Spam or Virus?

Today I had one of those typical spam malware in my mailbox, showing that Microsoft Outlook is one of the most widely used mail programs, being attacked all the time:

Microsoft Outlook Notification for the xxxx@xxxx.xx

Support [xxxx@xxxx.xx]

Sent :Thu 15/10/2009 06:38

To xxxx@xxxx.xx

Attachment install.zip (12kb)

You have (6) New Message from Outlook Microsoft

– Please re-configure your Microsoft Outlook Again.

– Download attached setup file and install.

True, this mail usually is a bad one, but nevertheless it made me grin due to the fact that I was using Thunderbird and KMail for managing my personal mail flood. So I checked the mail headers and found out that it came from a spamhost somewhere in the net.

Just as I decided to ignore that message and train my spamfilter, I noticed the ZIP file attached. Sadly it came without a brief description of what it really does – so that part of work is left to me. But I am sure it is definitively not the new software for photo books by CeWe. Unpacking the ZIP File was an easy thing:

Listing archive: install.zip
   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2009-10-15 11:38:42 ....A        28672        21167  install.exe
------------------- ----- ------------ ------------  ------------------------
                                 28672        21167  1 files, 0 folders

The contents is just a plain EXE file, which is getting a little more interesting as you can scan it for malware, but for now, ClamAV doesn’t report a positive match. So I have to take a closer look if I want to know.

Digging in that binary, I noticed, that it is just another container that does SFX – and as I got my Swiss Army Archive tool 7-Zip with me, it is an easy thing to unpack it:

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2006-01-21 22:17:57               2606         3072  .text
2006-01-21 22:17:57               5293         5632  .rdata
2006-01-21 22:17:57              53248            0  .data
2006-01-21 22:17:57                592          512  .tls
2006-01-21 22:17:57              18138        18432  .edata
------------------- ----- ------------ ------------  ------------------------
                                 79877        27648  5 files, 0 folders

And here we go – but who is who? I am using the magic numbers of the files to get an idea of what’s their purpose.

data: empty
edata: data
rdata: data
text: VISX image file
tls: data

Skimming through the files with a HEX Editor, the string “FuC1.FuC1.FuC1” showed up quite often, which clearly indicates that the file is made from a script kiddie and won’t do anything good on our system…

So the best thing is just ignoring those messages and deleting them immediately.

Author:

Leave a Reply

Your email address will not be published. Required fields are marked *