
New Classmates.com Malware Campaign

While reading through my spam folder, I found a new sample. There is a new malware sample being spread posing as a Classmates.com reunion message. The sample I have is MD5 895377d01833dfd01dfccb523b2d3026. I haven't done anything to analyze this file yet.

UPDATE: Here's a new copy of the executable 393473bd4a1da563ec086cff7d9c50f6

Here's the original email from my spam folder:

Received: from [78.2.19.242] by hoemail1.alcatel.com; Tue, 13 Jan 2009 18:09:56 +0100
From: "Committee members" <alumni@classmates.com>
To: <DANNY'S EMAIL ADDRESS>

Subject: Invitation to preview new Reunion Classmates.
Date: Tue, 13 Jan 2009 18:09:56 +0100
Message-ID: <01c975aa$23a9f200$f213024e@ytaewgjhxuob>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663
Importance: Normal

We are pleased to announce our Class Reunion on January 25, 2009. 
Please join us for a night of Glamour and Elegance as we celebrate our 2009 Year 
Class Reunion. 
We don't want to let another year go by without the opportunity for all of us to get 
together, reminisce about old times and learn about what our old friends have been 
up to. 


Proceed to view Your inbox video messages - 1 message:

http://classmates.profile.OnlineServlet.user-2nnbxg4w0.scaneradobeflash.com/login_video737.htm?/logon/LOGIN=7lcy7xax88cyhg8
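The lure above leans on a classic trick: the link's hostname starts with `classmates.profile...` but the registered domain is actually `scaneradobeflash.com`, and the From: address claims `classmates.com`. The following Python is an added example (not part of the original post) that parses a constructed copy of this message, pulls every URL out of the body, and flags links whose registered domain differs from the sender's domain while the sender's brand name is smuggled into a subdomain. The `registered_domain` helper simply takes the last two labels, which is an assumption that is fine for `.com` but would need the Public Suffix List for something like `.co.uk`.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed copy of the spam message from the post (recipient replaced,
# most headers trimmed, the link rejoined onto one line).
SAMPLE_EMAIL = """\
From: "Committee members" <alumni@classmates.com>
To: <victim@example.org>
Subject: Invitation to preview new Reunion Classmates.
Content-Type: text/plain; charset="Windows-1252"

We are pleased to announce our Class Reunion on January 25, 2009.

Proceed to view Your inbox video messages - 1 message:

http://classmates.profile.OnlineServlet.user-2nnbxg4w0.scaneradobeflash.com/login_video737.htm?/logon/LOGIN=7lcy7xax88cyhg8
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registered_domain(host):
    """Last two labels of a hostname (assumption: enough for .com/.net;
    a production check should consult the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_lookalike_links(raw_message):
    """Return (sender_domain, [(url, real_registered_domain), ...]) for every
    link whose registered domain is not the sender's but whose hostname
    contains the sender's brand name as a decoy subdomain."""
    msg = message_from_string(raw_message, policy=default)
    sender_addr = parseaddr(msg["From"])[1]
    sender = registered_domain(sender_addr.split("@")[-1])
    brand = sender.split(".")[0]            # "classmates" from "classmates.com"

    body_part = msg.get_body(preferencelist=("plain", "html"))
    text = body_part.get_content() if body_part is not None else ""

    findings = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""  # hostname is already lowercased
        real = registered_domain(host)
        if real != sender and brand in host:
            findings.append((url, real))
    return sender, findings


if __name__ == "__main__":
    sender, hits = find_lookalike_links(SAMPLE_EMAIL)
    print("claimed sender domain:", sender)
    for url, real in hits:
        print("LOOKALIKE LINK -> really %s: %s" % (real, url))
```

A mail gateway rule built on this idea catches the decoy-subdomain pattern regardless of which brand is being impersonated, since it derives the brand from the From: header rather than from a fixed list; the obvious caveat is that legitimate mail from a brand that links to a separate tracking or CDN domain will also trip it, so treat the result as a scoring signal rather than a hard block.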

this file just crashes at

This file just crashes at start of code. Incorrect coding.

inside is

Inside is URL
http://goodboomer.com/successful.exe

I submit it here

39eda11bdef90b48a296684701324664

so finally "successful.exe"

So finally "successful.exe" is a loader of malware with an embedded rootkit driver, mostly named PAPRAS.

http://www.virustotal.com/analisis/434cd45dff2cc1f9237d5beec639dfb7

uploaded:
00e6df838caed5dc92ea0b10c035529f

NX Domain?

Did they get their domain revoked or something? I can't seem to connect, getting NX domain. Also Whois.net is telling me that it's available for purchase.... Any ideas?

Downloader

This file is a simple downloader. It runs svchost.exe and injects code into its process. This code kills the original downloader's file, then downloads the URL http://goodboomer.com/successful.exe and runs the downloaded file.
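The chain described in this comment (drop starts svchost.exe, injects into it, the injected code deletes the dropper, fetches successful.exe from goodboomer.com and runs it) leaves a recognisable trail in process and file telemetry. The Python below is an added detection example, not code from the post or from any analyst here: it walks a constructed list of endpoint events (Sysmon-style fields, simplified) and raises an alert for any svchost.exe whose parent is not services.exe and which then deletes its parent's image, talks to the network, or writes a new executable. The event format, paths and pids are all made up for the example; the domain and file name are the ones quoted in the thread.

```python
SVCHOST = r"c:\windows\system32\svchost.exe"
SERVICES = r"c:\windows\system32\services.exe"

# Constructed telemetry. pid 500 is a normal svchost.exe under services.exe;
# pid 1002 reproduces the downloader chain described in the thread.
DROPPER = r"C:\Users\victim\Downloads\reunion_video.exe"   # placeholder name
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 500, "image": SVCHOST,
     "parent_image": SERVICES},
    {"type": "network_connect", "pid": 500, "host": "windowsupdate.example"},
    {"type": "process_create", "pid": 1001, "image": DROPPER,
     "parent_image": r"C:\Program Files\Outlook\outlook.exe"},
    {"type": "process_create", "pid": 1002, "image": SVCHOST,
     "parent_image": DROPPER},
    {"type": "file_delete", "pid": 1002, "target": DROPPER},
    {"type": "network_connect", "pid": 1002, "host": "goodboomer.com"},
    {"type": "file_create", "pid": 1002,
     "target": r"C:\Users\victim\AppData\Local\Temp\successful.exe"},
]


def _norm(path):
    return path.lower()


def detect_svchost_downloader(events, min_indicators=3):
    """Return {pid: [reasons]} for svchost.exe instances that look like the
    injected downloader: spawned by something other than services.exe, then
    showing enough follow-on behaviour (self-delete, network, new .exe)."""
    suspects = {}
    for ev in events:
        kind = ev["type"]
        if kind == "process_create" and _norm(ev["image"]) == SVCHOST:
            parent = _norm(ev["parent_image"])
            if parent != SERVICES:
                suspects[ev["pid"]] = {
                    "parent": parent,
                    "reasons": ["svchost.exe started by %s, not services.exe" % parent],
                }
            continue
        s = suspects.get(ev.get("pid"))
        if s is None:
            continue  # only track the anomalous svchost instances
        if kind == "file_delete" and _norm(ev["target"]) == s["parent"]:
            s["reasons"].append("deleted its parent's executable (self-delete)")
        elif kind == "network_connect":
            s["reasons"].append("outbound connection to %s" % ev["host"])
        elif kind == "file_create" and _norm(ev["target"]).endswith(".exe"):
            s["reasons"].append("wrote new executable %s" % ev["target"])
    return {pid: s["reasons"] for pid, s in suspects.items()
            if len(s["reasons"]) >= min_indicators}


if __name__ == "__main__":
    for pid, reasons in detect_svchost_downloader(SAMPLE_EVENTS).items():
        print("ALERT pid %d:" % pid)
        for r in reasons:
            print("  -", r)
```

The parent check alone is a useful low-noise signal on most Windows hosts, because svchost.exe is normally started only by services.exe; requiring two further indicators before alerting keeps one-off oddities (an installer that briefly launches svchost.exe) from paging anyone, while the self-delete plus download plus new-executable pattern of this sample still scores well above the threshold.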

Yep. Nothing too complex.

Yep. Nothing too complex. Just another script a kid wrote.
---------------------
Norton AntiVirus 2009