[nSLUG] apache used to generate spam

Mike Spencer mspencer at tallships.ca
Thu Apr 16 17:43:15 ADT 2009


Donald wrote:

> One more test message arrived today.  The first one to
> arrive during business hours.  Here is the postcat, the same
> as the others, targeting a Brazilian population:
>
> [snip]
>
> http://www.eggisa.com/photos/vignettes/cheque.php?devolvido"

In case you haven't checked, that URL from your captured spam fetches
a UPX-packed W32 executable, cheque-devolvido.exe:

         53248 bytes   packed  MD5sum bdb72a15507219132213a886c7ce3c23
        141824 bytes unpacked  MD5sum 854b66fafeec09c43bab3acfa299a0e0

I have no idea if this is active malware or something else.

"strings cheque-devolvido.exe" (on the upx-unpacked version) doesn't
produce anything that stands out (to my eye, anyhow) except
"crazy_loader".

Google for "crazy_loader" produces one hit:

    http://www.freewebs.com/habbospeeed/The-Crazy_loader.html

Which in turn contains a reference to 200.153.146.181, embedded
SWF and other odds from which I can deduce not very much other than a
Brazilian connection (which you already knew anyhow) and possible
connection to habbo.com VR/gaming system.


FWIW,
- Mike

-- 
Michael Spencer                  Nova Scotia, Canada       .~. 
                                                           /V\ 
mspencer at tallships.ca                                     /( )\
http://home.tallships.ca/mspencer/                        ^^-^^
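The triage Mike describes above (MD5 of the packed and unpacked file, then `strings` on the unpacked one, looking for anything that stands out) is easy to reproduce in a script that works from bytes rather than a file on disk. The following is an added example and is not code from the list or from Mike; the sample byte blob is constructed, the `crazy_loader` marker and the `UPX!` tag check are assumptions used only as a heuristic, and the two MD5 values are the ones quoted in the message, kept so a matching sample can be labelled.

```python
import hashlib
import re

# MD5 values as reported on the list for the two forms of cheque-devolvido.exe
KNOWN_MD5 = {
    "bdb72a15507219132213a886c7ce3c23": "cheque-devolvido.exe (UPX-packed, 53248 bytes)",
    "854b66fafeec09c43bab3acfa299a0e0": "cheque-devolvido.exe (unpacked, 141824 bytes)",
}

MIN_LEN = 4  # same default minimum run length as GNU strings


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte blob, the value `md5sum` would print."""
    return hashlib.md5(data).hexdigest()


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return runs of printable ASCII of at least min_len bytes, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def triage(data: bytes, markers=("crazy_loader",)) -> dict:
    """Hash the blob, pull its strings, flag marker hits and a UPX heuristic."""
    digest = md5_hex(data)
    found = extract_strings(data)
    hits = [s for s in found if any(mk in s for mk in markers)]
    # Heuristic (assumption): a PE starts with "MZ" and UPX leaves a "UPX!" tag
    # in the packed image; absence of the tag does not prove the file is unpacked.
    looks_upx = data.startswith(b"MZ") and b"UPX!" in data
    return {
        "md5": digest,
        "known": KNOWN_MD5.get(digest),  # None unless it matches a listed hash
        "string_count": len(found),
        "marker_hits": hits,
        "looks_upx_packed": looks_upx,
    }


# Constructed sample blob, not the real executable: a fake MZ header, one
# DOS-stub sentence, a short run too small to count, the marker, a UPX tag,
# and a tail of non-printable bytes.
SAMPLE = (
    b"MZ\x90\x00" + b"\x01\x02\x03"
    + b"This program cannot be run in DOS mode" + b"\x00\x00"
    + b"ab" + b"\x00"
    + b"crazy_loader" + b"\x00\xff"
    + b"UPX!" + bytes(range(0, 32))
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    for key, value in report.items():
        print(f"{key:18} {value}")
```

Running the script on a real file means `triage(open(path, "rb").read())`; do that on the UPX-unpacked copy as well as the packed one, since the strings worth reading are mostly invisible until the image is unpacked, which is why the message runs `strings` on the unpacked version.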


