I'll Have a 419 With a Side Order of Malware, Please....

No this isn't about an order being placed at my local Chinese restaurant or takeaway; their menu item number don't go up that far, believe me I have checked ;-).

So for starters, let me show you a screenshot of an e-mail I received this morning:



Looks like a pretty typical 419 scam e-mail doesn't it? A little more terse than usual, I'll grant you, but still a 419 scam, hang on it has an attachment, most unusual! Here's a screenshot showing the attached file:



An executable file, very suspicious and most unusual for it to be attached to a 419 scam. I wonder what the Bad Guys and Girls from Lagos are up to now? I think a bit of testing and investigation is in order, don't you?

Some details on the executable file first:

FileName: 108 3386 8257.exe
FileDateTime: 26/06/2008 11:38:39
Filesize: 303842
MD5: 3e5480b34a38d2dc5e1f45f561c7d5f2
CRC32: F7A3CF76
File Type: PE Executable

Which is a WinRAR SFX [executable archive] and this contains the following files:

108 3386 8257.txt
gbt.exe
gbthk.dll
inst.dat
kw.dat
pk.bin
rinst.exe

So, let me extract the files, no not by running the RAR SFX file, as that would infect my system with the malware contained inside it.

Of these only one is a true executable file, this is:

FileName: rinst.exe
FileDateTime: 24/06/2007 21:08:18
Filesize: 19456
MD5: f3d0beef15eb987dbcec8e803bf6c89d
CRC32: 94F8865E
File Type: PE Executable

This file "rinst.exe" is packed using Armadillo and the executable itself appears to be written using Microsoft Visual C++.

This is the main installation file, and if you are foolish enough to run the attachment, all the enclosed files are dropped to "C:\WINDOWS\TEMP\RarSFX0" and then it proceeds to run "rinst.exe" to perform the install of the malcode; in this case it also tries to identify and kill any recognised anti-malware tools. Once installed it attempts to load the "108 3386 8257.txt" file which contains the following text:

MTCN CONTROL NUMBER 108 3386 8257
AMOUNT : $3,450USD
RECIEVER : JONATHAN NWEKE,LAGOS NIGERIA

The rest of the files appear to be obfuscated files that are part of the installation of a keylogger, so not only is this malware attempting to kill any security defences you have in place, it is also trying to record what you type, etc. Nasty!

So next time you receive a 419, have a closer look and see if the Bad Guys and Girls from Lagos have included an attachment to get you to infect your computer and steal your personal data. It seems that they have finally learned that this is now a multi-billion dollar business, and if they fail to adapt then they will either get left behind or other professional cyber-criminals will take their traditional business away from them.

If you want to know more about 419 scams and their genesis, then you can find more here.

Right, back to my analysis of this to find out what else it does...