The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

SANS – Internet Storm Center – New email virus making the rounds

Handler’s Diary, January 11th 2006

New email virus making the rounds (NEW)

Published: 2006-01-11, Last Updated: 2006-01-11 22:28:25 UTC by Daniel Wesemann (Version: 1)
We are currently analyzing a copy of .. something. Attachment name “message.zip”, detection by AV is still thin to nonexistent. When run, the code tries to pull additional files from web servers in Russia, so if you have a chance, you might consider blocking the following TLDs on your proxy / perimeter: 1gb.ru / t35.com / hzs.nm.ru / users.cjb.net / h16.ru

UPDATE 2200UTC: message.zip contains a file named “Secure E-mail File.hta”, which, according to current VirusTotal output, is only detected by Panda and Kaspersky; the latter calls it Worm.Win32.Feebs.k. Samples we’ve seen come in an email with subject “Secure Message from HotMail.com user”. The HTA file is nicely obfuscated: it has 2 obfuscation functions, one being a simple unescape, while the other one is a bit more complex. Once it is executed by a user, it will run in the local zone, so it can use various ActiveXObjects. It will try to download executables from 5 web sites (domains listed above), all of which are up and working at this moment.

MD5 sums for the original exploit file and the two variants of EXEs it downloads when run:

7eb24b4c7b7933b6a0157e80be74383c  Secure E-mail File.hta
9cbd9710087bff6f372b1e3f652d8f7c  feebs1.exe
983bf330aae51535c7382dc82429364b  feebs2.exe

Analysis and write-up by fellow handler Bojan Zdrnja. Thanks! 🙂
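A mail-gateway check built from the details in the diary above, added here as an example and not part of the original post or of SANS ISC tooling: it opens a zipped attachment, flags any member that is an HTA (which, as the diary notes, runs in the local zone with ActiveX access), and matches each member's MD5 against the three sums listed. The sample zip is constructed with a harmless placeholder HTA, so the hash match only fires on the real samples; the `.hta`-name check is what catches the placeholder.

```python
import hashlib
import io
import zipfile

# MD5 sums listed in the ISC diary (the HTA dropper and the two EXEs it fetches).
KNOWN_BAD_MD5 = {
    "7eb24b4c7b7933b6a0157e80be74383c": "Secure E-mail File.hta",
    "9cbd9710087bff6f372b1e3f652d8f7c": "feebs1.exe",
    "983bf330aae51535c7382dc82429364b": "feebs2.exe",
}

# HTA files opened from a mail client execute in the local zone, outside the browser sandbox.
RISKY_EXTENSIONS = (".hta",)


def inspect_zip_attachment(zip_bytes):
    """Return one finding per file member: name, md5 and the reasons (if any) to quarantine."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)  # mail attachments are small enough to read whole
            md5 = hashlib.md5(data).hexdigest()
            reasons = []
            if md5 in KNOWN_BAD_MD5:
                reasons.append("known Feebs sample: " + KNOWN_BAD_MD5[md5])
            if info.filename.lower().endswith(RISKY_EXTENSIONS):
                reasons.append("HTA attachment runs in the local zone")
            findings.append({"name": info.filename, "md5": md5, "reasons": reasons})
    return findings


def should_quarantine(findings):
    """Quarantine the whole attachment if any member raised a reason."""
    return any(f["reasons"] for f in findings)


def build_sample_zip():
    """Constructed sample (hypothetical): a placeholder HTA plus a benign text file, not the real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Secure E-mail File.hta", "<html><!-- constructed placeholder, no script --></html>")
        zf.writestr("readme.txt", "constructed benign file")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip_attachment(build_sample_zip()):
        print(f["name"], f["md5"], "; ".join(f["reasons"]) or "clean")
```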

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.


January 14, 2006 - Posted by | Antivirus News, Virus Outbreaks
