From: Urgent
Submitted: Wednesday, 30 November 2011 23:19
Subject: Outstanding traffic fines

Date of issue: 30/11/2011 Republica Argentina

Dear Contributor,

We have detected in our Traffic Fines System (SMTA) several infractions committed by your vehicle; since you did not present yourself at the corresponding misdemeanor court, we forward the fines with their respective photos.

If you do not regularize the corresponding infractions within 90 days from the date of issue of this communication, your vehicle will be reported as a debtor and will become part of the Veraz, in accordance with Law No. 12.549 of 1/04/2008.

The inclusion of your vehicle in the Veraz will prevent you from regularly selling your vehicle in the Argentine Republic.

We attach in this report the infractions committed: PHOTO 1 - PHOTO 2 - PHOTO 3 (harmful links)

(Article 127, 2 of Automotive Tax and Articles 3 and 7 of Resolution No. 629/001) The owner of the vehicle is notified by this means.

The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer.

@transito.gov.ar>

The links lead to the following sites, although surely in the next few hours the criminals will change them:

http://www.aviaco[DELETED].com/js/Notification.exe
http://www.flowerk[DELETED].se//layout/Notification.exe
http://viz[DELETED].org/en/products//vz222/Notification.exe

The Notification.exe file is detected by few antivirus engines. It is a downloader Trojan, developed in Delphi and packed with UPX, which downloads a second file from http://jupiterprosthodon[DELETED].com/images/android.exe.
This second file is a banking Trojan, also developed in Delphi and packed with UPX, which copies itself into the user's profile (C:\Documents and Settings\[USER]\Local Settings\Program Data\Unilessss\Winservices.exe) and runs from there. Once unpacked, the file is 27 MB in size. In this particular attack it targets customers of the Argentine banks Patagonia, Galicia, Francés, Comafi, StandardBank and Santander Río, in order to steal their online banking information.
Once the user is infected and visits the website of any of the banks mentioned, the malware takes control of the session: it removes the browser from memory and replaces the bank's website with its own form, which asks the user for their banking details and then sends them to the criminal. This image shows the fake form:
Once captured, the data is sent to a form hosted at www.houseimmobil[DELETED].it/php/fostem.php, "encrypted" in hexadecimal (that is, merely hex-encoded, not actually encrypted).
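Because the stolen form data is only hex-encoded, a defender can decode it straight out of a web proxy log and confirm what left the network. The following is an added example (not code from Segu-Info or from the malware) that scans constructed proxy log lines of the form `METHOD URL BODY`, decodes any POST body that consists purely of hex digits, and flags bodies that contain credential-like field names; the log lines, the field names and the `usuario=...` sample are assumptions made up for the example.

```python
import re
from typing import List, Optional

# Constructed sample: one hex-encoded POST body as the Trojan's collection
# form would receive it. The plaintext is hex-encoded here so the reader can
# see exactly what the "encrypted" body contains.
SAMPLE_PLAINTEXT = "usuario=juan&clave=abc123&banco=PATAGONIA"
SAMPLE_LOG = (
    "POST http://www.example-bank.test/login usuario=juan&clave=abc123\n"
    "POST http://www.houseimmobil[DELETED].it/php/fostem.php "
    + SAMPLE_PLAINTEXT.encode("latin-1").hex() + "\n"
    "GET http://www.example.test/index.html -\n"
    "POST http://cdn.example.test/upload deadbeef\n"
)

HEX_BODY = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
# Field names (Spanish and English) that indicate banking credentials.
CREDENTIAL_KEYS = ("usuario", "clave", "password", "pin", "cuenta", "tarjeta")


def decode_hex_body(body: str) -> Optional[str]:
    """Return the decoded text if `body` is entirely hex digits, else None."""
    if len(body) < 8 or not HEX_BODY.match(body):
        return None
    try:
        return bytes.fromhex(body).decode("latin-1")
    except ValueError:
        return None


def find_hex_exfil(log_text: str) -> List[dict]:
    """Flag POST requests whose hex-decoded body carries credential fields."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3 or parts[0] != "POST":
            continue
        _, url, body = parts
        decoded = decode_hex_body(body)
        if decoded is None:
            continue
        lowered = decoded.lower()
        fields = [k for k in CREDENTIAL_KEYS if k + "=" in lowered]
        if fields:
            hits.append({"url": url, "decoded": decoded, "fields": fields})
    return hits


if __name__ == "__main__":
    for hit in find_hex_exfil(SAMPLE_LOG):
        print(hit["url"], "->", hit["fields"], "|", hit["decoded"])
```

The plain-text login on the first line is not flagged because it is not hex, and the short `deadbeef` body decodes to no credential field; only the hex-encoded submission to the collection script is reported, with its decoded content.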
Cristian from the Segu-Info Newsroom