Good day, Habr readers!
Not long ago I wrote a post about spam (without writing a single warning). It seemed the story was over... But no! Once again a letter of a similar nature arrived.
Good day.
Web Design Studio "INTINITY" announces the recruitment of freelancers
by specialties:
designers, web designers,
foreign language translators,
copywriters, rewriters,
photographers, artists (knowledge of photoshop)
We also invite to cooperation agencies and studios.
we guarantee decent pay for your work,
task can be downloaded here; narod.ru/disk/17519876000/T3.rar.html
our website www.intinity.org
Design Studio "INTINITY"
As expected, almost nothing has changed:
From - Tue Feb 02 21:12:02 2010
X-Account-Key: account1
X-UIDL: 1265134310870
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path: <spravka@intinity.org>
Received: from [206.190.52.176] (port=26921 helo=smtp107.biz.mail.re2.yahoo.com)
by mx20.mail.ru with esmtp
id 1NcNE5-000NiP-00
for XXX@mail.ru; Tue, 02 Feb 2010 21:11:49 +0300
Received-SPF: none (mx20.mail.ru: 206.190.52.176) client-ip=206.190.52.176; envelope-from=spravka@intinity.org; helo=smtp107.biz.mail.re2.yahoo.com;
X-Mru-BL: 0:4:0
X-Mru-PTR: off
X-Mru-NR: 1
X-Mru-OF: unknown (ethernet/modem)
X-Mru-RC: US
Received: (qmail 68778 invoked from network); 2 Feb 2010 18:11:47 -0000
Received: from d54C3F021.access.telenet.be (spravka@84.195.240.33 with login)
by smtp107.biz.mail.re2.yahoo.com with SMTP; 02 Feb 2010 10:11:46 -0800 PST
X-Yahoo-SMTP: OGyL7BeswBAyEJCfyh3zpU0Ux00x
X-YMail-OSG: Z2tGzJUVM1kYtCxOkf2SYY50vDvMU0C6IGaK4cVfIg_cxKJM7Hk1YGKLpn_BnIZo5WKYIk86JSB.UuZoCkugEGVeRy8CGIbg_gltmyjOgzZy5lgKdyKkqXrUQR5QcBBWfeShmMw7mMZSO8hYNZhaGCrvj_aWYFB7AJ1bJQ48NKUs_ByHw4XtN5Y9ZemsZNr0kmZ3DKuPEIFdvv6GSugwxtNbii9LkIrM1_6U0kV_JzhSnzU5odZ_ezmiJ_FAkdr18N_eKDxGB1.diT61FJz7mnxYppQeYWJtQNMwt9KB7oQU5xFn_aFYXEYQczvdRg.Al3GdHatGBxB7Rgdll5.u3PMM.YCXh9Ek.QOCmZru4JZsYE6EEUa.x1bcyxefY4_z9ZethmvaRBQ97m76C.a1tNDpp3yKegdC7RAMMEcv6xb5pTCThzzY1DaTwhhq53F8jvl0vBN.6m60GbbFJettinZ90jha2bBotn8Ny2u2qIpCudretLjemC_SqAIsBU1uGt0W5A6x
X-Yahoo-Newman-Property: ymail-3
Message-ID: <00de97b9-40211-0e898831779861@user>
Reply-To: "Studio \"INTINITY\"" <spravka@intinity.org>
From: "Studio \"INTINITY\"" <spravka@intinity.org>
To: XXXX@mail.ru
Subject: Studio "INTINITY"
Date: Tue, Feb 2, 2010 21:11:47 +0300
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: Power Sending Sockets v5.1
X-Spam: Not detected
X-Mras: OK
Good day.
Web Design Studio "INTINITY" announces the recruitment of freelancers
by specialties:
designers, web designers,
foreign language translators,
copywriters, rewriters,
photographers, artists (knowledge of photoshop)
We also invite to cooperation agencies and studios.
we guarantee decent pay for your work,
task can be downloaded here; narod.ru/disk/17519876000/T3.rar.html
our website www.intinity.org
Design Studio "INTINITY"
Yandex, as it turned out, decided to help the malicious spammers in every way and cheerfully reports that there is nothing dangerous there, as if its antivirus had found nothing.

However, the tried and tested virustotal.com reports that a Trojan is waiting for us. And a narrowly targeted Trojan at that...

Judging by information from the network:
Trojan-PSW.Win32.WebMoner.j
Rootkit: No
Visible manifestations: a foreign process in memory; substitution of WebMoney and Yandex wallet purse numbers in the clipboard
Synonyms: Trojan.PWS.Webmonier (DrWEB)
The Trojan program, written in Basic, is neither compressed nor encrypted and is 28,672 bytes in size. The file's icon and copyright are faked to disguise it as a TWAIN Windows component. When launched, it secretly performs the following operations:
1. Creates a copy of its executable file in the WINDOWS folder. The name of the executable file matches the name under which the Trojan was launched on the user's computer.
2. Registers itself in autorun, in the CurrentVersion\Run key, System parameter.
3. After launch, it stays hidden in memory and polls the contents of the clipboard on a timer. If a WebMoney purse number is found in the clipboard (a text string starting with Z, E, R or U followed by 12 digits), the Trojan replaces it with the number of the intruder's purse. To make this substitution, the corresponding Z, E, R and U purse numbers are stored in plain text in the body of the Trojan. In addition, if the clipboard contains a number starting with "4" and 13–14 characters long, the Trojan replaces it with the number specified in the program. It is easy to see that Yandex.Money wallet numbers have this format.
Thus, the Trojan relies on the fact that, when making a payment, purse numbers are often copied via the clipboard and the user usually does not check the multi-digit number after pasting it. The Trojan replaces the number: the user copies the correct purse number to the clipboard but pastes the purse number of the Trojan's creator from it, and accordingly sends the money to him.
Protection technique
The method of protection is quite simple: always check the payment details before making a payment over the Internet. Such control protects against various methods of falsifying or substituting the wallet number while it is being entered or copied through the clipboard.
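One way to implement that control in code, as an added example that is not part of the original post: it recognises the purse formats exactly as the description above gives them (an assumption taken from the text, not the official WebMoney or Yandex.Money specification) and compares the number the user intended to pay with the number that actually landed in the form after pasting. Note that format validation alone cannot catch this Trojan, because the substituted number is chosen to have the same format as the original.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Formats as described on the page (assumed, not an official specification):
# WebMoney purse: Z, E, R or U followed by exactly 12 digits.
# Yandex.Money wallet: starts with "4" and is 13-14 characters long (digits assumed).
WEBMONEY_RE = re.compile(r"^[ZERU]\d{12}$")
YANDEX_RE = re.compile(r"^4\d{12,13}$")
# The same two shapes, used to pick wallet-like tokens out of free text
# (this is what the Trojan polls the clipboard for; here it is used to audit it).
ANY_WALLET_RE = re.compile(r"\b(?:[ZERU]\d{12}|4\d{12,13})\b")


def wallet_kind(number: str) -> Optional[str]:
    """Classify a single wallet number as 'webmoney', 'yandex' or None."""
    n = number.strip()
    if WEBMONEY_RE.match(n):
        return "webmoney"
    if YANDEX_RE.match(n):
        return "yandex"
    return None


def find_wallet_numbers(text: str) -> List[str]:
    """Return every wallet-like token in a clipboard/text sample, in order."""
    return ANY_WALLET_RE.findall(text)


@dataclass
class Check:
    ok: bool
    reason: str


def verify_before_pay(intended: str, pasted: str) -> Check:
    """Compare the recipient taken out-of-band (invoice, chat, paper) with the
    pasted value. Equality is the only acceptable outcome; a different number of
    the same purse type is the clipboard-substitution signature described above."""
    kind_intended, kind_pasted = wallet_kind(intended), wallet_kind(pasted)
    if kind_intended is None:
        return Check(False, "intended number is not a recognised wallet format")
    if kind_pasted is None:
        return Check(False, "pasted text is not a recognised wallet format")
    if intended.strip() == pasted.strip():
        return Check(True, "pasted number matches the intended recipient")
    if kind_intended == kind_pasted and intended.strip()[0] == pasted.strip()[0]:
        return Check(False, "same purse type but different number: possible clipboard substitution")
    return Check(False, "pasted number differs from the intended recipient")
```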
UPD:
Letters have been sent to Yandex and WebMoney describing what it is (I'm talking about the file and its activity) and asking them to take action.
UPD2: from lmaster
The executable file is a dropper (Delphi) that drops the Trojan itself, packed with UPX, into %TEMP% and launches it.
The Trojan itself is written in Delphi and is 796 KB in size.
The malware collects information from the victim’s computer and sends it to the gate:
maerb.hmsite.net/upload.php
Functionality of Trojan-PSW.Win32.WebMoner.nl:
1) The program records all keystrokes (keylogger)
2) The malware steals data for authorization from the following programs:
- QIP
- Mail.ru Agent
- Total Commander
- SmartFTP
- OutLook
- ICQ
- The BAT!
- WebMoney
- FireFox
- IE
- Opera
3) All of this the program sends to the site: maerb.hmsite.net/upload.php
From me: as you can see, nothing has changed... Everything works as before, in exactly the same way.