This particular case is spread by spam with the following email:
As can be seen, the link does not lead to Gusanito but the criminals are using the service of the company Track EmailMarketing to deceive the user and also this service allows them to know how many users have downloaded the supposed postcard (a malware).It should be noted that this service is paid but offers a trial version that can be used without any problem for these harmful purposes.
If the link is tracked, the actual server where the executable file is located see_postal.exe is reached:
The executable file is located on the servers of an educational institution in Peru and is a Trojan developed in Mexico, in Visual Basic language and is detected by some antivirus.Update 1: I just verified that this is a Trojan that connects to a server in Mexico to send different data from the user's system and their passwords stored in Internet Explorer, Firefox and MSN. Once executed the Trojan is added to the auto-boot key of the operating system and establishes a connection to the server and sends the following information via GET and receives instructions in a Command encoded in Base64:
Also at the bottom you can verify the domain information and the name of your (supposed) registrant. I am struck by the supposed place of residence, a city that I like and appreciate very much.Update 2: After our complaint to the company that provides the DNS service to the criminal, this was the response:
If words... at least they responded quickly.Luckily with Track Email Marketing we had better luck and the account has been canceled.
Update 3: Continuing with the investigation of this harmful site we have come to the real business of this criminal who is dedicated to computer investigations:
At least they make clear their techniques of brute force and social engineering, that is, sending false postcards like those that gave rise to this post. In addition, someone may be interested in advertising on your site.
Update 4: They can now vote the site as harmful in MyWot and so other users don't fall into the trap.
Cristian from the Segu-Info Newsroom
