Another one, again posing to be from a delivery company.
I got an e-mail with a zip attachment (DHL_Express_Shipment_POST_ORDER_ID92VMUANA.zip, md5 hash: b8d96b95875bc31d9f5448e5d06837cc). When decompressed, an executable is present (DHL_Express_Shipment_POST_ORDER_ID.exe, md5 hash: cc6e8193c7475ef34f79ab82ec6f90fc).
As of 02/14/2012, only 3 out of 43 AVs correctly detect the file as infected (VirusTotal report). Once decompressed, that number falls to 2/43 (VirusTotal report).
Funnily, my first attempt to run the executable in my 2008 virtual machine (64 bits) failed - DEP intercepted it and prevented the execution.
As for the previous two strains, this one first makes a request to Google.com (GET / HTTP/1.1). It then resolves yerurr.com and does a POST /was/tnk.php with a very long body. In my case, the activity stopped there.
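Added example, not part of the original post: a small detection script that scans proxy logs for the sequence described above (a GET to google.com followed by a large POST to yerurr.com /was/tnk.php). The log format, the size threshold and the five-minute window are assumptions; the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy log lines (not from the original post). Assumed format:
# "<ISO timestamp> <client_ip> <method> <host> <path> <request_body_bytes>"
SAMPLE_LOG = """\
2012-02-14T10:01:02 10.0.0.7 GET google.com / 0
2012-02-14T10:01:05 10.0.0.7 POST yerurr.com /was/tnk.php 48213
2012-02-14T10:03:00 10.0.0.9 GET google.com / 0
2012-02-14T10:03:30 10.0.0.9 GET example.org /index.html 0
2012-02-14T11:20:00 10.0.0.12 POST yerurr.com /was/tnk.php 51000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d+)$")
C2_HOST = "yerurr.com"         # host named in the post
C2_PATH = "/was/tnk.php"       # path named in the post
MIN_BODY = 1024                # assumed threshold for a "very long body"
WINDOW = timedelta(minutes=5)  # assumed gap between the google.com check and the POST

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, method, host, path, size = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "method": method, "host": host, "path": path,
                       "size": int(size)})
    return events

def find_beacons(events):
    """Return one hit per large POST to the C2 path, noting whether the same
    client did the google.com connectivity check within WINDOW beforehand."""
    hits, by_ip = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip.setdefault(ev["ip"], []).append(ev)
    for ip, evs in by_ip.items():
        for i, ev in enumerate(evs):
            if (ev["method"] == "POST" and ev["host"] == C2_HOST
                    and ev["path"] == C2_PATH and ev["size"] >= MIN_BODY):
                preceded = any(p["method"] == "GET" and p["host"] == "google.com"
                               and ev["ts"] - p["ts"] <= WINDOW for p in evs[:i])
                hits.append({"ip": ip, "ts": ev["ts"], "size": ev["size"],
                             "connectivity_check_seen": preceded})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

The POST alone is the stronger signal; the preceding GET is recorded only to separate this strain's behaviour from an unrelated upload to the same host.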