Tag Archive for 'druzg.ru'

Emold: Statement.zip

Since shortly after 13:00 this afternoon, Emold (aka AutoRun) has been spreading via a new spam wave:

Subject: Your credit card account statement
Dear Valued Customer:
ID: robert

As requested, we are sending you this account statement with information on the transactions carried out with your credit card between 1/1/2008 and 8/1/2008.

Please find the account statement with the detailed list of the transactions attached to this message. You can view the document or print it out by simply saving the attached file to disk and opening it for viewing.

Please let us know if we can be of any further assistance.

At your service,
Irvin Knight
Manager of Visa / MasterCard
Credit Card Services

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

If you believe this message was sent to you by mistake, please forward the identification number stated on the enclosed document to our customer service department.

In the e-mail body only the sender's name varies; the rest is always the same. The attachment Statement.zip contains the executable file Statement.doc_____.exe:

Filename: Statement.doc____.exe
File size: 30208 bytes
MD5: 250eb64716c7c62464c01a94366c637d
SHA1: ffb11cd021da7c1f50131887bee1947f68e954a0
Detection rate: 18/36 (50%)

The trojan contacts the domain druzg.ru (125.65.113.112):

GET http://druzg.ru/ld.php

It then downloads the spam mailer PushDo from mncpssa.org (202.191.62.252):

GET http://mncpssa.org/js/lo12er.exe

Filename: lo12er.exe
File size: 22528 bytes
MD5: 204336ee0680808e19aa7c351f4d2629
SHA1: 968741a1e9afd1c3e8f8456ce3941fe6fc79ce0a
Detection rate: 5/36 (13.89%)

Right after infection, the spam mailer appears to contact several IP addresses in order to fetch its configuration file:

  • 208.66.195.15
  • 208.66.195.71
  • 208.66.194.232
  • 91.203.92.7
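
The indicators above (the two download URLs, the four configuration servers and the disguised attachment name) can be turned into a simple detection. The following Python script is an added example, not part of the original post: it flags attachment names of the `Statement.doc____.exe` kind and scans proxy log lines for the URLs and IPs listed here. The log line format (`<client_ip> <method> <url>`) and the sample lines are constructed assumptions.

```python
import re

# Indicators quoted in the post: the first C2 contact, the PushDo download
# and the servers the spam mailer then queries for its configuration file.
C2_URLS = {"http://druzg.ru/ld.php", "http://mncpssa.org/js/lo12er.exe"}
CONFIG_IPS = {"208.66.195.15", "208.66.195.71", "208.66.194.232", "91.203.92.7"}

# An executable posing as a document: a fake document extension padded with
# underscores or spaces so the real ".exe" is pushed out of view.
DISGUISED_EXE = re.compile(r"\.(doc|xls|pdf|txt)[_ ]*\.(exe|scr|pif|com)$", re.I)


def is_disguised_executable(filename: str) -> bool:
    """True for names like 'Statement.doc____.exe' used in this campaign."""
    return DISGUISED_EXE.search(filename) is not None


def host_of(url: str) -> str:
    """Strip scheme and path: 'http://a.b/c' -> 'a.b'."""
    return re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/")[0]


def scan_proxy_log(lines):
    """Return (line_number, reason) for each line hitting an indicator.
    Assumed (constructed) line format: '<client_ip> <method> <url>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip rather than crash
        url = parts[2]
        if url in C2_URLS:
            hits.append((n, f"Emold/PushDo download URL {url}"))
        elif host_of(url) in CONFIG_IPS:
            hits.append((n, f"PushDo configuration server {host_of(url)}"))
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "10.0.0.5 GET http://example.com/index.html",
    "10.0.0.5 GET http://druzg.ru/ld.php",
    "10.0.0.5 GET http://mncpssa.org/js/lo12er.exe",
    "10.0.0.5 GET http://208.66.195.71/",
]

if __name__ == "__main__":
    for n, why in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {why}")
```

Run against the sample lines, the scan reports lines 2 to 4: the two download URLs and the configuration server contact.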
