From Pine View Farm

Trojan Warning

I found an email in my spam box this morning that said

You have just received a virtual postcard from a family member!

You can pick up your postcard at the following web address:

http://www2.postcards.org/?d21-sea-sunset

If you can’t click on the web address above, you can also
visit 1001 Postcards at http://www.postcards.org/postcards/
and enter your pickup code, which is: d21-sea-sunset.

When I clicked the link, it opened the “download file” dialog box.

Yeah. Right. Post cards don’t download stuff. They just sort of lie there.

Since *.exe files are meaningless to Linux, I downloaded it and scanned it with F-Prot. F-Prot reports that it is infected as follows:

picture.exe->script.ini Infection: IRC/Zapchast.AK@bd
picture.exe->sup.reg Infection: REG/Zapchast.A

which, according to Sophos, is a “Trojan which sets up jobs to delete system files.

“The Trojan creates a Scheduled Task to delete the contents of the hard drive at 11:15pm on the next Tuesday, Thursday or Saturday (whichever is next).”

A little analysis revealed that it originated from an Outlook mail client in the Dominican Republic:

inetnum: 66.98.64/19
status: allocated
owner: VERIZON DOMINICANA
ownerid: DO-CODE-LACNIC
responsible: Indhira Medina
address: Av. Abraham Lincoln, 1101,
address: 1377 – Santo Domingo – DN
country: DO
phone: +1 809 220-2000 []
owner-c: ABT
tech-c: ABT
inetrev: 66.98.64/19
nserver: NS1.CODETEL.NET.DO
nsstat: 20070306 AA
nslastaa: 20070306
nserver: NS2.CODETEL.NET.DO
nsstat: 20070306 AA
nslastaa: 20070306
created: 20010406
changed: 20060911

nic-hdl: ABT
person: Abuse Team
e-mail: Abuse@VERIZON.NET.DO
address: Av. Abraham Lincoln, 1101,
address: 1377 – Santo Domingo – DN
country: DO
phone: +1 809 2202000 []
created: 20021127
changed: 20040309

Abuse@VERIZON.NET.DO has been notified.
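As an added example (not from the original post, and not the author's own analysis), here is how the "little analysis" above is usually done: walk the Received: headers from the oldest hop upward to the first globally routable address, which is the best estimate of where the message was injected, then match that address against the netblock returned by whois. The sample message, its hostnames, the X-Mailer value and the specific address 66.98.70.23 are constructed for illustration; only the 66.98.64/19 block and its owner come from the LACNIC record quoted above, and the whois step is stood in for by an offline table so the code runs without network access.

```python
"""Added example: trace a message's origin from Received: headers and
check it against a known WHOIS netblock.  Not code from the original
post; headers, hosts and the originating address are constructed."""
import ipaddress
import re
from email import message_from_string
from email.message import Message
from typing import List, Optional

# Constructed sample message.  The hostnames are hypothetical; the
# last-hop address 66.98.70.23 is invented but chosen to fall inside
# the 66.98.64/19 block from the whois record quoted in the post.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id 123; Tue, 6 Mar 2007 09:12:00 -0500
Received: from [66.98.70.23] (unknown [66.98.70.23])
\tby mx.example.net with SMTP; Tue, 6 Mar 2007 09:11:40 -0500
From: "1001 Postcards" <postcards@example.com>
To: victim@example.org
Subject: You have just received a virtual postcard!
X-Mailer: Microsoft Office Outlook 11
Message-ID: <20070306@example.com>

You have just received a virtual postcard from a family member!
"""

# Netblock and owner taken from the LACNIC record in the post.  In a real
# investigation this table is replaced by a whois query on the address.
KNOWN_BLOCKS = {
    ipaddress.ip_network("66.98.64.0/19"): "VERIZON DOMINICANA (DO)",
}

IP_RE = re.compile(r"\[?((?:\d{1,3}\.){3}\d{1,3})\]?")


def received_ips(msg: Message) -> List[str]:
    """All IPv4 literals found in Received: headers, in header order
    (top of the message = last hop, bottom = first hop)."""
    ips: List[str] = []
    for hdr in msg.get_all("Received", []):
        ips.extend(IP_RE.findall(hdr))
    return ips


def originating_ip(raw: str) -> Optional[str]:
    """Walk the Received: chain from the oldest hop upward and return the
    first globally routable address.  Private, loopback and documentation
    ranges (e.g. 192.0.2.0/24) are skipped because they say nothing about
    where the message came from."""
    msg = message_from_string(raw)
    for ip in reversed(received_ips(msg)):
        addr = ipaddress.ip_address(ip)
        if addr.is_global:
            return str(addr)
    return None


def lookup_owner(ip: str) -> Optional[str]:
    """Offline stand-in for whois: match the address against the
    netblocks we already hold records for."""
    addr = ipaddress.ip_address(ip)
    for net, owner in KNOWN_BLOCKS.items():
        if addr in net:
            return owner
    return None


def mail_client(raw: str) -> Optional[str]:
    """The X-Mailer header, if the sending client left one."""
    return message_from_string(raw).get("X-Mailer")


if __name__ == "__main__":
    origin = originating_ip(SAMPLE_MESSAGE)
    print("originating address:", origin)
    print("netblock owner:", lookup_owner(origin) if origin else None)
    print("mail client:", mail_client(SAMPLE_MESSAGE))
```

One caveat a practitioner would apply: every Received: line below the one added by your own inbound MX was written by someone else and can be forged, so the trustworthy origin is the address your MX recorded in its own header, not necessarily the bottom-most line. The same goes for X-Mailer, which is just another sender-controlled header.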

