New backdoor threat in spam email using recording artist names
If I got this, you will too. Be on the lookout for a spam email with the name of a major female recording artist in the subject and a message body claiming to link to a video or mp3 file. Clicking that link downloads, and possibly executes, a file named mgp.exe, which AVG identifies as Backdoor IRCBOT.DNZ. Activating this threat hands control of your PC to attackers who direct it through IRC channels and commands. After that, there is no telling what other malware or spam-ware will be installed on your computer.
The file I tested (mgp.exe) is 61.5 KB in size and was delivered from a compromised Italian website, AlterVista.org, whose IP address range is 75.126.135.128 - 75.126.135.143, hosted on servers leased from Softlayer, Inc.
Those of you who use my exploited servers blocklist are already aware that Softlayer's IP range is in the list of servers being exploited for spam and hosting malware. The IP range is expressed in what is known as CIDR notation, and in the case of Softlayer the CIDR to block is 75.126.0.0/16, which covers all IP addresses from 75.126.0.0 through 75.126.255.255. The CIDR assigned to the infected Italian website is 75.126.135.128/28. This message has already been reported to SpamCop by numerous reporting recipients. They will notify the companies involved in hosting this malware threat, but the timing of this spam run is no coincidence. It was released on the Easter long holiday weekend, when support personnel may be out or short-handed until Tuesday, in the hope of maximizing the lifetime of the ruse.
If you have control over incoming email on your web server, you may wish to apply a filter to block traffic from these CIDRs, unless you have business with websites hosted there. Otherwise, create a filter to block email where the Subject contains both "Stunning video" and "Carmen Electra" and the body contains both "Only 1 day trial" and "download it now."
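To show how the two filters above fit together, here is an added example (not part of the original post) that computes the address range a CIDR covers, checks a connecting IP against the two blocks named above, and applies the subject-and-body phrase rule to a sample message constructed from the spam text quoted later in the post. The sender IPs and message are constructed for illustration; the `{link removed}` placeholder is kept as in the post.

```python
import ipaddress
from email import message_from_string

# CIDRs named in the post: Softlayer's whole range and the /28 of the
# compromised AlterVista host.
BLOCKED_CIDRS = [ipaddress.ip_network("75.126.0.0/16"),
                 ipaddress.ip_network("75.126.135.128/28")]

# Content rule from the post: every subject phrase AND every body phrase
# must be present (matched case-insensitively).
SUBJECT_PHRASES = ("stunning video", "carmen electra")
BODY_PHRASES = ("only 1 day trial", "download it now")


def cidr_bounds(cidr):
    """Return (first, last) address covered by a CIDR block as strings."""
    net = ipaddress.ip_network(cidr)
    return str(net[0]), str(net[-1])


def ip_is_blocked(ip):
    """True if the connecting IP falls inside any blocked CIDR."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_CIDRS)


def content_matches(msg):
    """True if an email.message.Message matches the phrase rule."""
    subject = (msg.get("Subject") or "").lower()
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    return (all(p in subject for p in SUBJECT_PHRASES)
            and all(p in body.lower() for p in BODY_PHRASES))


def classify(raw_message, sender_ip):
    """Return 'block:ip', 'block:content' or 'accept' for one message."""
    if ip_is_blocked(sender_ip):
        return "block:ip"
    if content_matches(message_from_string(raw_message)):
        return "block:content"
    return "accept"


# Constructed sample assembled from the spam text quoted in the post.
SAMPLE = """\
From: sender@example.invalid
Subject: Stunning video without cowards Carmen Electra

Milla Jovovich Interesting video with a naked celebrity.
The video is Kick-up!
Only 1 day trial - get this Full mp3 now!
{link removed} Download it now!
"""
```

Calling `cidr_bounds("75.126.135.128/28")` yields `("75.126.135.128", "75.126.135.143")`, the range given above, and `classify(SAMPLE, "203.0.113.7")` returns `"block:content"` because the IP is outside both CIDRs but the phrase rule fires.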
The full text of the spam threat I examined is as follows...
Subject: Stunning video without cowards Carmen Electra
Message Body:
Milla Jovovich Interesting video with a naked celebrity.
The video is Kick-up!
Only 1 day trial - get this Full mp3 now!
{link removed} Download it now!
Read about what you should do if you have already clicked on such a link in my extended comments...
If you have already clicked on the link, you should scan your computer immediately with the most up-to-date anti-virus definitions for your anti-virus program. Also, empty your browser's cache (Temporary Internet Files) to delete the copy that is hiding in that location. If your anti-virus subscription has expired, the program is useless and you may as well uninstall it and replace it with something up to date and functional. You will either need to purchase a subscription to a commercial anti-malware program or download a free one, like AVG or Avast. Free programs are alright for casual use, but don't give you anywhere near the protection and frequency of updates that a paid version offers. I have links to some well respected anti-virus programs at the end of this section.
Most anti virus vendors already have released definitions to identify this Backdoor Trojan and will delete it if you haven't already activated the executable. If the virus is already installed they will remove it, but you may need to reboot and scan again. If you have already shut down your computer since becoming infected with this backdoor threat, you may also have to disable System Restore, to totally eliminate it. This is because these types of malware programs hook themselves into system files and locations, which are automatically backed up in System Restore Points. You may remove the threat and think it is gone, but, next time you reboot - System Restore will reinstall it! Sucks, don't it? Anyway, after turning off System Restore and disinfecting your computer thoroughly, you can turn it back on and set a new, clean restore point.
To disable or enable System Restore, right click on "My Computer" and choose "Properties." On the Properties sheet there is a tab labeled System Restore, which you should click on to open. In the System Restore property sheet there is a checkbox labeled "Turn off System Restore." Click in the box to select the option, click Apply, then acknowledge the pop-up challenge box warning you that all restore points will be lost. Click OK to close the Properties sheets, then scan again, reboot, scan another time, then repeat the steps to get to the System Restore sheet, uncheck the selection and Apply it. This will turn System Restore on again. Next, click on (All) Programs > Accessories > System Tools > System Restore and, when the Restore Wizard opens, have it create a new Restore Point.
Next time you get a spam email inviting you to click on a link to view a video, or hear an mp3, don't do it and you won't have to go through this misery!
Links to legitimate anti-virus programs and discount links
- Right now I can offer you a BIG discount rate on McAfee Internet Security Suite. Save $30 instantly on McAfee Total Protection and Internet Security Suite! This offer is only good through April 13, 2008.
- Kaspersky Anti-Virus Products. See this page for big package discounts on all Kaspersky security products.
- Special discounts on Norton Security software.
- 20% Off - 1 YR- Trend Micro AntiVirus plus AntiSpyware 2008 - Use Coupon Code: TrendAVS08.
- Save $10.00 now on ZoneAlarm Anti-Virus with the famous ZoneAlarm Pro Firewall. Get Comprehensive Antivirus Protection with ZoneAlarm Antivirus
- AVG Free Anti-Virus
- Avast Free Anti-Virus

