Name:

Amazon.com Spam Run

Descr. Added:

June 12, 2013

Type:

Trojan

Risk:

Low

Payload:

N/A

At risk systems:

Windows 95/98/ME/XP/NT/2003

Malware problems?   We can help.  Free Removal Tools.

Description:

The latest Amazon.com spam run arrives as the following email:



All the embedded hyperlinks point to one compromised site (goldcoinvault.com). This site will then redirect the user to various malicious payload sites through the use of the following intermediate redirectors:

hxxp://ftp.blacktiedjent.com/mechanic/vaccinated.js
hxxp://piratescoveoysterbar.com/piggybacks/rejoiced.js
hxxp://nteshop.es/tsingtao/flanneling.js




Once the user has been redirected, the loaded website will prompt the user to update a plugin and will automatically download the file “update_flash_player.exe” on to the systems.

After execution of the above file, it communicates back with additional malicious domains and downloads more malware on to the system at the following locations:

%Appdata%\[randome_name]\[random_name].exe   [polymorphic file]
%temp%\[random_name].exe

The websites targeted by the “update_flash_player.exe” file include:

hxxp://forum.xcpus.com:8080/forum/viewtopic.php
hxxp://page10group.com/forum/viewtopic.php
hxxp://page10group.net/forum/viewtopic.php
hxxp://pagetengroup.com/forum/viewtopic.php
hxxp://wordpress.smadget.at/EU3ieg.exe
hxxp://derricoassociati.it/KLGS.exe
hxxp://www.stenocenter.it/BEys1t.exe
hxxp://www.studiolegalelucifora.it/BWfzYjH.exe


Please Note: Thirtyseven4 Antivirus is up-to-date against this threat and Thirtyseven4 has proactively blocked these targeted domains (listed above) via our Browser Protection module.