A closer look at a Swine Flu spam

It’s been just a few days since we started talking about spam using Swine Flu as a way to catch user’s attention to sell pills. This time, however, the message is not very “healthy”:

 

 

The message above is in Portuguese, and goes like this: “For those who still don’t know, the pictures below show the Swine Flu terminal stage, the experts are trying to calm people down, but the pictures show that calm down is the only thing we shouldn’t do. See how the patient becomes in advanced stage”.

 

As we saw yesterday on David’s post, Brazil is the number one source of spam related to Swine Flu. In this case, the spammers use the name and logo of the biggest TV network in Brazil, Rede Globo, to catch user’s attention. But remember, this is a spam; they use this to make users believe that the news is true.

 

Links lead to two different malware files:

 

http://cch.[removed].dk/images/thumb/xxx/alerta.php?atencao=visualizar

=> Foto.29.04.2009.com

 

http://[removed].ru./uploaded/alerta.php?atencao=ver

=> Foto.29.04.2009.jpg.exe

 

They are identified as PWS-Banker-dldr and PWS-banker-gen.g

 

The file Foto.29.04.2009.com is a downloader which drop the URL below as C:\WINDOWS\temp\configura.exe

 

http://201.xx.xxx.xxx/manual/programs/ht/ht/zu/zu/abrir/Pcrazy.gif

 

And this file is identified as PWS-Banker-gen.b

 

This is a common banker malware which overlays a fake image over real the banking site. Here’s an example of a sequence telling the user his account will be suspended if he doesn’t update his information with the bank, then asking him to enter their personal information and even his credit card data: 

 

The information about the hacked machine and banking data are then posted to the sites below:

 

hxxp://[removed-1].100webspace.net/post.php

hxxp://[removed-2].100webspace.net/post.php

hxxp://[removed-3].100webspace.net/post.php

hxxp://[removed-4].100webspace.net/post.php

 

This is the strings appended to the URLs above:

 

tipo=inf&tip=[machinename]+[username]&inf=INFECTADO%0D%0A&

 

But one image inside this malware called our attention. The image below tries to disguise itself as the website for the Brazilian National Security Agency (SENASP), a site used by Brazilian law enforcement agents to research information about Brazilian citizens:

 

 

They attempt to steal usernames and passwords for this site. If the miscreants get access to this site they would be able to get information about any Brazilian citizen they want, even the president. Now tell me about identity theft!

 

As we can see an apparently innocent e-mail could cause your banking information to be stolen and even have more serious implications as the case above.