<<<
NEWS FROM THE LAB - Wednesday, March 7, 2007
>>>
 

 
Case Singel.de Posted by Mikko @ 14:19 GMT

Another Nurech variant was spammed out today. The gang behind it has been masquerading as various German organizations when spamming out its malware, including GEZ, the German division of Ikea, and quelle.de.

Today we saw a run of mails claiming to be from a dating site named Singel.de:

[Screenshot: Case Singel]

The mails contained a ZIP attachment, with a file named Singel.de.pdf.exe inside.

When decoding this file, we saw that it attempts to download several more files:

[Screenshot: Case Singel]

Turns out, most of these URLs will not resolve and were probably put in there just to throw us off. However, the link ending with "tss0.txt" does work, returning two lines of text:

[Screenshot: Case Singel]

Now, this looks like a URL encoded with an 8-bit constant, doesn't it?

And in fact, it's encrypted by XORing each byte with 0x02. An easy way to decrypt something like this is to use the Edit feature of the HIEW hex editor.
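The same recovery can be scripted, which helps when the key is not as obvious as 0x02. The example below is added to this write-up (it is not F-Secure's tooling or anything from the sample): it brute-forces a single-byte XOR key over a constructed two-line stand-in for tss0.txt, scores each candidate for URL-like text, and extracts the decoded download URL. The URL in the sample is a placeholder, not the real one.

```python
# Single-byte XOR key recovery for a downloader's fetched text, as in the
# Singel.de case where each byte was XORed with 0x02. Added example, not
# code from the original post. The sample below is constructed.
from string import printable

SAMPLE_KEY = 0x02  # key used only to build the constructed sample
SAMPLE_PLAINTEXT = b"http://example.invalid/placeholder/payload.exe\r\nok\r\n"
SAMPLE_CIPHERTEXT = bytes(b ^ SAMPLE_KEY for b in SAMPLE_PLAINTEXT)
PRINTABLE = set(printable.encode())


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one 8-bit key (what the HIEW Edit trick does)."""
    return bytes(b ^ key for b in data)


def score_plaintext(candidate: bytes) -> int:
    """Higher is more URL-like: reward printable ASCII, punish the rest,
    and give a large bonus when a URL scheme appears."""
    score = sum(1 if b in PRINTABLE else -5 for b in candidate)
    if b"http://" in candidate or b"https://" in candidate:
        score += 50
    return score


def recover_xor_key(data: bytes) -> tuple[int, bytes]:
    """Try all 256 keys and return the best-scoring (key, plaintext)."""
    best_key, best_plain, best_score = 0, data, None
    for key in range(256):
        candidate = xor_single_byte(data, key)
        s = score_plaintext(candidate)
        if best_score is None or s > best_score:
            best_key, best_plain, best_score = key, candidate, s
    return best_key, best_plain


def extract_urls(plaintext: bytes) -> list[str]:
    """Return the decoded lines that look like download URLs."""
    lines = plaintext.decode("ascii", errors="replace").splitlines()
    return [ln.strip() for ln in lines
            if ln.strip().lower().startswith(("http://", "https://"))]


if __name__ == "__main__":
    key, plain = recover_xor_key(SAMPLE_CIPHERTEXT)
    print(f"recovered key: 0x{key:02x}")
    for url in extract_urls(plain):
        print("download URL:", url)
```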

[Screenshot: Case Singel]

And with this we get the decrypted content, which is a link to yet another piece of malware:

[Screenshot: Case Singel]

We're in the process of shutting down the offending site. Also, we detect the dropped samples as Trojan-Downloader:W32/Nurech.BB and the downloaded sample as Trojan.Win32.Agent.aeq.