CAUTION: Malicious email – delete it

Dear colleagues,

We have been made aware that a message titled “Descubren videos sexuales de Gringasha” (“Sex videos of Gringasha discovered”) is being distributed by email, apparently sent from cholotube.com.

The message itself does not contain a virus, but its links lead to a compromised server hosting a page from Monaco, and that server does carry malware that takes control of any PC it infects (turning it into a bot).

The malware is identified as Backdoor/Win32.Ruskill, Backdoor/W32.Agent.204800.CP and Trojan/Dorkbot.b, and what is worrying is that only 4 of the 30 antivirus engines on virustotal.com detect it. The following is a fragment of the report:

SandBox results for Videa_XXX.exe
Analysis ID: 25757
Date Analyzed: 2013-01-16 10:42:45
Sandbox Attributes: IE 9, Office 2003, Adobe Reader 9.4, Flash 10.1, Java 6
MD5 Hash: 65b466314e4160305e5337b5b07bd49f
Filename: Videa_XXX.exe
File Type: PE32 executable for MS Windows (GUI) Intel 80386 3
Digital Behavior Traits
Injected Code YES
More than 5 Processes YES
Copies to Windows NO
Windows/Run Registry Key Set YES
Makes Network Connection YES
Creates EXE in System NO
Starts EXE in System YES
Starts EXE in Documents NO
Deletes File in System NO
Hooks Keyboard NO
Creates Hidden File YES
Creates DLL in System NO
Creates Mutex YES
Alters Windows Firewall NO
Checks For Debugger YES
Could Not Load NO
Opens Physical Memory NO
Modifies Local DNS NO
Starts EXE in Recycle NO
Creates Service NO
Modifies File in System YES
Deletes Original Sample YES
VirusTotal Results
Last Scanned: 2013-01-16 15:31:30
MicroWorld-eScan Not Detected
nProtect Backdoor/W32.Agent.204800.CP
CAT-QuickHeal Not Detected
McAfee Not Detected
Malwarebytes Not Detected
K7AntiVirus Not Detected
TheHacker Trojan/Dorkbot.b
Agnitum Not Detected
F-Prot Not Detected
Symantec Not Detected
Norman Not Detected
TotalDefense Not Detected
TrendMicro-HouseCall Not Detected
Avast Not Detected
eSafe Not Detected
ClamAV Not Detected
Kaspersky Not Detected
BitDefender Not Detected
NANO-Antivirus Not Detected
SUPERAntiSpyware Not Detected
Emsisoft Not Detected
Comodo Not Detected
F-Secure Not Detected
DrWeb Not Detected
VIPRE Not Detected
AntiVir Not Detected
TrendMicro Not Detected
McAfee-GW-Edition Not Detected
Sophos Not Detected
Jiangmin Not Detected
Antiy-AVL Not Detected
Kingsoft Win32.Hack.Ruskill.h.(kcloud)
Microsoft Not Detected
ViRobot Not Detected
AhnLab-V3 Backdoor/Win32.Ruskill
GData Not Detected
Commtouch Not Detected
ByteHero Not Detected
VBA32 Not Detected
PCTools Not Detected
ESET-NOD32 Not Detected
Rising Not Detected
Ikarus Not Detected
Fortinet Not Detected
AVG Not Detected
Panda Not Detected

We examined the artifact in a sandbox and it is indeed malware: it hides itself, deletes its original copy, runs at operating-system startup and opens several connections to the Internet.
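For teams that receive reports like the one quoted above, the useful triage questions are how many engines actually flag the sample and which behaviour traits point to a persistent bot (Run-key persistence, code injection, hidden files, outbound connections, deleting the original sample). The script below is an added example written for this post, not code from the original author or from the sandbox vendor: it parses the plain-text report format as pasted above, computes the detection ratio, and lists the high-risk traits. The report text is embedded inline as a shortened excerpt of the quoted report, and the HIGH_RISK_TRAITS watchlist and the "escalate" heuristic are choices made for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Excerpt of the sandbox / VirusTotal report quoted in the post, embedded here
# as an inline string (engine list shortened to keep the example brief).
SAMPLE_REPORT = """\
SandBox results for Videa_XXX.exe
Analysis ID: 25757
Date Analyzed: 2013-01-16 10:42:45
MD5 Hash: 65b466314e4160305e5337b5b07bd49f
Filename: Videa_XXX.exe
Digital Behavior Traits
Injected Code YES
More than 5 Processes YES
Copies to Windows NO
Windows/Run Registry Key Set YES
Makes Network Connection YES
Hooks Keyboard NO
Creates Hidden File YES
Creates Mutex YES
Checks For Debugger YES
Deletes Original Sample YES
VirusTotal Results
Last Scanned: 2013-01-16 15:31:30
MicroWorld-eScan Not Detected
nProtect Backdoor/W32.Agent.204800.CP
McAfee Not Detected
TheHacker Trojan/Dorkbot.b
Kaspersky Not Detected
Kingsoft Win32.Hack.Ruskill.h.(kcloud)
Microsoft Not Detected
AhnLab-V3 Backdoor/Win32.Ruskill
ESET-NOD32 Not Detected
AVG Not Detected
"""

# Traits that, when YES, most strongly indicate a persistent bot. This
# watchlist is a choice made for this example, not a vendor-defined set.
HIGH_RISK_TRAITS = {
    "Injected Code",
    "Windows/Run Registry Key Set",
    "Makes Network Connection",
    "Creates Hidden File",
    "Deletes Original Sample",
    "Checks For Debugger",
}


def parse_report(text: str) -> dict:
    """Split the report into header fields, behaviour traits and AV verdicts."""
    headers: Dict[str, str] = {}
    traits: Dict[str, bool] = {}
    engines: Dict[str, Optional[str]] = {}   # None means "Not Detected"
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Digital Behavior Traits":
            section = "traits"
            continue
        if line == "VirusTotal Results":
            section = "vt"
            continue
        if section == "header":
            if ": " in line:                       # "Key: value" lines only
                key, value = line.split(": ", 1)
                headers[key] = value
        elif section == "traits":
            m = re.match(r"^(.*\S)\s+(YES|NO)$", line)
            if m:
                traits[m.group(1)] = m.group(2) == "YES"
        else:
            if line.startswith("Last Scanned:"):
                headers["Last Scanned"] = line.split(": ", 1)[1]
                continue
            engine, _, verdict = line.partition(" ")  # engine name has no spaces
            engines[engine] = None if verdict == "Not Detected" else verdict
    return {"headers": headers, "traits": traits, "engines": engines}


def detection_ratio(engines: Dict[str, Optional[str]]) -> Tuple[int, int]:
    """Return (engines that flagged the sample, engines listed)."""
    detected = sum(1 for v in engines.values() if v is not None)
    return detected, len(engines)


def detection_names(engines: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Only the engines that produced a verdict, with their family names."""
    return {e: v for e, v in engines.items() if v is not None}


def high_risk_traits(traits: Dict[str, bool]) -> List[str]:
    """Watchlisted traits the sandbox reported as YES, sorted for stable output."""
    return sorted(t for t, yes in traits.items() if yes and t in HIGH_RISK_TRAITS)


def triage(text: str) -> dict:
    """Summarise a report; 'escalate' is this example's heuristic:
    low AV coverage combined with several bot-like behaviours."""
    rep = parse_report(text)
    detected, total = detection_ratio(rep["engines"])
    risky = high_risk_traits(rep["traits"])
    return {
        "md5": rep["headers"].get("MD5 Hash"),
        "filename": rep["headers"].get("Filename"),
        "detected": detected,
        "engines": total,
        "high_risk_traits": risky,
        "persistence": rep["traits"].get("Windows/Run Registry Key Set", False),
        "escalate": detected < total // 2 and len(risky) >= 3,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"{summary['filename']} ({summary['md5']}): "
          f"{summary['detected']}/{summary['engines']} engines detect it")
    print("high-risk traits:", ", ".join(summary["high_risk_traits"]))
    print("escalate for manual analysis:", summary["escalate"])
```

Running it on the embedded excerpt reports 4 of 10 engines detecting the sample (the four verdicts quoted in the post) and six watchlisted traits, so the "escalate" flag is set. On a full report the same parser gives the true ratio; the point of the watchlist is that a low detection count should never be read as "benign" when the behaviour section already shows Run-key persistence and outbound connections.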

Francisco
