Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

New Email Exploit “Scan upon download” 03.08.10

leave a comment »

The email reads:

Dear Sirs,
We have prepared a contract and added the paragraphs that you wanted to see in it. Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment. We are enclosing the file with the prepared contract.

The email has the ZIP archive attached named Contract.zip, a 202 kB large file, and once extracted an executable file named Contract.exe appears.

After being clicked on and run, the following files are created:

%AppData%\av.exe


%AppData%\v7LsGuo3u6bku

A new process is created:

%AppData%\av.exe

You’ve just been p0wned. Of course the hook here is the social bits. First off, the admonishment of the subject line:

“scan upon download”

Nice touch really.. As not many vendors can see this yet, I am sure this will work pretty well for the mass clickers out there.

My virus scanner said it was ok! CLICK CLICK CLICK!

Second, the whole contract angle. Now, if you are not a sir, and you know nothing of any contracts you might be recieving, why would you click on this? Mostly I think it is because people are generally curious and want to know things that they “shouldn’t” have access to. So they will click on the zip or the “contract” to get the dirt.

Human nature…

The trojan that has just been installed  is named Suspicious:W32/Malware!Gemini by F-Secure or Mal/TibsPk-D by Sophos and is able to create malicious executable files on the infected system for you the end user to handily execute later on! YAY!

So far this was seen in the wild today at 1220 EST and only has been picked up by a scant few virus scanners. I expect there to be many more self p0wnings in the next few hours.

Here’s the hint people… If you don’t have business dealings with contracts DONT CLICK and for heavens sake DO NOT CLICK ON AN EXE!

Duh.

Written by Krypt3ia

2010/03/09 at 19:16

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: