.0.2 2009.07.31 Win-Trojan/Agent.202240.AC
AntiVir 7.9.0.236 2009.07.31 TR/Dldr.Delphi.Gen
Antiy-AVL 2.0.3.7 2009.07.31 Trojan/Win32.Agent.gen
Authentium 5.1.2.4 2009.07.31 W32/Heuristic-210!Eldorado
Avast 4.8.1335.0 2009.07.30 Win32:Trojan-gen {Other}
AVG 8.5.0.406 2009.07.31 SHeur2.ASID
BitDefender 7.2 2009.07.31 Gen:Trojan.Heur.miWfrXLyWxoG
CAT-QuickHeal 10.00 2009.07.30 TrojanDownloader.Agent.cjnq
ClamAV 0.94.1 2009.07.31 Trojan.Packed-96
Comodo 1823 2009.07.31 -
DrWeb 5.0.0.12182 2009.07.31 Trojan.DownLoad.41271
eSafe 7.0.17.0 2009.07.30 Suspicious File
eTrust-Vet 31.6.6649 2009.07.31 -
F-Prot 4.4.4.56 2009.07.30 W32/Heuristic-210!Eldorado
F-Secure 8.0.14470.0 2009.07.31 Trojan-Downloader.Win32.Agent.cjnq
Fortinet 3.120.0.0 2009.07.31 PossibleThreat
GData 19 2009.07.31 Gen:Trojan.Heur.miWfrXLyWxoG
Ikarus T3.1.1.64.0 2009.07.31 Trojan-Downloader.Win32.Banload
Jiangmin 11.0.800 2009.07.31 TrojanDownloader.Agent.bpbl
K7AntiVirus 7.10.806 2009.07.30 Trojan-Downloader.Win32.Agent.cjnq
Kaspersky 7.0.0.125 2009.07.31 Trojan-Downloader.Win32.Agent.cjnq
McAfee 5693 2009.07.30 Generic.dx!bgl
McAfee+Artemis 5693 2009.07.30 Generic.dx!bgl
McAfee-GW-Edition 6.8.5 2009.07.31 Heuristic.LooksLike.Win32.Suspicious.H!90
Microsoft 1.4903 2009.07.31 TrojanDownloader:Win32/Banload.IB
NOD32 4294 2009.07.31 -
Norman 6.01.09 2009.07.31 W32/Obfuscated.B!genr
nProtect 2009.1.8.0 2009.07.31 -
Panda 10.0.0.14 2009.07.31 Trj/Nabload.ACN
PCTools 4.4.2.0 2009.07.31 -
Prevx 3.0 2009.07.31 Medium Risk Malware Downloader
Rising 21.40.44.00 2009.07.31 Trojan.DL.Win32.Delf.zxt
Sophos 4.44.0 2009.07.31 Mal/Generic-A
Sunbelt 3.2.1858.2 2009.07.31 -
Symantec 1.4.4.12 2009.07.31 Downloader
TheHacker 6.3.4.3.374 2009.07.30 -
TrendMicro 8.950.0.1094 2009.07.31 Mal_Banker
VBA32 3.12.10.9 2009.07.31 Trojan-Downloader.Win32.Agent.ciyt
ViRobot 2009.7.31.1863 2009.07.31 -
VirusBuster 4.6.5.0 2009.07.31 Trojan.DL.Agent.NISV
Additional information
File size: 202240 bytes
MD5...: a7a42e8bacf2d23aa80388d055d2541d
SHA1..: 17a638bb9cb8c529bdcde1e1e91486a28408dc51
SHA256: a913e1d8b1a8cd159d704c92ca1b3bdd069f1be8da06cc7482fa94a6fcede174
ssdeep: 6144:CI0nkVvlt7IvV7ZqOWnCndDsViOlfirHUM/tJx7:CI5Vvls7PndFGSHUMF
PEiD..: PECompact 2.xx -> BitSum Technologies
TrID..: File type identification
Win32 EXE PECompact compressed (v2.x) (48.0%)
Win32 EXE PECompact compressed (generic) (33.8%)
Win32 Executable Generic (6.9%)
Win32 Dynamic Link Library (generic) (6.1%)
Win16/32 Executable Delphi generic (1.6%)
PEInfo: PE Structure information


( base data )
entrypointaddress.: 0x1000
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x73000 0x29400 7.79 9f38f2fc6ba36bbe3f69a7b2c923bc7f
.rsrc 0x74000 0x8000 0x7e00 6.06 289cbe6b503787ce9749cc5dee4d0e21

( 8 imports )
> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree
> user32.dll: GetKeyboardType
> advapi32.dll: RegQueryValueExA
> oleaut32.dll: SysFreeString
> version.dll: VerQueryValueA
> gdi32.dll: UnrealizeObject
> comctl32.dll: ImageList_SetIconSize
> URLMON.DLL: URLDownloadToFileA

( 0 exports )

PDFiD.: -
RDS...: NSRL Reference Data Set
-
packers (Antiy-AVL): PECompact 2.x
packers (F-Prot): PecBundle, PECompact
packers (Authentium): PecBundle, PECompact, PecBundle
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=FD359C550097353116A1038BCCEC1400D7790B1D



Comments

One Response to “Sly Spam Run Targets Hotmail Users”
  1. In my opinion BitDefender has a very good balance of resource consumption/performance (detection rate).
