You received a new message from Skype voicemail service - Virus
This is an automated email, please don't reply.
Voice Message Notification
You received a new message from Skype voicemail service.
Message Details:
Time of Call: 17 Dec 2013 10:20:24 -0400
Length of Call: 38sec
Listen to the message (linked in the original)
2003-2011 Skype Limited. Skype Communications S.a.r.l. 23-29 Rives de Clausen, L-2165 Luxembourg. Skype, associated trademarks and logos and the "S" symbol are trademarks of Skype Limited.
Subject: You received a new message from Skype voicemail service
This is an automated email, please don't reply.
Voice Message Notification
You received a new message from Skype voicemail service.
Message Details:
Time of Call: 17 Dec 2013 10:20:24 -0400
Length of Call: 38sec
Listen to the message
in the attached file.
© 2003-2013 Skype and/or Microsoft. The Skype name, associated trademarks and logos and the “S” logo are trademarks of Skype or related entities.
Skype Communications S.a.r.l. 23-29 Rives de Clausen, L-2165 Luxembourg.
2003-2011 Skype Limited. Skype Communications S.a.r.l. 23-29 Rives de Clausen, L-2165 Luxembourg.
Skype, associated trademarks and logos and the "S" symbol are trademarks of Skype Limited.
MSG-88494HA29.zip (67)
Malware Link Version:
Subject: You received a new message from Skype voicemail service
This is an automated email, please don't reply.
Voice Message Notification
You received a new message from Skype voicemail service.
Message Details:
Time of Call: 17 Dec 2013 10:20:24 -0400
Length of Call: 38sec
Listen to the message
2003-2011 Skype Limited. Skype Communications S.a.r.l. 23-29 Rives de Clausen, L-2165 Luxembourg.
Skype, associated trademarks and logos and the "S" symbol are trademarks of Skype Limited.
Header Examples:
The sender addresses spoof Gmail and Yahoo accounts; the display name is always "Skype Communications".
Received: from gateway.flycommunications.net [92.63.232.1]
X-Envelope-From: reconfiguredf51 @gmail.com
From: "Skype Communications" <reconfiguredf51 @gmail.com>
Subject: You received a new message from Skype voicemail service
Received: from bzq-79-176-166-233.red.bezeqint.net [79.176.166.233]
X-Envelope-From: nayspiv26 @yahoo.com
Subject: You received a new message from Skype voicemail service
From: "Skype Communications" <nayspiv26 @yahoo.com>
Received: from 50-201-219-238-static.hfc.comcastbusiness.net [50.201.219.238]
X-Envelope-From: test @yahoo.com
From: "Skype Communications" <test @yahoo.com>
Subject: You received a new message from Skype voicemail service
Received: from static.kpn.net [92.71.231.114]
X-Envelope-From: penancinghm51 @yahoo.com
From: "Skype Communications" <penancinghm51 @yahoo.com>
Subject: You received a new message from Skype voicemail service
Received: from rrcs-24-123-68-90.central.biz.rr.com [24.123.68.90]
X-Envelope-From: commiseratess18 @yahoo.com
From: "Skype Communications" <commiseratess18 @yahoo.com>
Subject: You received a new message from Skype voicemail service
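The headers above share one pattern: a "Skype Communications" display name on a freemail address, injected from a residential or small-business host. The following is an added example (not part of the original write-up) that encodes those observations as a triage check. The two header blocks are constructed: the spoofed one follows the patterns shown above (with the anti-harvesting space before "@" removed), the benign one is an invented control; the legitimate-domain and freemail lists are assumptions for illustration.

```python
"""Triage check for the spoofed Skype voicemail notification headers.

Added example, not from the original write-up. SAMPLE_SPOOF is constructed from
the header patterns shown on the page (defanging spaces before '@' removed);
SAMPLE_BENIGN is invented as a control. The legitimate-domain and freemail
lists are assumptions for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains a genuine Skype notification would be sent from.
LEGIT_SENDER_DOMAINS = {"skype.com", "skype.net"}
# Assumption: freemail providers, including the two abused in this campaign.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
CAMPAIGN_SUBJECT = re.compile(r"new message from Skype voicemail service", re.I)

SAMPLE_SPOOF = """\
Received: from bzq-79-176-166-233.red.bezeqint.net [79.176.166.233]
X-Envelope-From: nayspiv26@yahoo.com
Subject: You received a new message from Skype voicemail service
From: "Skype Communications" <nayspiv26@yahoo.com>
"""

SAMPLE_BENIGN = """\
Received: from mail-yk0-f171.google.com [209.85.160.171]
X-Envelope-From: alice@gmail.com
Subject: lunch tomorrow?
From: "Alice Example" <alice@gmail.com>
"""


def injecting_host(msg):
    """Host and IP from the outermost (first-listed) Received: header, or None."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.search(r"from\s+(\S+)\s*\[([\d.]+)\]", received[0])
    return (m.group(1), m.group(2)) if m else (received[0].strip(), None)


def analyse(raw_headers):
    """Return (is_spoof, reasons, injecting_host) for a block of RFC 5322 headers."""
    msg = message_from_string(raw_headers)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    envelope = msg.get("X-Envelope-From", "").strip().lower()
    subject = msg.get("Subject", "")
    reasons = []

    # Strong signal: the display name impersonates Skype but the address does not.
    if "skype" in display.lower() and from_domain not in LEGIT_SENDER_DOMAINS:
        reasons.append(f"display name {display!r} with sender domain {from_domain}")
    # Supporting: the campaign subject arriving from a freemail account.
    if CAMPAIGN_SUBJECT.search(subject) and from_domain in FREEMAIL_DOMAINS:
        reasons.append("campaign subject sent from freemail account")
    # Supporting: envelope sender and From: header disagree.
    if envelope and envelope != addr.lower():
        reasons.append(f"envelope sender {envelope} != From {addr}")

    is_spoof = any(r.startswith("display name") for r in reasons)
    return is_spoof, reasons, injecting_host(msg)


if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("benign", SAMPLE_BENIGN)):
        verdict, why, hop = analyse(sample)
        print(label, verdict, why, hop)
```

The display-name check is the only one treated as decisive; the subject and envelope checks are supporting evidence, and the injecting host is returned so the analyst can block or report the connecting IP rather than the (freemail) From address.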
Attachment / Link Samples:
18 December 2013 (Attachment type)
MSG-88494HA29.zip containing MSG-88494HA29.exe
VirusTotal report:
Avast Win32:Dropper-gen [Drp]
ESET-NOD32 Win32/TrojanDownloader.Wauchos.X
F-Prot W32/Trojan3.GVE
Commtouch W32/Trojan.EQAE-3652
TrendMicro TSPY_ZBOT.OBY
DrWeb Trojan.Inject2.23
Sophos Troj/Agent-AFDT
Kaspersky Backdoor.Win32.Androm.bjpn
Symantec Backdoor.Trojan
Malwr.com report:
Installs itself for autorun at Windows startup
File-Analyzer.net report:
Networking
Contains functionality to download additional files from the internet
Urls found in memory or binary data
Downloads files from webservers via HTTP
Found strings which match to known social media urls
Performs DNS lookups
Posts data to webserver
finley.su /new2 /gate.php <-- is this a Zeus/Pony variant?
berges-saint-germain.com /UPC.exe
finley.su /s1.mod
81.177.170.217 /rk.mod
Boot Survival
Stealing of Sensitive Information
Data Obfuscation
HIPS / PFW / Operating System Protection Evasion
Anti Debugging
Virtual Machine Detection
AV process strings found
avp.exe
Domains:
massfloor.ru 5.79.83.20
finley.su 178.160.144.227
berges-saint-germain.com 213.186.33.40
IPs:
213.186.33.40 France
195.186.1.121 Switzerland
5.79.83.20 Netherlands
157.56.77.158 United States
195.186.4.121 Switzerland
81.177.170.217 Russian Federation
178.160.144.227 Armenia
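The attachment is a zip whose only member is an .exe with the same basename, the classic "voicemail as executable" lure. The following is an added example, not code from the original write-up, of the inspection a mail gateway or analyst script can do on such an archive without extracting or running anything: read the member list, check for executable extensions, double extensions and right-to-left-override tricks, a crude zip-bomb ratio, and confirm a PE by its MZ/PE signatures rather than by name. The archives are constructed in memory; the "executable" is a bare MZ/PE header stub with no code, not the real sample, and the limits are illustrative assumptions.

```python
"""Inspect a mail attachment zip for executable payloads, as in MSG-88494HA29.zip.

Added example, not from the original write-up. The archives are constructed in
memory; the 'executable' is a bare MZ/PE header stub with no code, not the real
sample. Limits (max_members, max_ratio) are illustrative assumptions.
"""
import io
import os
import struct
import zipfile

# Extensions Windows will execute directly when double-clicked (illustrative, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}


def fake_pe_stub():
    """A DOS header with e_lfanew = 0x80 pointing at a 'PE\\0\\0' signature; no real code."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)   # 64 bytes, e_lfanew at 0x3C
    return dos + b"\x00" * 64 + b"PE\x00\x00" + b"\x00" * 60


def build_zip(members):
    """Constructed zip archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def is_pe(head):
    """True if the first bytes carry an MZ header whose e_lfanew reaches a PE signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    return head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def inspect_zip(blob, max_members=50, max_ratio=100):
    """Return a list of findings; an empty list means nothing executable was seen."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
        if len(infos) > max_members:
            findings.append(f"{len(infos)} members exceeds limit {max_members}")
        for info in infos[:max_members]:
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            if "\u202e" in name:   # right-to-left override hides the true extension
                findings.append(f"{name!r}: RTLO character in filename")
            if name.count(".") >= 2 and ext in EXECUTABLE_EXTENSIONS:
                findings.append(f"{name}: double extension")
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                findings.append(f"{name}: compression ratio suggests a zip bomb")
            head = zf.open(info).read(0x200)    # header only; never extract fully or execute
            if is_pe(head):
                findings.append(f"{name}: PE executable (MZ/PE signatures)")
            elif ext in EXECUTABLE_EXTENSIONS:
                findings.append(f"{name}: executable extension {ext}")
    return findings


# Constructed stand-in for the campaign attachment, and a harmless control.
SAMPLE_MALICIOUS = build_zip({"MSG-88494HA29.exe": fake_pe_stub()})
SAMPLE_BENIGN = build_zip({"voicemail.txt": b"nothing to hear here\n"})

if __name__ == "__main__":
    print(inspect_zip(SAMPLE_MALICIOUS))
    print(inspect_zip(SAMPLE_BENIGN))
```

Checking the MZ/PE signatures matters because the file name is attacker-controlled: a payload renamed to .dat is still a PE, and a text file named .exe is not.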
19 February 2014 (Link type)
Emails come with a series of links like:
frms.myzen.co.uk /1.html
hargreavesfurniture.co.uk /1.html
troytempest.com /1.html
myjanespa.com /1.html
honeybass.com /1.html
thehomelanddevelopers.com /1.html
gotohongkongspa.com /1.html
glashow-md.com /1.html
armormetalroofing.com /1.html
www.accentjamie.com /1.html
aquahousehibachi.com /1.html
tinysgardenspa.com /1.html
koolitz.com /1.html
pcdresale.com /1.html
theviewoman.com /1.html
walkerstribeca.com /1.html
mojosdeli.com /1.html
hillsideglass.co.za /1.html
ns228746.ovh.net /~laboitea /1.html
suntannailnyc.com /1.html
footfunflushing.com /1.html
sumofl.com /1.html
kosheryamasushi.us /1.html
christmas-goose.co.uk /1.html
aipn.it /1.html
munnarblooms.com /1.html
penplacer.com /1.html
goldroyalties.ca /1.html
www.minka.co.uk /~mnk-ftp /1.html
chinafun88.com /1.html
afflatusgravure.com /1.html
teakoprime.com /1.html
varadacreation.com /1.html
www.seoservicesindia.co /1.html
misaghbikes.ir /1.html
nuknfuts.aisites.com /1.html
mocha7003.mochahost.com /~msimecek /1.html
thericerestaurant.com /1.html
saladshackny.com /1.html
globalstudieschina.com /1.html
nyuslawyers.com /1.html
napolisfrisco.com /1.html
mocha7003.mochahost.com /~hypno /1.html
neseastudentdesigncompetition.org /1.html
cartes-d-affaire.com /1.html
allanteske.com /1.html
partyplancatering.com /1.html
masande.ie /1.html
www.svnhatta.com /1.html
vweb6.manufacture.com.tw /~chanlong /1.html
cmfoodny.com /1.html
malarstwodmw.artist.pl /1.html
go3gift.com /1.html
airportchapel.co.za /1.html
vssportsnetwork.com /1.html
ixora.mschosting.com /~stableco /1.html
kathsimages.co.za /1.html
ajrelax.com /1.html
mocha7003.mochahost.com /~hypnothe /1.html
kaszubyranczo.w.interia.pl /1.html
fashionmassagenorcross.com /1.html
pinpointmedia.tv /1.html
industrial-in.com /1.html
peculiarpresents.co.uk /1.html
newworldinvestor.com /1.html
www.counteract.talktalk.net /1.html
froyocafegardner.com /1.html
hhs1973.com /1.html
theaxiomproject.com /1.html
Each landing page tries to load two or so JavaScript files (served with .txt file extensions) like:
merdekapalace.com /1.txt
www.shivammehta.com /1.txt
which in turn try to redirect the browser to a malware site like:
p22473.typo3server.info /9 /jsanalyzer.aspx
nedapardaz.com /theme /it /browser /_lzf_.php
merkabahcentro.com /xmlbrowser.aspx
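Two things an analyst wants from the lists above: the defanged "host /path" lines turned back into URLs for a blocklist, and a way to spot the chain's first hop (a landing page pulling JavaScript from third-party hosts under a .txt extension) in captured page content. The following is an added example, not code from the original write-up. The landing page HTML is constructed to mirror the chain described above; the IOC lines use the page's own defanged notation.

```python
"""Refang the page's IOC lists and flag the .txt-as-JavaScript loads in a landing page.

Added example, not from the original write-up. LANDING_HTML is constructed to
mirror the chain described on the page: /1.html on a compromised host loading
JavaScript served with a .txt extension from other hosts. The IOC lines mirror
the page's 'host /path' defanged notation.
"""
import os
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SCRIPT_EXTENSIONS = {".js"}


def refang(line, scheme="http"):
    """'merdekapalace.com /1.txt' -> 'http://merdekapalace.com/1.txt' (spaces are the page's defanging)."""
    parts = line.split()
    return f"{scheme}://{parts[0]}{''.join(parts[1:])}"


class ScriptCollector(HTMLParser):
    """Collects every <script src=...> value in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for key, value in attrs:
                if key.lower() == "src" and value:
                    self.srcs.append(value)


def suspicious_scripts(page_url, html):
    """Return (absolute_url, reason) for script loads that are third-party or not .js."""
    collector = ScriptCollector()
    collector.feed(html)
    page_host = (urlsplit(page_url).hostname or "").lower()
    flagged = []
    for src in collector.srcs:
        url = urljoin(page_url, src)          # resolve relative src against the page
        parts = urlsplit(url)
        ext = os.path.splitext(parts.path)[1].lower()
        reasons = []
        if parts.hostname and parts.hostname.lower() != page_host:
            reasons.append("third-party host")
        if ext not in SCRIPT_EXTENSIONS:
            reasons.append(f"script served with {ext or 'no'} extension")
        if reasons:
            flagged.append((url, "; ".join(reasons)))
    return flagged


# Constructed landing page modelled on the chain the page describes.
LANDING_URL = "http://frms.myzen.co.uk/1.html"
LANDING_HTML = """<html><head><title>Loading...</title></head><body>
<script src="/js/site.js"></script>
<script src="http://merdekapalace.com/1.txt"></script>
<script src="http://www.shivammehta.com/1.txt"></script>
</body></html>"""

if __name__ == "__main__":
    for line in ("frms.myzen.co.uk /1.html", "ns228746.ovh.net /~laboitea /1.html"):
        print(refang(line))
    for url, reason in suspicious_scripts(LANDING_URL, LANDING_HTML):
        print(url, "->", reason)
```

The same-origin script on the page is left alone; only the cross-host .txt loads are reported, which is exactly the first hop of the redirect chain. Pass the refanged URLs to a proxy blocklist rather than the raw lines, so the anti-harvesting spaces do not end up in the rules.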