
This file is not a log of online activity: it is known to carry a banking password stealer.
Any time an unexpected email arrives with instructions like these, your suspicions should be raised. It is a cheap con job at best.
The iplogs.exe dropper is packed and carries an interesting list of anti-debug tricks. It attacks a couple of well-known commercial firewalls in order to gain outbound access. It copies itself to the system32 directory as 'oembios.exe', appending a couple of kilobytes of encrypted data, so the copy's hash will not match the hash of the original dropper.
The code also drops a system driver as sysproc86.sys and loads it into kernel space. Once loaded, the driver removes itself from the loaded module list and modifies the OS to hide the dropped files and the startup registry entries. Listings taken through the infected system's own APIs therefore cannot be trusted; check the disk and registry from offline media or from a memory image instead.
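The standard way to catch a rootkit that hides files, drivers and Run keys from the live OS is a cross-view check: take one listing through the normal Windows APIs and one out of band (offline disk mount, raw MFT parse, or a walk of the driver list in a memory image), and report anything present only in the raw view. The script below is an added example, not code from the original post; only the two file names (oembios.exe, sysproc86.sys) come from the write-up, while both listings, the Run value name and the helper names are constructed here for illustration.

```python
"""Cross-view rootkit check plus known-name IOC match.

Added example, not code from the original post. The names oembios.exe and
sysproc86.sys are the ones the post reports; every listing below is a
constructed sample standing in for real API / offline enumeration output.
"""
from dataclasses import dataclass

# Names the post attributes to this dropper (the only indicators taken from it).
KNOWN_BAD_NAMES = {"oembios.exe", "sysproc86.sys"}

# Constructed sample: what the running OS reports through its normal
# enumeration APIs, i.e. the view a rootkit that hooks file, registry and
# module enumeration allows you to see.
API_VIEW = {
    "files": {
        r"C:\Windows\System32\ntoskrnl.exe",
        r"C:\Windows\System32\drivers\tcpip.sys",
    },
    "drivers": {"tcpip.sys", "ndis.sys"},
    "run_keys": {
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
    },
}

# Constructed sample: the same categories enumerated out of band (offline
# disk mount, raw MFT parse, memory-image walk of the driver objects).
# The "oembios" Run value name is an assumption made for this example.
RAW_VIEW = {
    "files": {
        r"C:\Windows\System32\ntoskrnl.exe",
        r"C:\Windows\System32\drivers\tcpip.sys",
        r"C:\Windows\System32\oembios.exe",
        r"C:\Windows\System32\sysproc86.sys",
    },
    "drivers": {"tcpip.sys", "ndis.sys", "sysproc86.sys"},
    "run_keys": {
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\oembios",
    },
}


@dataclass
class Finding:
    category: str   # "files", "drivers" or "run_keys"
    item: str       # path, driver name or registry value
    reason: str     # why it was flagged


def cross_view_diff(api_view, raw_view):
    """Flag every item the raw view contains but the API view does not.

    An item that exists on disk / in memory yet is missing from the OS's
    own enumeration is exactly what a hiding rootkit produces.
    """
    findings = []
    for category, raw_items in raw_view.items():
        hidden = raw_items - api_view.get(category, set())
        for item in sorted(hidden):
            findings.append(Finding(category, item,
                                    "present in raw view, absent from API view"))
    return findings


def name_matches(raw_view):
    """Flag files and drivers whose base name is a known indicator.

    Matching on the raw view, not the API view, because the API view may
    already have had these names filtered out.
    """
    findings = []
    for category in ("files", "drivers"):
        for item in sorted(raw_view.get(category, ())):
            base = item.rsplit("\\", 1)[-1].lower()
            if base in KNOWN_BAD_NAMES:
                findings.append(Finding(category, item,
                                        f"matches known name {base}"))
    return findings


def scan(api_view, raw_view):
    """Run both checks and return the combined list of findings."""
    return cross_view_diff(api_view, raw_view) + name_matches(raw_view)


if __name__ == "__main__":
    for f in scan(API_VIEW, RAW_VIEW):
        print(f"[{f.category}] {f.item}: {f.reason}")
```

On a real case the two dictionaries would be filled from, for example, a `dir`/`driverquery` run on the live host and a listing of the same volume mounted from WinPE; the diff logic does not change. A name match on its own is weak (the dropper could be renamed), so the cross-view discrepancy is the finding to act on, and the name match is corroboration.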