German THANKS FOR YOUR ORDER spam
Megel, an Internet Storm Center contributor, alerted us to a new German spam run carrying a file that claims to be a PDF but is really a downloader. He started seeing this file arrive via email Friday AM.
The message is basically a "thank you for your order, read the enclosed PDF for details" type message. Not very original or new, but it must work or the hackers would quit using this approach.
Original text from one sample message (translated from the German; the original was sent without umlauts):
Good day,
Thank you very much for your order!
The goods you ordered are fully in stock and will be shipped to you immediately
by the logistics department.
Attached you will find your quotation/order in PDF format with receipt no.
1837118.
Open the attached PDF files with Acrobat Reader. You can download it free of charge at
http://www.adobe.de/products/acrobat/readstep2.html.
To ensure your enquiries are handled as quickly as possible,
please always quote your customer number 77316 and
receipt number [3816712] when making enquiries.
Thank you
Kind regards
Eberhard Schmidt
TMS Logistik GmbH
Call Center:
tel (0180) 31 57 16 21 - 0,09 EUR/min from the German fixed-line network/T-Com
fax (030) 90 16 - 29 19
web www.tms-logistik.de
Berlin branch
Albrechstrasse 117
D-01271 Berlin
----------------------------------------------------------------------------
In a nutshell - your advantages as a TMS Logistik customer
----------------------------------------------------------------------------
o 14-day right of return for new goods in original packaging
o Advice from our specialist sales staff
o Transparent pricing and availability display
o All-round protection through an optional service package
o Free parking
o Convenient delivery by us or by DHL
o Free 80-page complete catalogue - also by post to your home
----------------------------------------------------------------------------
TMS Logistik - successful in Berlin for 12 years
----------------------------------------------------------------------------
Results from VirusTotal show it is detected by some AV engines, but mostly generically as some type of downloader.
Antivirus | Version | Update | Result |
---|---|---|---|
AntiVir | 7.3.1.36 | 02.09.2007 | TR/Dldr.iBill.L |
Authentium | 4.93.8 | 02.09.2007 | W32/Downloader.BBAV |
Avast | 4.7.936.0 | 02.11.2007 | no virus found |
AVG | 386 | 02.10.2007 | Generic3.SE |
BitDefender | 7.2 | 02.11.2007 | no virus found |
CAT-QuickHeal | 9.00 | 02.09.2007 | (Suspicious) - DNAScan |
ClamAV | devel-20060426 | 02.11.2007 | Trojan.Downloader-1405 |
DrWeb | 4.33 | 02.11.2007 | Trojan.DownLoader.18372 |
eSafe | 7.0.14.0 | 02.09.2007 | no virus found |
eTrust-Vet | 30.4.3384 | 02.10.2007 | no virus found |
Ewido | 4.0 | 02.11.2007 | no virus found |
Fortinet | 2.85.0.0 | 02.11.2007 | DwnLdr.GAI!tr |
F-Prot | 4.2.1.29 | 02.09.2007 | W32/Downloader.BBAV |
F-Secure | 6.70.13030.0 | 02.10.2007 | Trojan-Downloader.Win32.Nurech.aj |
Ikarus | T3.1.0.31 | 02.11.2007 | Trojan-Downloader.Win32.BBAV |
Kaspersky | 4.0.2.24 | 02.11.2007 | Trojan-Downloader.Win32.Nurech.aj |
McAfee | 4960 | 02.09.2007 | New Win32 |
Microsoft | 1.2204 | 02.11.2007 | no virus found |
NOD32v2 | 2052 | 02.11.2007 | no virus found |
Norman | 5.80.02 | 02.09.2007 | no virus found |
Panda | 9.0.0.4 | 02.11.2007 | Suspicious file |
Prevx1 | V2 | 02.11.2007 | no virus found |
Sophos | 4.13.0 | 02.08.2007 | no virus found |
Sunbelt | 2.2.907.0 | 02.09.2007 | VIPRE.Suspicious |
Symantec | 10 | 02.11.2007 | no virus found |
TheHacker | 6.1.6.056 | 02.11.2007 | Trojan/Downloader.Nurech.aj |
UNA | 1.83 | 02.09.2007 | no virus found |
VBA32 | 3.11.2 | 02.10.2007 | no virus found |
VirusBuster | 4.3.19:9 | 02.10.2007 | no virus found |
Additional Information
File size: 8522 bytes
MD5: 5da184f16450d90b4c4fbec26d559130
SHA1: 16e5b73c82baad5a765123133ef87707e311d8da
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
This downloader grabs k91.exe from the site wwwdotsapervertydotbz (domain deliberately written out with "dot" so it does not form a live link).
DanielW noticed that this one may have VMware detection: "it silently terminated" when he tested it.
Antivirus | Version | Update | Result |
---|---|---|---|
AntiVir | 7.3.1.36 | 02.09.2007 | HEUR/Malware |
Authentium | 4.93.8 | 02.09.2007 | W32/Trojan.XUM |
Avast | 4.7.936.0 | 02.11.2007 | Win32:Agent-ENV |
AVG | 386 | 02.10.2007 | Generic3.AC |
BitDefender | 7.2 | 02.11.2007 | Trojan.Spy.Goldun.HO |
CAT-QuickHeal | 9.00 | 02.09.2007 | no virus found |
ClamAV | devel-20060426 | 02.11.2007 | Trojan.Spy-734 |
DrWeb | 4.33 | 02.11.2007 | no virus found |
eSafe | 7.0.14.0 | 02.09.2007 | no virus found |
eTrust-Vet | 30.4.3384 | 02.10.2007 | Win32/Brospy.ED |
Ewido | 4.0 | 02.11.2007 | Trojan.Agent.aeq |
Fortinet | 2.85.0.0 | 02.11.2007 | no virus found |
F-Prot | 4.2.1.29 | 02.09.2007 | W32/Trojan.XUM |
F-Secure | 6.70.13030.0 | 02.10.2007 | Trojan.Win32.Agent.aeq |
Ikarus | T3.1.0.31 | 02.11.2007 | Trojan-Spy.Win32.Goldun.lw |
Kaspersky | 4.0.2.24 | 02.11.2007 | Trojan.Win32.Agent.aeq |
McAfee | 4960 | 02.09.2007 | no virus found |
Microsoft | 1.2204 | 02.11.2007 | no virus found |
NOD32v2 | 2053 | 02.11.2007 | Win32/Spy.BZub.NCU |
Norman | 5.80.02 | 02.09.2007 | W32/Malware.JRO |
Panda | 9.0.0.4 | 02.11.2007 | no virus found |
Prevx1 | V2 | 02.11.2007 | no virus found |
Sophos | 4.13.0 | 02.08.2007 | Troj/Deldo Gen |
Sunbelt | 2.2.907.0 | 02.09.2007 | no virus found |
Symantec | 10 | 02.11.2007 | no virus found |
TheHacker | 6.1.6.056 | 02.11.2007 | no virus found |
UNA | 1.83 | 02.09.2007 | no virus found |
VBA32 | 3.11.2 | 02.10.2007 | Trojan.Win32.Spy.BZub.NCU |
VirusBuster | 4.3.19:9 | 02.10.2007 | no virus found |
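As an added example (not code from the diary or from the handlers), a small Python triage routine for the attachment pattern described above: it checks whether a file whose name suggests a PDF actually carries a PDF signature, and compares the file's hashes and size against the MD5, SHA1 and size quoted in the diary. The sample attachment name and bytes are constructed, so the hash comparison is expected to miss.

```python
"""Triage for mail attachments that claim to be PDFs.  Added example,
not code from the diary.  Two checks from the write-up above: the
attachment's real type (by file signature) versus the type its name
suggests, and its MD5/SHA1/size against the indicators the diary lists."""
import hashlib

# Indicators quoted from the diary for the spammed attachment.
KNOWN_MD5 = "5da184f16450d90b4c4fbec26d559130"
KNOWN_SHA1 = "16e5b73c82baad5a765123133ef87707e311d8da"
KNOWN_SIZE = 8522

# Well-known file signatures (magic bytes) this triage recognises.
MAGIC = {b"%PDF": "pdf", b"MZ": "exe", b"PK\x03\x04": "zip"}


def sniff_type(data: bytes) -> str:
    """Type by leading bytes, ignoring whatever the file name says."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Findings for one attachment.  'pdf' anywhere in the name covers
    both plain .pdf names and double extensions such as .pdf.exe."""
    actual = sniff_type(data)
    claims_pdf = "pdf" in filename.lower()
    md5 = hashlib.md5(data).hexdigest()
    sha1 = hashlib.sha1(data).hexdigest()
    return {
        "actual_type": actual,
        "claims_pdf": claims_pdf,
        "type_mismatch": claims_pdf and actual != "pdf",
        "ioc_hit": md5 == KNOWN_MD5 or sha1 == KNOWN_SHA1,
        "size_match": len(data) == KNOWN_SIZE,
        "md5": md5,
        "sha1": sha1,
    }


# Constructed sample: a stub DOS/PE header under a PDF-looking name
# (not the real attachment, so the hash check is expected to miss).
SAMPLE_NAME = "Beleg.pdf.exe"
SAMPLE_DATA = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for key, value in triage_attachment(SAMPLE_NAME, SAMPLE_DATA).items():
        print(f"{key}: {value}")
```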
Decoding Diyer's ASCII bypass
A user wrote in that he was seeing some exploit sites using the "cooldiyer" ASCII encoding to bypass web filtering.
The user's question was: how can I decode these?
Thanks to DanielW, another handler, we have an answer.
"This one is very straightforward to decode - all you have to do is convert it into 7-bit ASCII or clear the highest bit with some Perl-Fu like cat gamefile.htm | perl -pe 's/(.)/chr(ord($1)&127)/ge'.
This is what they do with the HTML line above the code block as well (charset US-ASCII is 7-bit). The decoded URL is a plain ordinary MS.XMLHTTP exploit which tries to download svc.exe, but this file is no longer there."
I do want to warn users: sites using this are mostly BAD sites hosting malware and exploits. Be very careful about any site you find using this, as it could host an exploit for your web browser/OS that you have no defenses against.
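As an added example, not the handler's code, the same decoding in Python together with a detection heuristic for the bypass: it clears bit 7 of every byte (what the & 127 in the Perl one-liner does) and flags content whose bytes are almost all 8-bit yet decode to HTML. The obfuscated sample is constructed by setting the high bit on a benign page.

```python
"""Decoder and detector for the 'cooldiyer' high-bit ASCII obfuscation.
Added example, not the diary's code.  The bypass sets bit 7 (0x80) on
every byte of a plain 7-bit ASCII page: a browser that honours the
declared charset=US-ASCII drops the high bit and renders the original
markup, while byte-matching web filters see only non-ASCII noise."""


def decode_high_bit(data: bytes) -> str:
    """Clear bit 7 of every byte, the equivalent of chr(ord($1) & 127)."""
    return bytes(b & 0x7F for b in data).decode("ascii")


def high_bit_ratio(data: bytes) -> float:
    """Fraction of bytes that have bit 7 set (0.0 for empty input)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b & 0x80) / len(data)


def looks_like_diyer_bypass(data: bytes, threshold: float = 0.8) -> bool:
    """Heuristic: nearly every byte is 8-bit, yet clearing the high bit
    yields HTML.  Legitimate 8-bit text (UTF-8, Latin-1) has a far lower
    ratio and does not decode to markup."""
    if high_bit_ratio(data) < threshold:
        return False
    decoded = bytes(b & 0x7F for b in data).lower()
    return b"<html" in decoded or b"<script" in decoded


# Constructed sample: a harmless page, then its high-bit-set form as a
# filter would see it on the wire.
SAMPLE_PLAIN = (
    '<html><head><meta http-equiv="Content-Type" '
    'content="text/html; charset=US-ASCII"></head>\n'
    '<body><script>document.write("hi");</script></body></html>\n'
)
SAMPLE_OBFUSCATED = bytes(b | 0x80 for b in SAMPLE_PLAIN.encode("ascii"))

if __name__ == "__main__":
    print(SAMPLE_OBFUSCATED[:16])
    print(high_bit_ratio(SAMPLE_OBFUSCATED), looks_like_diyer_bypass(SAMPLE_OBFUSCATED))
    print(decode_high_bit(SAMPLE_OBFUSCATED))
```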