You've Got Spam

Newsfeed

Nachrichtenbote
Everyone gets malware-tainted spam nowadays. Here's one targeted at the Brazilian online banking crowd.

spamemail.JPG


Clicking on the imagen2.jpg link will prompt a popup link asking you to download "the image". That link downloads a file detected as Trojan-Downloader:W32/Banload.FUA. Executing this file downloads and executes Trojan-Spy:W32/Agent.BSV and Trojan-Spy:W32/Banker.ITH. These trojan-spies harvest personal and banking information from the infected machine.

Trojan-Spy:W32/Agent.BSV gathers e-mail addresses, then uploads a text file containing the harvested data to the server ftp://ftp.golfacil.web.br.com/[...]/[...]/. As you can see in the code for the spam e-mail below, all the addresses in the text file are then targeted for more spam. Chances are, most of these e-mails won't reach native Portuguese speakers. Reading spam e-mail — great reason to learn a new language.

spamemailcode1.JPG


Incidentally, the server also has PHP files used for spamming. One is detected as HackTool:PHP/Spammer.A, and the other is detected as HackTool:PHP/Spammer.B.

Meanwhile, Trojan-Spy:W32/Banker.ITH gathers banking information and posts the data into a php file of the same server.

To hide all this activity, the attacker(s) put up this message on the home page.

pageconstruction1.JPG


Hmm. The page is "under construction", but there's a live URL leading to it in spam e-mails? Cute.

Response team post by — Lordian On 08/10/08 At 04:41 AM



Weiterlesen...
 
Zurück
Oben