Google, Facebook, Twitter, Hi5, Amazon and Hallmark are 6 companies impersonated in the malware campaign this time. This is a new variant of the malware we analyzed.
Taking advantage of these companies’ reputation, hacker distributes bogus emails with malicious code. Many people fall victim to this kind of phishing, because in fact, these established companies do regularly email their users. Let’s say, such companies providing social networking service like Facebook, Twitter or Hi5, or those e-commerce companies like Amazon, Hallmark or Google which often send recruitment emails to their candidates. Thus, users are easily tricked into opening such emails.
So, this is still “fertile land” for bad guys to spread virus via spam emails. They keep changing the spam’s content with view to enticing users to open the attached file which in fact, is a virus.
Figure 1: 6 “targets” are all included in the virus’s source code
Figure 2: Faking Google
Figure 3: Faking Facebook
Figure 4: Faking Twitter
Figure 5: Faking Hi5
Figure 6: Faking Amazon
Figure 7: Faking Hallmark E-Card
This malware hides itself as an attached file, making users curious and open it.
Upon execution, malware will:
1. Manipulation with file:
- Dumps the following file: %Windir%\MFPTKPAR.dll
- Copies itself as file: %SystemDir%\HPWuSchedv.exe
2. Manipulation with key:
- HP Software Updater v2.7 = "%SystemDir%\HPWuSchedv.exe"
- Pwulinubesida = "rundll32.exe "%Windir%\MFPTKPAR.dll",Startup"
to load virus at Windows’ startup.
3. Terminates the service: Error Reporting and Security Center
4. Copies itself to shared folders with names posing as the setup folders of crack softwares or programs:
- Adobe Photoshop CS4 crack.exe
- Windows 7 Ultimate keygen.exe
- K-Lite Mega Codec v5.5.1.exe
5. Copies itself as file autorun.inf to USB drives to spread.
6. Deletes key, file and terminates the process of some popular antivirus softwares.
7. Constantly sends emails with fake content attached with virus to spread.
8. Connects to server : 18.104.22.168 via port 1049
And on one day if you find a similar email in your inbox, be cautious when opening it.
Nguyen Hong Quang and Nguyen Cong Cuong