Celebrity Malicious Spam Analysis and Removal
September 8, 2008 by Shanmuga
Filed under Featured, spyware removal
Recently my inbox was filled with spam carrying the subject line "Re: Offical Update 2008" and a number of catchy celebrity-themed Storm worm subject lines. I opened one of the spam mails with the Paris Hilton subject line and clicked on the single link, which promised to let me view a previously unseen video of the celebrity.
The link took me to a hacked web page with a bogus-looking Flash player and, sure enough, a message telling me to download a missing video codec (video8.exe) to view the celebrity video. This is the usual fake-codec lure: the "codec" is the malware.
The file video8.exe proved to be a trojan downloader with a detection rate of just over 33% at VirusTotal at the time of analysis. Once it gains a foothold on the PC it proceeds to download a variety of additional malware, some of which can seriously damage the system.
It downloads and installs cbevtsvc.exe, which made connections to 72.9.98.234 and 85.255.118.117. The cbevtsvc.exe process then launches 614568581.exe, all behind the user's back. Once that is installed the fake security alerts start.
The trojan downloader then phones home to 72.9.98.234, which resolved to antispyspider.net, and then to a hacked page at excellentloads.com to download a setup.exe file (74.5 KB), a fake antimalware downloader. A connection was then made to 79.135.167.18 to download an install.exe file (109 KB), a backdoor belonging to the Rustock family, a 4scan.exe file (41.5 KB) and a sysftp.exe (34.0 KB), the latter two probably trojan downloaders for fake antimalware software.
Connections were also observed to several fake antimalware distribution sites, such as antispyware-quick-scan.com, xpsecuritycenter.com and virus-quick-scan.com.
Associated Files
C:\WINDOWS\karina.dat
C:\WINDOWS\buritos.exe
C:\WINDOWS\system32\CbEvtSvc.exe
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\getsn32.dll
C:\WINDOWS\system32\karina.dat
C:\WINDOWS\system32\delself.bat
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\buritos.exe
C:\WINDOWS\system32\winivstr.exe
C:\Documents and Settings\LocalService\Application Data\614568581.exe
Associated Registry Keys
HKEY_CLASSES_ROOT\getsn32.msiesn
HKEY_CLASSES_ROOT\TypeLib\{36aa7cbc-69dc-4277-a670-898728756789}
HKEY_CLASSES_ROOT\Interface\{1abd6dac-9e20-4e9e-a13f-8879e08c30bc}
HKEY_CLASSES_ROOT\CLSID\{a55ca42c-bf8a-4491-9073-6e32fc4e6250}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC#NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000#Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000#Legacy
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000#ConfigFlags
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000#Class
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000#ClassGUID
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000#DeviceDesc
Associated Registry Values
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax
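As an added example, not part of the original post, the network and file indicators listed above can be turned into a simple detection pass over web-proxy logs. The IP addresses, domains and file names are the ones reported in this write-up; the log format and the sample log lines are constructed for the example, and setup.exe/install.exe are only counted when the download host is itself an indicator, because the bare names would otherwise flag every legitimate installer:

```python
"""Match the indicators from this write-up against web-proxy log lines.

The indicator lists are taken from the post; the log format and the
sample log lines are constructed for this example.
"""
import re
from urllib.parse import urlsplit

# Network indicators from the post.
IOC_IPS = {"72.9.98.234", "85.255.118.117", "79.135.167.18"}
IOC_DOMAINS = {
    "antispyspider.net",
    "excellentloads.com",
    "antispyware-quick-scan.com",
    "xpsecuritycenter.com",
    "virus-quick-scan.com",
}
# File names from the post that are distinctive enough to flag on their own.
IOC_FILES_STRONG = {
    "video8.exe", "cbevtsvc.exe", "614568581.exe", "4scan.exe", "sysftp.exe",
    "braviax.exe", "buritos.exe", "winivstr.exe", "getsn32.dll", "karina.dat",
}
# Names from the post that are far too common to flag alone; they count
# only when the download host is itself an indicator.
IOC_FILES_WEAK = {"setup.exe", "install.exe"}

# Assumed squid-style access log: timestamp client method url status
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def host_indicator(host):
    """Return the matching IP/domain indicator for a host, or None.

    Domain matches include subdomains (www.xpsecuritycenter.com)."""
    host = host.lower().rstrip(".")
    if host in IOC_IPS:
        return "ip:" + host
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "domain:" + domain
    return None


def match_line(line):
    """Return a hit record for one log line, or None if it is clean/unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unknown format: skip rather than crash the whole scan
    url = m["url"]
    # CONNECT lines carry a bare host:port; give urlsplit a scheme to parse it.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    filename = parts.path.rsplit("/", 1)[-1].lower()

    reasons = []
    host_hit = host_indicator(host)
    if host_hit:
        reasons.append(host_hit)
    if filename in IOC_FILES_STRONG:
        reasons.append("file:" + filename)
    elif filename in IOC_FILES_WEAK and host_hit:
        reasons.append("file:" + filename + " (generic name, counted only with host hit)")
    if not reasons:
        return None
    return {"ts": m["ts"], "client": m["client"], "host": host, "reasons": reasons}


def scan(lines):
    """Group hits by client address so each infected host can be triaged."""
    by_client = {}
    for line in lines:
        hit = match_line(line)
        if hit:
            by_client.setdefault(hit["client"], []).append(hit)
    return by_client


# Constructed sample log: 10.0.0.12 follows the infection chain described in
# the post; 10.0.0.44 downloads an unrelated setup.exe and visits one rogue site.
SAMPLE_LOG = """\
2008-09-07T10:15:02 10.0.0.12 GET http://www.example.com/index.html 200
2008-09-07T10:15:22 10.0.0.12 GET http://hacked-site.example.net/celeb/video8.exe 200
2008-09-07T10:15:40 10.0.0.12 GET http://72.9.98.234/ping.php 200
2008-09-07T10:15:51 10.0.0.12 GET http://excellentloads.com/files/setup.exe 200
2008-09-07T10:16:03 10.0.0.12 CONNECT 79.135.167.18:80 200
2008-09-07T10:16:30 10.0.0.44 GET http://download.example.com/setup.exe 200
2008-09-07T10:17:01 10.0.0.44 GET http://www.xpsecuritycenter.com/scan/ 200
this line is not in the expected format
"""

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG.splitlines()).items():
        print(client)
        for hit in hits:
            print("  ", hit["ts"], hit["host"], ", ".join(hit["reasons"]))
```

In a real deployment SAMPLE_LOG is replaced by the proxy's access log, and a client with several independent hits in sequence (the video8.exe download, then the 72.9.98.234 phone-home, then a rogue antimalware domain) is treated as a confirmed infection, whereas a single generic file name on an unknown host is not.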
Removal
This malware seems to disable one of my freeware favourites, SuperAntiSpyware. I used Malwarebytes' Anti-Malware free edition to do the job. Once it had run its routine, SuperAntiSpyware was able to start and run as usual. I also cleared the old System Restore points and ran CCleaner to clean out the temporary files. Note that beep.sys, listed above under both drivers and dllcache, is the name of a legitimate Windows driver: if it has been replaced it needs to be restored from a clean copy rather than simply deleted.