MX Lab, http://www.mxlab.eu, intercepted a new campaign of emails with the subject “You’ve received A Carrefour Bank E-Card!” that will lead to a host with a malicious payload in the form of an executable.
The email is send from the spoofed address “Carrefour <E-Cards@bank.com>” and has the following body:
The email is in the format of the famous Hallmark e-cards. Appearently, the images appear to be broken or blocked.
The malicious URL is pointing to hxxp://188.165.22.206/card.exe. When following the link, the file 858 kB card.exe is downloaded.
The trojan can establish a connection and communicate with an IRC server and will compromise SafeBoot registry key(s) in an attempt to disable the Safe Mode. It will also set the hard drive to autoplay by creating autorun.inf file in its root directory. If the drive is shared across the network then other remote computers can be infected any time they try to access this share.
The trojan will install many files on the infected system, among them the following ones:
- c:\autorun.inf
- c:\blyr.pif
- %Windir%\Temp\history\aliases.ini
- %Windir%\Temp\history\away.txt
- %Windir%\Temp\history\baby.mrc
- %Windir%\Temp\history\control.ini
- %Windir%\Temp\history\feel.reg
- ….
The trojan will create the following directories:
- %Windir%\Temp\history
- %Windir%\Temp\history\download
- %Windir%\Temp\history\logs
- %Windir%\Temp\history\sounds
- %Windir%\system.ini
- %System%\attrib.exe
- %System%\cmd.exe
- %System%\mmc.exe
- %System%\taskmgr.exe
- ALG – Application Layer Gateway Service
- SharedAccess - Windows Firewall/Internet Connection Sharing (ICS)
- wscsvc – Security Center
Several Windows registry changes will be exectued and the trojan can establish connection with the IPs 91.121.27.37 and 94.125.182.255, both on the IP port 6667.
The trojan will start up a new connection established with a remote IRC Server.
At the time of writing, only 40 of the 43 AV engines did detect the trojan at Virus Total.
Virus Total permalink and MD5: a2f431e72dc1d252e6274e810424343c.
