Sunday, July 31, 2011

"Wrong Transaction" Hotel spam malware continues to evolve

One of the distinct advantages of having the UAB Spam Data Mine is that we are able to provide near-real-time intelligence about the evolution of malware campaigns being delivered by spam. On July 27, 2011 we provided a warning about Wrong Transaction Hotel Spam that was covered by Robert McMillan in PC World and ComputerWorld, and was also mentioned by Matt Liebowitz for MSNBC.

Unfortunately, from an anti-virus perspective, consumers are no safer than they were when we first put out the warning four days ago.

We're still seeing more than 1,000 copies per day of this malware (with the exception of the 29th) each day:

 count | receiving_date
1516 | 2011-07-27
1828 | 2011-07-28
813 | 2011-07-29
1470 | 2011-07-30
1258 | 2011-07-31
(5 rows)

but the malware is constantly evolving.

CountMalware MD5TimeRange
593c15eb3c47800fec025b6a86a6409f144 2011-07-27 03:00 AM to 2011-07-27 08:30 AM
100101e3bbd4b6f8c22a3516771f9b6792bc 2011-07-27 12:45 PM to 2011-07-28 04:45 AM
31857d931256fd6d7184528ae983e34677b 2011-07-27 08:00 AM to 2011-07-27 13:30 PM
8656e2eae488317280dd813e3e2fc9e0275 2011-07-28 04:15 AM to 2011-07-28 13:00 PM
554ad760ac5806a84a272e1eb76b315ac31 2011-07-28 12:30 PM to 2011-07-28 20:15 PM
11164140ee10115174fe36a738d4d943f2af 2011-07-29 13:45 PM to 2011-07-30 04:00 AM
614e2d3d4ccf02ea924e6d11cb452235f4c 2011-07-30 03:30 AM to 2011-07-30 16:15 PM
9315bbe80ad216c89bcbb6891178dc4b5fa 2011-07-30 14:45 PM to 2011-07-31 07:30 AM
409ca84d1a0c49eff5ca829b5fa531800e8 2011-07-31 07:30 AM to 2011-07-31 13:15 PM
484aa412182a164321a159f9b2e95be53bc 2011-07-31 13:15 PM to 2011-07-31 CURRENT TIME

Each of the links in the table above will take you to the VirusTotal report showing how many of 43 different anti-virus products detected this particular malware at the time it was submitted to VirusTotal.

I'll let you explore the links for yourself, but may I call attention to the fact the last one is detected by FOUR of forty-three AV products, and the one immediately prior to that by ONE of forty-three.

Just to make sure there was not a problem, I decided to look at those last two and confirm that they actually were malware.

We started with the sample starting with "aa412". It unpacks successfully as an .exe named "Refund_Form" that uses an icon from Microsoft Office Excel to try to trick people into thinking it's a Spreadsheet.

When we launched it, it made connections to: - - -

That last would be exactly the same domain that the first sample we looked at on the 27th connected to. It fetched "soft.exe" from

I'm going to go out on a limb and say this is malware. "soft.exe" got renamed "defender.exe" and placed in our "C:\Documents and Settings\All Users\Application Data\" directory, which was scheduled to launch when the machine reboots.

Defender.exe was declared to be malware by 6 of 43 anti-virus packages at VirusTotal. Here's the report. It's Fake anti-virus.

Next, just to be thorough, we also checked out the version that started with "ca84d1". Just like the first, it unpacked to a "Refund_Form.exe" file, although this one had a different MD5. When we launched Refund_Form it made network connections to: - - failed to resolve

It looks like this version is not functioning due to a dead domain, which may be the reason the "aa412" version was released.

That "" box is in Romania, currently using a domain name with "RuneScape" in the domain name. The same IP has recently been called,, and is also currently resolving as

Update 01AUG2011

At 3:15 this morning, the malware being distributed swapped to:

2e749d608d29aef739f5b08e7f63225a (click for VirusTotal Report)

The MD5 for the exe inside of the zip file with MD5 2e749d608d29aef739f5b08e7f63225a is:

a446ced5db1de877cf78f77741e2a804 Filename: Refund-Form (dot) exe (1 of 43 detects at VirusTotal).

At 4:30 this morning, and continuing to the present moment (07:45 AM Central Time), the malware being distributed swapped to:

4b126c49c261ca0f65fce9e5d08811d6 (click for VirusTotal Report)

The MD5 for the exe inside of the zip file with MD5 4b126c49c261ca0f65fce9e5d08811d6 is:

2f0155c39ddcf490f3a310ba0546c627 Filename: Refund_Form (dot) exe (5 of 43 detects at VirusTotal).

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.