Archive for the ‘Win32/Winwebsec’ Category

Slick links linked to slinky Winwebsec

May 3rd, 2011 No comments

I recently received a spam email from a friend and immediately notified him of a potential malware infection. He insisted his technician had taken care of the infection once and for all. After I returned from my vacation I received another three spam mails from him, so this time I decided to look further.

Message 1, about two weeks old, contained a simple URL shown as ‘’. The hyperlink actually pointed to a different site, “”, which had already been taken down by the time I tested it in our lab.

Message 2 contained another URL, also displayed as ‘’, and this time the hyperlink pointed to yet another site, “”. As of April 27 the site was still alive and appeared to be a fake online pharmacy:

Image 1 – fake pharma site


Message 3 arrived only a few days ago, and it too used the ‘’ ruse. The message contained a single line of content, with a displayed link of ‘’ and an actual hyperlink of “”. I turned to fellow researcher Tim to investigate. Below is a short summary of what he discovered.

Visiting the URL installs a program with the file name “pack.exe” (SHA1: 6286972A5DA540E058DD2AEDFC38B6061FF67F14). A quick search at VirusTotal, an online service that scans submitted samples with multiple security scanners, showed no detection by any security vendor at the time.

When I ran the program, a familiar interface popped up – it was the rogue Win32/Winwebsec:

Image 2 – Win32/WinWebsec rogue


And now, they want $99.95 for it:

Image 3 – purchase lure


After having a peek at the HTML code of the malicious website, we found that an exploit kit was being used to install rogues via a “drive-by-install” method. The kit is similar to the known “Zombie Infection Kit” and the “Siberia exploit kit”, and it includes the following exploitation methods:


Image 4 – CVE-2006-0003 – Microsoft Data Access Components (MDAC) Vulnerability


Image 5 – CVE-2010-0886 – Java Deployment Toolkit Vulnerability


Image 6 – CVE-2010-1885 – Microsoft Windows Help and Support Center Vulnerability

If these exploit methods look familiar, that is because they are exactly the exploits heavily used by the toolkits that distribute Zbot (aka Zeus). The rogue installed by the web page mentioned above is detected as Rogue:Win32/Winwebsec.

If you only draw one conclusion from our research, let it be “don’t click on suspicious links”.
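The ruse in all three messages is an anchor whose visible text is one address while its href leads somewhere else. The following is an added example, not code from the original post or from MMPC, of a mail-triage check that parses an HTML body and reports such anchors; the domains in the constructed sample body are placeholders, since the real URLs are not reproduced above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Host of a URL or bare hostname, lower-cased, with any leading 'www.' dropped."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def mismatched_links(html):
    """Return [(shown_text, href)] for anchors whose visible text looks like a URL
    but whose href leads to a different host (the displayed-vs-actual link ruse)."""
    collector = _AnchorCollector()
    collector.feed(html)
    url_like = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)
    return [(text, href) for href, text in collector.anchors
            if url_like.fullmatch(text) and _host(text) != _host(href)]

# Constructed sample body (placeholder domains, not the ones from the spam): one anchor
# shows a trusted-looking address but points elsewhere, the others are consistent.
SAMPLE_HTML = (
    '<p>Check this out: <a href="http://bad.example.net/x">www.trusted.example.com</a></p>'
    '<p>See also <a href="https://www.trusted.example.com/">trusted.example.com</a>'
    ' and <a href="http://other.example.org/">click here</a></p>'
)

if __name__ == "__main__":
    for shown, real in mismatched_links(SAMPLE_HTML):
        print(f"displayed {shown!r} but links to {real!r}")
```

Anchors whose text is a plain phrase such as “click here” are not flagged, because there is no displayed address for the href to contradict.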


–Tim Liu & Scott Wu, MMPC

Trojan downloader Chepvil on the UPSwing

March 26th, 2011 Comments off

A new spam campaign using UPS (United Parcel Service) as a social-engineering lure was launched this week. The spammed message contains an attachment, detected as TrojanDownloader:Win32/Chepvil.I. The campaign actually started around March 16th 2011. The threat was originally detected as Backdoor:Win32/Hostil.gen!A (previously Backdoor:Win32/Hostil.F). More specific signatures (TrojanDownloader:Win32/Chepvil.I and TrojanDownloader:Win32/Chepvil.J) were added on March 22nd 2011.

Win32/Chepvil is a trojan that downloads other malware such as Rogue:Win32/Winwebsec, Rogue:Win32/FakeRean, Backdoor:Win32/Cycbot.B and VirTool:Win32/Injector.gen!BG. The retrieved malware is saved to the %TEMP% folder and then executed. Microsoft Malware Protection Center has noticed that detections over the past few days have gone from a handful to around 400k per day.

The majority of these detections come from the antimalware technology protecting our Hotmail customers, which clearly indicates the vector: spam. At the time of writing, we have also received a few reports of account holders at other online email services receiving this trojan via spam.

Below is a chart indicating observed telemetry of this trojan over a short period of time:

Image 1 – Chepvil telemetry

Nearly all of the attached files are named “United Parcel Service”.

The most prevalent SHA1s for the .ZIP attachment are:

The most prevalent SHA1s for the .EXE trojan within the .ZIP archive are:

Our geographical data from our endpoint protection products show a heavy focus on the United States:

Image 2 – Chepvil telemetry by geography

Below is one example of a spammed message containing the Chepvil trojan.


Image 3 – Sample of Chepvil trojan attachment

MMPC customers are protected against this threat by the signature TrojanDownloader:Win32/Chepvil.I.


– Holly Stewart, Joe Faulhaber, Jaime Wong & Patrick Nolan