UPS Tracking number trojan – new variant
July 21, 2008
Around 00:02 AM, local Belgian time, MX Lab detected an outbreak of a new UPS tracking number trojan.
The email itself remains the same, but the attachment name now contains a tracking number, e.g. UPS_INVOICE_978172.exe.
The .exe is a new variant: when a sample was submitted to VirusTotal, only 3 of the 34 antivirus engines detected it. More details in the table below.
Antivirus          Version         Last Update   Result
AhnLab-V3          2008.7.21.1     2008.07.21    -
AntiVir            7.8.1.11        2008.07.21    -
Authentium         5.1.0.4         2008.07.21    -
Avast              4.8.1195.0      2008.07.21    -
AVG                8.0.0.130       2008.07.21    -
BitDefender        7.2             2008.07.21    -
CAT-QuickHeal      9.50            2008.07.21    -
ClamAV             0.93.1          2008.07.21    -
DrWeb              4.44.0.09170    2008.07.21    -
eSafe              7.0.17.0        2008.07.21    Suspicious File
eTrust-Vet         31.6.5971       2008.07.21    -
Ewido              4.0             2008.07.21    -
F-Prot             4.4.4.56        2008.07.21    -
F-Secure           7.60.13501.0    2008.07.21    Suspicious:W32/Malware!Gemini
Fortinet           3.14.0.0        2008.07.21    -
GData              2.0.7306.1023   2008.07.21    -
Ikarus             T3.1.1.34.0     2008.07.21    -
Kaspersky          7.0.0.125       2008.07.21    -
McAfee             5343            2008.07.21    -
Microsoft          1.3704          2008.07.22    -
NOD32v2            3284            2008.07.21    -
Norman             5.80.02         2008.07.21    -
Panda              9.0.0.4         2008.07.21    -
PCTools            4.4.2.0         2008.07.21    -
Prevx1             V2              2008.07.22    -
Rising             20.54.02.00     2008.07.21    -
Sophos             4.31.0          2008.07.21    -
Sunbelt            3.1.1536.1      2008.07.18    -
Symantec           10              2008.07.21    -
TheHacker          6.2.96.385      2008.07.20    -
TrendMicro         8.700.0.1004    2008.07.21    -
VBA32              3.12.8.1        2008.07.21    suspected of Malware-Cryptor.Win32.General.2
VirusBuster        4.5.11.0        2008.07.21    -
Webwasher-Gateway  6.6.2           2008.07.21    -
The file shows the threat characteristics of ZBot, a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components, and gives the attacker remote access to the compromised system. It opens a backdoor on the infected computer to allow unauthorized access.
On an infected computer the trojan creates new files such as %System%\ntos.exe, %System%\wsnpoem\audio.dll and %System%\wsnpoem\video.dll, and creates a new directory %System%\wsnpoem.
It also adds and modifies entries in the Windows registry and connects to a server to fetch http://*********.ru/******/odessa.bin. It opens random TCP ports to provide backdoor capabilities.
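The attachment naming and the host artifacts described above are enough for simple defender-side checks at the mail gateway and on the endpoint. The following is an added example, not MX Lab's code; it assumes %System% resolves to C:\Windows\System32 and uses constructed sample inputs.

```python
"""Defensive checks derived from the indicators in this post.
Added example; the inputs in __main__ are constructed, not real captures."""
import hashlib
import re
from pathlib import PureWindowsPath

# Attachment naming seen in this campaign: UPS "invoice" plus a numeric tracking number.
ATTACHMENT_RE = re.compile(r"^UPS_INVOICE_\d+\.exe$", re.IGNORECASE)

# Host artifacts from the post, relative to %System% (assumed to be C:\Windows\System32).
HOST_ARTIFACTS = ("ntos.exe", "wsnpoem", r"wsnpoem\audio.dll", r"wsnpoem\video.dll")

# MD5 of the sample as reported on VirusTotal in the post's 10:00 update.
KNOWN_MD5 = "da4b7ef93c588ad799f1a1c5afb6cfad"


def is_suspicious_attachment(filename: str) -> bool:
    """Mail-gateway rule: does the attachment name match the campaign's pattern?"""
    return bool(ATTACHMENT_RE.match(filename.strip()))


def find_host_artifacts(paths, system_dir=r"C:\Windows\System32"):
    """Return the observed paths that match the post's %System% artifacts.
    The comparison is case-insensitive, as NTFS path lookups are."""
    expected = {PureWindowsPath(system_dir, a).as_posix().lower() for a in HOST_ARTIFACTS}
    return sorted(p for p in paths if PureWindowsPath(p).as_posix().lower() in expected)


def matches_known_sample(data: bytes) -> bool:
    """Exact-sample hash match. A repacked variant will not match, which is why
    the file artifacts above are the more durable indicator."""
    return hashlib.md5(data).hexdigest() == KNOWN_MD5


if __name__ == "__main__":
    # Constructed directory listing from a hypothetical infected host.
    listing = [
        r"C:\Windows\System32\kernel32.dll",
        r"C:\Windows\System32\ntos.exe",
        r"C:\WINDOWS\system32\wsnpoem\audio.dll",
        r"C:\Windows\System32\wsnpoem\video.dll",
    ]
    print("host artifacts:", find_host_artifacts(listing))
    print("attachment flagged:", is_suspicious_attachment("UPS_INVOICE_978172.exe"))
```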
Update 10:00 AM Belgian time:
The MD5 on VirusTotal is da4b7ef93c588ad799f1a1c5afb6cfad and the trojan is now detected by 12 virus engines. Permalink: http://www.virustotal.com/
