Fake ‘Vodafone U.K Images’ themed malware serving spam campaign circulating in the wild

By Dancho Danchev

We have just intercepted yet another spamvertised malware serving campaign, this time impersonating Vodafone U.K, in an attempt to trick the company’s customers into thinking that they’ve received an image. In reality, once users execute the malicious attachments, their PCs automatically join the botnet operated by the cybercriminal.

More details:

Detection rate for the malicious executable – MD5: 4e148480749937acef8a7d9bc0b3c8b5 – detected by 25 out of 47 antivirus scanners as VirTool:Win32/Obfuscator.ACP; Backdoor.Win32.Androm.sed.

Once executed, the sample creates an Alternate Data Stream (ADS) – C:\Documents and Settings\User\Application Data\dbgbshes\habeegeg.exe:Zone.Identifier – and installs itself at Windows startup.

It then creates the following files on the affected hosts:
C:\Documents and Settings\User\Application Data\dbgbshes\habeegeg.exe

And the following Mutexes:

It then phones back to the following C&C server:
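A defender-side check for the two host artifacts described above, added here as an example and not code from the original post: it lists executables under the user's Application Data folder that still carry a Zone.Identifier stream and reports any that an autostart entry references. The post does not say which startup mechanism the sample uses, so inspecting the Run keys and the Startup folder is an assumption; the script needs PowerShell 3.0 or later for the -Stream parameter.

```powershell
# Added example (not from the original post). Assumptions: the sample persists via the
# HKCU/HKLM Run keys or the user's Startup folder; the dropped .exe lives under %APPDATA%.

# 1. Executables under %APPDATA% that still carry a Zone.Identifier alternate data stream
$tagged = Get-ChildItem -Path $env:APPDATA -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
    Where-Object { Get-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue } |
    ForEach-Object {
        $zone = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path   = $_.FullName
            # ZoneId=3 marks a file as having come from the Internet zone
            ZoneId = (($zone | Where-Object { $_ -match '^ZoneId=' }) -replace '^ZoneId=', '')
        }
    }

# 2. Autostart commands from the Run keys and the Startup folder (assumed locations)
$autostart = @()
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # skip the PSPath/PSParentPath/... bookkeeping properties
            if ($p.Name -notlike 'PS*') {
                $autostart += [pscustomobject]@{ Source = "$key\$($p.Name)"; Command = [string]$p.Value }
            }
        }
    }
}
$startupDir = [Environment]::GetFolderPath('Startup')
foreach ($item in (Get-ChildItem -Path $startupDir -ErrorAction SilentlyContinue)) {
    $target = $item.FullName
    if ($item.Extension -eq '.lnk') {
        # resolve shortcuts so the comparison below sees the real executable path
        $target = (New-Object -ComObject WScript.Shell).CreateShortcut($item.FullName).TargetPath
    }
    $autostart += [pscustomobject]@{ Source = $item.FullName; Command = $target }
}

# 3. Report every Internet-tagged executable that some autostart entry points at
foreach ($t in $tagged) {
    $hits = $autostart | Where-Object { $_.Command -match [regex]::Escape($t.Path) }
    foreach ($h in $hits) {
        "SUSPICIOUS: $($t.Path) (ZoneId=$($t.ZoneId)) is started by $($h.Source)"
    }
}
```

A legitimate installer that was downloaded and then registered itself to run at logon will also match, so treat a hit as a lead to review alongside the file's hash and signer, not as a verdict on its own.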

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
