[nSLUG] apache used to generate spam

Mike Spencer mspencer at tallships.ca
Thu Apr 16 17:43:15 ADT 2009

Donald wrote:

> One more test message arrived today.  The first one to
> arrive during business hours.  Here is the postcat, the same
> as the others, targeting a Brazilian population:
> [snip]
> http://www.eggisa.com/photos/vignettes/cheque.php?devolvido"

In case you haven't checked, that URL from your captured spam fetches
a UPX-packed W32 executable, cheque-devolvido.exe

         53248 bytes   packed  MD5sum bdb72a15507219132213a886c7ce3c23
        141824 bytes unpacked  MD5sum 854b66fafeec09c43bab3acfa299a0e0

I have no idea if this is active malware or something else.

"strings cheque-devolvido.exe" (on the upx-unpacked version) doesn't
produce anything that stands out (to my eye, anyhow) except

Google for "crazy_loader" produces one hit:


Which in turn contains a reference to, embedded
SWF and other odds from which I can deduce not very much other than a
Brazilian connection (which you already knew anyhow) and possible
connection to habbo.com VR/gaming system.

- Mike

Michael Spencer                  Nova Scotia, Canada       .~. 
mspencer at tallships.ca                                     /( )\
http://home.tallships.ca/mspencer/                        ^^-^^
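A small triage helper in the spirit of the checks above (size, MD5 of a sample, a UPX-packing hint, and a rough "strings" pass). This is an added example, not Mike's tooling, and it runs on a constructed byte string rather than the real file; the UPX hint relies on the section names (UPX0/UPX1) and "UPX!" signature the packer is known to leave behind.

```python
import hashlib
import re

# Markers the UPX packer leaves in a packed PE: its section names and the
# "UPX!" signature in the packer header. Presence is a strong hint, not proof.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def md5_hex(data: bytes) -> str:
    """MD5 of a sample, the same value 'md5sum' prints."""
    return hashlib.md5(data).hexdigest()


def looks_upx_packed(data: bytes) -> bool:
    """True if any well-known UPX marker appears anywhere in the file."""
    return any(marker in data for marker in UPX_MARKERS)


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Rough equivalent of 'strings': runs of printable ASCII of min_len or more."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def triage(data: bytes) -> dict:
    """Summarise a sample the way the post does: size, MD5, packer hint, strings."""
    return {
        "size": len(data),
        "md5": md5_hex(data),
        "upx_packed": looks_upx_packed(data),
        "strings": printable_strings(data),
    }


# Constructed stand-in for a packed sample (not real malware): a fake DOS/PE
# header, UPX section names, non-printable filler and one notable string.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
    + b"UPX0\x00\x00\x00\x00" + b"UPX1\x00\x00\x00\x00"
    + b"\x01\x02\x03" + b"crazy_loader" + b"\xff\xfe"
)

if __name__ == "__main__":
    # In practice: triage(open("cheque-devolvido.exe", "rb").read())
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it once on the packed file and once on the upx-decompressed copy to get both hashes the way the post lists them.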
