The latest American Express scam arrives in a user’s inbox as the following HTML-based email:
In the above example, all the embedded hyperlinks point to one compromised site (hxxp://s201964868.onlinehome.xx/typesetting/index.html). This site will then redirect the user to various malicious payload sites through the use of the following intermediate redirectors:
Once the user has been redirected, the loaded website prompts the user to update a plugin and automatically downloads the file “update_flash_player.exe” onto the system.
This file is hosted on several websites:
hxxp://staffcaddie.info/adxxe/update_flash_player.exe
hxxp://staffcaddie.com/adxxe/update_flash_player.exe
hxxp://reportsanywhere.mobi/adxxe/update_flash_player.exe
hxxp://pocketconference.com/topic/helped-double-curxxntly.php?jnlp=73f2baf5f2
After execution of the above file, it communicates back with additional malicious domains and downloads more malware on to the system at the following locations:
Thirtyseven4 has observed that the downloaded malware (two variations) belongs to either the “Zbot” or the “Fareit” malware family, depending on which website the user was redirected to.
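The chain above has two points where a defender can catch it: the lure email, in which every link leads to one host that is not American Express, and the proxy or web-filter log, in which the dropper URL or the filename update_flash_player.exe appears. The script below is an added example written for this post, not Thirtyseven4's own tooling: it extracts the hyperlinks from a constructed sample of the lure, flags the single-off-brand-host pattern, and scans constructed proxy log lines for the hosts and filename listed above. The sample email body, the log line format and the brand domain americanexpress.com are assumptions made for the demonstration.

```python
"""Defensive checks for the phishing chain described in the post.

Added example, not Thirtyseven4's tooling. The sample e-mail and the log
lines are constructed for the demonstration; the indicator hosts and the
dropper filename are the ones listed in the post (kept as written there,
including the 'xx' defanging in the first hostname).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

IOC_HOSTS = {
    "s201964868.onlinehome.xx",
    "staffcaddie.info",
    "staffcaddie.com",
    "reportsanywhere.mobi",
    "pocketconference.com",
}
IOC_FILENAMES = {"update_flash_player.exe"}


class _LinkCollector(HTMLParser):
    """Collects every href value from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.links.append(value.strip())


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _host(url):
    # Treat defanged hxxp:// like http:// so indicator lists can be used as published.
    return urlparse(url.replace("hxxp", "http", 1)).hostname or ""


def _filename(url):
    return urlparse(url.replace("hxxp", "http", 1)).path.rsplit("/", 1)[-1]


def assess_email(html, brand_domain):
    """Verdict on an HTML lure: do all its links go to one host off the brand domain?"""
    hosts = {_host(u) for u in extract_links(html)}
    hosts.discard("")  # mailto:, anchors, relative links carry no host
    off_brand = {h for h in hosts
                 if not (h == brand_domain or h.endswith("." + brand_domain))}
    return {
        "hosts": sorted(hosts),
        "single_offbrand_host": len(hosts) == 1 and hosts == off_brand,
        "known_ioc": bool(hosts & IOC_HOSTS),
    }


def match_iocs(log_lines):
    """Return (line_no, reason) for constructed proxy log lines that hit an indicator.

    Assumed log format: '<timestamp> <client> <method> <url>'; the URL is the last field.
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        fields = line.split()
        if not fields:
            continue
        url = fields[-1]
        if _host(url) in IOC_HOSTS:
            hits.append((n, "host"))
        elif _filename(url) in IOC_FILENAMES:
            hits.append((n, "filename"))
    return hits


# Constructed lure: every link points at the compromised redirector named in the post.
SAMPLE_LURE = """<html><body>
<p>Your American Express account requires attention.</p>
<a href="hxxp://s201964868.onlinehome.xx/typesetting/index.html">View statement</a>
<a href="hxxp://s201964868.onlinehome.xx/typesetting/index.html">Update details</a>
</body></html>"""

# Constructed proxy log: one clean request, the dropper, a same-named file elsewhere,
# and the pocketconference.com download URL from the post.
SAMPLE_LOG = [
    "2014-03-03T10:00:00 10.0.0.5 GET http://www.example.com/index.html",
    "2014-03-03T10:01:02 10.0.0.5 GET http://staffcaddie.info/adxxe/update_flash_player.exe",
    "2014-03-03T10:01:10 10.0.0.5 GET http://cdn.example.net/dl/update_flash_player.exe",
    "2014-03-03T10:02:00 10.0.0.5 GET http://pocketconference.com/topic/helped-double-curxxntly.php?jnlp=73f2baf5f2",
]

if __name__ == "__main__":
    print(assess_email(SAMPLE_LURE, "americanexpress.com"))
    print(match_iocs(SAMPLE_LOG))
```

The filename rule deliberately fires on the cdn.example.net line too: once the hosting sites rotate, the dropper name is the indicator that survives longest, so a filename hit is worth a look even when the host is not on the list.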
Please Note: Thirtyseven4 Antivirus is up-to-date against these threats and Thirtyseven4 has proactively blocked these targeted domains (listed above) via our Browser Protection module.
“Delight yourself in the Lord and he will give you the desires of your heart.” Psalm 37:4