Date: Mon, 10 Jun 2013 13:00:13 -0500 [14:00:13 EDT]
Subject: IMPORTANT - WellsFargo

Please check attached documents.

Wells Fargo Advisors
817-368-5471 cell Anthony_Starr@wellsfargo.com

ATTENTION: THIS E-MAIL MAY BE AN ADVERTISEMENT OR SOLICITATION FOR PRODUCTS AND SERVICES.
To unsubscribe from marketing e-mails from:
· An individual Wells Fargo Advisors financial advisor: Reply to one of his/her e-mails and type “Unsubscribe” in the subject line.
· Wells Fargo and its affiliates: Unsubscribe at www.wellsfargoadvisors.com/unsubscribe.
Neither of these actions will affect delivery of important service messages regarding your accounts that we may need to send you or preferences you may have previously set for other e-mail services.
For additional information regarding our electronic communication policies, visit
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.

There is a ZIP file attached to the email message, and the spammers have attempted to name the attachment after the recipient.. but because the spam has multiple recipients it may end up with a random name. Inside the ZIP file is an EXE file, and there appear to be two variants.
One is called Important WellsFargo Doc.exe and it has a pretty shocking VirusTotal detection rate of 0/47 (yup.. none at all). The Comodo CAMAS report gives the following checksums..
..it identifies that this version of the malware attempts to download additional components from mceneryfinancial.com on 184.108.40.206 (specifically it is a pony downloader querying /ponyb/gate.php). More of this later. ThreatTrack has a more detailed report which also identifies callbacks to www.errezeta.biz and ftp.myfxpips.com. ThreatExpert has a slightly different report and further identifies megmcenery.com, taxfreeincomenow.com, taxfreeincomenow.info and 220.127.116.11 (Linode, US).
The second version has a similarly named file called Important WellsFargo Docs.exe (plural) with a higher VirusTotal detection rate of 11/46. Comodo CAMAS reports the following file characteristics..
..in this case the pony download contacts hraforbiz.com (also on 18.104.22.168). Other analyses are pending.
Several of these malware domains are hosted on 22.214.171.124 (Linode, US) and we can assume that this server is compromised along with all the domains on it. 126.96.36.199 (Aruba, Italy) also seems to be compromised. 188.8.131.52 (Unified Layer, US) and 184.108.40.206 (Register.com, US) appear to be compromised in some way too. Of note is the fact that almost all of these domains appear to be legitimate but have been hacked in some way; I would expect them to be cleaned up at some point in the future.
Putting all these IPs and domains together gives a recommended blocklist:
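As an added example (not part of the original post), here is a small Python script that scans proxy log lines for the indicators described above, the /ponyb/gate.php gate path and the callback hostnames named in this post, and derives a blocklist from the hits. The Squid-style log format and the sample entries are constructed for the demo and are assumptions, not data from the campaign.

```python
# Added example: flag proxy log entries that match the Pony downloader indicators
# named in this post (gate path and callback hostnames) and build a blocklist.
import re
from urllib.parse import urlsplit

# Hostnames as given in the post above; subdomains of them are matched as well.
PONY_HOSTS = {
    "mceneryfinancial.com", "www.errezeta.biz", "ftp.myfxpips.com",
    "megmcenery.com", "taxfreeincomenow.com", "taxfreeincomenow.info",
    "hraforbiz.com",
}
PONY_GATE_PATH = "/ponyb/gate.php"   # Pony checks in to this path on its C2

# Assumed Squid-style access log: timestamp client status size method url
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def host_matches(host, hosts):
    """True if host equals, or is a subdomain of, any listed hostname."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in hosts)

def classify(url):
    """Return a reason string if the URL hits a Pony indicator, else None."""
    parts = urlsplit(url)
    if parts.path == PONY_GATE_PATH:      # gate path alone is a strong signal
        return "pony-gate-path"
    if parts.hostname and host_matches(parts.hostname, PONY_HOSTS):
        return "known-callback-host"
    return None

def scan(lines):
    """Return (client, url, reason) for every log line that matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip malformed lines rather than crash
        reason = classify(m.group("url"))
        if reason:
            hits.append((m.group("client"), m.group("url"), reason))
    return hits

def blocklist_from(hits):
    """Distinct hostnames seen in the hits, ready for a proxy or DNS blocklist."""
    return sorted({urlsplit(url).hostname for _, url, _ in hits})

# Constructed sample log: two hits on listed hosts, one clean line, one unknown
# host that still uses the Pony gate path.
SAMPLE_LOG = """\
1370887213.101 10.1.2.34 TCP_MISS/200 512 POST http://mceneryfinancial.com/ponyb/gate.php
1370887215.420 10.1.2.34 TCP_MISS/200 2048 GET http://www.errezeta.biz/images/x.exe
1370887220.003 10.1.2.50 TCP_MISS/200 9000 GET http://example.org/index.html
1370887225.777 10.1.2.61 TCP_MISS/200 300 POST http://other-host.example/ponyb/gate.php
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for client, url, reason in found:
        print(f"{client} -> {url} [{reason}]")
    print("blocklist:", blocklist_from(found))
```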