Malwarebytes

postcard.exe and ikea.exe


4 replies to this topic

#1
Ecrofirt

    New Member

  • Members
  • 5 posts
Our campus recently got hit by two fake email messages claiming to be from Hallmark and Ikea. Both contained the typical zip file attachment (postcard.zip and ikea.zip, respectively), and each had an executable inside the zip (postcard.exe and ikea.exe, respectively).

When users run the postcard executable, it opens a simple Windows form that looks like this:
Posted Image

The ikea file doesn't have a visible form for the end user.

Through some packet sniffing, we've been able to figure out that the files resolve the external IP address of the PC they're on (by connecting to whatismyip.com), then send this information to random sites on the internet, download some files from the internet, and use a packed-in SMTP client to mass email copies of the virus to other people.

The files also seem to infect PCs with a ton of Vundo dlls. The combination of ComboFix and MBAM appears to remove all of the threatening Vundo dll files, but neither scanner picks up 2 specific files that are unpacked from within the executables. These files are as follows:
mf.exe
javare.exe

I do not know if these files are not being picked up because they aren't actually dangerous, or if it's just because no signatures exist for them yet. I've attached postcard.zip to this post, and I will reply to this post with a copy of ikea.zip.

For obvious reasons, only extract and run these files under extreme caution.

Attached Files



#2
Ecrofirt

    New Member

  • Members
  • 5 posts
OK, I didn't realize I had a global 500k limit. Here are the files:
hxxp://nformant.net/mbam/ikea.zip
hxxp://nformant.net/mbam/postcard.zip

Again, these files seem to extract mf.exe and javare.exe to system32, neither of which is currently picked up by MBAM.
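The behaviour described in posts #1 and #2 (an external-IP lookup against whatismyip.com followed by a burst of outbound SMTP connections, plus mf.exe and javare.exe dropped into system32) can be turned into simple detection logic. The script below is an added example, not code from the poster or from Malwarebytes; the log line format, the time window, the SMTP-destination threshold and the sample log lines are all constructed assumptions.

```python
"""Added example (not from the thread): flag hosts that look up their external
IP via whatismyip.com and then contact many distinct SMTP servers, and check a
system32 listing for the dropped file names reported in the thread."""
from collections import defaultdict
from datetime import datetime, timedelta

IP_LOOKUP_HOSTS = {"whatismyip.com", "www.whatismyip.com"}  # named in post #1
SMTP_PORTS = {25, 587}
DROPPED_FILES = {"mf.exe", "javare.exe"}  # file names reported in the thread
WINDOW = timedelta(minutes=10)   # assumption: correlation window after the lookup
SMTP_THRESHOLD = 5               # assumption: distinct mail servers that count as "mass mail"

# Constructed sample log lines; assumed format: "<iso timestamp> <src ip> <dst host or ip> <dst port>".
SAMPLE_LOG = """\
2009-01-16T10:00:01 10.1.2.30 whatismyip.com 80
2009-01-16T10:00:04 10.1.2.30 198.51.100.10 80
2009-01-16T10:00:09 10.1.2.30 mx1.example.net 25
2009-01-16T10:00:10 10.1.2.30 mx2.example.net 25
2009-01-16T10:00:11 10.1.2.30 mail.example.org 25
2009-01-16T10:00:12 10.1.2.30 203.0.113.7 25
2009-01-16T10:00:14 10.1.2.30 203.0.113.8 25
2009-01-16T10:00:15 10.1.2.30 mx.example.com 25
2009-01-16T10:01:00 10.1.2.31 whatismyip.com 80
2009-01-16T10:01:30 10.1.2.31 smtp.campus.example 25
2009-01-16T10:02:00 10.1.2.32 mx1.example.net 25
2009-01-16T10:02:01 10.1.2.32 mx2.example.net 25
2009-01-16T10:02:02 10.1.2.32 mx3.example.net 25
2009-01-16T10:02:03 10.1.2.32 mx4.example.net 25
2009-01-16T10:02:04 10.1.2.32 mx5.example.net 25
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_mailer_hosts(log_lines, window=WINDOW, threshold=SMTP_THRESHOLD):
    """Return {src_ip: distinct_smtp_targets} for hosts whose whatismyip.com
    lookup is followed, within `window`, by SMTP traffic to >= `threshold`
    distinct destinations. A host with SMTP traffic but no lookup (e.g. a real
    mail server) is not flagged; a host with a lookup and ordinary mail use is not either."""
    lookups = defaultdict(list)   # src -> [lookup timestamps]
    smtp = defaultdict(list)      # src -> [(timestamp, dst)]
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = parse_line(line)
        if dst.lower() in IP_LOOKUP_HOSTS:
            lookups[src].append(ts)
        elif port in SMTP_PORTS:
            smtp[src].append((ts, dst))

    flagged = {}
    for src, times in lookups.items():
        for t0 in times:
            targets = {dst for ts, dst in smtp.get(src, []) if t0 <= ts <= t0 + window}
            if len(targets) >= threshold:
                flagged[src] = len(targets)
                break
    return flagged


def find_dropped_files(listing):
    """Given an iterable of file names (e.g. from %SystemRoot%\\system32),
    return those matching the names reported in the thread, case-insensitively."""
    return sorted(name for name in listing if name.lower() in DROPPED_FILES)


if __name__ == "__main__":
    print("hosts matching the lookup-then-mass-SMTP pattern:",
          find_mailer_hosts(SAMPLE_LOG.splitlines()))
    # Constructed directory listing standing in for a real system32 scan.
    print("suspicious files:",
          find_dropped_files(["kernel32.dll", "MF.EXE", "javare.exe", "notepad.exe"]))
```

On the constructed log, only 10.1.2.30 is flagged: it performs the lookup and then reaches six distinct SMTP servers within the window. 10.1.2.31 does the lookup but only talks to one relay, and 10.1.2.32 sends plenty of mail but never did the lookup, so neither is reported. The two checks are independent so that either one firing is a reason to pull the host for a closer look.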

#3
Jaxryley

    Forum Deity

  • Malware Hunters
  • 6,718 posts
  • Gender:Male
  • Location:West Aussie
  • Interests:Gardening and computers.

Quote

File postcard.exe received on 01.17.2009 04:21:34 (CET)
Current status: finished
Result: 26/39 (66.67%)
File size: 350208 bytes
Virus Total

Quote

File ikea.exe received on 01.17.2009 04:21:25 (CET)
Current status: finished
Result: 26/39 (66.67%)
File size: 350208 bytes
Virus Total

#4
Ecrofirt

    New Member

  • Members
  • 5 posts
Perhaps I should have made this post about javare.exe and mf.exe, which are files extracted by postcard.exe and ikea.exe. Neither of these was picked up by MBAM during scans with fully up-to-date installs yesterday.

http://www.threatexpert.com/report.aspx?md...90a5fb93d1465c6
http://spywarefiles.prevx.com/spywarefiles...?FXC=HAGJ251660

#5
MysteryFCM

    Forum Deity

  • Moderators
  • 4,231 posts
  • Gender:Male
  • Location:Tyneside, UK
http://hphosts.blogspot.com/2009/01/ikea-m...acceptable.html

;)
Steven Burn
Research Engineer
