
Monday, 10 June 2013

Wells Fargo spam / Important WellsFargo Doc.exe / Important WellsFargo Docs.exe

This fake Wells Fargo spam run comes with one of two malicious attachments:

Date:      Mon, 10 Jun 2013 13:00:13 -0500 [14:00:13 EDT]
From:           Anthony_Starr@wellsfargo.com
Subject:      IMPORTANT - WellsFargo

Please check attached documents.

Anthony_Starr
Wells Fargo Advisors
817-563-9816 office
817-368-5471 cell Anthony_Starr@wellsfargo.com

ATTENTION: THIS E-MAIL MAY BE AN ADVERTISEMENT OR SOLICITATION FOR PRODUCTS AND SERVICES.

To unsubscribe from marketing e-mails from:
·         An individual Wells Fargo Advisors financial advisor: Reply to one of his/her
e-mails and type “Unsubscribe” in the subject line.
·         Wells Fargo and its affiliates: Unsubscribe at
www.wellsfargoadvisors.com/unsubscribe. Neither of these actions will affect delivery of
important service messages regarding your accounts that we may need to send you or
preferences you may have previously set for other e-mail services.

For additional information regarding our electronic communication policies, visit
http://wellsfargoadvisors.com/disclosures/email-disclosure.html .

Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE

Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103


CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.
There is a ZIP file attached to the email message, and the spammers have attempted to name the attachment after the recipient.. but because the spam has multiple recipients it may end up with a random name. Inside the ZIP file is an EXE file, and there appear to be two variants.

One is called Important WellsFargo Doc.exe and it has a pretty shocking VirusTotal detection rate of 0/47 (yup.. none at all). The Comodo CAMAS report gives the following checksums..

Name    Value
Size    94720
MD5     70e604777a66980bcc751dcb00eafee5
SHA1    52ef61b6296f21a3e14ae35320654ffe3f4e769d
SHA256  f669768216872c626abc46e4dd2e0b1d783ba5927166282922c16d6db3b8adae

..it identifies that this version of the malware attempts to download additional components from mceneryfinancial.com on 173.255.213.171 (specifically it is a pony downloader querying /ponyb/gate.php). More of this later. ThreatTrack has a more detailed report which also identifies callbacks to www.errezeta.biz and ftp.myfxpips.com. ThreatExpert has a slightly different report and further identifies megmcenery.com, taxfreeincomenow.com, taxfreeincomenow.info and 207.204.5.170 (Linode, US).

The second version has a similarly named file called Important WellsFargo Docs.exe (plural) with a higher VirusTotal detection rate of 11/46. Comodo CAMAS reports the following file characteristics..

Name    Value
Size    114176
MD5     47e739106c24fbf52ed3b8fd01dc3668
SHA1    b85b4295d23c912f9446a81fd605576803a29e53
SHA256  2d0d16d29ceca912d529533aa850f1e1539f4b509ea7cb89b8839f672afb418b

..in this case the pony download contacts hraforbiz.com (also on 173.255.213.171). Other analyses are pending.
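As an added example (not part of the original post), here is a small Python triage helper that hashes the members of a ZIP attachment in memory, flags .exe members and compares each SHA256 against the two checksums listed above; the sample ZIP it builds is a constructed stand-in, not the real attachment.

```python
import hashlib
import io
import zipfile

# SHA256 checksums published in the post for the two attachment variants.
KNOWN_BAD = {
    "Important WellsFargo Doc.exe":
        "f669768216872c626abc46e4dd2e0b1d783ba5927166282922c16d6db3b8adae",
    "Important WellsFargo Docs.exe":
        "2d0d16d29ceca912d529533aa850f1e1539f4b509ea7cb89b8839f672afb418b",
}

def hash_bytes(data):
    """Return md5/sha1/sha256 hex digests of a byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def triage_zip(zip_bytes, known_bad=KNOWN_BAD, max_member=5_000_000):
    """Hash each member of a ZIP attachment read from memory (nothing is
    executed or written to disk). Flags .exe members and any member whose
    SHA256 matches a known-bad sample; oversized members are skipped."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size > max_member:
                findings.append({"member": info.filename, "skipped": True})
                continue
            digests = hash_bytes(zf.read(info))
            findings.append({
                "member": info.filename,
                "size": info.file_size,
                "sha256": digests["sha256"],
                "is_exe": info.filename.lower().endswith(".exe"),
                "matches": [n for n, h in known_bad.items()
                            if h == digests["sha256"]],
            })
    return findings

def build_sample_zip(member_name, payload):
    """Constructed test input: a one-member ZIP (not the real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()
```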

Several of these malware domains are hosted on 173.255.213.171 (Linode, US) and we can assume that this server is compromised along with all the domains on it. 62.149.131.162 (Aruba, Italy) also seems to be compromised. 173.254.68.134 (Unified Layer, US) and 207.204.5.170 (Register.com, US) appear to be compromised in some way too. Of note is the fact that almost all of these domains appear to be legitimate but have been hacked in some way; I would expect them to be cleaned up at some point in the future.

Putting all these IPs and domains together gives a recommended blocklist:

2 comments:

dinetteandsleep said...

What do I do if I opened and ran the attachment?

Conrad Longmore said...

@dinetteandsleep, well.. that probably infected your computer. You could try one of the following products:
http://www.f-secure.com/en/web/home_global/online-scanner
http://housecall.trendmicro.com/
http://www.malwarebytes.org/products/malwarebytes_free/

Even if your system appears to be clean, it might not be. Rechecking again after a few days will use the latest detections and might find components that have been missed.