Download Link:
hxxp://superdrugtesting.com/withlove.exe
hxxp://superdrugtesting.com/love.exe

Comes in the form of spam mail with links to blogspot blogs:
hxxp://rgejedqsuvt.blogspot.com
hxxp://qcrdkisybbdscp.blogspot.com

Content of blog:
Your download should start automatically in a few seconds. If not, click here to start the download and choose either "Open" or "Run".
('Click Here' links to the malware hxxp://superdrugtesting.com/withlove.exe)

Mail Header:
----------------------------------------------------------------
Delivered-To: recepient@domain.com
Received: by 10.114.168.6 with SMTP id q6cs327146wae; Sun, 6 Apr 2008 22:08:30 -0700 (PDT)
Received: by 10.115.89.1 with SMTP id r1mr5469082wal.8.1207544909554; Sun, 06 Apr 2008 22:08:29 -0700 (PDT)
Return-Path:
Received: from localhost ([222.252.231.108]) by mx.google.com with SMTP id a8si14218601poa.2.2008.04.06.22.08.25; Sun, 06 Apr 2008 22:08:29 -0700 (PDT)
Received-SPF: neutral (google.com: 222.252.231.108 is neither permitted nor denied by best guess record for domain of aljez@ewhfoodservices.com.au) client-ip=222.252.231.108;
Authentication-Results: mx.google.com; spf=neutral (google.com: 222.252.231.108 is neither permitted nor denied by best guess record for domain of aljez@ewhfoodservices.com.au) smtp.mail=aljez@ewhfoodservices.com.au
Received: (qmail 23767 invoked from network); Mon, 7 Apr 2008 12:08:18 +0700
Received: from unknown (HELO jxj) (222.55.218.215) by localhost with SMTP; Mon, 7 Apr 2008 12:08:18 +0700
Message-ID: <002101c8986d$644108a0$d7da37de@jxj>
From:
To:
Subject: You make my world beautiful
Date: Mon, 7 Apr 2008 12:08:18 +0700
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="windows-1252"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400

Somebody loves you
hxxp://rgejedqsuvt.blogspot.com/
hxxp://qcrdkisybbdscp.blogspot.com
----------------------------------------------------------------

File Name: withlove.exe
File size: 139265 bytes
MD5...: 014f9a2e7c385e927694ddc810936893
SHA1..: 67c55f6b475e2c3f76cdc415e11f7208647e03a0
SHA256: 1bac2aa03cf079b99202ef9e648b4e08e5ed769e065186ffcbb4dd203636a0dc
SHA512: d527495b79d259a6c273826b50b85814c61d524766dadeaf9360c5a003258e561a065fbbbbee4461362edd9b60c8b9c744185dd808db9f870d437011ca1203dc

VirusTotal Result for withlove.exe: 11/31 (35.49%)
Engine             Version        Updated     Result
AntiVir            7.6.0.81       2008.04.07  Worm/Zhelatin.AO
AVG                7.5.0.516      2008.04.07  I-Worm/Nuwar.R
CAT-QuickHeal      9.50           2008.04.05  (Suspicious) - DNAScan
ClamAV             0.92.1         2008.04.07  Trojan.Peed-188
DrWeb              4.44.0.09170   2008.04.07  Trojan.Packed.426
eSafe              7.0.15.0       2008.04.01  Suspicious File
F-Secure           6.70.13260.0   2008.04.07  Email-Worm.Win32.Zhelatin.ww
Kaspersky          7.0.0.125      2008.04.07  Email-Worm.Win32.Zhelatin.ww
Sophos             4.28.0         2008.04.07  Troj/Dorf-BA
VirusBuster        4.3.26:9       2008.04.07  Worm.Zhelatin.Gen!Pac.6
Webwasher-Gateway  6.6.2          2008.04.07  Worm.Zhelatin.AO

File Info:

PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0002
Time/Date stamp: 47F99438
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 0103
Magic: 010B
Linker version (major): 08
Linker version (minor): 00
Size of code: 00021A00
Size of initialized data: 00000200
Size of uninitialized data: 00000000
Address of entry point: 00001000
Base of code: 00001000
Base of data: 00023000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00024000
Size of headers: 00000400
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0600
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
.text    000219FC  00001000  00021A00  00000400  E0000020
.rdata   00000166  00023000  00000200  00021E00  40000040

Import table (libraries: 2)
ntdll.dll (imports: 6)
  wcslen
  _wcsicmp
  NtProtectVirtualMemory
  NtUnmapViewOfSection
  NtMapViewOfSection
  memcpy
KERNEL32.dll (imports: 4)
  GetProcAddress
  LoadLibraryW
  GetCurrentProcess
  GetModuleHandleA

Process Details:
Get File Attributes: C:\DNSAPI.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\system32\DNSAPI.dll Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\system32\DNSAPI.dll ()
Open File: C:\WINDOWS\system32\WININET.dll ()
Open File: C:\WINDOWS\system32\WININET.dll.123.Manifest ()
Open File: C:\WINDOWS\system32\WININET.dll.123.Config ()
Get File Attributes: C:\withlove.exe.Local\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9 Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9 ()
Open File: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll ()
Get File Attributes: C:\WINDOWS\WindowsShell.Manifest Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\WindowsShell.Manifest ()
Open File: C:\WINDOWS\WindowsShell.Manifest ()
Open File: C:\WINDOWS\WindowsShell.Config ()
Copy File: c:\withlove.exe to C:\WINDOWS\aromis.exe
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\aromis.exe ()
Find File: aromis.exe

Registry Keys Added:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "aromis" = C:\WINDOWS\aromis.exe

Registry Reads:
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"

Process Management:
Creates Process - Filename --> C:\WINDOWS\aromis.exe

File Name: aromis.exe
File size: 139265 bytes
MD5...: 014f9a2e7c385e927694ddc810936893
SHA1..: 67c55f6b475e2c3f76cdc415e11f7208647e03a0
SHA256: 1bac2aa03cf079b99202ef9e648b4e08e5ed769e065186ffcbb4dd203636a0dc
SHA512: d527495b79d259a6c273826b50b85814c61d524766dadeaf9360c5a003258e561a065fbbbbee4461362edd9b60c8b9c744185dd808db9f870d437011ca1203dc

VirusTotal Result for aromis.exe: 11/31 (35.49%)
Engine             Version        Updated     Result
AntiVir            7.6.0.81       2008.04.07  Worm/Zhelatin.AO
AVG                7.5.0.516      2008.04.07  I-Worm/Nuwar.R
CAT-QuickHeal      9.50           2008.04.05  (Suspicious) - DNAScan
ClamAV             0.92.1         2008.04.07  Trojan.Peed-188
DrWeb              4.44.0.09170   2008.04.07  Trojan.Packed.426
eSafe              7.0.15.0       2008.04.01  Suspicious File
F-Secure           6.70.13260.0   2008.04.07  Email-Worm.Win32.Zhelatin.ww
Kaspersky          7.0.0.125      2008.04.07  Email-Worm.Win32.Zhelatin.ww
Sophos             4.28.0         2008.04.07  Troj/Dorf-BA
VirusBuster        4.3.26:9       2008.04.07  Worm.Zhelatin.Gen!Pac.6
Webwasher-Gateway  6.6.2          2008.04.07  Worm.Zhelatin.AO
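The sandbox trace above records the classic dropper chain in three steps: the sample copies itself into the Windows directory (C:\WINDOWS\aromis.exe), registers that copy under HKCU\...\CurrentVersion\Run, and then launches it. The script below is an added example, not code from the original report or from any sandbox or scanner it names: it reads trace lines of the form shown in the report and links those three events into a single finding, so the same chain can be flagged in other traces. The one-line-per-event format, the triage() and is_persistent_dropper() functions and the SYSTEM_DIRS list are assumptions of this example; the sample trace is constructed from the report's own Process Details, Registry Keys Added and Process Management lines.

```python
"""Added example: link self-copy, Run-key persistence and launch of the copy
in a sandbox trace. Not part of the original report; line formats are assumed."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample trace, taken from the report's sandbox output and put
# one event per line (the "Registry Keys Added:" prefix is this example's own).
SAMPLE_TRACE = """\
Open File: C:\\WINDOWS\\system32\\WININET.dll ()
Copy File: c:\\withlove.exe to C:\\WINDOWS\\aromis.exe
Open File: C:\\WINDOWS\\aromis.exe ()
Registry Keys Added: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "aromis" = C:\\WINDOWS\\aromis.exe
Registry Reads: HKEY_LOCAL_MACHINE\\SYSTEM\\WPA\\MediaCenter "Installed"
Creates Process - Filename --> C:\\WINDOWS\\aromis.exe
"""

COPY_RE = re.compile(r"^Copy File: (?P<src>.+?) to (?P<dst>.+)$", re.I)
RUNKEY_RE = re.compile(
    r'^Registry Keys Added: (?P<hive>HKEY_\w+)\\(?P<path>.*\\CurrentVersion\\Run)'
    r' "(?P<name>[^"]+)" = (?P<value>.+)$', re.I)
PROC_RE = re.compile(r"^Creates Process - Filename --> (?P<image>.+)$", re.I)

# Assumption: XP-era layout as in the report; extend for other install roots.
SYSTEM_DIRS = ("c:\\windows\\",)


@dataclass
class Finding:
    kind: str
    detail: str


def _norm(path: str) -> str:
    """Case-fold a Windows path so copy target, Run value and image match."""
    return path.strip().lower()


def triage(trace: str) -> List[Finding]:
    """Walk the trace once, remembering every file the sample copied itself to,
    and raise a finding when a Run key or a new process points at such a copy."""
    findings: List[Finding] = []
    copied_to: Dict[str, str] = {}  # normalised destination -> source
    for raw in trace.splitlines():
        line = raw.strip()
        m = COPY_RE.match(line)
        if m:
            dst = _norm(m["dst"])
            copied_to[dst] = m["src"]
            if dst.startswith(SYSTEM_DIRS):
                findings.append(Finding("self_copy_system_dir", f"{m['src']} -> {m['dst']}"))
            continue
        m = RUNKEY_RE.match(line)
        if m:
            value = _norm(m["value"])
            kind = "run_key_persistence"
            if value in copied_to:
                kind = "run_key_persistence_of_dropped_copy"
            findings.append(Finding(kind, f'{m["hive"]}\\...\\Run "{m["name"]}" = {m["value"]}'))
            continue
        m = PROC_RE.match(line)
        if m and _norm(m["image"]) in copied_to:
            findings.append(Finding("launches_dropped_copy", m["image"]))
    return findings


def is_persistent_dropper(trace: str) -> bool:
    """True when all three steps of the chain are present in the trace."""
    kinds = {f.kind for f in triage(trace)}
    return {"self_copy_system_dir", "run_key_persistence_of_dropped_copy",
            "launches_dropped_copy"} <= kinds


if __name__ == "__main__":
    for f in triage(SAMPLE_TRACE):
        print(f"{f.kind:40s} {f.detail}")
    print("persistent dropper:", is_persistent_dropper(SAMPLE_TRACE))
```

Matching on the normalised destination path rather than on the file name alone is what lets the Run-key and process events be tied back to the copy; a Run entry that points somewhere the sample never wrote is still reported, but with the weaker run_key_persistence kind.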