WSLabs, Malicious Website / Malicious Code: Information Stealing Code being spammed in Latin America

Posted on 17 October 2007
Websense Security Lab

Websense® Security Labs™ has discovered a new Trojan horse being distributed via spam email in Latin America. The email message is written in Spanish and uses the subject line:

"Espero que te guste"

The email acts as a lure, attempting to get users to click a link and download a greeting card. There are several versions of the spam message, but the main difference is the location where the malicious code is stored. In all versions discovered to date, the file name is always "mexico.exe", and the MD5 is "ce073c460ec25d7e40efe3f717f75c38". In all samples, the file has been stored on compromised websites.

If users click on the link and run the code, a browser window to Univision.com opens as a means of hiding what is happening in the background. The malicious code also connects to one or more additional websites to download a second binary, "file56.gif". Despite its extension, this file is actually a Windows executable.

The "file56.gif" binary can come from any of five different compromised sites. The file is downloaded to the Windows system32 directory and given the name "html.txt". The "html.txt" file is then renamed "html.exe" and run.

The payload is written in Delphi and packed with RLPack. It disables Task Manager, deletes the hosts file, and changes some startup options and Start menu options. It also includes an information-stealing component.

HTML email screenshot available in full alert.


For additional details and information on how to detect and prevent this type of attack:
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=809
