A circulating malicious spam campaign attempts to trick T-Mobile customers into thinking that they’ve received a password-protected MMS. However, once gullible and socially engineered users execute the malicious attachment, they automatically compromise the confidentiality and integrity of their PCs, allowing the cybercriminals behind the campaign to gain complete control of their PCs.
Detection rate for the spamvertised sample – MD5: 5d69a364ffa8d641237baf4ec7bd641f – detected by 11 out of 48 antivirus scanners as W32/Trojan.XTWU-6193; TR/Sharik.B; Trojan.DownLoader9.22851
Once executed, the sample phones back to networksecurityx.hopto.org – 69.65.19.117
The following subdomains are also known to have phoned back to the same IP in that past:
1216289731481872.no-ip.info
128096312288.no-ip.info
130715253.no-ip.info
1364170516.hopto.org
1365606917.hopto.org
1365607817.hopto.org
1365608717.hopto.org
1365609617.hopto.org
1365611417.hopto.org
1365614117.hopto.org
1365615017.hopto.org
1365615917.hopto.org
1365617717.hopto.org
1365621317.hopto.org
1365622217.hopto.org
1365623117.hopto.org
1365624017.hopto.org
1365624917.hopto.org
1365625816.hopto.org
The following malicious MD5s are also known to have phoned back to the same domain/IP in the past:
MD5: f65f5b77b0c761e4b832c4c6eb160abe
MD5: 04d70ee87b53c6b72667a64c90310c6c
MD5: f9012d4c5b184bfce0d38fbe59ed5f01
MD5: e04211eebf720db3a3020894c8902d91
MD5: 8ee9dcaa13c43ef1c597e6602f13a18d
MD5: 0f0bd979a4653bd1dd3851c2401bd6f5
MD5: bed1f172fc063ef6ef6462694ec08b57
MD5: 6d91c5519d7e775026256a8a03c94298
MD5: cef1668439de2c59392207a1e5b694be
MD5: e3e1500f61974748524a9c6ec24fba20
MD5: db188979d05cc07b9a2f28c629f665e7
MD5: 8ae4171c1ff33d5f28073abc459084e5
MD5: 440205bed295ffbcb7e8a97ba7fafe5f
MD5: 9454f19a4a4f8132eb67b8333a1c685b
MD5: 18ffaf17b6144fbd2557574b450b6890
MD5: 06a610c631b723ab818d9fc14ff462d1
MD5: c1133b01880db299f4b598bd04fc6816
Webroot SecureAnywhere users are proactively protected from these threats.