Newsfeed
Nachrichtenbote
Everyone gets malware-tainted spam nowadays. Here's one targeted at the Brazilian online banking crowd.
Clicking on the imagen2.jpg link will prompt a popup link asking you to download "the image". That link downloads a file detected as Trojan-Downloader:W32/Banload.FUA. Executing this file downloads and executes Trojan-Spy:W32/Agent.BSV and Trojan-Spy:W32/Banker.ITH. These trojan-spies harvest personal and banking information from the infected machine.
Trojan-Spy:W32/Agent.BSV gathers e-mail addresses, then uploads a text file containing the harvested data to the server ftp://ftp.golfacil.web.br.com/[...]/[...]/. As you can see in the code for the spam e-mail below, all the addresses in the text file are then targeted for more spam. Chances are, most of these e-mails won't reach native Portuguese speakers. Reading spam e-mail — great reason to learn a new language.
Incidentally, the server also has PHP files used for spamming. One is detected as HackTool
HP/Spammer.A, and the other is detected as HackToolHP/Spammer.B.
Meanwhile, Trojan-Spy:W32/Banker.ITH gathers banking information and posts the data into a php file of the same server.
To hide all this activity, the attacker(s) put up this message on the home page.
Hmm. The page is "under construction", but there's a live URL leading to it in spam e-mails? Cute.
Response team post by — Lordian On 08/10/08 At 04:41 AM
Weiterlesen...
Clicking on the imagen2.jpg link will prompt a popup link asking you to download "the image". That link downloads a file detected as Trojan-Downloader:W32/Banload.FUA. Executing this file downloads and executes Trojan-Spy:W32/Agent.BSV and Trojan-Spy:W32/Banker.ITH. These trojan-spies harvest personal and banking information from the infected machine.
Trojan-Spy:W32/Agent.BSV gathers e-mail addresses, then uploads a text file containing the harvested data to the server ftp://ftp.golfacil.web.br.com/[...]/[...]/. As you can see in the code for the spam e-mail below, all the addresses in the text file are then targeted for more spam. Chances are, most of these e-mails won't reach native Portuguese speakers. Reading spam e-mail — great reason to learn a new language.
Incidentally, the server also has PHP files used for spamming. One is detected as HackTool
HP/Spammer.A, and the other is detected as HackToolHP/Spammer.B.Meanwhile, Trojan-Spy:W32/Banker.ITH gathers banking information and posts the data into a php file of the same server.
To hide all this activity, the attacker(s) put up this message on the home page.
Hmm. The page is "under construction", but there's a live URL leading to it in spam e-mails? Cute.
Response team post by — Lordian On 08/10/08 At 04:41 AM
Weiterlesen...