
Celebrity Malicious Spam Analysis and Removal

by Shanmuga

Recently my inbox filled up with spam carrying the subject line "Re: Offical Update 2008" and a number of catchy celebrity-themed Storm Worm subject lines. I opened one of the messages with a Paris Hilton subject line and clicked the single link, which promised a previously unseen video of the celebrity.

[Screenshot: the spam messages in my Thunderbird inbox]

The link took me to a hacked web page showing a bogus Flash player and, sure enough, a suspicious message telling me to download a missing video codec (video8.exe) to view the celebrity video.

[Screenshot: the hacked page with the bogus Flash player and the "missing codec" prompt]

The file video8.exe proved to be a trojan downloader with a detection rate of just over 33% at VirusTotal. Once it gains a foothold on the PC it downloads a variety of further malware, some of which can seriously damage the system.

It downloads and installs cbevtsvc.exe, which made connections to 72.9.98.234 and 85.255.118.117. The cbevtsvc.exe process then launches 614568581.exe, all in the background. Once that is installed the fake alerts start.

[Screenshot: the fake security alert, captured 9/5/2008 12:08 PM]

The trojan downloader then phones home to 72.9.98.234 (the address antispyspider.net resolved to at the time) and then to a hacked page at excellentloads.com to download setup.exe (74.5 KB), a fake anti-malware downloader. A connection was then made to 79.135.167.18 to download install.exe (109 KB), a backdoor belonging to the Rustock family, along with 4scan.exe (41.5 KB) and sysftp.exe (34.0 KB), probably trojan downloaders for fake anti-malware software.

Connections were also observed to several sites distributing fake anti-malware, including antispyware-quick-scan.com, xpsecuritycenter.com and virus-quick-scan.com.

Associated Files

C:\WINDOWS\karina.dat
C:\WINDOWS\buritos.exe
C:\WINDOWS\system32\CbEvtSvc.exe
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\getsn32.dll
C:\WINDOWS\system32\karina.dat
C:\WINDOWS\system32\delself.bat
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\buritos.exe
C:\WINDOWS\system32\winivstr.exe
C:\Documents and Settings\LocalService\Application Data\614568581.exe

Associated Registry Keys

HKEY_CLASSES_ROOT\getsn32.msiesn
HKEY_CLASSES_ROOT\TypeLib\{36aa7cbc-69dc-4277-a670-898728756789}
HKEY_CLASSES_ROOT\Interface\{1abd6dac-9e20-4e9e-a13f-8879e08c30bc}
HKEY_CLASSES_ROOT\CLSID\{a55ca42c-bf8a-4491-9073-6e32fc4e6250}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000#DeviceDesc

Associated Registry Values

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax
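The network and host indicators above can be turned into a sweep that a responder runs against a netstat dump, a proxy or DNS log and a file listing taken from the patient machine, or, on a Windows host, live against the Run keys. The Python below is an added example and not the post's own tooling; the indicator values are the ones listed on this page, the sample netstat rows, proxy-log lines and file listing are constructed for demonstration, and the winreg check assumes the two Run key paths given under Associated Registry Values.

```python
"""IOC sweep for the video8.exe / CbEvtSvc infection chain described above.

Added example, not the original post's own tooling. Indicators are taken
from the post; the netstat, proxy-log and file-listing samples below are
constructed for demonstration and were not captured from the infected host.
"""
from __future__ import annotations

import os
import re
import sys
from typing import Callable, Iterable

# Network indicators from the analysis.
C2_IPS = {"72.9.98.234", "85.255.118.117", "79.135.167.18"}
C2_DOMAINS = [
    "antispyspider.net", "excellentloads.com",
    "antispyware-quick-scan.com", "xpsecuritycenter.com", "virus-quick-scan.com",
]

# Host indicators from the "Associated Files" list.
DROPPED_FILES = [
    r"C:\WINDOWS\karina.dat",
    r"C:\WINDOWS\buritos.exe",
    r"C:\WINDOWS\system32\CbEvtSvc.exe",
    r"C:\WINDOWS\system32\braviax.exe",
    r"C:\WINDOWS\system32\getsn32.dll",
    r"C:\WINDOWS\system32\karina.dat",
    r"C:\WINDOWS\system32\delself.bat",
    r"C:\WINDOWS\system32\drivers\beep.sys",
    r"C:\WINDOWS\system32\dllcache\beep.sys",
    r"C:\WINDOWS\system32\buritos.exe",
    r"C:\WINDOWS\system32\winivstr.exe",
    r"C:\Documents and Settings\LocalService\Application Data\614568581.exe",
]
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "braviax"   # present under the Run key in both HKLM and HKCU

# One data row of "netstat -n": proto, local address, foreign IPv4:port.
_NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def find_c2_connections(netstat_lines: Iterable[str]) -> list[tuple[str, str, int]]:
    """(proto, foreign ip, foreign port) for each row talking to a known C2 address."""
    hits = []
    for line in netstat_lines:
        m = _NETSTAT_ROW.match(line)
        if m and m.group(3) in C2_IPS:
            hits.append((m.group(1), m.group(3), int(m.group(4))))
    return hits


def find_c2_domains(log_lines: Iterable[str]) -> list[str]:
    """Distinct C2 / fake-AV domains seen in proxy or DNS log lines, in order of first sighting.
    The boundary look-arounds stop 'xpsecuritycenter.com' matching inside a longer hostname."""
    seen: list[str] = []
    for line in log_lines:
        for domain in C2_DOMAINS:
            pattern = r"(?<![A-Za-z0-9.-])" + re.escape(domain) + r"(?![A-Za-z0-9-])"
            if domain not in seen and re.search(pattern, line, re.IGNORECASE):
                seen.append(domain)
    return seen


def find_dropped_files(exists: Callable[[str], bool] = os.path.exists) -> list[str]:
    """Dropped files that are present. `exists` is injectable so an exported directory
    listing (e.g. from `dir /s /b` on the patient) can be checked offline."""
    return [p for p in DROPPED_FILES if exists(p)]


def find_run_persistence() -> list[str]:
    """Live check, Windows only: which Run keys still carry the braviax value."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    found = []
    for hive, name in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"), (winreg.HKEY_CURRENT_USER, "HKCU")):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                winreg.QueryValueEx(key, RUN_VALUE)
                found.append(f"{name}\\{RUN_KEY}\\{RUN_VALUE}")
        except OSError:  # key or value absent
            pass
    return found


# Constructed samples, not captured from the infected machine.
SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    192.168.1.5:1043       72.9.98.234:80         ESTABLISHED",
    "  TCP    192.168.1.5:1044       85.255.118.117:80      SYN_SENT",
    "  TCP    192.168.1.5:1045       204.79.197.200:443     ESTABLISHED",
    "  UDP    192.168.1.5:137        *:*",
]
SAMPLE_PROXY_LOG = [
    "2008-09-05 12:07:55 GET http://antispyspider.net/setup.exe",
    "2008-09-05 12:08:01 GET http://xpsecuritycenter.com/download.php",
    "2008-09-05 12:08:02 GET http://www.google.com/",
]
SAMPLE_FILE_LISTING = {
    r"C:\WINDOWS\system32\CbEvtSvc.exe",
    r"C:\WINDOWS\system32\braviax.exe",
    r"C:\WINDOWS\system32\dllcache\beep.sys",
    r"C:\WINDOWS\system32\notepad.exe",
}

if __name__ == "__main__":
    print("C2 connections:", find_c2_connections(SAMPLE_NETSTAT))
    print("C2 domains:    ", find_c2_domains(SAMPLE_PROXY_LOG))
    print("Dropped files: ", find_dropped_files(SAMPLE_FILE_LISTING.__contains__))
    print("Run values:    ", find_run_persistence())
```

Two things to watch when reading the results. beep.sys appears both under drivers and under dllcache, the Windows File Protection cache, so if the cached copy is also the malicious one, a repair from the cache will simply put the bad driver back; both copies need to come from known-good media. And a hit on the braviax Run values or the CbEvtSvc service key after cleanup means the removal has not finished, whatever the scanner reports.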

Removal

This malware seems to disable one of my freeware favorites, SuperAntiSpyware, so I used the free edition of Malwarebytes' Anti-Malware to do the job. Once it had run, SuperAntiSpyware was able to start and run as usual. I also cleared the old System Restore points and ran CCleaner to clean out the temporary files.
