Today one of those typical malware spam mails landed in my mailbox, showing once more that Microsoft Outlook, as one of the most widely used mail programs, gets impersonated and attacked all the time:
Microsoft Outlook Notification for the xxxx@xxxx.xx
Support [xxxx@xxxx.xx]
Sent: Thu 15/10/2009 06:38
To xxxx@xxxx.xx
Attachment install.zip (12kb)
You have (6) New Message from Outlook Microsoft
– Please re-configure your Microsoft Outlook Again.
– Download attached setup file and install.
True, a mail like this is usually a bad one, but nevertheless it made me grin, because I was using Thunderbird and KMail to manage my personal mail flood. So I checked the mail headers and found out that it came from a spam host somewhere on the net.
Just as I had decided to ignore that message and train my spam filter, I noticed the ZIP file attached. Sadly it came without a brief description of what it really does, so that part of the work is left to me. But I am sure it is definitely not the new photo book software by CeWe. Unpacking the ZIP file was an easy thing:
Listing archive: install.zip

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2009-10-15 11:38:42 ....A        28672        21167  install.exe
------------------- ----- ------------ ------------  ------------------------
                                 28672        21167  1 files, 0 folders
The content is just a plain EXE file, which gets a little more interesting, as you can scan it for malware; but for now ClamAV does not report a positive match. So I have to take a closer look if I want to know what it does.
Digging into that binary, I noticed that it is just another container: my Swiss Army archive tool 7-Zip opens a PE executable like an archive and lists its sections, so unpacking it is an easy thing:
   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2006-01-21 22:17:57              2606         3072  .text
2006-01-21 22:17:57              5293         5632  .rdata
2006-01-21 22:17:57             53248            0  .data
2006-01-21 22:17:57               592          512  .tls
2006-01-21 22:17:57             18138        18432  .edata
------------------- ----- ------------ ------------  ------------------------
                                79877        27648  5 files, 0 folders
And here we go, but who is who? I used the magic numbers (the file utility) to get an idea of what their purpose is:

data: empty
edata: data
rdata: data
text: VISX image file
tls: data

Two things to keep in mind when reading this: these are PE sections, not files, and magic-number matching only works on real file headers. A raw .text section is machine code with no magic number of its own, so the "VISX image file" guess is a false positive on a coincidental byte pattern. And .data comes out empty because its raw size on disk is 0; the 53248 bytes 7-Zip lists as "Size" are the virtual size that only gets allocated when the program is loaded.
Skimming through the sections with a hex editor, the string "FuC1.FuC1.FuC1" showed up quite often, which clearly indicates that the file was made by a script kiddie and will not do anything good on our system…
So the best thing is to just ignore those messages and delete them immediately.
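The two steps above, listing the PE sections and hunting for repeated strings, done in Python as an added example (this is not code from the original post). It reads the PE section table directly instead of going through 7-Zip, decodes the COFF link timestamp that 7-Zip shows as the section date, flags a section whose raw size on disk is 0 (which is why .data looked empty), and counts repeated printable strings the way `strings | sort | uniq -c` would. The sample bytes are a constructed PE stub built inline for the demonstration: it is not a loadable executable, and the FuC1 marker and the kernel32.dll string are placed there on purpose.

```python
"""Triage a suspicious Windows executable: parse the PE section table
and count repeated printable strings. Added example; the sample PE is constructed."""
import struct
from collections import Counter
from datetime import datetime, timezone

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"


def parse_pe(data: bytes) -> dict:
    """Return the COFF timestamp (UTC) and one dict per section.
    Raises ValueError when the MZ or PE signature is missing."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/Windows executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff_off = e_lfanew + 4
    _machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff_off)
    sec_off = coff_off + struct.calcsize(COFF_FMT) + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, _vaddr, rawsize, rawptr, *_rest = struct.unpack_from(
            SECTION_FMT, data, sec_off + i * struct.calcsize(SECTION_FMT))
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "raw_offset": rawptr,
            # raw_size 0 with a non-zero virtual size is uninitialised data:
            # there is nothing on disk to unpack, the space exists only at load time
            "on_disk": rawsize > 0,
        })
    return {
        "timestamp": datetime.fromtimestamp(tstamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
    }


def repeated_strings(data: bytes, min_len: int = 4, min_count: int = 2) -> list:
    """Like `strings`: extract runs of printable ASCII of at least min_len bytes,
    then return (string, count) pairs seen at least min_count times, most frequent first."""
    runs, cur = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return [(s, n) for s, n in Counter(runs).most_common() if n >= min_count]


def build_sample() -> bytes:
    """Constructed PE stub (not loadable, no optional header) mimicking the post's listing:
    a .text section on disk stuffed with the FuC1 marker, and a .data section whose
    virtual size is 53248 bytes but whose raw size is 0. Link timestamp is 2006-01-21 22:17:57 UTC."""
    text_body = (b"\0".join([b"FuC1.FuC1.FuC1"] * 3) + b"\0kernel32.dll\0").ljust(0x40, b"\0")
    text_off = 0x100
    mz = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack(COFF_FMT, 0x014C, 2, 1137881877, 0, 0, 0, 0x0102)
    sec_text = struct.pack(SECTION_FMT, b".text", len(text_body), 0x1000,
                           len(text_body), text_off, 0, 0, 0, 0, 0x60000020)
    sec_data = struct.pack(SECTION_FMT, b".data", 0xD000, 0x2000, 0, 0, 0, 0, 0, 0, 0xC0000040)
    headers = mz + b"PE\0\0" + coff + sec_text + sec_data
    return headers.ljust(text_off, b"\0") + text_body


if __name__ == "__main__":
    sample = build_sample()
    info = parse_pe(sample)
    print("link timestamp (UTC):", info["timestamp"])
    for s in info["sections"]:
        print(f"{s['name']:8} virt={s['virtual_size']:6} raw={s['raw_size']:6} "
              f"{'' if s['on_disk'] else '(uninitialised, nothing on disk)'}")
    for string, count in repeated_strings(sample):
        print(f"{count:3} x {string}")
```

Run it against a real `install.exe` by replacing `build_sample()` with `open(path, "rb").read()`; a string that repeats dozens of times across sections is worth a closer look, but the parser tells you nothing about what the code does, so the next step is still a sandbox or a disassembler, not a verdict.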