09 Oct 08

e-card.exe threat (Braviax + XP AntiSpyware 2009)

A new wave of e-card malspam is going out. The e-mail arrives spoofed as 123greetings.com and, once the linked file is run on the computer, installs XP Antivirus 2009.

E-mail Body:

Good day.

You have received an eCard
To pick up your eCard, choose from any of the following options:
Click on the following link (or copy & paste it into your web browser):

hxxp://ospetroglifos.com/e-card.exe

Your card will be available for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up!
We hope you enjoy you eCard.
Thank You!

File Details:

File Name: e-card.exe

MD5: 51c2c1e82bc8c89dd831494689341147

SHA-1: 4e8e072659d6762dd41fc66b4f8c606e46d4b013

File Size: 44544 Bytes

Registry Values Modified:

Location: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Key name: braviax

Value: C:\WINDOWS\system32\braviax.exe

Location: HKLM\System\CurrentControlSet\Control\Session Manager

Key name: Pending FileRenameOperations

Value: 0x5c003f003f005c0043003a005c00570049004e0044004f00570053005c00

File Modifications:

Creates:

C:\WINDOWS\system32\braviax.exe

C:\WINDOWS\system32\dllcache\beep.sys

C:\WINDOWS\system32\dllcache\figaro.sys

C:\WINDOWS\system32\drivers\beep.sys (26k) <-- this file prevents most anti-malware products from working correctly.

C:\exec\delself.bat

ariw.pif
beep.sys
brastk.exe
braviax.exe
dodyjuku.pif
dysigajy._sy
e-card.exe
hynury.vbs
karna.dat
osyji.exe
unofa.sys
wini10581.exe
xyqa.vbs

Modifies:

C:\WINDOWS\system32\braviax.exe

C:\WINDOWS\system32\dllcache\beep.sys

C:\WINDOWS\system32\dllcache\figaro.sys

C:\WINDOWS\system32\drivers\beep.sys

C:\exec\delself.bat

PIPE\SfcApi
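Added example (not from the original post): Python that decodes the PendingFileRenameOperations hex value listed above into its UTF-16LE path prefix and parses a complete value of that type into (source, destination) pairs, flagging entries that touch the file names from this report. The full sample value, the encode helper and the App\app.dll path are constructed for illustration, not captured from the malware.

```python
import binascii
import ntpath

# Hex digits of the PendingFileRenameOperations value exactly as the report
# shows them (the page truncates the value after this prefix).
REPORT_HEX = "5c003f003f005c0043003a005c00570049004e0044004f00570053005c00"

# File names taken from the report's "Creates" list.
INDICATORS = {"braviax.exe", "brastk.exe", "beep.sys", "figaro.sys", "delself.bat"}

def decode_report_prefix() -> str:
    """REG_MULTI_SZ data is UTF-16LE; the report's hex decodes to an NT path prefix."""
    return binascii.unhexlify(REPORT_HEX).decode("utf-16-le")

def parse_pending_renames(raw: bytes) -> list[tuple[str, str]]:
    """Split a PendingFileRenameOperations blob into (source, destination) pairs.

    Strings are NUL-separated and the list ends with a double NUL. Entries come
    in pairs; an empty destination means the source is deleted at next boot.
    """
    parts = raw.decode("utf-16-le").rstrip("\x00").split("\x00")
    if len(parts) % 2:  # a trailing empty destination was stripped above
        parts.append("")
    return [(parts[i], parts[i + 1]) for i in range(0, len(parts), 2)]

def nt_to_win32(path: str) -> str:
    """Strip the \\??\\ object-manager prefix the value uses for every path."""
    return path[4:] if path.startswith("\\??\\") else path

def flag_indicators(entries: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return the entries whose source or destination file name is an indicator."""
    def hit(p: str) -> bool:
        return ntpath.basename(nt_to_win32(p)).lower() in INDICATORS
    return [e for e in entries if hit(e[0]) or hit(e[1])]

def encode_multi_sz(strings: list[str]) -> bytes:
    """Build a REG_MULTI_SZ blob; used here only to construct the sample below."""
    return ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")

# Constructed sample, not captured from the malware: a benign update, a staged
# driver replacing the protected beep.sys at reboot, and deletion of the batch file.
SAMPLE_VALUE = encode_multi_sz([
    "\\??\\C:\\WINDOWS\\TEMP\\update.tmp", "\\??\\C:\\Program Files\\App\\app.dll",
    "\\??\\C:\\WINDOWS\\TEMP\\stage.tmp", "\\??\\C:\\WINDOWS\\system32\\drivers\\beep.sys",
    "\\??\\C:\\exec\\delself.bat", "",
])

if __name__ == "__main__":
    for src, dst in flag_indicators(parse_pending_renames(SAMPLE_VALUE)):
        print(f"{nt_to_win32(src)} -> {nt_to_win32(dst) or '<delete at boot>'}")
```

On a live system the same parser can be pointed at the real value read from HKLM\System\CurrentControlSet\Control\Session Manager to see what a reboot would rename or delete before it happens.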

Connects to:

hxxp://do-scan-progress.com/?wmid=1058&l=33&it=2&s=1

1 200 HTTP www.xp-antispyware2009.com/binary/Binaries1.cab
2 200 HTTP www.xp-antispyware2009.com/binary/Binaries2.cab
3 200 HTTP www.xp-antispyware2009.com/binary/Binaries3.cab
4 200 HTTP do-monster-scan.com/update_inst.php?wmid=1058&subid={ID}&pid=33&lid=2&hs={ID}

Downloads to:

%System%\wini10581.exe (8A5B2A376AFD54E9B04599A4BC43AA07)

Installer:

XP AntiSpyware 2009

XP AntiSpyware 2009 Installer

Removal:

Remove this threat with MalwareBytes!

Thanks to hevnsnt for the information!
