This morning one of our readers' Hotmail accounts was hijacked and is sending out spam to the address book. The user tells us: “I am not sure of how it happened, and some of the contacts have received the message from my email.”
We looked under the hood and reviewed the embedded links. Our team identified the links as associated with spam bots, Trojans, fake anti-virus, and the ZBOT attacks that are straight out of China!
The malware is associated with 126.com, which is hosted in China and lights up the DNS entries like a Christmas tree!
See the Graph
<Copy of the Spam Message>
<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>
From: d111___x1e@hotmail.com
To: Alluserx@AOL1.com
Dear sir/Madam: Our company is Large-sized China foreign trade companies. We sale cellphone, computer, TV, GPS,MP3 and Motorcycle and so on. We have our warehouse and shopping centers. we have very good price and credit. We will ensure our product 100% eligible. Hoping we can have long-time cooperation.
please contact us: (www: zlgxfc.com E-mail: zlgxfc @ 188.com)
<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
<Malware Found>
- Trojan.DownLoader.Based
- Trojan Zeus/ZBOT
- Spam Bots
- Fake Anti-Virus /Ransomware
- Spyware
Malicious URL: zlgxfc.com
Malware Files Created:
- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4X23OP2B\lightbox[1].css
- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GPURSX23\layout[1].css
- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\style[1].css
- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\validation[1].css
- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\contentslider[1].css
- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\zlgxfc[1].htm
Malicious URL: 188.com
Malware Files Created:
- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4X23OP2B\188index[1].css
- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4X23OP2B\188index[2].css
- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GPURSX23\flashobject[1].js
- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GPURSX23\flashobject[2].js
- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\188[1].htm
Malicious DNS Traffic:
- 188.com
- 123.125.50.22 <— Spyware Found
- 220.181.12.218
- mimg.188.com
- 218.107.55.85
- 218.107.55.86
- mailjs.163.com
- 218.107.55.86
- 218.107.55.85
- vip.163.com
- 123.125.50.199
- Points to CNAME: mcache.idns.yeah.net
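As an added example (not part of the original post, and not a tool from Prevx or Robtex), here is a small Python script that matches DNS query log lines against the domains and IP addresses in the list above. The log format and the sample log lines are constructed for this illustration; a query is flagged when its name falls under one of the listed domains, when its A record points at one of the listed IPs, or when its CNAME target falls under a listed domain.

```python
import re

# Indicators copied from the "Malicious DNS Traffic" list in this post.
IOC_DOMAINS = {
    "188.com",
    "mimg.188.com",
    "mailjs.163.com",
    "vip.163.com",
    "mcache.idns.yeah.net",
}
IOC_IPS = {
    "123.125.50.22",
    "220.181.12.218",
    "218.107.55.85",
    "218.107.55.86",
    "123.125.50.199",
}

# Hypothetical resolver log format, assumed for this example only:
#   <timestamp> <client ip> query <qname> -> <A|CNAME> <rdata>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) -> (?P<rtype>A|CNAME) (?P<rdata>\S+)$"
)


def domain_matches(qname, indicators):
    """Return the most specific indicator that qname equals or is a subdomain of, else None.

    Suffix matching is done on label boundaries, so "163.com" does not match
    the indicator "vip.163.com", and "evil188.com" does not match "188.com".
    """
    q = qname.rstrip(".").lower()
    best = None
    for ioc in indicators:
        if q == ioc or q.endswith("." + ioc):
            if best is None or len(ioc) > len(best):
                best = ioc
    return best


def classify_line(line):
    """Parse one log line; return a hit record if it touches an indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed or unrelated line: skipped, not treated as a hit
    qname, rtype, rdata = m["qname"], m["rtype"], m["rdata"]
    reasons = []
    d = domain_matches(qname, IOC_DOMAINS)
    if d:
        reasons.append(f"qname under indicator {d}")
    if rtype == "CNAME":
        target = domain_matches(rdata, IOC_DOMAINS)
        if target:
            reasons.append(f"CNAME target under indicator {target}")
    elif rdata in IOC_IPS:
        reasons.append(f"resolves to listed IP {rdata}")
    if not reasons:
        return None
    return {"client": m["client"], "qname": qname, "rtype": rtype,
            "rdata": rdata, "reasons": reasons}


def scan(lines):
    """Run classify_line over an iterable of log lines and collect the hits."""
    return [h for h in (classify_line(l) for l in lines) if h]


def hits_by_client(hits):
    """Group flagged query names by client IP, for a quick triage view."""
    out = {}
    for h in hits:
        out.setdefault(h["client"], set()).add(h["qname"])
    return out


# Constructed sample log lines (not real traffic from the incident).
SAMPLE_LOG = [
    "2010-05-12T09:01:03Z 10.0.0.15 query www.example.com -> A 93.184.216.34",
    "2010-05-12T09:01:09Z 10.0.0.15 query mimg.188.com -> A 218.107.55.86",
    "2010-05-12T09:01:10Z 10.0.0.15 query somehost.yeah.net -> CNAME mcache.idns.yeah.net",
    "2010-05-12T09:01:12Z 10.0.0.15 query vip.163.com -> A 123.125.50.199",
    "2010-05-12T09:02:00Z 10.0.0.22 query 163.com -> A 192.0.2.10",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["qname"], "|", "; ".join(hit["reasons"]))
    print(hits_by_client(scan(SAMPLE_LOG)))
```

On the sample data, three of the six lines are flagged, all from client 10.0.0.15. Note that 126.com, 163.com, 188.com and yeah.net are domains of the same large webmail provider (mail.netease.com appears in the host list below), so a match on these indicators is a lead for triaging the client machine rather than a verdict by itself.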
<Malware Activity>
# Can make outbound connections to other computers, IM chat rooms and other services using the IRC protocol
# This process sends MIME email
# The process is packed and/or encrypted using a software packing process
# The process is polymorphic and can change its structure
# Looks at the contents of the autoexec.bat file
# Reads email addresses and phone book details
# Uses DNS to retrieve the IP addresses of web sites
# Visits web sites from your PC without you knowing
# Creates system tray popups, messages, errors and security warnings
Host: ChinaUnicom Hostmaster
nic-hdl: CH1302-AP
e-mail: XXXXX@chinaunicom.cn
address: No.21,Jin-Rong Street
address: Beijing,100140
address: P.R.China
phone: +86-10-66259940
fax-no: +86-10-66259764
country: CN
<IP 123.125.50.22 Host names sharing IP>
*.104.126.com
*.68.104.126.com
104.126.com
111.126.com
126.com
127.net
188.com
208.68.104.126.com
2274747474.yeah.net
22dns20records20for20www.yeah.net
22idns1.yeah.net
22idns2.yeah.net
22m227-137.yeah.net
22m227-138.yeah.net
22main20tab20with20summary20for20www.yeah.net
22www.yeah.net
2yan.126.com
68.104.126.com
ahxczgq.126.com
bj126app91.126.com
ccxmqq.126.com
cheng307.126.com
ckbest.126.com
cncnnix.126.com
cnjax.126.com
dingliang.126.com
dodo521.126.com
eruson.yeah.net
feel8.126.com
foryousz.126.com
gao1978108.yeah.net
gm1866.126.com
guangweimanufactory.126.com
guoqing053051.126.com
honker43.126.com
iamtourist.126.com
ipad.vip.163.com
jeily.126.com
jinglongliu.126.com
jxl415424022.126.com
lizhb.126.com
lvjunkun.126.com
m5-141.126.com
m5-144.126.com
mail.netease.com
mail.netease.split.netease.com
mcache.mail.126.net
moveage2008.126.com
njweb.yeah.net
olympic08.126.com
stylesdrops.126.com
syhua3000.126.com
tangzhineng.yeah.net
vip.188.com
yaosoutv.com
yeah.net
yeetong.126.com
yootor.net
zhanglei8312.126.com
zhoujunan.126.com
Reference: Prevx.com and Robtex Graph