Skip navigation.
Home

cdhamby's blog

More E-card Malware

There have been some changes in the whole "E-card Malware" saga.

First and foremost I've been seeing sites that are bundling an older IE exploit with the malware. It looks to be the JS/Psyme exploit, or some variant thereof. AV detects it pretty easily.

Secondly, the spams themselves have changed a bit. As reported by the Internet Storm center, they are now using a 4th of July theme. Most of the sites are now in the US, which is a change from a few days ago when most of the ones I saw were in Europe.

Fially, ISC is reporting that the malware in question is yet another Storm Worm variant. I've uploaded one I captured this afternoon to OC. the MD5 hash is 41ceb97828f4f14ece4f6973380c4fdd.

Yet another round of E-card Malware

I've been following the entries on the SANS Internet Storm Center about the latest wave of "ecard" malware. Pretty interesting if not original. When I checked my spam traps this morning lo and behold someone was kind enough to leave me a Christmas present!

Read more for the rest of cdhamby's post

Fat-Fingered Worm Writers Strike Again

The Internet Storm Center has a post about a strange variant of the Big Yellow Worm that has been scanning an unusual port:
http://isc.sans.org/diary.html?storyid=2040

The port in question (2968/tcp) is reportedly used by the Netware version of SAV. Specifically, it's the port that rtvscan.nlm listens on. It also happens to be one off from the normal SAV port (2967/tcp). I had a chance to go over some of the captures that this beastie is sending out and it is identical to a variant that was released just before Christmas. No differences to account for the fact that it's attacking a Netware system.

New Graybird.Trojan variant

Stumbled across a new variant of the Graybird trojan last night. Overall it seems to be pretty standard. It drops a file called prsvr.exe (a copy of itself) in the system32 directory. It also creates a small batch file called DELME.bat that it uses to delete the initial .exe file. It creates multiple startup entries in the registry, almost all of which can be identified by searching for "prsvr.exe" or "Procedure Distribution Service".

On the network side of the house it sends out some DNS lookup requests for 44384.ipread.com, which resolves to 218.28.29.141 (a netblock in China). It then tries to connect to this IP on port 8000, presumably to download the next stage. Alas for this critter this system seems to have been cleaned since all it gets back are RST packets.

Syndicate content