The Best Book virus

MX Lab has intercepted a few samples of an email carrying a virus in an attachment named Approved.zip. The email can have one of the following subjects:

The Best Book
Excellent Book
Magnificent Book
Splendid Book
Amazing Book

The messages contain the following text:

Hello Friend,

Your new book has brought a lot of excitement to our editorial staff. It’s certainly this year’s best in its genre. You seem to never going to quit surprising us. We have made a contract with you and guarantee that the first edition will total at least 10 million copies.

Enclosed is the approved and edited copy of your amazing book. Thank you for this paragon of beauty.

Please get in touch with us at your earliest convenience.

Untill we meet again

Like some other nasty viruses, this one is not widely detected yet. Only 10 anti-virus engines detect it, as Trojan.Win32.Agent.afer (F-Secure), Trojan.Downloader-56258 (ClamAV) or Troj/Agent-HTZ (Sophos). VirusTotal permalink and MD5: 2102201e29368e0fa99ab5551f5ce9d2.

Innovative income-generation system

When you receive a message with the subject "Innovative income-generation system which YOU ordered", announcing the Unique Income Generation Toolkit (UIGT) and carrying the file Instruction.zip, do not fall for it. The virus is known as Worm.Win32.AutoRun.ohz by Kaspersky or Trojan.Kobcka.FR by BitDefender.

Dear Valued Customer,

Order ID: 74347
Order Total: $59.99

Description: Innovative income-generation system

We are sending you the Unique Income Generation Toolkit (UIGT) developed by the Institute of Innovative Business and Financial Technologies (IIBFT), which you ordered on 9/21/2008.

Your unique UIGT activation code is: DAAAA3E5-B6

Please take a look at the instruction and get acquainted with the activation system, which is strictly confidential.

Please find the list of the company‚s addresses and phone numbers along with further information on UIGT in the enclosed instruction.

______________________________

If you believe this message has reached you by mistake, please contact the support service via phone or e-mail provided in the same instruction.

Respectfully,
Manager (IIBFT)
Andrew Long

The malware registers itself as a 'debugger' for a target application, so that it is started every time that application is launched on the infected computer. This description matches the Image File Execution Options (IFEO) Debugger registry value: when HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<program>.exe carries a Debugger value, Windows runs the named 'debugger' with the original program's path as its argument instead of the program itself.

The file %ProgramFiles%\Microsoft Common\wuauclt.exe is created (the legitimate Windows Update client of that name lives in %SystemRoot%\System32, not under %ProgramFiles%), the Windows registry is modified, and the virus can connect to a server on the internet at http://*****.ru/ld.php?v=1&rs=13441600&n=1&uid=1.

MX Lab has intercepted a few samples of this virus but there is no outbreak, at least on our systems at the time of writing. Still, only 9 of the 36 anti-virus engines detect it, so it is important not to open the attachment and run the exe.

VirusTotal permalink and MD5: 2ddc320f9b9e1302696166e8372072ba.

Infosecurity has chosen MX Lab as the best performing hosted email security provider

Array publications, from the Netherlands, has published a test of 8 hosted email security providers in their magazine Infosecurity, edition 3, September 2008.

Among the tested email security providers are ABO-IT Hosted F-Secure Messaging Security Gateway, Kaspersky Hosted Security Services, MessageLabs Email Services, SPAMfighter, Symantec Hosted Mail Security, Trend Micro Interscan Messaging Hosted Security and Uniserver E-mailhosting.

Infosecurity concludes: "We were impressed by MX Lab. This service has the best score of all tested services with 0,67 spam mails per user per day without any false positives."

Your internet access is going to get suspended virus

A new virus variant is being distributed with the subject "Your internet access is going to get suspended". The message body reads:

Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.

We conduct regular wiretapping on our networks, to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from You can check the report of your activities in the past 6 month that we have attached.

We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.

Sincerely
ICS Monitoring Team

The message carries a zip file named user-EA49943X-activities.zip; extracting it yields user-EA49943X-activities.exe. The file names differ from email to email.

The malware registers a Winlogon notification package (a subkey under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify with a DLLName value) so that the installed module is loaded into the address space of winlogon.exe, which runs as SYSTEM, at every boot and logon. The files cabpck.dll (detected as Mal/TinyDL-T by Sophos), k86.bin and krnlcab.sys (detected as Backdoor:Win32/Haxdoor by Microsoft) are created in the %System% folder.

A directory %Temp%\msi_setup is created and a connection is made to one of these hosts: http://****-****.biz/jerken/data.php?trackid=706172616D3D6 or http://*****.net/22/data.php?trackid=706172616D3D636D64266C616E6. The trackid value is hex-encoded ASCII: 706172616D3D decodes to "param=", and the longer value continues with "cmd&lan" before it is cut off.
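As an added example that is not part of the original post, the following pulls every query parameter out of a URL and decodes any that are hex-encoded printable text. The sample URLs are the two data.php URLs above (hosts masked exactly as on the page) plus the ld.php URL from the other posts, which carries no encoded text and serves as a negative case. Both trackid values are cut off on the page, so the decoder also returns the dangling nibble.

```python
"""Decode hex-encoded query parameters such as the trackid values above."""
import re
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Constructed sample: the two data.php URLs quoted above (hosts masked as on
# the page) plus the ld.php URL from the other posts as a negative case.
SAMPLE_URLS = [
    "http://****-****.biz/jerken/data.php?trackid=706172616D3D6",
    "http://*****.net/22/data.php?trackid=706172616D3D636D64266C616E6",
    "http://*****.ru/ld.php?v=1&rs=13441600&n=1&uid=1",
]


def decode_hex_ascii(value: str) -> Optional[Tuple[str, str]]:
    """Decode a hex string to printable ASCII.

    Returns (text, leftover), where leftover is a dangling nibble if the
    value has odd length (both trackid values above were cut off mid-byte),
    or None when the value is not hex or does not decode to printable text.
    """
    if len(value) < 4 or not HEX_RE.match(value):
        return None  # too short to be meaningful, or not hex at all
    even = value[: len(value) - len(value) % 2]
    raw = bytes.fromhex(even)
    if not all(0x20 <= b < 0x7F for b in raw):
        return None  # hex-looking but binary, e.g. rs=13441600
    return raw.decode("ascii"), value[len(even):]


def decode_query(url: str) -> Dict[str, Optional[Tuple[str, str]]]:
    """Map each query parameter of url to its decoded form, or None."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {name: decode_hex_ascii(val) for name, val in pairs}


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url)
        for name, decoded in decode_query(url).items():
            print("   ", name, "->", decoded)
```

The printable-ASCII check is what separates an encoded string from a value that merely happens to be hex digits: rs=13441600 decodes to bytes below 0x20 and is left alone, while the trackid values come out as "param=" and "param=cmd&lan". Decoded text containing & or = should itself be treated as a second query string.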

Only 8 of the 36 anti-virus engines detect this one. F-Secure recognises it as Suspicious:W32/Malware!Gemini, Trend Micro as PAK_Generic.001 and AVG as SHeur.CIKH, all of them generic or heuristic names rather than a family signature.

VirusTotal permalink and MD5: 6ba40e29db8fb6f9145fde7a45708875.

MX Lab offers Unified Communications Protection

MX Lab offers Unified Communications Protection based on FaceTime's Unified Security Gateway (USG) appliance, which allows enterprises to communicate and collaborate in a safe environment without sacrificing security and control.

Combined with the in-house developed and managed MX Lab Zero Hour Anti Virus & Anti Spam services, this offers a complete solution for your business communication, whether it is email, web, IM or Skype.

Read the press release "MX Lab offers Unified Communications Protection" on the MX Lab web site.

“Statement of fees” malware

Emails with the subject "Statement of fees 2008/09" contain an attached .zip archive with a file Fees_2008-2009.cod.exe. Subject and file names may vary. Note the double extension: with Explorer's default "Hide extensions for known file types" setting the file is shown as Fees_2008-2009.cod, which hides that it is an executable. MX Lab has seen increased activity regarding the distribution of this malware over the last few days.

Contents of the email:

Please find attached a statement of fees as requested, this will be posted today. The accommodation is dealt with by another section and I have passed your request on to them today.

Kind regards.
Gretchen 

As with the "Innovative income-generation system" sample above, the malware registers itself as a 'debugger' for a target application, so that it is started every time that application is launched on the infected computer.

The malware creates a file wuauclt.exe (the real Windows Update client of that name lives in %SystemRoot%\System32), edits a few registry values and can connect to the host http://********.ru/load4/ld.php?v=1&rs=13441600&n=1&uid=1, the same ld.php query string as the earlier sample.
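A quick way to check a machine for both persistence tricks described on this page, the IFEO 'debugger' used by this sample and by the "Innovative income-generation system" one, and the Winlogon notification package from the "Your internet access is going to get suspended" post, is to export the relevant registry keys with reg export and scan the .reg text. The following is an added example, not MX Lab's code. The .reg content is constructed for the example (the hooked image name notepad.exe is an assumption; the page does not say which application the sample hijacks), and the list of known-good Notify DLLs is an assumed Windows XP baseline that should be compared against a clean host of the same build.

```python
"""Scan a Windows registry export (.reg) for IFEO 'Debugger' hijacks and
Winlogon notification packages, the two persistence tricks described above."""
import re
from typing import Dict, List, Tuple

IFEO_MARK = "\\image file execution options\\"
NOTIFY_MARK = "\\winlogon\\notify\\"

# Assumed Windows XP baseline of Notify DLLs; verify against a clean host of
# the same build before trusting it.
KNOWN_GOOD_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                          "wlnotify.dll", "sclgntfy.dll"}

# Constructed .reg text for the example. Which application the sample hooks
# is not stated on the page; notepad.exe here is an assumption.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\wuauclt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableHeapLookaside"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DLLName"="crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck]
"DLLName"="cabpck.dll"
"Startup"="LogonEvent"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def load_reg(path: str) -> str:
    """reg export writes UTF-16 with a BOM; read it as such."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key path: {value name: value}}.
    REG_SZ data is unescaped; dword:/hex: data is kept verbatim (hex
    continuation lines are ignored, they are not needed for this check)."""
    reg: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            reg.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # \\ -> \ and \" -> "
            reg[current][name] = data
    return reg


def find_ifeo_debuggers(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """(image name, debugger command) for every IFEO key carrying a Debugger value."""
    return [(key.rsplit("\\", 1)[1], values["Debugger"])
            for key, values in reg.items()
            if IFEO_MARK in key.lower() and "Debugger" in values]


def find_unknown_notify_packages(reg: Dict[str, Dict[str, str]],
                                 known=KNOWN_GOOD_NOTIFY_DLLS) -> List[Tuple[str, str]]:
    """(package name, DLLName) for Notify packages whose DLL is not in the baseline."""
    hits = []
    for key, values in reg.items():
        if NOTIFY_MARK in key.lower() and "DLLName" in values:
            dll = values["DLLName"]
            if dll.lower().replace("/", "\\").rsplit("\\", 1)[-1] not in known:
                hits.append((key.rsplit("\\", 1)[1], dll))
    return hits


def is_masquerading_wuauclt(path: str) -> bool:
    """True for a wuauclt.exe anywhere but %SystemRoot%\\System32, the only
    place the real Windows Update client lives."""
    p = path.strip('"').lower().replace("/", "\\")
    if not p.endswith("\\wuauclt.exe"):
        return False
    return not p.rsplit("\\", 1)[0].endswith("\\system32")


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for image, debugger in find_ifeo_debuggers(reg):
        flag = " (wuauclt.exe outside System32)" if is_masquerading_wuauclt(debugger) else ""
        print(f"IFEO debugger for {image}: {debugger}{flag}")
    for package, dll in find_unknown_notify_packages(reg):
        print(f"Unknown Winlogon Notify package {package}: {dll}")
```

On the suspect host, run reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" cv.reg and feed the file to load_reg(). Any Debugger value at all is worth a look (legitimate uses are rare outside development machines), any Notify DLL missing from the baseline deserves a signature check, and a wuauclt.exe anywhere but System32 is almost certainly not the Windows Update client.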

VirusTotal permalink and MD5: 36c6d7dbe4595f60ea1bda77ce879625.

When investigating this URL I found a web site that showed three more links to a file named kashir.exe:

http://www.******.com/images/kashir.exe

http://www.******.de/bilder/kashir.exe

http://www.******.de/neuhomebilder/kashir.exe

No automated download or anything else was executed when visiting the page, but this host is apparently meant to serve the malware to the infected computer. The kashir.exe file is detected as Adware.Agent.ZO; it lowers some Internet Explorer security settings and downloads rogue anti-spyware without the user's permission. It creates the files braviax.exe, delself.bat, beep.sys and figaro.sys in the Windows %System% folder and then requests a system shutdown and restart. Note that beep.sys is also the name of a legitimate Windows driver, normally found in %System%\drivers, so the dropped file should be judged by its signature and location rather than its name.

VirusTotal permalink and MD5: 069b3a2a8b203f6fbbf0147517ab6f80.

MX Lab integrates three new features in MX Lab Admin

MX Lab Admin has received 3 new features this week. Here’s a brief description.

Improved security with content policy for attachments

As you may know, MX Lab uses a multi-layer anti-virus system with the zero hour anti-virus in front. Our anti-virus is quite good, but there is always room for improvement.

The new Content Policy Attachments feature provides additional security by placing emails with potentially dangerous attachments in quarantine based on their file type. Currently 34 default file types are configured for all domains; for most of them the action is quarantine.

Furthermore, you can specify additional attachment file extensions that need to be blocked or placed in quarantine. As an example, an organisation can decide to block or quarantine multimedia files such as mov, mpeg, mp3, wma and others.

For some clients we had installed a custom filter in our processing; this is now fully manageable and clients can customise it quite easily.
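As an added example (not MX Lab's own filter), here is what such a content policy looks like when written out, together with the caveat the samples on this page make obvious: every one of them arrived as an .exe inside a .zip, so a policy keyed on the attachment's own extension has to open archives and apply the same policy to their members. The extension list is an illustrative subset, not MX Lab's 34 default types, and the sample attachments are constructed in memory.

```python
"""Attachment content policy by file type, applied inside zip archives too."""
import io
import zipfile
from typing import Dict

# Illustrative subset of dangerous types; NOT MX Lab's actual default list.
DEFAULT_POLICY: Dict[str, str] = {
    ext: "quarantine"
    for ext in ("exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js",
                "dll", "sys", "cpl", "hta", "reg")
}
SEVERITY = {"allow": 0, "quarantine": 1, "block": 2}
ARCHIVE_EXTS = {"zip"}
MAX_DEPTH = 3  # stop descending into zips-in-zips beyond this


def extension(filename: str) -> str:
    """Last extension, lower case: 'Fees_2008-2009.cod.exe' -> 'exe'.
    Only the final extension counts, which is what defeats the
    double-extension trick used by that sample."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def attachment_action(filename: str, data: bytes,
                      policy: Dict[str, str] = DEFAULT_POLICY, depth: int = 0) -> str:
    """Return 'allow', 'quarantine' or 'block' for one attachment."""
    ext = extension(filename)
    if ext in ARCHIVE_EXTS:
        return archive_action(data, policy, depth)
    return policy.get(ext, "allow")


def archive_action(data: bytes, policy: Dict[str, str], depth: int) -> str:
    """Worst action over every member of a zip, recursing into nested zips."""
    if depth >= MAX_DEPTH:
        return "quarantine"  # too deeply nested to inspect: treat as suspect
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            worst = "allow"
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Member names are readable even in password-protected zips,
                # so the policy still applies; only nested zips need reading.
                member = zf.read(info) if extension(info.filename) in ARCHIVE_EXTS else b""
                action = attachment_action(info.filename, member, policy, depth + 1)
                if SEVERITY[action] > SEVERITY[worst]:
                    worst = action
            return worst
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        return "quarantine"  # corrupt, encrypted or unsupported archive: cannot verify


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build a zip in memory (used only to construct the samples below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples modelled on the attachments described in the posts above.
SAMPLES = {
    "Approved.zip": make_zip({"Approved.exe": b"MZ\x90\x00"}),
    "Fees_2008-2009.cod.exe": b"MZ\x90\x00",
    "nested.zip": make_zip({"inner.zip": make_zip({"user-EA49943X-activities.exe": b"MZ"})}),
    "report.pdf": b"%PDF-1.4",
    "broken.zip": b"not really a zip",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:28} -> {attachment_action(name, data)}")
```

An archive that cannot be opened gets quarantined rather than allowed, because an unverifiable attachment is exactly the case a filter must not wave through; a site that wants mp3 or mov blocked outright simply adds those extensions to the policy with the action "block".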

Specify a maximum email size

Incoming emails can sometimes be quite large, and if your mail server has a maximum size limit you can now configure MX Lab to quarantine larger emails. Configure the maximum size for each domain on the Destination mail server settings page.

From the quarantine you can download the attachments with help of the Download Manager.

Spam reports follow up

If you receive spam mails that MX Lab did not intercept in the first place, you can send us a spam report by email or use the inbound message log.

From now on, MX Lab will provide feedback on the processed spam reports. The page Status Spam Report in the Log section will give you an overview regarding the spam reports.