Thanks for the malware

I checked inbox today and found an interesting email:

From: bwukft
Subject: 中国房市崩盘即将到来

The message was received from:

Received: from lenovo-2395031b (unknown [])
inetnum: –
netname: UNICOM-HL
country: CN

The attachment was a .rar:

VT: 2/41 (4.88%)
MD5: 62d8715bb97a561b2ca11808e549128a

It contained a .scr:

VT: 3/41 (7.32%)
MD5: ce919337d48d89deeee8867b2a0deb62

This dropped an executable:

VT: 2/39 (5.13%)
MD5: 6c327eff51ed352dcd80c55d6b8f7a81
Anubis Analysis Report.

Connections were made to on ( port 8080.
inetnum: –
netname: UNICOM-HL
descr: China Unicom Heilongjiang Province Network
descr: China Unicom
country: CN

If you leave it running for a while it starts to send back the list of files contained within directories such as:

C:\Documents and Settings\
C:\Documents and Settings\*\
C:\Documents and Settings\*\Favorites\
C:\Documents and Settings\*\Documents\
C:\Documents and Settings\*\Cookies

If cookies are present, they get sent to the C&C.

Connections to ( port 80 show that it is a Windows box running AppServ Open Project – 2.5.9.

The PHP config page contains:

Server Administrator

That’s all the time I have right now, but thanks for the malware.

Post a comment.