
Tuesday, 10 March 2009

Classmates trojan: "Should I leave my Crazy Fat Wife for a younger woman?"

An unusual bit of social engineering here:

Subject: Classmates personal message: Please help me to decide which way to choose
From: "Gold - Classmates" online@groups.classmates.com

Special video report March 10, 2009
Message from your group member:

"Should I leave my Crazy Fat Wife for a younger woman? Please look video and Help me
to decide, please ........I need your help,
if possible - Write your opinion on the page wall"
Proceed to open full message text:

(removed)

Sincerely, Leslie Burks.
2009 Classmates Message Center.

If you click on the link (not advisable) you get the following page (hosted on a botnet somewhere):
You are then prompted to install and run a file called Adobemedia10.exe, at which point things start to go seriously wrong.

The VirusTotal report indicates a very low detection rate for the binary (VBA32 flags it as Embedded.Rootkit.Win32.Agent.ex). However, the ThreatExpert prognosis shows just how much damage this does, and identifies a C&C server at 58.65.232.17, a well-known malware server hosted by the black hat hosting outfit Hostfresh.
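For anyone wanting to check proxy logs for this campaign, here is an added example (not from the original post): a small Python script that flags two things the post describes, fetches of an Adobe-branded executable named Adobemedia10.exe from a host that is not under adobe.com, and any connection to the C&C address 58.65.232.17. The log format and the log lines themselves are constructed for the example.

```python
import re

# The C&C address and lure file name come from the post above; the log
# lines and everything else are constructed for this example.
CNC_IPS = {"58.65.232.17"}
LURE_FILENAME = "adobemedia10.exe"

# Proxy access log in a simplified Squid-like layout, constructed (not real traffic).
SAMPLE_LOG = """\
1236700000.123 10.0.0.5 TCP_MISS/200 GET http://www.classmates.com/ - DIRECT/192.0.2.1 text/html
1236700010.456 10.0.0.5 TCP_MISS/200 GET http://198.51.100.23/video/Adobemedia10.exe - DIRECT/198.51.100.23 application/octet-stream
1236700020.789 10.0.0.5 TCP_MISS/200 CONNECT 58.65.232.17:80 - DIRECT/58.65.232.17 -
1236700030.000 10.0.0.7 TCP_MISS/200 GET http://get.adobe.com/flashplayer/ - DIRECT/192.0.2.10 text/html
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)")

def host_of(url):
    """Extract the host from a URL or from a CONNECT host:port target."""
    host = url.split("://", 1)[-1].split("/", 1)[0]
    return host.split(":", 1)[0].lower()

def is_adobe_host(host):
    """True only for adobe.com itself or a genuine subdomain of it."""
    return host == "adobe.com" or host.endswith(".adobe.com")

def classify(line):
    """Return the reasons a log line is suspicious (empty list if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    host = host_of(m.group("url"))
    filename = m.group("url").rsplit("/", 1)[-1].lower()
    reasons = []
    if host in CNC_IPS:
        reasons.append(f"connection to known C&C {host}")
    if filename == LURE_FILENAME and not is_adobe_host(host):
        reasons.append(f"Adobe-branded executable fetched from non-Adobe host {host}")
    return reasons

def scan(log_text):
    """Return (client, reasons) for every suspicious line in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        reasons = classify(line)
        if m and reasons:
            hits.append((m.group("client"), reasons))
    return hits

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG):
        print(client, "->", "; ".join(reasons))
```

Both hits in the sample come from the same client, 10.0.0.5, which is the machine to pull off the network and rebuild.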

This looks like a fairly horrible thing to try to clean up; it is probably best to recover data, reformat and reinstall.
