Email with subject “scan upon download” contains trojan

MX Lab started to intercept a few emails with the subject “scan upon download” coming from randomly spoofed email addresses.

The trojan is named Suspicious:W32/Malware!Gemini (F-Secure) or Mal/TibsPk-D (Sophos) and is able to create malicious executable files on the infected system.

The body of the email:

Dear Sirs,
We have prepared a contract and added the paragraphs that you wanted to see in it. Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment. We are enclosing the file with the prepared contract.

The email carries a 202 kB ZIP archive named Contract.zip; once extracted, it yields an executable named Contract.exe.

The following files are created:

%AppData%\av.exe
%AppData%\v7LsGuo3u6bku

A new process is created:

%AppData%\av.exe

Virus Total permalink and MD5: 99b165be9e35f83b811925ccbb9be36d.

Directory scam: Registration of the World Business Directory 2010/2011

MX Lab reported in 2009 on the misleading marketing trick used by the World Business Directory. Guess what, they are back!

MX Lab received a new registration form from the World Business Directory and again, we want to point out a few things before you sign their contract.

The email comes from info@companyworld2010.com with the subject “Registration of the World Business Directory 2010/2011” and this is the email content:

Dear Madam/Sir,

In order to have your company registered in the World Business
Directory for 2010/2011, please print, complete and return the
enclosed form (PDF file) to the following address:

World Business Directory
Suite 149 – Rosden House – 372 Old Street
EC1V 9AU / London – United Kingdom
E-mail: office@companyworld2010.com
Fax: +44 207 806 8157

Updating is free of charge!

To unsubscribe, please send an email to
unsubscribe@companyworld2010.com

Attached is a PDF file named world-businessdirectory.pdf.

The first point that needs your attention is text block 1:

To update your company profile, please print, complete and return
this form (Updating is free of charge). Only sign if you want to
place an insertion.

As you can read, updating is free of charge, but if you want your company to be listed in this directory you will need to sign, and then you will have to pay.

What does this directory cost, you may ask? For that you have to go to text block 2, printed in very small letters, which includes:

I WILL HAVE AN INSERTION INTO ITS DATA BASE FOR THREE YEARS. THE PRICE PER YEAR IS GBP 980.

And there you have it: this contract will cost your business a total of GBP 2940 over 3 years. After the 3-year subscription you can only stop the contract if you inform them in time:

THE SUBSCRIPTION WILL BE AUTOMATICALLY EXTENDED EVERY YEAR FOR ANOTHER YEAR, UNLESS SPECIFIC WRITTEN NOTICE IS RECEIVED BY THE SERVICE PROVIDER OR THE SUBSCRIBER TWO MONTHS BEFORE THE EXPIRATION OF THE SUBSCRIPTION.

A few arguments from our side that this is a scam:

The From address uses the domain companyworld2010.com; when we tried to see whether a site was online, we got the notification “This account has been suspended”. We may well see new emails from the World Business Directory appear under other domains.

The WHOIS record for the domain gives the following:

Registrant:
 international group c/o Free Private Reg
 P.O. Box 81024
 Burnaby, BC V5H 4K2
 CA

 Domain name: COMPANYWORLD2010.COM

 Administrative Contact:
    boot, cornelis  companyworld2010.com@freeprivateregistration.com
    P.O. Box 81024
    Burnaby, BC V5H 4K2
    CA
    852-3594-1708
 Technical Contact:
    Hostmaster, Domain  hostmaster@doteasy.com
    Suite 210 - 3602 Gilmore Way
    Burnaby, BC V5G 4W9
    CA
    (604) 434-4307    Fax: (604) 608-6832

 Registrar of Record: In2net Network Inc.
 Record last updated on 05-Mar-2010.
 Record expires on 05-Mar-2011.
 Record created on 05-Mar-2010.

 Domain servers in listed order:
    DNS8.DOTEASY.COM   65.61.199.14
    DNS7.DOTEASY.COM   65.61.198.14

 Domain status: clientTransferProhibited
                clientUpdateProhibited

The registrant information is rather vague and points to a PO Box, and the administrative contact has the same address. The domain freeprivateregistration.com in the administrative contact's email address is just an alias domain of doteasy.com. These details must be fake.

In 2009, the PDF document had to be returned to an address in the Netherlands; in this 2010/2011 edition it has to be returned to an address in London, UK.

On the ‘About us’ page of their site at http://www.world-businessdirectory.com/ we found the following text:

The World Business Directory online is product of EU Business Services Ltd, a corporation organized and existing under the laws of Nevis, West Indies.

We also found the UK address on the ‘Contact us’ page.

Our recommendation is: don’t sign the document and don’t do business with this company.

Follow these guidelines if you are a victim of this directory scam:

  • Do not pay, even if they threaten to take your case to court.
  • If you have paid a certain amount, stop the next payments. Expect that you won’t get a refund either.
  • Send them a letter informing them you have been misled and telling them to cancel the contract.
  • If possible, report to (local) authorities.

Additional information:

Stop EU Business Services Ltd Trading As World Business Directory
Stop world-businessdirectory.com

On the web site of Richard Corbett you can find some background information about directory scams and what to do when you are a victim of such a scam.

Web site creator hosts are being abused in spam campaigns

Spammers are not afraid to abuse community sites or blog creators like blogspot.com in their spam campaigns. In some cases the content is published on these sites; in others a redirect is embedded that forwards the visitor to a web site of the spammer's choice offering porn, pills and other stuff.

In the last few days MX Lab has noticed an increase in spam messages containing URLs that point to (free) web site creator hosts or less well-known blog creators. Some of the latest victims are doodlekit.com, sitekreator.com, webs.com, webstarts.com and blogdrive.com.

Some examples of the spam:

of necromancer beyond power drill ostensibly wily
dissidents customer
PornstarMikaTanAnalFingering hxxp://trhombic.blogdrive.com
because girls

dissidents blotched greedily

mirror about starlet likeable
WorldOfLustyAmatteurGalsFujckkingOnCameraWithBigCodfckedLadsAndBelovedSelxToys hxxp://sitekreator.com/Dewtty/sdfgty.html

haunchestoward

for cleavage inside carelessly womanly
bubble baths scythe
AsianSuckingAndFuckingHardcore hxxp://wilfredorz.webs.com
or tea parties

over and accidentally

tea parties flabby
WorldOfLustyAmatenurGalsFujckkingOnCameraWithBigCobckedLadsAndBelovedSjexToys hxxp://s2.webstarts.com/ssey/q2.html

philosopherssecretly

We also notice the use of random words in the spam message again. This is a very common technique that has been used in the past to avoid detection by Bayesian filters and/or to pollute the knowledge base of a Bayesian filter when the message is used to train it.

This technique is also present in the latest spam campaign of the Canadian Pharmacy:

This is a link to our shop http://bc.greatsilent.ru/

gazoive dyojefip eicyla uxamo kajoubemi zitykiboto yejy
irewyumuco izaafoe samin uypoi nyqii asydado
hoxyaogeqa eokinap asiwy yziuboaxoj alomem kawuqyxy
ajitikumoa fiaxe oqoce qiahow yvenouwa bosyebuje ucotaley
yeqa uhybyo nidodyziru logu noboma uuju uedywaby
…. (cut)….

New web site creator hosts are being used each day. When I visited a few of those web site creator hosts, I found that signing up is very easy. Up to a certain point, account requests can be automated without being blocked by any security measure or by having to click an activation link sent by email.

On doodlekit.com we found a CAPTCHA on the sign-up form, but I believe a good CAPTCHA should have letters that are less readable than this one. Still, it is a start.

On webs.com I set up a dummy web site account with the address http://tryviagra.webs.com without hitting any security measure at all! This means that anyone can set up a free web site creator account simply by completing the web forms.

In this particular case I could even automate every step and let a bot do all the work. I could create 10 to 100 accounts a day, and the site administrators would perhaps not even notice. It is a very efficient way of getting coverage on the internet, getting free hosting for a site, or redirecting visitors to a site.

To make it worse, malware could also be placed on such a site in an attempt to infect every visitor with malware, ransomware or other malicious files.

A spammer who generates multiple URLs each day and rotates the URLs in the spam message gains an advantage over Intent Analysis tools or SURBL, tools that examine and block messages based on the URLs they contain.
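One defensive answer to both points above (random word padding and rotating URLs) is to key the filter on the URL host rather than on the surrounding words. The script below is an added example, not MX Lab's code: it extracts live and defanged (hxxp) URLs from a message body and flags any host that sits on one of the free site-creator hosts named in this post. The sample messages are constructed, shortened versions of the spam quoted above; the host list and the two-label domain shortcut are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Free site-creator / blog hosts named in the post as abused by spammers.
FREE_HOSTS = {
    "blogspot.com", "doodlekit.com", "sitekreator.com",
    "webs.com", "webstarts.com", "blogdrive.com",
}

# Live or defanged ("hxxp") URLs, the way they are quoted in the post.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s<>\"']+", re.IGNORECASE)


def refang(url):
    """Restore a defanged hxxp:// scheme so urlsplit can parse it."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def extract_hosts(body):
    """Lowercase host of every URL in the message body, in order of appearance."""
    hosts = []
    for match in URL_RE.finditer(body):
        host = urlsplit(refang(match.group(0))).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def registered_domain(host):
    """Last two labels of the host: enough for the .com hosts in the post.
    A real filter would consult the Public Suffix List (co.uk and friends)."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def abused_free_hosts(body):
    """Hosts in the body that sit on one of the known free creator hosts.
    Only the URL host is inspected, so the random word padding around it
    (the Bayesian-evasion trick) does not change the outcome."""
    return [h for h in extract_hosts(body) if registered_domain(h) in FREE_HOSTS]


# Constructed, shortened versions of the spam quoted in the post.
SAMPLES = {
    "blogdrive": "of necromancer beyond power drill ostensibly wily\n"
                 "dissidents customer\n"
                 "adult site hxxp://trhombic.blogdrive.com\n"
                 "because girls\n",
    "webstarts": "tea parties flabby\n"
                 "adult site hxxp://s2.webstarts.com/ssey/q2.html\n"
                 "philosopherssecretly\n",
    "pharmacy": "This is a link to our shop http://bc.greatsilent.ru/\n"
                "gazoive dyojefip eicyla uxamo kajoubemi zitykiboto yejy\n",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, "->", abused_free_hosts(body) or "no free-host URL")
```

Blocking every message that links to webs.com or blogdrive.com would of course hit legitimate mail too; in practice this check is one score contribution among others, with the host reputation looked up in SURBL-style lists rather than a static set.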

Again, this shows that internet security is everyone's responsibility and everyone should get involved. If we want to stop spammers, we also have to make sure that some of the features spammers can exploit today – this is a nice example, I think – can't be used tomorrow.

Feel free to comment on this post.

Disclaimer: it is not our intention to attack webs.com on their lack of security – perhaps in a certain way it is – but to point out how easy it is to abuse certain online tools.

Email regarding Conflicker.B Infection Alert contains a trojan

MX Lab started to intercept emails with the subject “Conflicker.B Infection Alert”. The trojan is named Win32:Bredolab-CC (Avast), Generic Dropper.lr (McAfee) or Trojan.Win32.Bredolab.Gen.2 (Sunbelt).

The From address is spoofed and can contain “Microsoft Team”. The email is signed by “Microsoft Windows Computer Safety Division” to make it appear that it comes from Microsoft itself.

The email has the attachment open.zip and inside the ZIP archive the executable open.exe (16 kB).

As you can read, the email instructs you to use the attached file to scan your network after a supposed infection by the Conficker worm.

Dear Microsoft Customer,

Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

At the time of writing, 21 of the 40 AV engines at Virus Total detected the threat correctly. Our recommendation is that you never follow instructions like these that arrive by email. Neither Microsoft nor any other company will distribute security tools by email.

This trojan is a serious security risk because it displays fake alerts about a virus infection in order to lead you to buy rogue anti-virus/anti-spyware products. The trojan also has the capability to send out emails with a built-in SMTP engine.

A new window is created after executing the file open.exe.

The following files are created:

%CommonAppData%\28701826\28701826.exe
%DesktopDir%\Security Tool.lnk
%Programs%\Security Tool.lnk
%Windir%\Temp\_ex-08.exe

The following directory is created:

%CommonAppData%\28701826

New processes are created:

_ex-08.exe in %Windir%\temp\_ex-08.exe
28701826.exe in C:\DOCUME~1\ALLUSE~1\APPLIC~1\28701826\28701826.exe

The Windows registry is modified and the malware can open TCP ports 1066 and 1067 on an infected system.

Connection to remote hosts (port 80):

221.150.130.37
94.102.50.131
95.143.192.40

Remote downloads:

* hxxp://221.150.130.37/qmbzxqbitqs.htm
* hxxp://221.150.130.37/gyxk.htm
* hxxp://221.150.130.37/xwxwkg.htm
* hxxp://94.102.50.131/in.php?affid=43400&url=5&win=Windows%20XP+2.0&sts=
* hxxp://95.143.192.40/pr/pic/sys.exe

Virus Total permalink and MD5: 76cf8a523c11f4d2ab86a7b99c89c9e0.

Spam campaign from Canadian Pharmacy also contains web based threats

MX Lab detected several email-based threats in a spam campaign from Canadian Pharmacy disguised as an Amazon order confirmation.

The campaign comes from the spoofed email address Customer Support <***.***@service.amazon.com> and uses the following possible subjects (the *** numbers vary):

Confirm #***
Confirmation Order #***
Notice #***
Notify #***
Notification #***
Order Confirmation #***
Order Notice #***
Order Notify #***
Order Notification #***

The body of the email:

Your Order S\n:10444064511 Accepted.
Details hxxp://www.klaudiusz.ramtel.pl/afrikaners.html

Thank you.
Amazon.com Customer Support

The campaign was detected yesterday, but today we found a few threats when following the included URLs. One threat is named HTML:iFrame-LZ[Trj] (Avast).

HTML:iFrame-LZ[Trj] is a malicious HTML script that a user may download unknowingly when visiting malicious web sites. The script connects to sites to download file(s); as a result, the malicious routines of the downloaded files are executed on the affected system.

Twitter, Google and Hi5 being abused in Prolaco worm distribution

Twitter, Google and the social networking site Hi5 are being abused in an email campaign to distribute the Prolaco worm. The campaigns have the following characteristics. Note that the email addresses are spoofed.

The malware is known as Worm.Win32.Prolaco.gen (Sunbelt), Worm:Win32/Prolaco.gen!C (Microsoft) and Worm.Win32.Prolaco (Ikarus).

Twitter

From: <invitations@twitter.com>
Subject: Your friend invited you to twitter!

Attachment: Invitation Card.zip (approx 348 kB)

Body of the email:

In this campaign the Twitter brand is used to get the attachment opened: the email instructs you to open the attachment to see who invited you to Twitter.

Google

From: <resume-thanks@google.com>
Subject: Thank you from Google!

Attachment: CV-20100120-112.zip (approx 348 kB)

Body of the email:

Google thanks you for the résumé you supposedly sent for an open position; according to the email, you should open the attachment to review your submitted application.

Hi5

From: <invitations@hi5.com>
Subject: Jessica would like to be your friend on hi5!

Attachment: Invitation Card.zip (approx 348 kB)

Body of the email:

The social network Hi5 has been used in previous malware campaigns and in phishing campaigns. This time you are invited to connect with Jessica, who has attached her invitation card for you to open.

Be aware that when you connect with a person on Hi5 or follow a person on Twitter, you never have to download and install any software; in these cases that software is malware. All actions are done through their web sites, so do not open the attachments in similar future campaigns.

About Prolaco:

Prolaco will create the following files on your system:

%AppData%\SystemProc\lsass.exe
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
%System%\GoogleUpdater.exe

The following directories are created:

%AppData%\SystemProc
%ProgramFiles%\Mozilla Firefox
%ProgramFiles%\Mozilla Firefox\extensions
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content

The following services are modified:

ERSvc Error Reporting Service
“Stopped” %System%\svchost.exe -k netsvcs

wscsvc Security Center
“Stopped” %System%\svchost.exe -k netsvcs

The trojan modifies the Windows registry and can make UDP connections over ports 1069 and 1070.

27 out of the 41 AV engines detect the Prolaco worm at the time of writing this article.

Virus Total permalink and MD5: c0464909947c92c07f5a91f9d675f03d

“updated account agreement” email contains Bredolab trojan

MX Lab started to intercept emails with the subject “updated account agreement” that contain the Bredolab trojan. Judging by the content, the campaign targets Facebook users. The email comes from a spoofed email address that contains “Facebook Team”.

The body of the email:

Dear Facebook user,

Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement, regardless of their original account start date.

Accounts that do not submit the updated account agreement by the deadline will have restricted.

Please unzip the attached file and run “agreement.exe” by double-clicking it.

Thanks,
The Facebook Team

The email has the ZIP archive agreement.zip attached; once unpacked, the 28 kB file agreement.exe is available.

Facebook, or any other company, will never distribute agreements, software updates and patches or anything else by email. Our recommendation is to delete the email immediately, because a lot of AV engines do not detect this variant very well at the moment.

Virus Total permalink and MD5: cc632e1dad8775e2bb558a6cd247b94b.

Bredolab trojan on the move

MX Lab noticed an increase in intercepted Bredolab trojan variants that are spread by email. The Bredolab variants are distributed by different campaigns.

Do you like to find a girlfriend like me ?

One campaign has the subject “Do you like to find a girlfriend like me ?” and targets female singles in a certain way:

Wish to have a boyfriend
Be able to protect me, take care of me
Intolerable lonely night and would like to have your care.
do you Willing ?

This is my photos.

The email includes a ZIP archive named myphotos.zip, suggesting that you will see some pictures. Instead, the archive contains the file myphoto.exe, which is the Bredolab trojan.

Virus Total permalink and MD5: 63936bfd3c1207ef3d2cce7b52d508da.

DHL Office. Please get your parcel NR.6161

The second campaign is the traditional failed-package-delivery style, in this case DHL, coming from the spoofed email address <support@dhl.com>. The following subjects are used:

DHL Office. Please get your parcel NR.6161
DHL Express. Please get your parcel NR.6161
DHL Express Services. You need to get a parcel NR. 3050
DHL International. You need to get a parcel NR. 3050
DHL Services. Please get your parcel NR. 1608
DHL Customer Services.  Please get your parcel NR. 3528

Body of the email:

Hello!

The courier service was not able to deliver your parcel at your address.

Cause: Mistake in address

You may pickup the parcel at our post office personally.

The delivery advice is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Services.

There is also a Spanish version of the campaign with the spoofed email address <support@dhl.es>, the subject “DHL servicios. Recibir parcela NR.82140” and this email body, in Spanish, which reads in translation:

Dear Customer

The courier of our Company could not deliver the shipment to your home address.
Cause: Error in the indication of the delivery address.
You may collect your shipment in person at the post office near your home.

Attention!
A postal label is attached to this letter. You must print the label in order to receive the shipment at the post office.

Thank you.
DHL servicios.

UPS Delivery Problem NR 66466.

The third campaign is also in failed-package-delivery style but with UPS ‘branding’, from the spoofed From address <service@ups.com>. The subject is UPS Delivery Problem NR 66466 and an example of the body of the email:

Dear customer!

Unfortunately we were not able to deliver the package sent on the 24th of January in time
because the addressee’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.

United Parcel Service of America.

The UPS and DHL trojans have the same MD5 and are the same variant. At the time of writing this article only 14 of the 40 AV engines detect the trojan.

Virus Total permalink and MD5: 574f07d83aeae631834ff8279af8c1ed.

Win a Macbook Air and get the trojan Obfuscator for free

MX Lab intercepted emails with the subject “Congratulation!!”. The message informs you that you have won an Apple MacBook Air and for more details you will need to open the attached file.

Congratulations!! You have won todays Macbook Air.
Please open attached file and see details.

It seems tempting, but by doing so you will in fact unleash the trojan VirTool:Win32/Obfuscator.HG (Microsoft) or Suspicious:W32/Malware!Online (F-Secure) on your system.

The attached file is named winner.zip, 45 kB large, and contains the 52 kB large executable winner.exe.

The trojan will create the following files:

%UserProfile%\reader_s.exe
%System%\reader_s.exe

New processes are created:

%System%\reader_s.exe
%UserProfile%\reader_s.exe

Windows registry modifications are made to make sure that the executables run when Windows boots:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
* reader_s = “%System%\reader_s.exe”
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
* reader_s = “%UserProfile%\reader_s.exe”
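Run-key persistence of this kind (a value in both the HKLM and HKCU Run keys, pointing at an executable dropped straight into the user profile or an application-data directory, as in this post and the Conficker-alert post above) can be audited from a plain registry export. The script below is an added example, not MX Lab's code. The .reg text is constructed for the example and mixes two ordinary entries with the reader_s and 28701826 entries described in these posts, written out as Windows XP paths; the location patterns and the "same name in both hives" rule are this example's own heuristics.

```python
import re

# Constructed .reg export: two benign entries plus the entries from the posts.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
"reader_s"="C:\\WINDOWS\\system32\\reader_s.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"reader_s"="C:\\Documents and Settings\\alice\\reader_s.exe"
"28701826"="C:\\Documents and Settings\\All Users\\Application Data\\28701826\\28701826.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$", re.IGNORECASE)

# Locations a user (or malware running as the user) can write to; paths are
# matched in lowercase.  Patterns cover both XP-era and Vista+ layouts.
USER_WRITABLE = [
    (re.compile(r"\\documents and settings\\[^\\]+\\[^\\]+$"), "file directly in a user profile root"),
    (re.compile(r"\\users\\[^\\]+\\[^\\]+$"), "file directly in a user profile root"),
    (re.compile(r"\\application data\\|\\appdata\\|\\programdata\\"), "runs from an application-data directory"),
    (re.compile(r"\\temp\\"), "runs from a temp directory"),
]


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, value_name, string_data) for every string value in the export."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def image_path(value):
    """Executable path of a Run value: the quoted part if quoted, otherwise the
    whole value (assumption for this example: unquoted values carry no arguments)."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value


def suspicious_run_entries(text):
    """Run/RunOnce values that launch from a user-writable location or whose
    value name is registered in more than one hive (HKLM and HKCU)."""
    runs = [(k, n, image_path(v)) for k, n, v in parse_reg(text) if RUN_KEY_RE.search(k)]
    hives_by_name = {}
    for k, n, _ in runs:
        hives_by_name.setdefault(n.lower(), set()).add(k.split("\\")[0])
    findings = []
    for k, n, p in runs:
        reasons = [why for rx, why in USER_WRITABLE if rx.search(p.lower())]
        if len(hives_by_name[n.lower()]) > 1:
            reasons.append("same value name registered in more than one hive")
        if reasons:
            findings.append({"key": k, "name": n, "path": p, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_run_entries(REG_EXPORT):
        print(f["key"].split("\\")[0], f["name"], f["path"])
        for r in f["reasons"]:
            print("   -", r)
```

On a live system the export comes from reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (and the HKCU counterpart); the heuristics deliberately ignore the value name, since a dropper can call itself anything, and look at where the image lives and how it is registered instead.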

At the time of writing this article, only 8 of the 40 AV engines picked up the trojan when it was submitted to Virus Total, so be careful when receiving it. Virus Total permalink and MD5: 4ea90acf8a6427060f1a6d003dd3598f.

Email based update for Microsoft Outlook – Outlook Express contains trojan

MX Lab started to intercept messages with the subject “Update for Microsoft Outlook / Outlook Express (KB910721)”. These messages appear to come from the Microsoft Support department and contain instructions to install a new update for Microsoft Outlook / Outlook Express:

Brief Description
Microsoft has released an update for Microsoft Outlook / Outlook Express. This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.

Instructions

* Install Update for Microsoft Outlook / Outlook Express (KB910721). To do this, follow these steps:
1. Run attached file officexp-KB910721-FullFile-ENU.exe
2. Restart Microsoft Outlook / Outlook Express

System Requirements

* Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista

* This update applies to the following product: Microsoft Outlook / Outlook Express

The email carries a 12 kB ZIP archive named officexp-KB910721-FullFile-ENU.zip; the extracted file is the 24 kB executable officexp-KB910721-FullFile-ENU.exe.

This piece of malware is known as W32/SuspPack.BI.gen!Eldorado (F-Prot), W32/FakeAV.AM!genr (Norman) or Mal/FakeVirPk-A (Sophos).

It is generally advised not to install software, updates or patches for Microsoft software or the operating system that are distributed by email. Microsoft only offers updates and patches through the official Windows Update channel on the Windows system itself.

Virus Total permalink and MD5: 925ca736b931a745b064896927cf20bc
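Every malware campaign on this page (Contract.zip/Contract.exe, open.zip/open.exe, the Prolaco invitation cards, agreement.zip/agreement.exe, myphotos.zip/myphoto.exe, the DHL/UPS labels, winner.zip/winner.exe and officexp-KB910721-FullFile-ENU.zip/.exe) uses the same delivery trick: a small ZIP attachment with a single executable inside. A mail gateway can refuse such attachments before a user ever sees them. The script below is an added example, not MX Lab's code: it opens an attachment in memory, flags executable members (by extension and by the MZ header, so a renamed .exe is caught too), and compares each member's MD5 with the hashes quoted in these posts. The archives are built from constructed bytes; the assumption that the quoted MD5s are hashes of the extracted executables, the size cap and the extension list are this example's own.

```python
import hashlib
import io
import zipfile

# MD5s quoted in the posts on this page (assumed to be the extracted executables).
POST_MD5S = {
    "99b165be9e35f83b811925ccbb9be36d",  # Contract.exe
    "76cf8a523c11f4d2ab86a7b99c89c9e0",  # open.exe
    "c0464909947c92c07f5a91f9d675f03d",  # Prolaco worm
    "cc632e1dad8775e2bb558a6cd247b94b",  # agreement.exe
    "63936bfd3c1207ef3d2cce7b52d508da",  # myphoto.exe
    "574f07d83aeae631834ff8279af8c1ed",  # DHL/UPS Bredolab
    "4ea90acf8a6427060f1a6d003dd3598f",  # winner.exe
    "925ca736b931a745b064896927cf20bc",  # officexp-KB910721-FullFile-ENU.exe
}
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
MAX_MEMBER = 50 * 1024 * 1024  # refuse to inflate anything larger (zip-bomb guard)


def is_pe(data):
    """A Windows executable starts with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


def screen_zip(zip_bytes, known_bad=POST_MD5S):
    """One finding per archive member: name, size, md5 and the reasons to block it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [{"name": "<archive>", "size": len(zip_bytes), "md5": None,
                 "reasons": ["not a valid ZIP archive"]}]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER:
                findings.append({"name": info.filename, "size": info.file_size, "md5": None,
                                 "reasons": ["declared size exceeds limit"]})
                continue
            data = zf.read(info)
            lower = info.filename.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            reasons = []
            if ext in EXEC_EXT:
                reasons.append(f"executable extension {ext}")
            if is_pe(data) and ext not in EXEC_EXT:
                reasons.append("PE header behind a non-executable name")
            md5 = hashlib.md5(data).hexdigest()
            if md5 in known_bad:
                reasons.append("MD5 on known-bad list")
            findings.append({"name": info.filename, "size": len(data), "md5": md5,
                             "reasons": reasons})
    return findings


def verdict(zip_bytes, known_bad=POST_MD5S):
    """'block' if any member raised a reason, otherwise 'deliver'."""
    return "block" if any(f["reasons"] for f in screen_zip(zip_bytes, known_bad)) else "deliver"


def build_zip(members):
    """Constructed test archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed payloads: an MZ header in front of filler, not a real program.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"constructed-not-a-real-program"
CONTRACT_ZIP = build_zip({"Contract.exe": FAKE_PE})          # the pattern from the posts
DISGUISED_ZIP = build_zip({"invoice.pdf": FAKE_PE})          # renamed executable
CLEAN_ZIP = build_zip({"contract.pdf": b"%PDF-1.4 constructed document"})

if __name__ == "__main__":
    for label, blob in [("Contract.zip", CONTRACT_ZIP), ("disguised", DISGUISED_ZIP),
                        ("clean", CLEAN_ZIP), ("garbage", b"not a zip")]:
        print(label, verdict(blob), [(f["name"], f["reasons"]) for f in screen_zip(blob)])
```

Hash matching only catches the exact sample already analysed, which is why the structural rules (executable extension, MZ header, unreadable archive, oversized member) carry the decision; the MD5 list is there so the known samples from these posts are recognised even when the structural check is relaxed for a particular sender.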