
If you or your relatives wander onto a site claiming to be a genuine Kodak website, you might want to think twice before downloading any executables.

Here’s an example of a site located at kodak-webgallery(dot)com, which is currently offline:

Gallery Downloads

The message at the top reads: “New shared photos! You have received some new pictures, to view them simply click the button below”. Hitting the button launches a “Slideshow”, which is actually an executable file that the end-user is asked to download and run.

Doing so opens up a set of photographs taken of a rather large truck from different angles:


After executing the file, the folder WINDOWS\system32\69821772 was created containing various configuration files. Additionally, sijgzxel.exe and fvwtmkry.exe were copied into the System32 folder itself.

Config files
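The on-disk indicators above (a purely numeric folder created directly under System32, plus two eight-letter, random-looking .exe names dropped beside it) are the kind of thing a responder can sweep a directory listing for. The script below is an added example, not code from the original post or from the researchers: it runs a simple name-based heuristic over a constructed listing that mixes the reported file and folder names with ordinary Windows entries. The eight-lowercase-letter and all-digit patterns, and the small allow-list of legitimate executables, are my own assumptions; a real sweep should compare against a clean baseline of the same Windows build and treat hits as leads for analysis, not verdicts.

```python
import re
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")

# Constructed directory listing as (path, is_directory). The numeric folder and
# the two .exe names are the ones reported in the write-up; the remaining
# entries are legitimate Windows files and folders added for contrast.
SAMPLE_LISTING = [
    (r"C:\WINDOWS\system32\69821772", True),
    (r"C:\WINDOWS\system32\69821772\cfg1.dat", False),
    (r"C:\WINDOWS\system32\sijgzxel.exe", False),
    (r"C:\WINDOWS\system32\fvwtmkry.exe", False),
    (r"C:\WINDOWS\system32\notepad.exe", False),
    (r"C:\WINDOWS\system32\winlogon.exe", False),
    (r"C:\WINDOWS\system32\drivers", True),
    (r"C:\WINDOWS\system32\spool", True),
]

# Assumed allow-list: legitimate System32 executables whose names happen to be
# eight lowercase letters. Build this from a known-clean machine of the same build.
KNOWN_GOOD_EXES = {"winlogon.exe", "services.exe"}

# Heuristics derived from the sample: <8 lowercase letters>.exe and an all-digit
# folder name. Both are assumptions about this family, not general malware rules.
RANDOM_EXE = re.compile(r"^[a-z]{8}\.exe$")
NUMERIC_DIR = re.compile(r"^\d{6,}$")


def is_random_exe_name(name: str) -> bool:
    """True for an eight-letter lowercase .exe name that is not on the allow-list."""
    return bool(RANDOM_EXE.match(name)) and name not in KNOWN_GOOD_EXES


def is_numeric_dir_name(name: str) -> bool:
    """True for a folder name made only of digits (unusual directly under System32)."""
    return bool(NUMERIC_DIR.match(name))


def triage(listing, base=SYSTEM32):
    """Return (kind, path) findings for suspicious direct children of `base`."""
    findings = []
    for raw, is_dir in listing:
        p = PureWindowsPath(raw)
        if p.parent != base:  # only direct children of System32 are of interest here
            continue
        if is_dir and is_numeric_dir_name(p.name):
            findings.append(("numeric-dir", str(p)))
        elif not is_dir and is_random_exe_name(p.name):
            findings.append(("random-exe", str(p)))
    return findings


if __name__ == "__main__":
    for kind, path in triage(SAMPLE_LISTING):
        print(f"{kind:12} {path}")
```

Running it flags the numeric folder and both dropped executables while leaving winlogon.exe alone because of the allow-list; the same `triage` function can be fed a real listing produced by walking System32 on a suspect machine.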

The final piece of the puzzle is a set of references to an email address, eBay, eBay Motors and various other eBay domains (along with non-eBay domains) in the process dumps we generated while testing.

It looks like a blast from the past called Trojan.Bayrob has risen from the grave to cause problems for big spenders on eBay. It seems to come around every so often – here’s an attack from 2007 and here’s one from 2008 – and now someone has decided to spam it out from a fake Kodak domain registered via a privacy service.

Bayrob is a nasty little thing, spoofing pages from eBay and other sites to fool the end-user into handing over bundles of cash. Motor buyers are a popular target, which is why so many of these attacks involve car photo slideshows. The Trojan can have a devastating impact – here’s a victim who was fleeced out of $8,600 by scammers.

To coin a phrase: whoops.

We detect this one as Win32.Malware!Drop. Detection rates are very low, currently clocking in at 5/43, so be careful out there and don’t be fooled by random photograph galleries. There’s no way to tell if these fake Kodak sites are currently being pimped by automated spam programs, random chatroom links, infected PCs or strange flashing lights in the sky, so always check with a known contact if they suddenly want you to check out their new car pictures.

It might cost you a bit more than a tyre change and a new air freshener…

Christopher Boyd (Thanks to Adam Thomas for additional research).