First I thouht this was like regular spam, and something close to Viagra (and others...). But, in the end, no...
The contact told me his "mail account" had been stolen, whereas I do believe his computer has been compromised (and then, the bad guys used that to gain access to the email account...).
But when I clicked on it, surprise... The real URL is:
http://bessthoprapi2iad .vv.cc/2i3xuqg42.jsp.
But this will in fact redirect the user to:
http://87.255.77. 35/fw2.pl
Then new redirection: http://dsdss333 .coom.in/dng311011/a90c83a2e63449deddcf99e0660d9f73/spl.php (detected by KAV 2011, but apparently this is not efficient enough to block the infection).
Under IE9, here is what happens:
If I click on Yes, it goes:
Then...
Quite regular now, since even if I click "Cancel", a file will attempt to be downloaded, still in a regular way:
IE 9 tries then to warn me the file "is not being downloaded so often, and could be harmfull"...:
KAV 2011 does not detect the sample. Neither does MalwareByte.
VirusTotal's results are quite clear! only 2 engines out of 41...!
| Result |
| AhnLab-V3 | 2011.12.06.01 | 2011.12.06 | - |
| AntiVir | 7.11.19.2 | 2011.12.06 | - |
| Antiy-AVL | 2.0.3.7 | 2011.12.06 | - |
| Avast | 6.0.1289.0 | 2011.12.06 | - |
| AVG | 10.0.0.1190 | 2011.12.06 | - |
| BitDefender | 7.2 | 2011.12.06 | - |
| ByteHero | 1.0.0.1 | 2011.11.29 | - |
| CAT-QuickHeal | 12.00 | 2011.12.06 | - |
| ClamAV | 0.97.3.0 | 2011.12.06 | - |
| Commtouch | 5.3.2.6 | 2011.12.06 | - |
| Comodo | 10859 | 2011.12.06 | - |
| DrWeb | 5.0.2.03300 | 2011.12.06 | - |
| Emsisoft | 5.1.0.11 | 2011.12.06 | - |
| eSafe | 7.0.17.0 | 2011.12.06 | - |
| eTrust-Vet | 37.0.9607 | 2011.12.06 | - |
| F-Prot | 4.6.5.141 | 2011.11.29 | - |
| F-Secure | 9.0.16440.0 | 2011.12.06 | - |
| Fortinet | 4.3.388.0 | 2011.12.06 | W32/Kryptik.TAF!tr |
| GData | 22 | 2011.12.06 | - |
| Ikarus | T3.1.1.109.0 | 2011.12.06 | - |
| Jiangmin | 13.0.900 | 2011.12.06 | - |
| K7AntiVirus | 9.119.5608 | 2011.12.06 | - |
| Kaspersky | 9.0.0.837 | 2011.12.06 | - |
| McAfee | 5.400.0.1158 | 2011.12.06 | - |
| McAfee-GW-Edition | 2010.1D | 2011.12.06 | - |
| Microsoft | 1.7903 | 2011.12.06 | - |
| NOD32 | 6681 | 2011.12.04 | - |
| Norman | 6.07.13 | 2011.12.06 | W32/Kazy.NA |
| nProtect | 2011-12-06.01 | 2011.12.06 | - |
| Panda | 10.0.3.5 | 2011.12.06 | - |
| PCTools | 8.0.0.5 | 2011.12.06 | - |
| Prevx | 3.0 | 2011.12.06 | - |
| Rising | 23.87.01.02 | 2011.12.06 | - |
| Sophos | 4.71.0 | 2011.12.06 | - |
| SUPERAntiSpyware | 4.40.0.1006 | 2011.12.06 | - |
| Symantec | 20111.2.0.82 | 2011.12.06 | - |
| TheHacker | 6.7.0.1.352 | 2011.12.01 | - |
| TrendMicro | 9.500.0.1008 | 2011.12.06 | - |
| TrendMicro-HouseCall | 9.500.0.1008 | 2011.12.06 | - |
| VBA32 | 3.12.16.4 | 2011.12.06 | - |
| VIPRE | 11212 | 2011.12.06 | - |
| ViRobot | 2011.12.6.4811 | 2011.12.06 | - |
| VirusBuster | 14.1.102.0 | 2011.12.06 | - |
| MD5: c7fa7ebcb697b26ac684f8b18a0f30b4 |
| SHA1: 98561e513580021bbd2f715e54a53e96558a8a1f |
| SHA256: bc9264cd51df7815a96c0753cbacbde9f2f491a191b78a06782854abb93171f4 |
| File size: 129536 bytes |
| Scan date: 2011-12-06 21:48:09 (UTC) |
About the file:
I also find interesting to mention that the exefile is in fact made of pure MS technology: Silverlight.
Update 1:
Being run on a fully-patched Win 7 x64, nothing really bad happens... it seems that an additional download fails.
This is also what ThreatExpert tels about the file execution history:
http://www.threatexpert.com/report.aspx?md5=c7fa7ebcb697b26ac684f8b18a0f30b4
Buggy malware?
