New email virus making the rounds
We are currently analyzing a copy of .. something. Attachment name "message.zip", detection by AV is still thin to nonexistent. When run, the code tries to pull additional files from web servers in Russia, so if you have a chance, you might consider blocking the following domains on your proxy / perimeter:
1gb.ru / t35.com / hzs.nm.ru / users.cjb.net / h16.ru
UPDATE 2200UTC: message.zip contains a file named "Secure E-mail File.hta", which according to current VirusTotal output is only detected by Panda and Kaspersky; the latter calls it Worm.Win32.Feebs.k. Samples we've seen come in an email with subject "Secure Message from HotMail.com user". The HTA file is nicely obfuscated: it has two obfuscation functions, one a simple unescape, the other a bit more complex. Once it is executed by a user, it runs in the local zone, so it can use various ActiveXObjects. It will try to download executables from five web sites (domains listed above), all of which are up and working at this moment.
MD5 sums for the original exploit file and the two variants of EXEs it downloads when run:
7eb24b4c7b7933b6a0157e80be74383c Secure E-mail File.hta
9cbd9710087bff6f372b1e3f652d8f7c feebs1.exe
983bf330aae51535c7382dc82429364b feebs2.exe
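As an added triage example (not part of the original diary or the handler's analysis), the Python below inspects a ZIP attachment the way a mail-gateway hook might: it hashes each member against the MD5 sums listed above, flags .hta members, and looks for the unescape()/ActiveXObject patterns the write-up describes. The ZIP and its HTA content are constructed here and harmless; the pattern list and scoring are assumptions, not vendor signatures.

```python
import hashlib
import io
import re
import zipfile

# MD5 sums published in the diary, used here for attachment triage.
KNOWN_MD5 = {
    "7eb24b4c7b7933b6a0157e80be74383c": "Secure E-mail File.hta",
    "9cbd9710087bff6f372b1e3f652d8f7c": "feebs1.exe",
    "983bf330aae51535c7382dc82429364b": "feebs2.exe",
}
# Indicators the diary describes: unescape()-based obfuscation and ActiveXObject use
# (assumed heuristics; a plain string match, not a full deobfuscator).
SUSPICIOUS_HTA_PATTERNS = [
    re.compile(rb"unescape\s*\(", re.I),
    re.compile(rb"ActiveXObject\s*\(", re.I),
]
# HTML Applications run outside the browser sandbox when opened; .hta is the sample's extension.
SCRIPT_EXTENSIONS = (".hta",)

def triage_zip_attachment(zip_bytes: bytes) -> list[dict]:
    """Return one finding per ZIP member: name, MD5, known-sample match,
    .hta flag, matched patterns, and an overall suspicious verdict."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            md5 = hashlib.md5(data).hexdigest()
            is_hta = info.filename.lower().endswith(SCRIPT_EXTENSIONS)
            patterns = [p.pattern.decode() for p in SUSPICIOUS_HTA_PATTERNS if p.search(data)]
            findings.append({
                "name": info.filename,
                "md5": md5,
                "known_sample": KNOWN_MD5.get(md5),
                "is_hta": is_hta,
                "patterns": patterns,
                "suspicious": is_hta or md5 in KNOWN_MD5 or bool(patterns),
            })
    return findings

def build_sample_zip() -> bytes:
    """Constructed test attachment: a harmless HTA stub that only carries the
    string patterns the diary mentions; it does nothing and is not the worm."""
    hta = b"<html><script>var s=unescape('%48%69');new ActiveXObject('Example.Object');</script></html>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Secure E-mail File.hta", hta)
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in triage_zip_attachment(build_sample_zip()):
        print(finding)
```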
Analysis and write-up by fellow handler Bojan Zdrnja. Thanks! :)
UPDATE2:
Most of the AV vendors are now detecting this as another variant of the Feebs family. Here are links to a couple of descriptions:
Symantec (W32.Feebs.[D|E]@mm):
http://www.sarc.com/avcenter/venc/data/w32.feebs.d@mm.html
Trend Micro (JS_FEEBS.M):
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FFEEBS%2EM
F-Secure (Feebs):
http://www.f-secure.com/v-descs/feebs.shtml
Thanks to Juha-Matti and Danny Goodman for sending information about this!