
SANS ISC InfoSec Handlers Diary Blog



New e-mail scam targeting Colombian Internet users: This time claiming to be from the Transport authority

Published: 2012-05-26
Last Updated: 2012-05-27 06:34:09 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
0 comment(s)

Scams keep coming! This time many users from all across the country were targeted by an e-mail scam claiming to be a traffic-ticket notice from the Transport Authority.


Initial e-mail scam

Two links were provided in the e-mail: http://www.mcc-instrumentation.com/videos/Ver_Documento_ID_23452345212234_VER_Cod_2345234723497.html and http://www.la-cloture-electrique.fr/upload/Ver_Documento_ID_23472893475987980798072344_VER_Cod_2234523345234723497.html. Both of them redirect to the file Aviso-Multas_DOC.exe, with MD5 d554f70ce28470350269d8e6778127e3. Once executed, it downloads the following files:

File      MD5
atu.exe   1466d43e8ae62af74a83eb81094c7c25
ky.exe    974f4ceaca680fe4572a0e050fc851db
wrm.exe   e63c7844a75df064d78f1894e6f673bb

The downloaded executables read all the TCP/IP registry parameters. After that, they connect to several servers to report to what appears to be a botnet:

Botnet Report

One of the reports appears to be sent by e-mail, because the PHP script the program reports to returns a warning:

As of today, other servers have already removed the offending PHP scripts and return a 404 error to the program. The program then takes no further action and becomes resident by creating entries under HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
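The indicators above (the two lure URLs, the four MD5 values and the Run-key persistence) are the kind of thing a defender wants to check quickly across proxy logs, file shares and host exports. The following script is an added example, not code from the diary or from the ISC: it takes the hashes, host names and file names exactly as printed above, matches the lure path shape Ver_Documento_ID_<digits>_VER_Cod_<digits>.html, and runs those checks over a directory, over proxy log lines and over a dump of Run-key values. The proxy log format (timestamp, client, method, URL, status), the IP addresses in it and the Run-key entries are constructed for the example.

```python
"""Indicator checks for the Aviso-Multas_DOC.exe campaign (added example).

Hash values, host names and file names come from the ISC diary above.
The proxy log lines and Run-key entries at the bottom are constructed.
"""
import hashlib
import re
from pathlib import Path
from urllib.parse import urlsplit

# MD5 values and file names quoted in the diary.
KNOWN_MD5 = {
    "d554f70ce28470350269d8e6778127e3": "Aviso-Multas_DOC.exe",
    "1466d43e8ae62af74a83eb81094c7c25": "atu.exe",
    "974f4ceaca680fe4572a0e050fc851db": "ky.exe",
    "e63c7844a75df064d78f1894e6f673bb": "wrm.exe",
}
KNOWN_NAMES = set(KNOWN_MD5.values())

# Hosts that served the lure pages in the diary.
KNOWN_HOSTS = {"www.mcc-instrumentation.com", "www.la-cloture-electrique.fr"}

# Shape of the lure path: /Ver_Documento_ID_<digits>_VER_Cod_<digits>.html
LURE_PATH_RE = re.compile(r"/Ver_Documento_ID_\d+_VER_Cod_\d+\.html$", re.IGNORECASE)


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large downloads do not have to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_hash(hexdigest: str):
    """Return the diary's file name for a known MD5, or None."""
    return KNOWN_MD5.get(hexdigest.lower())


def scan_directory(root: Path):
    """Walk a directory tree; return (path, name) for files with a known MD5."""
    hits = []
    for path in root.rglob("*"):
        if path.is_file():
            name = classify_hash(md5_of_file(path))
            if name:
                hits.append((str(path), name))
    return hits


def check_url(url: str):
    """Return the reasons a URL matches the campaign (empty list if none)."""
    parts = urlsplit(url)
    reasons = []
    if parts.hostname and parts.hostname.lower() in KNOWN_HOSTS:
        reasons.append("known lure host")
    if LURE_PATH_RE.search(parts.path):
        reasons.append("lure path pattern")
    if parts.path.rsplit("/", 1)[-1] in KNOWN_NAMES:
        reasons.append("known payload filename")
    return reasons


def scan_proxy_log(lines):
    """Parse constructed 'timestamp client method url status' lines."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than crash the scan
        ts, client, _method, url, _status = fields[:5]
        reasons = check_url(url)
        if reasons:
            hits.append({"time": ts, "client": client, "url": url, "reasons": reasons})
    return hits


def suspicious_run_entries(entries):
    """Flag Run-key values whose command line references a known payload name."""
    return {name: cmd for name, cmd in entries.items()
            if any(k.lower() in cmd.lower() for k in KNOWN_NAMES)}


# Constructed sample data (documentation IP ranges, invented clients).
SAMPLE_LOG = [
    "2012-05-26T10:01:02Z 10.0.0.5 GET http://www.mcc-instrumentation.com/videos/Ver_Documento_ID_23452345212234_VER_Cod_2345234723497.html 302",
    "2012-05-26T10:01:03Z 10.0.0.5 GET http://203.0.113.10/dl/Aviso-Multas_DOC.exe 200",
    "2012-05-26T10:02:10Z 10.0.0.7 GET http://example.com/index.html 200",
    "2012-05-26T10:03:44Z 10.0.0.9 GET http://198.51.100.4/files/Ver_Documento_ID_1_VER_Cod_2.html 200",
]
SAMPLE_RUN = {
    "Updater": r"C:\Users\Public\Aviso-Multas_DOC.exe",
    "Sound": r"C:\Windows\system32\rundll32.exe sound.dll",
}

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
    print(suspicious_run_entries(SAMPLE_RUN))
```

The path regex is deliberately looser than the two exact URLs, so a new lure page on a different compromised host still matches; the host list catches the two sites named in the diary even if the path changes. On a real proxy log, replace the sample parser with one for your own log format and keep the three checks in check_url.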

Have you seen packets like these in your network? Let us know!

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org
