Wed, Oct 17 2007 15:33
Information Stealing Code being spammed in Latin America
Websense® Security Labs(TM) has discovered a new Trojan Horse being
distributed via spam email in Latin America. The email message is
written in Spanish, and includes the subject line:
"Espero que te guste"
email acts as a lure, attempting to get users to click a link and
download a greeting card. There are several versions of the spam
message, but the main difference is the location where the malicious
code is stored. In all versions discovered to date, the file name is
always "mexico.exe", and the MD5 is "ce073c460ec25d7e40efe3f717f75
c38". In all samples, the file has been stored on compromised websites.
If users click on the link and run the code, a browser window to Univision.com
opens as a means of hiding what is happening in the background. The
malicious code also connects to one or more additional websites to
download an additional binary file, "file56.gif". This file is actually
a Windows executable.
The "file56.gif" binary can come from any
of five different compromised sites. The file is downloaded to the
Windows system32 directory and given the name "html.txt". The
"html.txt" file is then renamed "html.exe" and run.
of the code is written in Delphi and packed with RLpack. It disables
Task Manager, deletes the host file, and changes some startup options
and Start menu options. It also includes an information stealing
HTML email screenshot available in full alert.
Filed under: Alerts