Flash being used in spam emails

Spammers often include links in their messages directing to web sites. These links are usually URLs ending in .html, .htm, .asp, .php or something similar.

A new spam trick is to include a URL pointing to a Flash animation with the .swf extension. Most browsers will play the Flash movie even if it isn’t embedded in an .html page.

The Flash file contains no animation, only a redirect to a web site with the spammer’s offer.

Commtouch reports that the messages arrived in small quantities on Saturday, and by Monday, July 28, had become a massive outbreak. 7000 URLs have been created and used in millions of spam messages.

Malware round up, for now

The UPS trojan, malware distributed by email, was one of the latest highlights. On more than one occasion the attached zip was extracted, opened and the trojan executed. Anti-virus engines had a hard time keeping up to date and providing real protection.

Commtouch, our technology partner, has provided us with a graph showing when the UPS trojan outbreaks appeared per day, based on the ups_invoice.exe attachment.

As we also reported on this blog, the malware was sent out in so-called bursts: many emails with the virus in a short time. In the graph you can see when the massive waves or bursts occurred. Sending out viruses in bursts yields more infections because many unprotected computers are reached in a short time frame.

At the moment things have cooled down a bit, but since this afternoon we see the variant ‘Buy your ticket online’ appearing in our message logs. This story isn’t over yet and we are keeping our eyes open.

Email pollution and spam to think about

Most of the spam MX Lab intercepts tries to sell OEM software at very low prices, Viagra and all kinds of drugs, or replica watches, or recommends buying stocks, and so on.

From time to time we see spam campaigns that seem to have no real meaning and don’t take you to a web site with some great offer. This weekend we got a lot of this kind of spam. Some examples:

gorse yelp albuquerque

emanuel botulin competitor? masturbate, lapelled lapelled.
rout combatted prussia podge camelopard exult, lampoon
laureate sonogram camelopard stinkpot foxhall.

competitor masturbate.

agony elaborate proserpine

proserpine assai percept? holster, edelweiss vile.
nationwide trash brittle rifle orwell somerville, rifle
hanna ileum agony orwell drum.

fallacy ribonucleic.

Some other great readings:

“There are certain queer times and occasions in this strange mixed affair we call life when a man takes the whole universe for a vast practical joke.” Herman Melville

“This was love at first sight, love everlasting: a feeling unknown, unhoped for, unexpected–in so far as it could be a matter of conscious awareness; it took entire possession of him, and he understood, with joyous amazement, that this was for life.” Charles Augustus Lindbergh

“It is in our lives and not our words that our religion must be read.” Thomas Jefferson

This one is very nice. It really makes you think.

“And in the end it’s not the years in your life that count. It’s the life in your years.” Abraham Lincoln

ZBot trojan attached to contract

A new variant of the ZBot trojan is attached to an email with your contract details. Possible subject lines are:

Contract of settlements
Contract of retirements
Permit for retirement
Loan contract

The contents of the message:

Dear customers,

We have prepared a contract and added the paragraphs that you wanted to see in it. Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment. We are enclosing the file with the prepared contract. If necessary, we can send it by fax. 

Looking forward to your decision.
Israel Bender

Virus Total permalink and MD5 hash: c0a907c8bf64d60bec0cce934ca60a34

ZBot trojan attached to flight ticket confirmation

A new variant of the ZBot trojan is attached to a flight ticket confirmation email. Possible subject lines are:

Your order N9708902
Online order for ticket N688610
Online order for airplane ticket N688610
Your ticket from {airlines} N3076437
Your ticket from {airlines}
Your airplane ticket

The contents of the message:

Good day,

Thank you for using our new service “Buy flight ticket Online” on our website.
Your account has been created:

Your login: Chapmanavance
Your password: passMWS8

Your credit card has been charged for $405.36.

We would like to remind you that whenever you order tickets on our website you get a discount of 10%! Attached to this message is the purchase Invoice and the airplane ticket. To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,

Rusty Doherty
Delta Air Lines

Attachments are .zip files named E-ticket_N7399294.zip (the number is random), containing E-ticket_N7399294_and_Invoice_for_N73992943442.exe.

On an infected computer the trojan creates new files such as %System%\ntos.exe, %System%\wsnpoem\audio.dll and %System%\wsnpoem\video.dll, and a new directory %System%\wsnpoem.

It also adds and modifies entries in the Windows registry and connects to a server to fetch http://*********.ru/alaska/alaska.bin. It opens random TCP ports in order to provide backdoor capabilities.

Virus Total permalink and the MD5 hash: e3254936ed358457ed303529e7c2fa8f.

“Parcel requires declaration” virus

The UPS Trojan has changed its characteristics, but the general concept remains the same: an email purporting to come from customs about a parcel awaiting delivery for you, with a .zip file containing malware attached.

The email comes with one of these subject lines:

Your parcel is at the customs office
Parcel requires declaration
Customs, please read
Customs – We have received a percel for you

The contents of the email:

Hello,
We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.
Kind regards,
Aileen Solis
Your Customs Service

The email has Bill_Tax.zip attached; inside the archive is Bill_Tax___________________________N89798742344.exe, which is the same ZBot trojan (see the Virus Total report). Only 3 engines detect this one, so don’t open the file if you receive the email!

UPS Tracking number trojan – another variant and Hallmark e-card

There is a new variant of the UPS Tracking number trojan en route. The subject is now “[RE] UPS Tracking Number 7056968807” but the contents remain the same. The URL used by the trojan is slightly different: the host remains the same, but the folder structure and the .bin file on the site differ: http://***********.ru/offshore/denis.bin. The number in the subject and file can be random.

The new variant is detected by 13 of the 35 anti-virus engines at Virus Total. The MD5 hash is 488d34cd86e252abca560416413a595d.

Also, if you receive a Hallmark E-Card as an attachment, it is another variant of Trojan-Dropper.Win32, also known as W32/P2Pworm.E.worm or Trojan.Delf.Inject.F. The chance of infection is much lower: 24 of the 35 engines provide protection, so there’s a good chance it is caught.

When reading the comments on this blog and also on other resources and web sites, I am amazed how many people have double-clicked the attachment and have indeed infected their computer.

Now, a very simple tip for the future, also mentioned on other web sites: don’t open attachments without checking the content and sender first. Handle every email with attachments carefully, and don’t extract archives and click on executables or files with exotic extensions.

Large companies like UPS, Hallmark and others don’t send you an executable in a zip file. So this is something you should be aware of; it is the first “red light”.

UPS tracking is done online on their web site, and after all, think about it: a message stating that a package sent on July 1st can’t be delivered, while it is in fact July 23, would not be very good UPS service, right?

For Hallmark e-cards you also need to visit their web site to get your lovely e-card.

Following this simple guideline can save you the trouble of an infected computer. It applies to everyone: whether you work from home, are a private individual or are in a business environment, it’s a good tip.

Now, if you have a business with employees and multiple workstations, servers and computers, and you have an infection on your network, then you might ask yourself whether your anti-virus protection is up to the task of providing protection after all. It appears that it is not.

You are missing good protection at the internet perimeter, capable of responding faster to email-based threats like viruses and trojans.

In that case, let me promote my company for once: contact MX Lab, get a 15-day trial of our zero-hour anti-virus and anti-spam security services and notice the difference.

4 years prison for ‘Spam King’

In July 2007 Robert Soloway was arrested for sending out massive spam campaigns. Today the spammer received a 47-month prison sentence and must pay $700,004 in restitution for the profits he made from his spam operation, according to an article on Komonews. “I take full responsibility for this. I sent out a lot of spam,” Soloway said in court.

UPS Tracking number trojan – new variant

Around 00:02 AM, local Belgian time, MX Lab detected an outbreak of a new UPS tracking number trojan.

The email itself remains the same, but the attachment name now contains a tracking number, like UPS_INVOICE_978172.exe.

The .exe is a new variant; when a sample was submitted to Virus Total, only 3 of the 34 anti-virus engines detected it. Details are in the table below.

Antivirus Version Last Update Result
AhnLab-V3 2008.7.21.1 2008.07.21 -
AntiVir 7.8.1.11 2008.07.21 -
Authentium 5.1.0.4 2008.07.21 -
Avast 4.8.1195.0 2008.07.21 -
AVG 8.0.0.130 2008.07.21 -
BitDefender 7.2 2008.07.21 -
CAT-QuickHeal 9.50 2008.07.21 -
ClamAV 0.93.1 2008.07.21 -
DrWeb 4.44.0.09170 2008.07.21 -
eSafe 7.0.17.0 2008.07.21 Suspicious File
eTrust-Vet 31.6.5971 2008.07.21 -
Ewido 4.0 2008.07.21 -
F-Prot 4.4.4.56 2008.07.21 -
F-Secure 7.60.13501.0 2008.07.21 Suspicious:W32/Malware!Gemini
Fortinet 3.14.0.0 2008.07.21 -
GData 2.0.7306.1023 2008.07.21 -
Ikarus T3.1.1.34.0 2008.07.21 -
Kaspersky 7.0.0.125 2008.07.21 -
McAfee 5343 2008.07.21 -
Microsoft 1.3704 2008.07.22 -
NOD32v2 3284 2008.07.21 -
Norman 5.80.02 2008.07.21 -
Panda 9.0.0.4 2008.07.21 -
PCTools 4.4.2.0 2008.07.21 -
Prevx1 V2 2008.07.22 -
Rising 20.54.02.00 2008.07.21 -
Sophos 4.31.0 2008.07.21 -
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.21 -
TheHacker 6.2.96.385 2008.07.20 -
TrendMicro 8.700.0.1004 2008.07.21 -
VBA32 3.12.8.1 2008.07.21 suspected of Malware-Cryptor.Win32.General.2
VirusBuster 4.5.11.0 2008.07.21 -
Webwasher-Gateway 6.6.2 2008.07.21 -

The file shows the threat characteristics of ZBot, a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components and gives the attacker remote access to the compromised system. It opens backdoors on the infected computer to allow unauthorized access.

On an infected computer the trojan creates new files such as %System%\ntos.exe, %System%\wsnpoem\audio.dll and %System%\wsnpoem\video.dll, and a new directory %System%\wsnpoem.

It also adds and modifies entries in the Windows registry and connects to a server to fetch http://*********.ru/******/odessa.bin. It opens random TCP ports in order to provide backdoor capabilities.

Update 10:00 AM Belgian time:

The MD5 on Virus Total is da4b7ef93c588ad799f1a1c5afb6cfad and the trojan is now detected by 12 virus engines. Permalink: http://www.virustotal.com/

UPS Tracking number trojan

When you receive an email from UPS regarding a package that can’t be delivered due to an incorrect recipient’s address, you had better watch out. It is very likely a new variant of a trojan trying to get your attention and infect your computer.


The message contains the text:

Unfortunately we were not able to deliver postal package you sent on July the 1st in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office

Your UPS

The message includes an attachment ups_invoice.zip, which extracts to the file ups_invoice.exe. This file contains a trojan known as W32/Agent.HFN by F-Prot. We couldn’t resist submitting this file to Virus Total to see how many signature-based anti-virus engines would detect this malware. This time only 8 of the 34 anti-virus engines detected the trojan.

Here are the complete results from Virus Total:

Antivirus Version Last Update Result
AhnLab-V3 2008.7.17.0 2008.07.18 -
AntiVir 7.8.1.11 2008.07.20 -
Authentium 5.1.0.4 2008.07.20 W32/Agent.HFN
Avast 4.8.1195.0 2008.07.20 -
AVG 8.0.0.130 2008.07.19 Dropper.Generic.VGK
BitDefender 7.2 2008.07.20 -
CAT-QuickHeal 9.50 2008.07.18 -
ClamAV 0.93.1 2008.07.20 -
DrWeb 4.44.0.09170 2008.07.20 -
eSafe 7.0.17.0 2008.07.20 Suspicious File
eTrust-Vet 31.6.5966 2008.07.18 -
Ewido 4.0 2008.07.20 -
F-Prot 4.4.4.56 2008.07.20 W32/Agent.HFN
F-Secure 7.60.13501.0 2008.07.20 Suspicious:W32/Malware!Gemini
Fortinet 3.14.0.0 2008.07.20 -
GData 2.0.7306.1023 2008.07.20 -
Ikarus T3.1.1.34.0 2008.07.20 Trojan-Dropper.Win32.Delf.aef
Kaspersky 7.0.0.125 2008.07.20 -
McAfee 5342 2008.07.18 -
Microsoft 1.3704 2008.07.20 -
NOD32v2 3282 2008.07.19 -
Norman 5.80.02 2008.07.18 -
Panda 9.0.0.4 2008.07.20 -
Prevx1 V2 2008.07.20 -
Rising 20.53.62.00 2008.07.20 -
Sophos 4.31.0 2008.07.20 -
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.20 -
TheHacker 6.2.96.385 2008.07.19 -
TrendMicro 8.700.0.1004 2008.07.18 -
VBA32 3.12.8.1 2008.07.20 -
VirusBuster 4.5.11.0 2008.07.19 Packed/Pohernah
Webwasher-Gateway 6.6.2 2008.07.20 Win32.Malware.gen#ASPack (suspicious)

Again, this shows the importance of zero-hour anti-virus protection like MX Lab offers.
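As an added example that is not part of the original posts or MX Lab’s own code, the following Python (standard library only) applies the two checks the posts above call for at the mail gateway: a .zip attachment that wraps an executable, as in ups_invoice.zip containing ups_invoice.exe, and a body link pointing straight at a .swf file, as in the Flash spam post. The sample message is constructed here; example.invalid is a placeholder host.

```python
# Added example: gateway triage for zip-wrapped executables and direct .swf links.
import io
import re
import zipfile
from email.message import EmailMessage

# Extensions Windows will execute directly; .exe is the one seen in these posts.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
URL_RE = re.compile(r"https?://\S+", re.I)


def archive_findings(data: bytes) -> list:
    """Return the names of executables inside a zip; [] if it is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []


def triage(msg: EmailMessage) -> list:
    """Collect reasons to quarantine the message (empty list means clean)."""
    reasons = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            for inner in archive_findings(part.get_payload(decode=True)):
                reasons.append(f"zip {name} contains executable {inner}")
        elif name.endswith(EXEC_EXT):
            reasons.append(f"bare executable attachment {name}")
        elif part.get_content_type() == "text/plain":
            for url in URL_RE.findall(part.get_content()):
                # A .swf served on its own is the Flash redirect trick.
                if url.rstrip(".,;)").split("?")[0].lower().endswith(".swf"):
                    reasons.append(f"direct link to Flash file {url}")
    return reasons


def build_sample() -> EmailMessage:
    """Constructed lure modelled on the UPS invoice mail (placeholder host)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ups_invoice.exe", b"MZ placeholder, not a real program")
    msg = EmailMessage()
    msg["Subject"] = "UPS Tracking Number 0000000000"
    msg.set_content("Please print out the invoice copy attached.\n"
                    "See also http://example.invalid/promo.swf")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="ups_invoice.zip")
    return msg
```

Run `triage(build_sample())` to see both reasons; a real deployment would feed it the parsed message from the MTA and quarantine on a non-empty result.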