** 1/14/2012 Updated with more Initial Landing Points, and new Subject Characteristics. **
The current infection process is the same:
- Receive a phishing email about a package
- Download a ZIP file with Receipt.exe in it
- Open the malicious EXE; it injects into svchost.exe, which calls home
- Calls home for the 2nd stage, trying multiple IPs until one connects successfully
- Finishes the infection
- Machine is unusable.
Each email differs in sender, subject, landing URL and order number, but the subject follows a template:
- Different sender
- Different subject; it starts with:
  - Tracking IR
  - Tracking Number
  - 1 letter in ()
  - 2-3 letters following
  - No space between the last letter and the numbers
  - Example subject: FW: Tracking ID (t)hia53 120 120 5339 5339
- URL for the receipt is somewhat unique:
  - http://druckerpatronen-1x1.de/AEPDVJYDTS.php?receipt=798_15525##### where each # is a random digit
- Order number in the body is different.
Initial Landing Links for the ZIP file:
The .php?receipt=79 fragment has been seen in every link received.
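An added example (not from the original post) that turns the subject template and the .php?receipt=79 landing-link fragment described above into mail-gateway detection rules; the sample messages are constructed for the demonstration, and only the first subject and domain are from the post.

```python
import re

# Subject template from the post: optional "FW:", "Tracking ID/IR/Number",
# one letter in parentheses, 2-3 letters, digits with no space before them,
# then optional further groups of digits.
SUBJECT_RE = re.compile(
    r"^(?:FW:\s*)?Tracking\s+(?:ID|IR|Number)\s+"
    r"\([A-Za-z]\)[A-Za-z]{2,3}\d+(?:\s+\d+)*\s*$",
    re.IGNORECASE,
)

# Landing link: random upper-case script name, then .php?receipt=79... ,
# which the post reports on every link seen.
URL_RE = re.compile(r"https?://[^/\s]+/[A-Z]{6,14}\.php\?receipt=79\d*_?\d+")


def is_campaign_subject(subject: str) -> bool:
    """True when the subject line matches the campaign's tracking-ID template."""
    return SUBJECT_RE.match(subject.strip()) is not None


def is_landing_url(url: str) -> bool:
    """True when the URL matches the receipt landing-page pattern."""
    return URL_RE.search(url) is not None


def triage(messages):
    """Return the subjects of messages whose subject OR link matches the campaign.

    Each message is a (subject, url_or_None) pair. Either indicator alone flags
    the mail, so a new sender or a new landing domain does not hide it.
    """
    flagged = []
    for subject, url in messages:
        if is_campaign_subject(subject) or (url and is_landing_url(url)):
            flagged.append(subject)
    return flagged


# Constructed sample messages (hypothetical except the first subject and domain).
SAMPLE_MESSAGES = [
    ("FW: Tracking ID (t)hia53 120 120 5339 5339",
     "http://druckerpatronen-1x1.de/AEPDVJYDTS.php?receipt=798_1552512345"),
    ("Tracking Number (q)xz9012 4451", None),
    ("Tracking ID (t)hia 53", None),  # space before the digits: not the template
    ("Your package has shipped", "http://example.invalid/track.php?id=42"),
    ("Invoice", "http://example.invalid/QWERTYUIOP.php?receipt=7901_998877"),
]

if __name__ == "__main__":
    for subject in triage(SAMPLE_MESSAGES):
        print("FLAGGED:", subject)
```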