Recently my inbox was filled with spam carrying subject lines such as "Re: Offical Update 2008" and a number of catchy celebrity-themed Storm worm lines. I opened one of the spam mails with the Paris Hilton subject line and clicked on the single link, which promised to let me view a previously unseen video of the celebrity.
The link took me to a hacked web page with a bogus-looking Flash player, and sure enough there was a funny-looking message telling me to download a missing video codec (video8.exe) to view the celebrity video.
The file video8.exe proved to be a trojan downloader with just over a 33% detection rate at VirusTotal. Once it gains a foothold on your PC it proceeds to download a variety of nasty malware, some of which has the potential to seriously damage your PC.
It downloads and installs cbevtsvc.exe, which made connections to 18.104.22.168 and 22.214.171.124. The cbevtsvc.exe process then launches 614568581.exe, all behind your back. Once it is installed the fake alerts start.
The trojan downloader then phones home to 126.96.36.199, which resolves to antispyspider.net, and then on to a hacked page at excellentloads.com to download a setup.exe file (74.5 KB), a fake antimalware downloader. A connection was then made to 188.8.131.52 to download an install.exe file (109 KB), a backdoor belonging to the Rustock family, a 4scan.exe file (41.5 KB) and a sysftp.exe file (34.0 KB), probably trojan downloaders for fake antimalware software.
Connections were also observed to a few fake antimalware distribution sites such as antispyware-quick-scan.com, xpsecuritycenter.com and virus-quick-scan.com.
C:\Documents and Settings\LocalService\Application Data\614568581.exe
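As an added defender-side example (not code from the original post), the script below scans proxy log lines for the downloaded filenames and contacted domains named above, so the infection chain can be spotted from network logs on other machines. The log format, the hostnames and the sample log lines are constructed assumptions; the generic names setup.exe and install.exe are only flagged when served from one of the listed domains, to avoid false positives.

```python
import re
from collections import defaultdict

# Indicators taken from the post: filenames dropped or downloaded by the
# trojan downloader, and the domains it contacted.
STRONG_FILES = {"video8.exe", "cbevtsvc.exe", "614568581.exe",
                "4scan.exe", "sysftp.exe"}
WEAK_FILES = {"setup.exe", "install.exe"}   # too generic to flag alone
SUSPICIOUS_DOMAINS = {"antispyspider.net", "excellentloads.com",
                      "antispyware-quick-scan.com", "xpsecuritycenter.com",
                      "virus-quick-scan.com"}

# Constructed sample proxy log (hypothetical format: time host method url bytes).
SAMPLE_LOG = """\
10:01:02 ws17 GET http://hacked-site.test/video/video8.exe 58368
10:01:40 ws17 GET http://antispyspider.net/ping 312
10:01:41 ws17 GET http://excellentloads.com/dl/setup.exe 76288
10:02:03 ws17 GET http://www.wikipedia.org/ 20480
10:02:10 ws17 GET http://virus-quick-scan.com/scan.php 1024
10:05:00 ws22 GET http://intranet.test/setup.exe 4096
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
URL_RE = re.compile(r"^https?://([^/:]+)(?::\d+)?(/.*)?$")

def classify(url):
    """Return the list of reasons a URL matches the post's indicators."""
    m = URL_RE.match(url)
    if not m:
        return []
    host = m.group(1).lower()
    filename = (m.group(2) or "/").rsplit("/", 1)[-1].lower()
    reasons = []
    if host in SUSPICIOUS_DOMAINS:
        reasons.append("domain:" + host)
    if filename in STRONG_FILES or (filename in WEAK_FILES and reasons):
        reasons.append("file:" + filename)
    return reasons

def scan_log(text):
    """Group matching lines per client host: {host: [(time, url, reasons)]}."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, host, _method, url, _size = m.groups()
        reasons = classify(url)
        if reasons:
            hits[host].append((ts, url, reasons))
    return dict(hits)
```

Running `scan_log(SAMPLE_LOG)` reports four hits for ws17 and nothing for ws22, whose setup.exe came from an unlisted host.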
This malware seems to disable one of my freeware favorites, SuperAntiSpyware. I used Malwarebytes' Anti-Malware free edition to do the job. Once it had run its routine, SuperAntiSpyware was able to start and run as usual. I also cleared the old system restore points and ran CCleaner to clean out the temporary files.