Western Union MTCN trojan

MX Lab just intercepted a bunch of emails claiming to come from Western Union, stating that your credit card issuing bank has halted the transaction at the demand of the Federal Criminal Investigation Service. It sounds really scary at first.

The sender's address is spoofed and random, and the subject contains “Western Union MTCN #5993705206”. The numbers and even the subject itself can change later on during the distribution.

The content of the email:

Hello!

Attention! The wire sent to Maksim Zverev, Moscow, Russia has been blocked by our security service.

Your credit card issuing bank has halted the transaction by the demand of the Federal Criminal Investigation Service (case No. 42976 since the recipient has been undergoing the international retrieval by the InterPol.

Please contact the closest Western Union office and make sure you have your ID card, the credit card that was used for making the payment, and the invoice file with you.

(The invoice file is attached to this message; please print it out and hand it to our agent.)

You can find the address of the closest Western Union agent on our website at http://www.westernunion.com

Thank you!

First of all, the sender's address and the first paragraph of the email should already mark these emails as suspicious and dangerous. Did you send a wire to someone in Russia lately? The chance is quite small, I think.

Furthermore, the “invoice” is a Zip archive containing an executable. Even if your antivirus engine isn’t up to date yet, it should be clear to anyone that this is a virus. Only one antivirus engine, Sophos, detects the trojan at the moment, so be careful.

And yes, our ZBot trojan is back again as a new variant. It’s a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with remote access to the compromised system.

Some files are created on your system, like %System%\oembios.exe (its aliases are Mal/EncPk-CZ [Sophos] and PWS:Win32/Zbot.gen!B [Microsoft]).

The folder %System%\sysproc64 is created for %System%\sysproc64\sysproc32.sys and %System%\sysproc64\sysproc86.sys. The Windows registry is modified and a connection to an external IP on port 80 is made, with a GET request for bone/no.bin.

Virus Total permalink and MD5: 07b8c31d8519f04103cde011d24c82ec.

Windows Vista update through malware Flash swf file

An email with the subject “RE: ® Official Update 2008!” is trying to attract your attention to a new Windows XP/Vista update. The email message contains a large title “Free Update Windows XP, Vista” with a URL.

Following the link leads to a hosted .swf file, a Flash animation, that is hosted at imageshack.us.

The file itself is of course malware, so be aware: do not follow the link, and do not download or execute the install.exe file.

New FedEx Tracking number trojan outbreak

MX Lab has detected and intercepted a new outbreak of the FedEx Tracking number trojan. It appears to be a variant

The subject is now “FedEx Tracking N_2545362053”, where the number is random. The From address is spoofed and is not an official FedEx email address, so this email is easy to detect: looking at the From address and the body, you should be able to identify it as suspicious.

The message contains:

Unfortunately we were not able to deliver postal package you sent on August the 1st in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office

Your FEDEX

The attached malware is in a zip file named WD6128922.zip and contains the executable with file name WD6128922.exe.

As a reminder, FedEx will never give you tracking information in this way. All tracking of shipments is done on their web site, and if something went wrong, FedEx won’t send out an email with a Zip file attached.
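As an added example (not code from the MX Lab post), here is a Python triage check for the indicators described in this FedEx post and in the Western Union post above: a tracking-number subject, a From domain that does not belong to the impersonated brand, and a zip attachment wrapping an executable. The brand-to-domain map, the sender domain and the constructed sample message are assumptions made for this example.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# Brands impersonated in the campaigns on this page and the domains their real
# mail would come from (assumption for this example); extensions treated as executable.
BRAND_DOMAINS = {"fedex": "fedex.com", "ups": "ups.com", "western union": "westernunion.com"}
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")
TRACKING_RE = re.compile(r"tracking (?:number|n_?)\s*#?\d{6,}", re.IGNORECASE)

def triage(raw: bytes) -> list[str]:
    """Return the indicator strings found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    subject = msg.get("Subject", "")
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    if TRACKING_RE.search(subject):
        findings.append("tracking-number subject")
    for brand, domain in BRAND_DOMAINS.items():
        if brand in subject.lower() and not sender_domain.endswith(domain):
            findings.append(f"From domain {sender_domain!r} does not match {brand}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(EXEC_EXT):
            findings.append(f"executable attachment {name}")
        elif name.endswith(".zip") and data.startswith(b"PK"):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:  # look inside the archive
                for member in zf.namelist():
                    if member.lower().endswith(EXEC_EXT):
                        findings.append(f"executable {member} inside {name}")
    return findings

def build_sample(sender: str = "FedEx <noreply@mail-tracking-example.test>") -> bytes:
    """Constructed message mimicking the FedEx campaign: spoofed From, zip-wrapped exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WD6128922.exe", b"MZ placeholder, not a real binary")
    m = EmailMessage()
    m["From"] = sender
    m["Subject"] = "FedEx Tracking N_2545362053"
    m.set_content("Please print out the invoice copy attached and collect the package at our office")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="WD6128922.zip")
    return m.as_bytes()
```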

The file was submitted to Virus Total at around 1:30 PM CET. MX Lab submitted the file for analysis around 9:17 PM CET and only 9 antivirus engines detect this variant. So be careful not to open the zip file and especially don’t start the executable. Virus Total permalink and MD5: df73c2b3562ef157c10ba1a16b4c8885.

msnbc.com – BREAKING NEWS

If you have received a message similar to the one below, please be advised that this is a new version of the “CNN trojan” that was reported earlier on the MX Lab blog.

The subject starts with msnbc.com – BREAKING NEWS and can contain the following:

Google launches free music downloads in China
Plane crashes into prep school, hundreds of kids killed
Please give your opinions for change
US Dollar hits 6-year high, further gains expected
... and many more

The URL leads you to a web site where you supposedly can view the CNN video report, but which instead asks you to download a suitable Flash player, the file adobe_flash.exe, which is in fact a trojan. The URL in question can be anything and changes a lot. We also noticed that in some messages IP addresses are used instead of host names.

msnbc.com: BREAKING NEWS: Google launches free music downloads in China

Find out more at http://breakingnews.msnbc.com <http://www.***********.com/up.html>
======================================================
See the top news of the day at MSNBC.com, and the latest from Today Show and NBC Nightly News.

=========================================
This e-mail is never sent unsolicited. You have received this MSNBC Breaking News Newsletter
newsletter because you subscribed to it or, someone forwarded it to you.
To remove yourself from the list (or to add yourself to the list if this
message was forwarded to you) simply go to
http://www.msnbc.msn.com/id/50903113 <http://www.msnbc.msn.com/id/36611396> , select unsubscribe, enter the
email address receiving this message, and click the Go button.

Microsoft Corporation – One Microsoft Way – Redmond, WA 98052
MSN PRIVACY STATEMENT
http://privacy.msn.com (http://privacy.msn.com/> <http://privacy.msn.com/> ) 

FedEx Tracking number trojan

MX Lab has intercepted a few messages with the subject “[NO-REPLY] FedEx Tracking Number 26901603” with an attached trojan. After the UPS Tracking trojan campaign it’s now time to use FedEx.

The content of the email has the same characteristics as the UPS trojan:

Unfortunately we were not able to deliver postal package you sent on July the 31 in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office

Your FedEx

The email has attached the zip archive named FedEx_Invoice.zip with the executable FedEx_Invoice_N882874421.exe. The “tracking number” in the subject and file can change of course.

Virus Total results and MD5: da90a0c3000eb90ebc9394e5568c5c9a. 7 of the 36 antivirus engines detect the trojan, so be careful when you receive the message.

CNN Alerts: My Custom Alert malware

After a very long outbreak based on the CNN Daily Top 10 it’s now time for something different: CNN Alerts: My Custom Alert. This new version continues the CNN malware outbreak in a changed layout but with the same tactics.

Again, the email itself is very nicely CNN-branded but contains a link that leads you directly to the malware. The sender's address is spoofed and does not come from cnn.com, but this is not guaranteed for the future.

The link behind Full Story (so don’t click on this one) brings you, in this case, to a Russian web site where you supposedly need to download the proper Flash player to view the video. When you accept, the malware file adobe_flash.exe is downloaded.

The trojan has the same specs as the CNN Daily Top 10 one: Trojan-Downloader.Agent.EL. This trojan creates a new process on an infected machine, %System%\cbevtsvc.exe, and creates a new service CbEvtSvc in the system. Quite some registry modifications are made, as well as a direct IP address connection to a remote host on TCP port 443.

Download Internet Explorer 7 – don’t do it!

Don’t believe the message that you receive from admin@microsoft.com with the subject ‘Internet Explorer 7’ asking you to download the latest version of Internet Explorer.

It will bring you the Trojan-Downloader.Win32.Small.aafh (Kaspersky Lab), Trojan.Dropper (Symantec), TROJ_RENOS.ADX (Trend Micro), Troj/FakeAle-EF (Sophos) or TrojanDownloader:Win32/Renos.DI (Microsoft).

Download the latest version!

About this mailing:
You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the “Unsubscribe” link below. This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers’ content nor any of the goods or service advertised. Prices and item availability subject to change without notice.
©2008 Microsoft | Unsubscribe | More Newsletters | Privacy
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052

All updates and new versions of Internet Explorer are only available through the Windows Update channel.

Windows Live Spaces in spam

Spammers have found a new victim. After the use of Google URLs, spammers now use Windows Live Spaces in their spam campaigns.

Superior Relief Offers

http://************.spaces.live.com/default.aspx

your boss told you
so that you can spend 
Lusia R., New York

Following the link in the spam messages leads to a Windows Live Space with spam for “all kinds of meds” with a link to the Discount Pharmacy.

Angelina Jolie

About an hour ago, a new variant of the Angelina Jolie malware emails was intercepted. She is still very popular when it comes to malware.

Some previous emails regarding the Jolie video included a URL to a web site where a malware file was hosted named video-anjelina.avi.exe, video-nude-anjelina.avi.exe or something similar.

This time the email has an attached file Angelina_Jolie.rar that contains Angelina_Jolie.exe. The .rar archive is password protected and the password is included in the email. This is somehow good news, as you can’t double click and execute the malware by accident.

Virus Total permalink and MD5: 672b90f8297836e6bdc6549ae7425346.

The subject is most of the time “Anjelina Jolie Free Video” but can change, of course.

This malware has a low threat profile on its own but makes connections to remote hosts. It is assumed that the real infection is done with the files downloaded from there. The backdoor component allows the remote hacker to download/install additional components. From one of the remote hosts the file video-nude-anjelina.avi.exe is downloaded.

Only 2 engines of the 36 detect that this file is not to be trusted. Virus Total permalink and MD5: 785a11b9eef80dce6810ee6f1ada5adc.

CNN Daily Top 10 leads users to site hosting malware

Following the links in the CNN.com Daily Top 10 email could lead you to sites that host malware. MX Lab detected and intercepted the first messages at around 7:48 PM local Belgian time and is monitoring an outbreak of this type.

Malware authors are abusing CNN by using the logo, the layout and the concept of the CNN Daily Top 10 to distribute emails with URLs that point to sites that host malware.

The message itself is sent from a randomly generated user email address not on the cnn.com domain. The links behind the top 10 direct you to a web site that should show you the video but instead gives you an error that an incorrect Flash player is installed.

A pop-up window asks you to download the correct video codec, an executable called get_flash_update.exe, but this is in fact the Trojan-Downloader.Agent.EL. This trojan can download and install other malware onto the infected machine.

This trojan creates a new process on an infected machine, %System%\cbevtsvc.exe, and creates a new service CbEvtSvc in the system. Quite some registry modifications are made, as well as a direct IP address connection to a remote host on TCP port 443.

Virus Total permalink and MD5: dabb5a9b431c88c77281bcf1158a9879.

Remark: CNN is not responsible for the CNN Daily Top 10 that contained URLs to sites that host malware in the form of a downloadable Flash codec.