Fraudulent email claiming to come from LAN

Phishing sample contributed by an enthusiastic colleague this weekend. Please take note and spread the word.

Apparently sent from: noreply@sonico.com

When the link is clicked, a legitimate Mexican site that has been compromised is loaded. When its PHP code runs, the download of the file Lan.docsx.exe begins; that file is the actual malicious payload.
**********************************************
Index of /wp-includes/Text/Diff/4f005r4ew22e5d5w1fr5r10tfr50b

Parent Directory
Lan.docsx.exe
action.php
contador.txt

Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/1.0.0-fips mod_bwlimited/1.4 Server at claand.com.mx Port 80
********************************************************************
http://claand.com.mx

209.236.122.170
Our colleague tells us that she has already contacted the webmaster of the company CLAAND so that they take appropriate action, but so far the malware remains active, so we are getting in touch with CERT.mx.

We downloaded the artifact and it turns out to be known to 10 of 46 anti-malware engines: Trojan-Dropper.Win32.Injector.hdrf, Trojan.Agent/Gen-Falleg[T] or Dropper.Generic7.BDKM.

We attach the result of the analysis performed in the sandbox:
SandBox results for Lan.docsx.exe
Analysis ID: 26806
Date Analyzed: 2013-02-04 11:48:12
Sandbox Attributes: IE 9, Office 2003, Adobe Reader 9.4, Flash 10.1, Java 6
MD5 Hash: e4fe5b0a16301aea9ff047bbfb0e2f01
Filename: Lan.docsx.exe
File Type: PE32 executable for MS Windows (GUI) Intel 80386 3
Digital Behavior Traits
Injected Code NO
More than 5 Processes NO
Copies to Windows NO
Windows/Run Registry Key Set YES
Makes Network Connection NO
Creates EXE in System NO
Starts EXE in System YES
Starts EXE in Documents NO
Deletes File in System NO
Hooks Keyboard NO
Creates Hidden File NO
Creates DLL in System NO
Creates Mutex YES
Alters Windows Firewall NO
Checks For Debugger NO
Could Not Load NO
Opens Physical Memory NO
Modifies Local DNS NO
Starts EXE in Recycle NO
Creates Service NO
Modifies File in System NO
Deletes Original Sample NO
VirusTotal Results
Last Scanned: 2013-02-04 16:43:02
MicroWorld-eScan Not Detected
nProtect Not Detected
CAT-QuickHeal Not Detected
McAfee Not Detected
Malwarebytes Trojan.Agent
K7AntiVirus Trojan
TheHacker Posible_Worm32
NANO-Antivirus Not Detected
F-Prot Not Detected
Symantec WS.Reputation.1
Norman Not Detected
TotalDefense Not Detected
TrendMicro-HouseCall Possible_Virus
Avast Not Detected
eSafe Suspicious File
ClamAV Not Detected
Kaspersky Trojan-Dropper.Win32.Injector.hdrf
BitDefender Not Detected
Agnitum Not Detected
SUPERAntiSpyware Trojan.Agent/Gen-Falleg[T]
Emsisoft Not Detected
Comodo Not Detected
F-Secure Not Detected
DrWeb Not Detected
VIPRE Not Detected
AntiVir Not Detected
TrendMicro Possible_Virus
McAfee-GW-Edition Not Detected
Sophos Not Detected
Jiangmin Not Detected
Antiy-AVL Not Detected
Kingsoft Not Detected
Microsoft Not Detected
ViRobot Not Detected
AhnLab-V3 Not Detected
GData Not Detected
Commtouch Not Detected
ByteHero Not Detected
VBA32 Not Detected
PCTools Not Detected
ESET-NOD32 Not Detected
Rising Not Detected
Ikarus Not Detected
Fortinet Not Detected
AVG Dropper.Generic7.BDKM
Panda Not Detected

GFI SandBox is an automated malware analysis tool which allows the analysis of virtually any Windows application or file. For more information, visit: http://www.gfi.com/malware-analysis-tool.
