Tuesday, February 14, 2012

And another strain - DHL Express

Another one, again posing as mail from a delivery company.

I got an e-mail with a zip attachment (DHL_Express_Shipment_POST_ORDER_ID92VMUANA.zip, md5 hash: b8d96b95875bc31d9f5448e5d06837cc). When decompressed, an executable is present (DHL_Express_Shipment_POST_ORDER_ID.exe, md5 hash: cc6e8193c7475ef34f79ab82ec6f90fc).

As of 02/14/2012, only 3 out of 43 AVs correctly detect the file as infected (VirusTotal report). Once decompressed, that number falls to 2/43 (VirusTotal report).

Funnily, my first attempt to run the executable in my 2008 virtual machine (64-bit) failed: DEP intercepted it and prevented the execution.

As with the previous two strains, this one first makes a request to Google.com (GET / HTTP/1.1). It then resolves yerurr.com and does a POST /was/tnk.php with a very long body. In my case, the activity stopped there.
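The network behaviour above (a connectivity probe to google.com, then a large POST to yerurr.com/was/tnk.php) is the part of this sample that is easiest to hunt for in proxy logs. The following is an added example written for this post, not code from the original author: it groups a constructed, simplified proxy log per client and flags hosts showing that sequence. The log format, the client IPs, the byte counts and the "large body" threshold are all assumptions; only the domain and path are taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (illustrative, not from the original
# post): "client method host path status request_body_bytes".
SAMPLE_LOG = """\
10.0.0.5 GET www.google.com / 200 0
10.0.0.5 POST yerurr.com /was/tnk.php 200 48213
10.0.0.9 GET www.google.com / 200 0
10.0.0.9 GET cdn.example.net /lib.js 200 0
10.0.0.12 POST yerurr.com /was/tnk.php 404 120
10.0.0.12 POST yerurr.com /was/tnk.php 200 71000
"""

# Network indicators taken from the post.
C2_HOST = "yerurr.com"
C2_PATH = "/was/tnk.php"
PROBE_HOST = "google.com"   # the initial "GET / HTTP/1.1" connectivity check

# The post only says "a very long body"; the byte threshold is an assumption.
LARGE_BODY_BYTES = 4096

LINE_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, host, path, status, body = m.groups()
    return {
        "client": client,
        "method": method,
        "host": host.lower(),
        "path": path,
        "status": int(status),
        "body_bytes": int(body),
    }


def _is_probe(ev):
    # Match google.com and its subdomains (e.g. www.google.com), root path only.
    host = ev["host"]
    return (ev["method"] == "GET" and ev["path"] == "/"
            and (host == PROBE_HOST or host.endswith("." + PROBE_HOST)))


def _is_checkin(ev):
    return (ev["method"] == "POST" and ev["host"] == C2_HOST
            and ev["path"] == C2_PATH)


def detect(log_text):
    """Group events per client and flag the behaviour described in the post.

    Returns {client: sorted list of finding names}. Possible findings:
      c2_checkin          POST to the C2 host/path
      large_post_body     that POST carried an unusually large body
      probe_then_checkin  a GET / to google.com preceded the check-in
    Clients with no findings are omitted.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events[ev["client"]].append(ev)

    findings = {}
    for client, evs in events.items():
        found = set()
        seen_probe = False
        for ev in evs:  # log order is assumed to be chronological
            if _is_probe(ev):
                seen_probe = True
            elif _is_checkin(ev):
                found.add("c2_checkin")
                if ev["body_bytes"] >= LARGE_BODY_BYTES:
                    found.add("large_post_body")
                if seen_probe:
                    found.add("probe_then_checkin")
        if found:
            findings[client] = sorted(found)
    return findings


if __name__ == "__main__":
    for client, names in detect(SAMPLE_LOG).items():
        print(client, ", ".join(names))
```

The GET to google.com on its own is normal traffic and is deliberately never reported; it only strengthens a finding when the same client later posts to the C2 path. The two MD5 hashes given earlier in the post are the complementary host-side indicators and can be matched against mail-gateway attachment hashes independently of this log check.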