New Malware Campaign

While reading through my spam folder, I found a new sample. There is a new malware sample being spread posing as a reunion message. The sample I have is MD5 895377d01833dfd01dfccb523b2d3026. I haven't done anything to analyze this file yet.

UPDATE: Here's a new copy of the executable 393473bd4a1da563ec086cff7d9c50f6

Here's the original email from my spam folder:

Received: from [] by; Tue, 13 Jan 2009 18:09:56 +0100
From: "Committee members" <>

Subject: Invitation to preview new Reunion Classmates.
Date: Tue, 13 Jan 2009 18:09:56 +0100
Message-ID: <01c975aa$23a9f200$f213024e@ytaewgjhxuob>
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663
Importance: Normal

We are pleased to announce our Class Reunion on January 25, 2009. 
Please join us for a night of Glamour and Elegance as we celebrate our 2009 Year 
Class Reunion. 
We don't want to let another year go by without the opportunity for all of us to get 
together, reminisce about old times and learn about what our old friends have been 
up to. 

Proceed to view Your inbox video messages - 1 message:
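As an added triage example (not the blog author's code, and nothing the author ran), the script below parses a raw message shaped like the one quoted above, pulls out the headers a defender looks at first, lists any URLs in the body, and checks a file's MD5 against the two hashes the post gives. The sender address and the link target are elided in the post, so the constructed copy of the message below leaves the address empty and uses a clearly labelled placeholder host for the link.

```python
"""Triage helper for a suspected lure e-mail. Added example; assumptions:
the message text is reconstructed from the page, the lure URL is a
placeholder, and the IoC list is just the two MD5s the post mentions."""
import email
import email.utils
import hashlib
import re

# MD5s quoted on the page for the "successful.exe" sample and its update.
KNOWN_BAD_MD5 = {
    "895377d01833dfd01dfccb523b2d3026",
    "393473bd4a1da563ec086cff7d9c50f6",
}

# Constructed from the headers/body on the page; address and URL elided there.
RAW_EMAIL = """\
Received: from [] by; Tue, 13 Jan 2009 18:09:56 +0100
From: "Committee members" <>
Subject: Invitation to preview new Reunion Classmates.
Date: Tue, 13 Jan 2009 18:09:56 +0100
Message-ID: <01c975aa$23a9f200$f213024e@ytaewgjhxuob>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook, Build 10.0.2627

We are pleased to announce our Class Reunion on January 25, 2009.
Proceed to view Your inbox video messages - 1 message:
http://PLACEHOLDER-LURE-HOST.example/successful.exe
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def triage(raw):
    """Return the fields worth eyeballing plus a list of simple red flags."""
    msg = email.message_from_string(raw)
    _, sender = email.utils.parseaddr(msg.get("From", ""))
    mid = (msg.get("Message-ID") or "").strip("<>")
    mid_host = mid.rsplit("@", 1)[-1] if "@" in mid else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    urls = URL_RE.findall(body)

    flags = []
    if not sender:
        flags.append("empty sender address")
    if mid_host and "." not in mid_host:
        # A Message-ID host with no dot is not a real FQDN; common in bulk spam kits.
        flags.append("message-id host has no dot")
    if urls:
        flags.append("body links to an executable" if any(
            u.lower().endswith(".exe") for u in urls) else "body contains URL")

    return {
        "sender": sender,
        "subject": msg.get("Subject", ""),
        "x_mailer": msg.get("X-Mailer", ""),
        "message_id_host": mid_host,
        "urls": urls,
        "flags": flags,
    }


def check_sample(data):
    """MD5 a candidate file (bytes) and report whether it matches the page's IoCs."""
    digest = hashlib.md5(data).hexdigest()
    return digest, digest in KNOWN_BAD_MD5


if __name__ == "__main__":
    for key, value in triage(RAW_EMAIL).items():
        print(f"{key:16} {value}")
    print(check_sample(b"placeholder, not the real sample"))
```

Matching on the two MD5s only catches those exact binaries; repacked copies (the post already notes a second hash) need behavioural detection, which is why the header and URL flags are kept alongside the hash check.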

This file just crashes at the start of the code. Incorrect coding.

Inside is a URL.

I submit it here.


So finally "successful.exe" is a loader of malware with an embedded rootkit driver, mostly named PAPRAS.


NX Domain?

Did they get their domain revoked or something? I can't seem to connect, getting NXDOMAIN. Also is telling me that it's available for purchase.... Any ideas?


This file is a simple downloader. It runs svchost.exe and injects code into its process. This code kills the original downloader's file, then downloads a URL and runs the downloaded file.
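The behaviour described in that comment (spawn svchost.exe, inject into it, delete the original file, fetch and run a second stage) is a chain that host telemetry can catch even when the binary's hash changes. The following is an added detection example, not code from the page or from anyone in the thread; it runs over constructed, Sysmon-style process/thread/file/network records, with placeholder paths and host names that are assumptions rather than indicators from the post.

```python
"""Chain detection for a downloader that injects into svchost.exe.
Added example over constructed events; not real telemetry from the page."""

# Locations a freshly dropped executable typically runs from (assumption).
USER_WRITABLE = (
    "c:\\users\\",
    "c:\\documents and settings\\",
    "c:\\windows\\temp\\",
)

DROPPER = r"C:\Documents and Settings\bob\Local Settings\Temp\successful.exe"

# Constructed event stream, ordered by time "t". Fields loosely follow Sysmon
# event types (process create, CreateRemoteThread, file delete, network connect).
EVENTS = [
    {"t": 1, "type": "process_create", "pid": 100, "ppid": 50, "image": DROPPER},
    {"t": 2, "type": "process_create", "pid": 200, "ppid": 100,
     "image": r"C:\WINDOWS\system32\svchost.exe"},
    {"t": 3, "type": "remote_thread", "src_pid": 100, "dst_pid": 200},
    {"t": 4, "type": "file_delete", "pid": 200, "path": DROPPER},
    {"t": 5, "type": "network_connect", "pid": 200,
     "dst": "PLACEHOLDER-HOST.example:80"},
    {"t": 6, "type": "process_create", "pid": 300, "ppid": 200,
     "image": r"C:\WINDOWS\Temp\stage2.exe"},
    # Benign noise: services.exe (pid 60) starting a normal svchost instance.
    {"t": 7, "type": "process_create", "pid": 400, "ppid": 60,
     "image": r"C:\WINDOWS\system32\svchost.exe"},
]


def _images(events):
    """Map pid -> image path from process-create events."""
    return {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}


def detect(events):
    """Return one finding per remote thread injected into svchost.exe from a
    user-writable path, with the follow-on stages seen for that pair."""
    images = _images(events)
    ordered = sorted(events, key=lambda e: e["t"])
    findings = []
    for ev in ordered:
        if ev["type"] != "remote_thread":
            continue
        src, dst = ev["src_pid"], ev["dst_pid"]
        src_img = images.get(src, "").lower()
        dst_img = images.get(dst, "").lower()
        if not dst_img.endswith("\\svchost.exe"):
            continue
        if not src_img.startswith(USER_WRITABLE):
            continue  # injection from an installed binary is out of scope here
        stages = ["inject"]
        for later in ordered:
            if later["t"] <= ev["t"]:
                continue
            if (later["type"] == "file_delete" and later["pid"] == dst
                    and later["path"].lower() == src_img):
                stages.append("self_delete")  # injected code removed the dropper
            elif later["type"] == "network_connect" and later["pid"] == dst:
                stages.append("download")
            elif later["type"] == "process_create" and later["ppid"] == dst:
                stages.append("second_stage")
        findings.append({"injector_pid": src, "target_pid": dst,
                         "injector_image": images[src], "stages": stages})
    return findings


def severity(finding):
    """More of the chain observed means higher confidence."""
    return {1: "low", 2: "medium"}.get(len(finding["stages"]), "high")


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(severity(f), f)
```

The self-deletion step is the useful discriminator: legitimate software that injects into svchost.exe does not usually have the target process delete the injector's own image from a temp directory.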

Yep. Nothing too complex. Just another script a kid wrote.
Norton AntiVirus 2009