Blogpost: http://bartblaze.blogspot.com/2013/11/malware-spreading-via-skype.html

Malware spreads via Skype. It simply sends the file to all your contacts, nothing more, nothing less (no message inviting you to check out "photos", no call, ...).

### Analysis ###

Known MD5's:
293cc1f379c4fc81a7584c40f7c82410
66def80d6f87f6f79156557172f9f295

Callback to IP's:
88.150.177.162

Callback to domains:
Random & partial DGA(1) - Pattern: http://%random%.aingo.cc

Persistence:
Creates key in: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Injects into: explorer.exe

Sets Proxy: Yes

Type of malware: Caphaw - Banking malware

Technical details

~~
Meta-data
================================================================================
File:    /home/remnux/samples/invoice_171658.pdf.exe_
Size:    360448 bytes
Type:    PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5:     293cc1f379c4fc81a7584c40f7c82410
SHA1:    7bb5b71513e01c2095d37f42c64982a3edb523b5
ssdeep:  3072:fkrImDVQFgEHQPqviUBSnk92oKMcs3JVJXnGcYHmZ52ZgMed1pJ8t/Jpm3dDlnx/:MkpCEwCvi2b92NMxBnUmyZ9o1z8tL
Date:    0x52739069 [Fri Nov 1 11:28:41 2013 UTC]
EP:      0x401270 .text 0/4
CRC:     Claimed: 0x5eb47, Actual: 0x5eb47

Resource entries
================================================================================
Name             RVA      Size    Lang          Sublang          Type
--------------------------------------------------------------------------------
RT_CURSOR        0x532b0  0x134   LANG_RUSSIAN  SUBLANG_RUSSIAN  data
RT_BITMAP        0x536c0  0x1eec  LANG_RUSSIAN  SUBLANG_RUSSIAN  data
RT_BITMAP        0x555b0  0x4e8   LANG_RUSSIAN  SUBLANG_RUSSIAN  data
RT_ICON          0x55a98  0x128   LANG_RUSSIAN  SUBLANG_RUSSIAN  GLS_BINARY_LSB_FIRST
RT_ICON          0x55bc0  0xea8   LANG_RUSSIAN  SUBLANG_RUSSIAN  data
RT_ICON          0x56a68  0x568   LANG_RUSSIAN  SUBLANG_RUSSIAN  GLS_BINARY_LSB_FIRST
RT_ICON          0x56fd0  0x10a8  LANG_RUSSIAN  SUBLANG_RUSSIAN  data
RT_ICON          0x58078  0x468   LANG_RUSSIAN  SUBLANG_RUSSIAN  GLS_BINARY_LSB_FIRST
RT_GROUP_CURSOR  0x533e8  0x14    LANG_RUSSIAN  SUBLANG_RUSSIAN  Lotus 1-2-3
RT_GROUP_ICON    0x584e0  0x4c    LANG_RUSSIAN  SUBLANG_RUSSIAN  MS Windows icon resource - 5 icons, 16x16, 16-colors
RT_VERSION       0x53400  0x2c0   LANG_RUSSIAN  SUBLANG_RUSSIAN  data

Sections
================================================================================
Name    VirtAddr  VirtSize  RawSize  Entropy
--------------------------------------------------------------------------------
.text   0x1000    0xee6     0x1000   5.764246
.rdata  0x2000    0x49ce2   0x4a000  5.440947
.data   0x4c000   0x619c    0x6000   0.012147  [SUSPICIOUS]
.rsrc   0x53000   0x5530    0x6000   3.693765

Version info
================================================================================
LegalCopyright:    gex Copright ls soft
InternalName:      jex MUWEfess dlle
FileVersion:       13, 13, 201, 1241
ProductName:       jox Weaex Apps
ProductVersion:    13, 13, 21, 153
FileDescription:   jex dllx
OriginalFilename:  lexlse.exe
Translation:       0x0419 0x04b0
~~

### Prevention ###

* Check your Skype settings. Only allow contacts to send you messages/files & contact you
* Don't download and run unknown files, especially PE(2) files

### Disinfection ###

* Run a full scan with your installed antivirus product
* Look for suspicious Run keys and delete the associated file(s)
* Run a full scan with another antivirus and/or antimalware product
* Change your Skype password
* Change your proxy back to the original one(3) (usually none)
* Change ALL your other passwords
* Call your bank to ensure there was no unauthorized withdrawal or transaction
* When in doubt, seek advice on a professional malware removal forum(4)

### Conclusion ###

* Follow the prevention tips above
* Use common sense & do not click on or run anything you encounter
* When in doubt, check the file on VirusTotal, for example

# Links #

(1) http://en.wikipedia.org/wiki/Domain_generation_algorithm
(2) http://en.wikipedia.org/wiki/Portable_Executable
(3) http://www.wikihow.com/Change-Proxy-Settings
(4) http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs

@bartblaze
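The callback indicators in the Analysis section (the IP 88.150.177.162 and the DGA pattern http://%random%.aingo.cc) are what a defender would sweep proxy logs for to find infected machines before starting the disinfection steps. The script below is an added example, not part of the original post; it assumes a simple space-separated proxy log format (time, source address, method, URL, status) and runs over constructed sample lines in which only the two indicators are real.

```python
import re

# Indicators from the Analysis section (callback IP, DGA parent domain).
CALLBACK_IP = "88.150.177.162"
CALLBACK_PARENT = "aingo.cc"

# Constructed sample proxy log (assumed format: time src method url status); made up, only the indicators are real.
SAMPLE_LOG = """\
2013-11-05T10:01:12 10.0.0.15 GET http://www.example.com/index.html 200
2013-11-05T10:01:40 10.0.0.15 GET http://q7xk2pd9.aingo.cc/ping 200
2013-11-05T10:02:03 10.0.0.22 GET http://mail.example.com/inbox 200
2013-11-05T10:02:15 10.0.0.15 POST http://88.150.177.162/gate 200
2013-11-05T10:03:50 10.0.0.31 GET http://zv81ms0tqa.aingo.cc/cfg 404
2013-11-05T10:04:02 10.0.0.31 GET http://notaingo.cc/ 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")
HOST_RE = re.compile(r"^https?://([^/:?#]+)", re.IGNORECASE)

def classify_host(host):
    """Return why a host matches the Caphaw callback indicators, or None."""
    host = host.lower().rstrip(".")
    if host == CALLBACK_IP:
        return "callback-ip"
    # Parent domain or any random subdomain of it; a lookalike such as notaingo.cc must not match.
    if host == CALLBACK_PARENT or host.endswith("." + CALLBACK_PARENT):
        return "callback-domain"
    return None

def find_callbacks(log_text):
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not fit the assumed log format
        h = HOST_RE.match(m.group("url"))
        if not h:
            continue
        reason = classify_host(h.group(1))
        if reason:
            hits.append({"ts": m.group("ts"), "src": m.group("src"),
                         "host": h.group(1), "reason": reason})
    return hits

def infected_sources(log_text):
    """Map each internal source address to the callback hosts it contacted."""
    result = {}
    for hit in find_callbacks(log_text):
        result.setdefault(hit["src"], []).append(hit["host"])
    return result
```

Each source address returned by infected_sources is a machine to check for the Run key and explorer.exe injection described above.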