The Latest in IT Security

Brazilian spambot spreads like fire

20 May 2011

A legitimate Canadian website is hosting a Trojan:

www.getwiththeprogram.ca/IMG2713.zip

The zip archive contains a file with a .cpl extension.

Control Panel Files are normally used by the Windows Control Panel where each icon corresponds to a file, such as Access.cpl, Appwiz.cpl etc.

Anyway, what a lot of people don’t know is that such files can be run by double-clicking them, just like any other “.exe”.
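Because a .cpl is a plain Windows PE file that Explorer will run on a double-click, a useful defensive check is to look inside incoming zip archives for members that are executable either by extension or by content. The Python script below is an added example written for this post, not code from the original article; the archive it inspects is constructed in memory with made-up member names (sample.cpl, holiday.jpg), and the extension list beyond .cpl is an assumption about which other extensions a practitioner would want flagged.

```python
import io
import zipfile

# Extensions that Windows executes on double-click even though many users do
# not recognise them as programs. .cpl is the one used by the sample above;
# the rest are assumed companions a defender would normally flag as well.
EXECUTABLE_EXTENSIONS = {
    ".cpl", ".exe", ".scr", ".pif", ".com", ".dll", ".bat", ".cmd", ".js", ".vbs",
}

PE_MAGIC = b"MZ"  # first two bytes of every Windows PE image (.exe/.dll/.cpl)


def inspect_archive(data: bytes) -> list:
    """Return (member_name, reason) pairs for every suspicious archive member.

    Two independent checks are applied so that neither trick alone slips past:
    1. an executable extension (catches "double extension" names like photo.jpg.cpl),
    2. a PE header in the content regardless of the extension (catches renamed binaries).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lowered = name.lower()
            reasons = []

            ext = "." + lowered.rsplit(".", 1)[-1] if "." in lowered else ""
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension %s" % ext)

            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic is needed for this check
            if head == PE_MAGIC:
                reasons.append("PE header (MZ) in member content")

            if reasons:
                findings.append((name, "; ".join(reasons)))
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive; member names and contents are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "just text")
        # PE-looking content behind a Control Panel extension, as in the post
        zf.writestr("sample.cpl", b"MZ" + b"\x00" * 62)
        # a renamed binary hiding behind an image extension
        zf.writestr("holiday.jpg", b"MZ" + b"\x90" * 30)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_archive(build_sample_archive()):
        print("%-16s %s" % (member, reason))
```

Reading only the first two bytes keeps the check cheap enough to run on every attachment at a mail gateway; a full PE parse is unnecessary to decide that a file is a program the user was not expecting.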

This is what happens when you execute it:

Which triggers an escalation of malicious code:

More malware is downloaded from:

opt2011opt.epac.to (IP: 212.124.117.230)

File system modifications include the creation of a “programfiles” folder (not to be confused with the legit Program Files one):
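The domain, IP address and look-alike “programfiles” folder above are the kind of indicators a defender would turn into a detection. The script below is an added example, not part of the original post: it runs those indicators over a few constructed log lines (the log format with “proxy” and “fs” records is invented for this example; the domain and IP are the ones reported in the post) and flags any folder whose name collapses to “programfiles” but is not one of the genuine Program Files directories.

```python
import ipaddress
import re
from pathlib import PureWindowsPath

# Indicators reported in the post above.
IOC_DOMAINS = {"opt2011opt.epac.to"}
IOC_IPS = {ipaddress.ip_address("212.124.117.230")}

# The genuine Program Files directory names; any other folder whose name
# reduces to "programfiles" is treated as a look-alike.
LEGIT_PROGRAM_DIRS = {"program files", "program files (x86)"}

# Constructed log format for this example:
#   "proxy <client> <dest_host> <dest_ip>"  and  "fs <client> mkdir <path>"
LOG_RE = re.compile(r"^(?P<kind>proxy|fs)\s+(?P<client>\S+)\s+(?P<rest>.*)$")


def check_proxy(rest: str) -> list:
    """Match destination host and IP of a proxy record against the IoC sets."""
    host, _, ip = rest.partition(" ")
    hits = []
    if host.lower() in IOC_DOMAINS:
        hits.append("domain " + host)
    try:
        if ipaddress.ip_address(ip) in IOC_IPS:
            hits.append("ip " + ip)
    except ValueError:
        pass  # malformed or missing IP field; the domain check still applies
    return hits


def suspicious_programfiles(path: str) -> bool:
    """True for a folder such as C:\\programfiles that mimics Program Files."""
    name = PureWindowsPath(path).name.lower()
    return name.replace(" ", "") == "programfiles" and name not in LEGIT_PROGRAM_DIRS


def check_fs(rest: str) -> list:
    action, _, path = rest.partition(" ")
    if action == "mkdir" and suspicious_programfiles(path):
        return ["look-alike folder " + path]
    return []


def scan(lines) -> list:
    """Return (client, finding) pairs for every line that matches an indicator."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        hits = check_proxy(m["rest"]) if m["kind"] == "proxy" else check_fs(m["rest"])
        alerts.extend((m["client"], h) for h in hits)
    return alerts


# Constructed sample log: one benign request, one C2 contact, three folder creations.
SAMPLE_LOG = """
proxy 10.0.0.12 www.example.com 93.184.216.34
proxy 10.0.0.12 opt2011opt.epac.to 212.124.117.230
fs 10.0.0.12 mkdir C:\\programfiles
fs 10.0.0.12 mkdir C:\\Program Files\\Common Files
fs 10.0.0.12 mkdir C:\\Users\\bob\\programfiles
"""

if __name__ == "__main__":
    for client, finding in scan(SAMPLE_LOG.splitlines()):
        print(client, finding)
```

Comparing the final path component rather than the whole path is deliberate: the malware’s folder need not sit at the drive root, and a user-profile copy of “programfiles” is just as telling as one under C:\.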

One of the immediate payloads of this Trojan is spam, sent at a rate of several hundred emails per minute:

This particular spambot is targeting Brazilian users, as you may see during the infection process:

The bad guys left out a ‘counter’ page in the clear which you would have caught if you were running Fiddler:

It shows you other infected computers, with the vast majority located in Brazil:

I have contacted the Canadian website mentioned above so that they remove this piece of malware and prevent further infections.

Jerome Segura
