Bredolab trojan on the move

MX Lab noticed an increase in intercepted Bredolab trojan variants that are spread by email. The Bredolab variants are distributed by different campaigns.

Do you like to find a girlfriend like me ?

One campaign has the subject “Do you like to find a girlfriend like me ?” and targets female singles in a certain way:

Wish to have a boyfriend
Be able to protect me, take care of me
Intolerable lonely night and would like to have your care.
do you Willing ?

This is my photos.

The email includes a ZIP archive named myphotos.zip, which suggests it contains pictures. Instead the archive contains the file myphoto.exe, which is the Bredolab trojan.

Virus Total permalink and MD5: 63936bfd3c1207ef3d2cce7b52d508da.

DHL Office. Please get your parcel NR.6161

The second campaign is the traditional failed package delivery style, in this case DHL, coming from the spoofed email address <support@dhl.com>. The following subjects are used:

DHL Office. Please get your parcel NR.6161
DHL Express. Please get your parcel NR.6161
DHL Express Services. You need to get a parcel NR. 3050
DHL International. You need to get a parcel NR. 3050
DHL Services. Please get your parcel NR. 1608
DHL Customer Services.  Please get your parcel NR. 3528

Body of the email:

Hello!

The courier service was not able to deliver your parcel at your address.

Cause: Mistake in address

You may pickup the parcel at our post office personally.

The delivery advice is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Services.

There is also a Spanish version of the campaign with the spoofed email address <support@dhl.es>, the subject “DHL servicios. Recibir parcela NR.82140” and the email body:

Estimado Cliente

El mensajero de nuestra Compañía no pudo entregarle el envío en su domicilio.
Causa: Error en la indicación del domicilio de entrega.
Puede recibir su envío personalmente en la oficina de correos cercana a su domicilio.

Atención!
A esta carta se le adjunta una etiqueta postal. Usted debe imprimir la etiqueta para poder recibir el envío en la oficina de correos.

Gracias.
DHL servicios.

UPS Delivery Problem NR 66466.

The third campaign is also failed package delivery style, but with UPS ‘branding’ from the spoofed from address <service@ups.com>. The subject is UPS Delivery Problem NR 66466 and an example of the body of the email:

Dear customer!

Unfortunately we were not able to deliver the package sent on the 24th of January in time
because the addressee’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.

United Parcel Service of America.

The UPS and DHL trojans have the same MD5 and are the same variant. At the time of writing this article only 14 of the 40 AV engines detect the trojan.

Virus Total permalink and MD5: 574f07d83aeae631834ff8279af8c1ed.
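All three campaigns above share one delivery mechanism: a ZIP attachment whose name promises photos or a delivery label but which contains a single executable. The following mail-gateway triage routine is an added example, not MX Lab code: it parses a message, opens any ZIP attachment in memory, flags executables inside it and compares their MD5 against a block list seeded with the two hashes quoted above. The sample message it builds (sender, subject, ZIP name and inner file name taken from the campaign descriptions; the executable bytes are a constructed placeholder) is test data, not a real capture.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Block list seeded with the MD5s quoted in the posts above (myphoto.exe and the DHL/UPS attachment).
KNOWN_BAD_MD5 = {
    "63936bfd3c1207ef3d2cce7b52d508da",
    "574f07d83aeae631834ff8279af8c1ed",
}

# Extensions Windows will execute directly when double-clicked (assumed list, extend as needed).
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")


def build_sample_email(zip_name, inner_name, payload):
    """Construct a message shaped like the DHL campaign (constructed test data, not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, payload)
    msg = EmailMessage()
    msg["From"] = "support@dhl.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "DHL Office. Please get your parcel NR.6161"
    msg.set_content("The delivery advice is attached to this e-mail.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


def triage(raw_bytes):
    """Return a list of findings for the message; an empty list means nothing suspicious was seen."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Case 1: the attachment itself is an executable.
        if name.lower().endswith(EXECUTABLE_EXTS):
            findings.append(f"executable attachment: {name}")
        # Case 2: a ZIP archive (local file header starts with 'PK') wrapping an executable,
        # the pattern used by myphotos.zip -> myphoto.exe and the DHL/UPS labels.
        if data[:2] == b"PK":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        if info.filename.lower().endswith(EXECUTABLE_EXTS):
                            digest = hashlib.md5(zf.read(info)).hexdigest()
                            verdict = "known-bad" if digest in KNOWN_BAD_MD5 else "unknown"
                            findings.append(
                                f"archive {name} contains executable {info.filename} (md5 {digest}, {verdict})"
                            )
            except zipfile.BadZipFile:
                findings.append(f"archive {name} is corrupt or not a zip")
    return findings


if __name__ == "__main__":
    raw = build_sample_email("myphotos.zip", "myphoto.exe", b"MZ constructed placeholder, not the real sample")
    for finding in triage(raw):
        print(finding)
```

Because the MD5 comparison only catches samples already on the list, the structural check (an executable inside an archive) is the part that generalises to the next variant; a real gateway would quarantine on that finding alone and use the hash match only to attach a name to it.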

Win a Macbook Air and get the trojan Obfuscator for free

MX Lab intercepted emails with the subject “Congratulation!!”. The message informs you that you have won an Apple MacBook Air and for more details you will need to open the attached file.

Congratulations!! You have won todays Macbook Air.
Please open attached file and see details.

Seems tempting but by doing so you will in fact unleash the trojan VirTool:Win32/Obfuscator.HG (Microsoft) or Suspicious:W32/Malware!Online (F-Secure) on your system.

The attached file is named winner.zip, is 45 kB in size, and contains the 52 kB executable winner.exe.

The trojan will create the following files:

%UserProfile%\reader_s.exe
%System%\reader_s.exe

New processes were created:

%System%\reader_s.exe
%UserProfile%\reader_s.exe

Windows registry modifications are made so that the executables run every time Windows boots:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
reader_s = "%System%\reader_s.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
reader_s = "%UserProfile%\reader_s.exe"

At the time of writing this article, only 8 of the 40 AV engines picked up the trojan when submitted to Virus Total, so be careful when receiving it. Virus Total permalink and MD5: 4ea90acf8a6427060f1a6d003dd3598f.

Email based update for Microsoft Outlook – Outlook Express contains trojan

MX Lab started to intercept messages with the subject “Update for Microsoft Outlook / Outlook Express (KB910721)”. These messages appear to come from the Microsoft Support department and contain instructions to install a new update for Microsoft Outlook / Outlook Express:

Brief Description
Microsoft has released an update for Microsoft Outlook / Outlook Express. This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.

Instructions

* Install Update for Microsoft Outlook / Outlook Express (KB910721). To do this, follow these steps:
1. Run attached file officexp-KB910721-FullFile-ENU.exe
2. Restart Microsoft Outlook / Outlook Express

System Requirements

* Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista

* This update applies to the following product: Microsoft Outlook / Outlook Express

The email carries the 12 kB ZIP archive officexp-KB910721-FullFile-ENU.zip. The extracted file is the 24 kB executable officexp-KB910721-FullFile-ENU.exe.

This piece of malware is known as W32/SuspPack.BI.gen!Eldorado (F-Prot), W32/FakeAV.AM!genr (Norman) or Mal/FakeVirPk-A (Sophos).

It is generally advised not to install software, updates or patches for Microsoft software or the operating system that are distributed by email. Microsoft only offers updates and patches through the official Windows Update channel on the Windows system itself.

Virus Total permalink and MD5: 925ca736b931a745b064896927cf20bc

ZBot trojan aims at AIM users

MX Lab intercepted a few emails regarding AOL Instant Messenger accounts; in fact, the included URL leads to a web site that hosts malware. The malware is known as Trojan-Spy.Win32.Zbot.gen (Kaspersky), PWS:Win32/Zbot.gen!R (Microsoft) or Trojan.Zbot!gen3 (Symantec).

The email comes from the spoofed address AIM <no_reply_instant_messenger@aol.com> with possible subjects like:

Your AIM account is flagged as inactive
Your AIM account will be deleted
YourAOL Instant Messenger account will be deleted

Body of the email:

Dear AOL Instant Messenger user,

Your AIM account is flagged as inactive. Within the following 72 hours it’ll be deleted from the system.

If you plan to use this account in the future, you have to download and launch the latest update for the AIM. This update is critical.

In order to install the update use the following link . This link is generated exclusively for your account and is available within a certain period of time. As soon as this link is not available anymore you will get another letter.

Thank you,

AIM Service Team

This e-mail has been sent from an e-mail address that is not monitored. Please do not reply to this message. We are unable to respond to any replies.

The email contains the link to the web site hxxp://update.aol.com.terfkiof.net.pl/products/aimController.php?code=2902***&email=***r@r***.com. Note: it is possible that other links are being used in this campaign.

The web site instructs you to download the file aimupdate_7.1.6.475.exe (size: 128 kB). Executing it infects your computer with ZBot, a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components and gives the attacker remote access to the compromised system.

The file %System%\sdra64.exe is created on an infected system, along with a hidden directory %System%\lowsec and the hidden files: %System%\lowsec\local.ds, %System%\lowsec\user.ds and %System%\lowsec\user.ds.lll

The trojan can request data from the following URLs:

* http://nekovo.ru/cbd/nekovo.bri
* http://nekovo.ru/ip.php

Virus Total permalink and MD5: d267e1ccc1a30134ab965fcaa39d145c. At the time of writing, only 9 of the 41 AV engines detected the trojan. Our recommendation is therefore not to follow the URL and certainly not to download and install this so-called AIM update.

New Bredolab trojan variants in DHL and UPS tracking emails

MX Lab intercepted several email messages with new Bredolab trojan variants in the traditional style: emails regarding the tracking of a parcel. We noticed new campaigns using the DHL and UPS tracking style and cover both in this article.

The trojan is known as Trojan.Win32.Bredolab, Trojan-Downloader:W32/Bredolab.WI or TrojanDownloader:Win32/Bredolab.AB.

UPS Tracking Number

The message comes from the spoofed address UPS Manager *** <services@ups.com> (*** stands for a random firstname lastname format). The subject is UPS Tracking Number 42163829 (number may vary with each email). The body of the email:

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
United Parcel Service.

The email contains the archive file UPS_invoice _Nr4593.zip, where the number matches the number in the subject. The extracted executable UPS_invoice _Nr4593.exe has a file size of 68 kB.

The trojan will create the following files on the system:

%Profiles%\LocalService\Application Data\mvhgkr.dat
%AppData%\avdrn.dat
%DesktopDir%\Internet Security 2010.lnk
%StartMenu%\Internet Security 2010.lnk
%Programs%\Startup\rarype32.exe
%ProgramFiles%\InternetSecurity2010\IS2010.exe
%System%\41.exe
%System%\helper32.dll
%System%\smss32.exe
%System%\winlogon32.exe
%System%\warning.html

There were new processes created in the system:

%System%\smss32.exe
%ProgramFiles%\internetsecurity2010\is2010.exe

Various registry settings are changed, and TCP port 1054 is opened by the process smss32.exe (%System%\smss32.exe). Connections to remote hosts are established: to 193.104.153.30 on port 80 and to 193.104.94.5 on port 4455.

The following URLs were then requested from the remote web server:

* http://downloadavr40.com/loads.php?code=0001384
* http://downloadavr40.com/dfghfghgfj.dll
* http://downloadavr40.com/cgi-bin/download.pl?code=0001384
* http://testavrdown.com/cgi-bin/get.pl?l=0001384

Virus Total permalink and MD5: 28d798d6021e600101ba68ea87345656. At the time of writing this article, only 10 of the 41 AV engines detected the trojan variant.

DHL Tracking Number

The email comes from the spoofed address Support *** <services@dhl.com> (*** stands for a random firstname lastname format).

Possible subject formats are:

DHL Delivery Problem NR 98545
DHL International. Get your parcel NR.5269
DHL Customer Services. Get your parcel NR.0961
DHL Express Services. Get your parcel NR.6493
DHL Office. Get your parcel NR.6366
DHL Tracking Number 40834372048

The body of the email:

Hello!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Express Services.

The email contains the archive file DHL_label_Nr2387.zip. The extracted executable DHL_label_Nr2387.exe has a file size of 68 kB. The numbers in the filename may vary.

The following files are created on the system:

%AppData%\avdrn.dat
%Programs%\Startup\rarype32.exe

Virus Total permalink and MD5: 7c874b52eee7196ef96dc8710b957033.

New Bredolab variant targets MySpace users with MySpace Password Reset email

MX Lab detected a new virus campaign carrying a new Bredolab variant. The campaign has the same characteristics as the Facebook Password Reset email campaign. The trojan is detected as Win32:Bredolab-BL (Avast) or W32/Bredolab!Generic2 (F-Prot).

The email is sent from the spoofed address <confirmation@myspace.com> and has the subjects:

MySpace Password Reset Confirmation!
MySpace Password Reset Confirmation! Order NR.4648.

The number at the end of the subject is chosen randomly and can change when the subject contains an Order NR.

Body of the email:

Hey a ,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your MySpace.

The attached document is named MySpace_document_10081.zip and contains the 36 kB executable MySpace_document_10081.exe.

Virus Total permalink and MD5: cfd05a493ccab7d5928ba9bf7dec3d16.

SpamAssassin 2010 bug caused by “old” rule

SpamAssassin, a widely used open-source anti-spam detection system, had an issue on January 1, 2010 with a rule that inspects the date of an email message to detect emails from the future, which can be an indicator of spam.

For readers who are not familiar with SpamAssassin, here is a brief explanation of how it works. SpamAssassin checks each incoming message against a set of rules. Each rule describes what to search for and defines the score that is added when the rule matches.

The rule FH_DATE_PAST_20XX checks whether a message is dated in the near future and increases the score by 3.2 points if this is the case. Apparently, the search date was 01-01-2010.

As a result, every message received an extra 3.2 points by default. Combined with other rules, the score per message can increase further and the message can eventually be labeled as spam by SpamAssassin, depending on the configuration, which leads to many false positives.

The date for the rule has been changed to 01-01-2020 according to the SpamAssassin Wiki.
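The failure mode above is a rule that keys on a fixed year string rather than on the distance between the Date header and the current time. The following Python is an added example, not SpamAssassin code: `score_year_rule` mimics a year-pattern rule of the FH_DATE_PAST_20XX kind (the regex form is an assumption about the rule, not its exact text; it fires on any four-digit year from `first_year` up to 2099), while `score_relative_rule` does what the rule intended, parsing the Date header and adding 3.2 only when it lies more than a configurable slack ahead of the receive time. The helper generalises to any cut-off year, so the same check shows the 2020 rewrite misfiring on 1 January 2020 exactly as the 2010 rule did. All Date headers are constructed test values.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

FUTURE_SCORE = 3.2  # score FH_DATE_PAST_20XX added on a match, as stated in the post


def make_year_rule(first_year):
    """Build a year-pattern rule matching years first_year..2099 (assumed shape of the original rule).

    make_year_rule(2010) yields 20[1-9][0-9]; make_year_rule(2020) yields 20[2-9][0-9].
    """
    tens = (first_year // 10) % 10
    return re.compile(rf"20[{tens}-9][0-9]")


def score_year_rule(date_header, first_year):
    """Static rule: adds 3.2 whenever the Date header contains a year >= first_year.

    This is the bug: on 1 January of first_year every legitimate message matches.
    """
    return FUTURE_SCORE if make_year_rule(first_year).search(date_header) else 0.0


def score_relative_rule(date_header, now, slack=timedelta(hours=24)):
    """Relative rule: adds 3.2 only if the Date header is more than `slack` ahead of `now`.

    `now` must be a timezone-aware datetime (the time the message was received).
    """
    try:
        sent = parsedate_to_datetime(date_header)
    except (TypeError, ValueError):
        # An unparseable Date header is itself suspicious; scoring it is an assumption of
        # this example, comparable to a rule's if-unset default.
        return FUTURE_SCORE
    if sent.tzinfo is None:  # "-0000" dates come back naive; treat them as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return FUTURE_SCORE if sent - now > slack else 0.0


if __name__ == "__main__":
    new_year_2010 = datetime(2010, 1, 1, 12, 0, tzinfo=timezone.utc)
    legit = "Fri, 1 Jan 2010 10:00:00 +0100"   # constructed: sent two hours before receipt
    future = "Mon, 4 Jan 2010 10:00:00 +0000"  # constructed: dated three days ahead
    print("year rule (2010) on legitimate mail:", score_year_rule(legit, 2010))
    print("relative rule on legitimate mail:  ", score_relative_rule(legit, new_year_2010))
    print("relative rule on future-dated mail:", score_relative_rule(future, new_year_2010))
```

The relative check needs no maintenance because it never encodes a calendar year; the only tunable is the slack, which absorbs clock skew and time-zone mistakes on the sending side.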

More information:

Mike Cardwell Blog
IT Slashdot

I do hope that the SpamAssassin admins change the rule on time to avoid a 2020 bug in their rule set.

In case you’re wondering…. no, MX Lab does not use SpamAssassin so our services were not affected by this issue.

Best wishes for 2010

We would also like to use the opportunity to thank all the readers of the MX Lab blog for their visits and the posted comments. We are committed to contributing further email security related articles, and we will also use Twitter to inform about email based threats and certain aspects of our business.

MX Lab wishes everyone a virus and spam-free 2010.

Christmas malware SantasGift.exe

It is a tradition that new email threats emerge at the end of the year and that more spam goes around, and this year we expect to face new threats as well.

MX Lab started to intercept messages with the subject line “Jingle bells, jingle bells.. Ho ho ho Santa Claus is coming!!”. The message contains a URL that leads to a web site hosting malware named SantasGift.exe.

The malware is known as Trojan.IRC.Zapchast-16 (ClamAV), Dropped:Backdoor.Zapchast.PI (BitDefender), Backdoor.Zapchast.PF (F-Secure) or Backdoor.IRC.Zapchast.zwrc (Kaspersky).

Virus Total permalink and MD5: ef1982df5c01b62b3fa66daa8115946e

Facebook subject to campaign that combines phishing and malware

MX Lab detected a large new campaign targeting Facebook users. The campaign combines phishing techniques with the download of malware and a PDF exploit from the web site.

The phishing campaign has the same characteristics as the previous campaigns we posted about:

Facebook account update (part 1)
Facebook account update (part 2)

The message is being sent from the spoofed address “Facebook <update+umxlabvkqxqrig@facebookmail.com>” and has various subjects:

Facebook account update
Facebook update tool
New login system

This is the body of the phishing/malware email:

The included link leads to hxxp://www.facebook.com.jjjiok.org.uk/global_directory/MyAccount.php?ref=520***&email=***@***.com.

The phishing web site contains instructions on how to update your account.

In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account.
A new Facebook Update Tool has been released for your account. Please download and install the tool using the link below:

updatetool.exe

* Do not use the same password that you use for other online accounts.
* Your new password must be at least 6 characters in length.
* Use a combination of letters, numbers, and punctuation.
* Passwords are case-sensitive. Remember to check your CAPS lock key.

Old Password:
New Password:
(required) ?
Confirm Password:
(required)

The page asks you to confirm your old and new password and offers the download link for the file updatetool.exe, which leads to hxxp://www.facebook.com.jjjiok.org.uk/global_directory/updatetool.exe.

When we first visited the phishing site, an automated download of the file pdf.pdf was triggered.

As expected, this PDF contains an exploit. When we submitted the PDF file for examination to Virus Total we got the names EXP/Pidief.FV (Antivir), Exploit.PDF-JS.Gen (BitDefender), Exploit.PDF-JS.Gen (GData), Exploit:Win32/Pdfjsc.CM (Microsoft) and Troj/PDFEx-CD (Sophos).

pdf.pdf:

AV detection rate: 9/40 AV engines detected the threat
Virus Total permalink and MD5: 93cba9349ecc8fb605c7932be0cdc9c6

Updatetool.exe:

AV detection rate: 6/40 AV engines detected the threat
Virus Total permalink and MD5: 095fe570f78c322c8e358c656816c200.