[AusNOG] Malicious ECard trojan using the MPACK malware hosting kit (AUSCERT#200701978)
matthew at auscert.org.au
Mon Jul 2 17:29:19 EST 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Greetings all,
We've just issued the following alert:
AL-2007.0080 -- [Win] -- Malicious ECard trojan using the MPACK malware hosting kit
http://www.auscert.org.au/7802
due to the number of reports we are getting and the fact that it seems to
(currently) be hitting Australia. The spam email contains links to one of
the following sites:
All these sites linked to malware being hosted on the web site:
http://bettarchilli.com/...
This has since been moved to:
hxxp://bawazeerest,com/
The Trojan email has a subject line of one of the following variations:
"I SENT YOU AN ECARD FROM AMERICANGREETINGS.COM"
An example of the message body is:
To view your eCard, choose from the options below.
Click on the following link.
http://www.americangreetings.com/ecards/view#pd?i=439899392&m=2157&rr=y&source=ag999
Or copy and paste the above link into your web browser's
"address" window.
If you have any comments or questions, please visit
http://www.americangreetings.com/help/index.pd?source=ag999
Thanks for using AmericanGreetings
This Trojan uses a kit similar to the "MPACK" malware hosting kit used in
recent attacks in Europe.
Might be worth looking for flow/connections to the above sites. Any
feedback greatly appreciated of course.
Best regards,
-- Matthew McGlashan --
Coordination Centre Team Leader | Hotline: +61 7 3365 4417
Australian Computer Emergency Response Team | Direct: +61 7 3365 7924
(AusCERT) | Fax: +61 7 3365 7031
The University of Queensland | WWW: www.auscert.org.au
Qld 4072 Australia | Email: auscert at auscert.org.au
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (FreeBSD)
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
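The alert suggests checking flow and proxy records for connections to the listed hosts. The following is an added example, not part of AusCERT's alert or of any AusCERT tooling: it refangs indicators written in the alert's defanged style (commas for dots, "hxxp" for "http") and matches them against constructed proxy and DNS log lines whose formats are assumed here.

```python
import re
from urllib.parse import urlparse

# The two hosts quoted in the alert body, in the defanged form AusCERT used.
DEFANGED = ["http://bettarchilli.com/", "hxxp://bawazeerest,com/"]


def refang(indicator):
    """Turn a defanged URL or hostname back into a plain, lower-case hostname."""
    s = indicator.strip().replace("hxxp", "http").replace(",", ".")
    if "://" in s:
        s = urlparse(s).hostname or ""
    return s.lower().rstrip("/").rstrip(".")


def watchlist(indicators):
    """Set of refanged hostnames to look for."""
    return {refang(i) for i in indicators}


def host_matches(host, wl):
    """True if host is a watchlisted name or a subdomain of one (port stripped)."""
    host = host.lower().split(":")[0].rstrip(".")
    return any(host == d or host.endswith("." + d) for d in wl)


# Constructed sample records (assumed squid-style proxy and BIND-style query log
# formats); these are not from the alert.
SAMPLE_LOGS = [
    "1183349000.123 10.0.0.5 TCP_MISS/200 GET http://bettarchilli.com/in.php",
    "1183349001.456 10.0.0.7 TCP_MISS/200 GET http://www.example.com/",
    "02-Jul-2007 17:30:01 client 10.0.0.9#53012: query: www.bawazeerest.com IN A",
]

URL_RE = re.compile(r"https?://([^/\s]+)")   # host part of a proxied URL
DNS_RE = re.compile(r"query: (\S+) IN")      # queried name in a resolver log


def find_hits(lines, wl):
    """Return the log lines whose host or queried name is on the watchlist."""
    hits = []
    for line in lines:
        m = URL_RE.search(line) or DNS_RE.search(line)
        if m and host_matches(m.group(1), wl):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOGS, watchlist(DEFANGED)):
        print("HIT:", hit)
```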