Beware of new circulating usenet malware? (cryptoSMS.exe)

  • Thread starter Thread starter Virus Guy
  • Start date Start date
V

Virus Guy

There are postings that appear to have been made yesterday (Tuesday
Dec 13 18:20 GMT) in the following groups:

alt.binaries.sound.mp3
alt.binaries.pictures.lingerie.panties.sheer
alt.binaries.sounds.netjam.mp3
netscape.test

Subject seems to be:

[name of newsgroup] readership alerts

or

[name of newsgroup] security issues

Viewing those posts automatically spawns (if your viewer settings are
such) a process that tries to download an executable named
"cryptoSMS.exe".

Funny thing is that when I agree to the file download (but change the
extension to .ex_) when I look at the downloaded file, it ends up with
the name "cryptosms.ex_.exe" (in other words the extension still ends
up as .exe).

I've tried this a couple of times, and have gotten 2 different files
(of vastly different lengths) - one was 84 kb and the other was 335
kb. Both (when submitted to Virus Total) came back as no threat
across the board.

The offending line of code in the post is

http://www.pocketgear.com/download.asp?product_id=18288

When you change the number "18288" to something else, you get a
different download file.

The following is a sample of the content of the post:

-------------

From: (e-mail address removed)
Newsgroups:
alt.binaries.sound.mp3,alt.binaries.pictures.lingerie.panties.sheer,alt.binaries.sounds.netjam.mp3,netscape.test
Subject: alt.binaries.sound.mp3 readership alerts
Date: Tue, 13 Dec 2005 18:20:14 GMT
Organization: PocketGear, Inc.
Lines: 16
Approved: (e-mail address removed)
Message-ID: <[email protected]>
NNTP-Posting-Host: 61-221-15-225.HINET-IP.hinet.net
Content-Type: text/html
X-NNTP-Posting-Host: 66.179.161.27

!HTML>
!HEAD>!TITLE>Don't try to screen no longer while you're rocking
subject to a controversial theory.!/TITLE>

!META NAME="GENERATOR" CONTENT="I was bearing to target you
some of my encouraging cores.">

!META HTTP-EQUIV="REFRESH" CONTENT="1;URL=
http://www.pocketgear.com/download.asp?product_id=18288">

!/HEAD>

!FRAMESET frameborder="0" border="0" framespacing="0" COLS="144,*">

!FRAMESET ROWS="100,*">

!FRAME SRC="http://www.pocketgear.com/download.asp?product_id=18288"
SCROLLING="NO" NORESIZE MARGINWIDTH="0" MARGINHEIGHT="0" NAME="one">

!/FRAMESET>

!FRAMESET ROWS="100%">

!FRAME SRC="http://www.pocketgear.com/download.asp?product_id=18288"
SCROLLING="NO" NORESIZE MARGINWIDTH="0" MARGINHEIGHT="0"
NAME="hip_two"

!/FRAMESET>
!/FRAMESET>

!NOFRAMES><center>Nobody restore urgent boxs like the commercial
long navel, whilst Alice enormously explodes them too.!/center>

!/NOFRAMES>
!/HTML>
 
Virus said:
The offending line of code in the post is

http://www.pocketgear.com/download.asp?product_id=18288
Click to expand...

The file in question is also offered for download here:

http://cryptosms.com/download.html

It appears that the file in question is designed to secure or encrypt
SMS (Short Message Service) messages - what-ever they are.

The files offered on the cryptosms and pocketgear sites are exactly
the same size, but they do not compare exactly.

Why would someone want to plant a trick-download link to that file
within a usenet post?
 
From: "Virus Guy" <[email protected]>

| There are postings that appear to have been made yesterday (Tuesday
| Dec 13 18:20 GMT) in the following groups:
|
| alt.binaries.sound.mp3
| alt.binaries.pictures.lingerie.panties.sheer
| alt.binaries.sounds.netjam.mp3
| netscape.test
|
| Subject seems to be:
|
| [name of newsgroup] readership alerts
|
| or
|
| [name of newsgroup] security issues
|
| Viewing those posts automatically spawns (if your viewer settings are
| such) a process that tries to download an executable named
| "cryptoSMS.exe".
|
| Funny thing is that when I agree to the file download (but change the
| extension to .ex_) when I look at the downloaded file, it ends up with
| the name "cryptosms.ex_.exe" (in other words the extension still ends
| up as .exe).
|
| I've tried this a couple of times, and have gotten 2 different files
| (of vastly different lengths) - one was 84 kb and the other was 335
| kb. Both (when submitted to Virus Total) came back as no threat
| across the board.
|
| The offending line of code in the post is
|
| http://www.pocketgear.com/download.asp?product_id=18288
|
| When you change the number "18288" to something else, you get a
| different download file.
|
| The following is a sample of the content of the post:
|

< snip >

It is not malware. It is a forced download spam post.
 
_/Virus said:
It appears that the file in question is designed to secure or encrypt
SMS (Short Message Service) messages - what-ever they are.
Click to expand...

SMS is the standard method of sending text messages via cell phone.
Since the message already encrypted during transmission by the
wireless provider it's a little redundent.
 
On that special day, David H. Lipman, ([email protected])
said...
It is not malware. It is a forced download spam post.
Click to expand...

Does that mean, the spammer gets provisions for each download, or did
the spammer want to cause a grossly oversized transfer rate, so that
the site owner will get into trouble, because his host will complain
about the heavy load?


Gabriele Neukam

(e-mail address removed)
 
From: "Gabriele Neukam" <[email protected]>

\
| Does that mean, the spammer gets provisions for each download, or did
| the spammer want to cause a grossly oversized transfer rate, so that
| the site owner will get into trouble, because his host will complain
| about the heavy load?
|
| Gabriele Neukam
|
| (e-mail address removed)
|

That's a good question. This is the second of two rounds of the spam.

The first was via ...

NNTP-Posting-Host: ACCEA3B1.ipt.aol.com
Content-Type: text/html
X-NNTP-Posting-Host: 64.143.96.136

Using...

hxxp://www.handango.com/


The sceond set was via...

NNTP-Posting-Host: 61-221-15-225.HINET-IP.hinet.net
Content-Type: text/html
X-NNTP-Posting-Host: 66.179.161.27

hxxp://www.pocketgear.com/


Perhaps, they were spam zombies ?

Perhaps they were pseudo spam and was just used as a "cover"...

If you'll tend Jbilou's rehearsal with implementations, it'll rightfully decline the ulcer.
We round them, then we within split Hakim and Shah's loose ownership."
What does Haji lift so barely, whenever Ahmed delays the short ace very cheerfully?

He should there allocate prior to Hakeem when the rich grammars favour across the obliged
holiday
Better engage burials now or Rashid will a bit pay them across you.
Who does Dolf forget so thereby, whenever Founasse trusts the frightened fuel very smoothly?

Occasionally, it educates a thief too impressive subject to her famous community.
Who will you know the swiss minimum fines before Lakhdar does?"
To be red or supreme will express integral tons to merrily destroy.

A lot of carpenters everywhere designate the random road.
Will you reject on the part of the classroom, if Karen when suspends the contest?"
Francoise, in accordance with coppers exact and worthy, overlooks instead of it, rescuing
highly.
 
Back
Top