Spams pour Zhelatin.eu

[Malekal_morte]

Depuis quelques jours, plusieurs mails de Spams avec des url se terminant par hk sont envoyés.

Ces urls une fois ouverte exploitent les vulnérabilités MS05-052, MS06-014, MS06-072, MS07-017 afin d'executer des fichiers installant le rootkit Win32.Packed.Tibs.R windev-*.sys

 

 

Les mails :

Les sujets des mails :

For You....My Love

Gday

Gday, Bud

Gday, Pal

Good day!

Hello

Hello, Bud

Hey

Hey, Bud

Hey, Pal

Hi

Hi, Bud

Hi, Pal

Memories of You

Miracle of Love

Path We Share

Re:

 

 

Le corps des messages :

A Toast My Love

http://<blocked>.hk/'>http://<blocked>.hk/'>http://<blocked>.hk/'>http://<blocked>.hk/'>http://<blocked>.hk/'>http://<blocked>.hk/'>http://<blocked>.hk/'>http://<blocked>.hk/'>http://<blocked>.hk/'>http://<blocked>.hk/'>http://<blocked>.hk/'>http://<blocked>.hk/'>http://<blocked>.hk/'>http://<blocked>.hk/'>http://<blocked>.hk/

 

If an efficient algorithm can be found for obtaining p and q for any

given n, the system will fall apart.

---

check it

http://<blocked>.hk/

---

check this

http://<blocked>.hk/

---

Dream of You

http://<blocked>.hk/

 

And it struck me that what I saw in Legoland were nothing but sculptures.

---

just for you

http://<blocked>.hk/

----

just look

http://<blocked>.hk/

---

look

http://<blocked>.hk/

---

look it

http://<blocked>.hk/

---

look this

http://<blocked>.com/

---

lol

http://<blocked>.hk/

---

read

http://<blocked>.hk/

---

read it

http://<blocked>.hk/

---

read this

http://<blocked>.hk/

---

this is for you

http://<blocked>.hk/

---

You're In My Thoughts

http://<blocked>.hk/

 

In all cases your site needs to look good, and in all cases your site

needs to function properly.

---

You're the One

http://<blocked>.hk/

 

Certainly the fight is not over.

 

Exemple :

 

 

Les scans des fichiers :

 

A l'heure où ce post est fait les utilisateurs Avast! ne sont pas protégés (ce qui n'est pas le cas des utilisateurs Antivir)

Ceci a permis d'ajouter un test "four" sur la page Avast! VS Antivir

 

Complete scanning result of "alt.exe.exe", received in VirusTotal at 06.16.2007, 13:35:59 (CET).

 

Antivirus Version Update Result

AhnLab-V3 2007.6.16.0 06.15.2007 no virus found

AntiVir 7.4.0.32 06.16.2007 TR/Small.DBY.DB

Authentium 4.93.8 06.16.2007 no virus found

Avast 4.7.997.0 06.15.2007 no virus found

AVG 7.5.0.467 06.15.2007 no virus found

BitDefender 7.2 06.16.2007 Trojan.Peed.HVR

CAT-QuickHeal 9.00 06.15.2007 (Suspicious) - DNAScan

ClamAV devel-20070416 06.16.2007 no virus found

DrWeb 4.33 06.16.2007 Trojan.Packed.138

eSafe 7.0.15.0 06.14.2007 Suspicious Trojan/Worm

eTrust-Vet 30.7.3721 06.15.2007 no virus found

Ewido 4.0 06.16.2007 no virus found

FileAdvisor 1 06.16.2007 no virus found

Fortinet 2.85.0.0 06.16.2007 no virus found

F-Prot 4.3.2.48 06.15.2007 no virus found

F-Secure 6.70.13030.0 06.15.2007 Tibs.gen108

Ikarus T3.1.1.8 06.16.2007 no virus found

Kaspersky 4.0.2.24 06.16.2007 Email-Worm.Win32.Zhelatin.eu

McAfee 5054 06.15.2007 no virus found

Microsoft 1.2607 06.16.2007 no virus found

NOD32v2 2334 06.15.2007 no virus found

Norman 5.80.02 06.15.2007 Tibs.gen108

Panda 9.0.0.4 06.16.2007 no virus found

Prevx1 V2 06.16.2007 no virus found

Sophos 4.18.0 06.12.2007 no virus found

Sunbelt 2.2.907.0 06.16.2007 no virus found

Symantec 10 06.16.2007 no virus found

TheHacker 6.1.6.133 06.15.2007 no virus found

VBA32 3.12.0.2 06.15.2007 no virus found

VirusBuster 4.3.23:9 06.15.2007 no virus found

Webwasher-Gateway 6.0.1 06.16.2007 Worm.Win32.Malware.gen

 

Aditional Information

File size: 133973 bytes

MD5: 6c47d4ceabff9eb0c399c96bafa0e311

SHA1: 3ad21aba1c7180ca81b3952daebf416576626981

 

 

Complete scanning result of "t.inx", received in VirusTotal at 06.16.2007, 13:36:07 (CET).

 

Antivirus Version Update Result

AhnLab-V3 2007.6.16.0 06.15.2007 no virus found

AntiVir 7.4.0.32 06.16.2007 no virus found

Authentium 4.93.8 06.16.2007 no virus found

Avast 4.7.997.0 06.15.2007 no virus found

AVG 7.5.0.467 06.15.2007 no virus found

BitDefender 7.2 06.16.2007 GenPack:Trojan.Peed.NG

CAT-QuickHeal 9.00 06.15.2007 (Suspicious) - DNAScan

ClamAV devel-20070416 06.16.2007 no virus found

DrWeb 4.33 06.16.2007 Trojan.Packed.138

eSafe 7.0.15.0 06.14.2007 Suspicious Trojan/Worm

eTrust-Vet 30.7.3721 06.15.2007 no virus found

Ewido 4.0 06.16.2007 no virus found

FileAdvisor 1 06.16.2007 no virus found

Fortinet 2.85.0.0 06.16.2007 no virus found

F-Prot 4.3.2.48 06.15.2007 no virus found

F-Secure 6.70.13030.0 06.15.2007 Tibs.gen111

Ikarus T3.1.1.8 06.16.2007 no virus found

Kaspersky 4.0.2.24 06.16.2007 Email-Worm.Win32.Zhelatin.eu

McAfee 5054 06.15.2007 no virus found

Microsoft 1.2607 06.16.2007 no virus found

NOD32v2 2334 06.15.2007 no virus found

Norman 5.80.02 06.15.2007 Tibs.gen111

Panda 9.0.0.4 06.16.2007 no virus found

Prevx1 V2 06.16.2007 no virus found

Sophos 4.18.0 06.12.2007 Mal/EncPk-E

Sunbelt 2.2.907.0 06.16.2007 VIPRE.Suspicious

Symantec 10 06.16.2007 no virus found

TheHacker 6.1.6.133 06.15.2007 no virus found

VBA32 3.12.0.2 06.15.2007 no virus found

VirusBuster 4.3.23:9 06.15.2007 no virus found

Webwasher-Gateway 6.0.1 06.16.2007 Worm.Win32.Malware.gen

 

Aditional Information

File size: 8021 bytes

MD5: e217e39280e6248a4f6317e11a65835d

SHA1: 1c455a2db4a76b2860692a9427cc0f9711a62775

Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

 

Source : http://www.cisrt.org/enblog/read.php?115