New UPS trojan variant: Delivery problems

A new UPS trojan variant is being detected, called Mal/Zbot-G by Sophos and VirTool:Win32/Obfuscator.CT by Microsoft.

MX Lab was the first to submit the file to Virus Total for analysis. Only 2 of the 36 AV engines at Virus Total detected the trojan at the time of writing. So be aware that this email contains malware and don’t open the attachment.

The sender’s email address is: United Postal Service <tracking@ups.com>.

The subject is: Delivery problems

The content of the body:

Hello!

Sorry, we were not able to deliver postal package you sent on December the 25th in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office.

Your UPS Support Team

The attached file is named UPSInv.zip and the ZIP archive contains UPSInv.exe.

Please note that the sender’s email address, the subject, the body and the attached file names can change.

This is Trojan-Spy.Zbot.YETH, a rootkit trojan that steals online banking information and also downloads other malware. The origin is possibly the Russian Federation.

Local files created:

%System%\twain32\local.ds
%System%\twain32\user.ds
%System%\twain32\user.ds.lll
%System%\twex.exe

Several Windows registry changes are made; one of them makes sure that twex.exe is run every time Windows starts. The trojan connects to the host 91.211.65.33 on port 80 and issues a GET request for ferrari/admin.bin.

Virus Total permalink and MD5 hash: 61a1617ddb5c5bdb495b29bd1719e965.

IKEA’s New Planning Software is a trojan

When you receive an email with the subject “IKEA’s New Planning Software” and it contains the attachment ikea.zip, it is likely that you have received a trojan, detected as W32/Trojan3.TX by F-Prot, Trojan.Win32.Buzus.agev by Kaspersky or Trojan.Generic.1281011 by BitDefender. The extracted file is named “ikea.doc   [lots of spaces]  .scr” and is about 220 kB in size.
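Both lures above rely on the attachment: a ZIP that simply contains an executable (UPSInv.zip holding UPSInv.exe) or a member whose real .scr extension is hidden behind a decoy document extension and a run of spaces (the ikea.doc ... .scr trick). The following script is an added example, not code from the original post or from MX Lab; it inspects a ZIP attachment for exactly these two patterns, using a constructed in-memory ZIP with empty members as sample input.

```python
# Added example (not from the original post): flag ZIP attachments that use
# the two tricks described above: an executable member (UPSInv.exe) or a decoy
# document extension padded with spaces before the real one ("ikea.doc   .scr").
import io
import re
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DECOY_EXTS = {".doc", ".pdf", ".txt", ".jpg"}


def classify_member_name(name: str) -> list[str]:
    """Return the reasons a ZIP member name looks suspicious (empty if none)."""
    reasons = []
    base = name.rsplit("/", 1)[-1]
    m = re.search(r"(\.[A-Za-z0-9]+)$", base)
    real_ext = m.group(1).lower() if m else ""
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {real_ext}")
        # Look for a decoy extension followed by two or more spaces, i.e. the
        # padding that pushes the real extension out of view in mail clients.
        stem = base[: -len(real_ext)]
        m2 = re.search(r"(\.[A-Za-z0-9]+)(\s{2,})$", stem)
        if m2 and m2.group(1).lower() in DECOY_EXTS:
            reasons.append(f"padded double extension {m2.group(1)}...{real_ext}")
    return reasons


def scan_zip_attachment(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons; empty dict if clean."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = classify_member_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip(member_names) -> bytes:
    """Constructed fixture: an in-memory ZIP with empty members (no malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in member_names:
            zf.writestr(n, b"")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip_attachment(build_sample_zip(["UPSInv.exe"])))
    print(scan_zip_attachment(build_sample_zip(["ikea.doc" + " " * 40 + ".scr"])))
```

The check only looks at member names, so it belongs in front of, not instead of, the AV scan the post says missed these samples.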

The body content contains:

IKEA has a Fantastic new FREE tool for home decorating. Introducing our Home Planner software which allows you to plan your home in a 3D environment.  Simply follow the instructions in the attachment and start planning your dream home today.

The email is also heavily IKEA-branded, as you can see from the screenshot below.

It is clear that the trojan author is trying to get the receiver’s computer infected with the help of this nice IKEA-branded email.

The trojan is a network-aware worm that attempts to replicate across the existing network(s), which may represent a security risk for the compromised system and/or its network environment.

It is capable of sending out email messages with a built-in SMTP client engine, or it can communicate with a remote SMTP server when sending email. It also sends email to addresses harvested from the local computer and downloads other files from the internet.

The following files are created: %Temp%\pmnnmkHY.bat, %System%\ddcBUlLD.dll and %System%\javacpl.exe. The following processes are created: javacpl.exe and ics.exe. Windows registry edits are made and TCP ports 1033, 1056 and 1067 are opened.

A connection to www.hallmark.com is being established and the following files are downloaded:

    * wcsstore/HallmarkStore/images/globalNav/gnav_logo.gif
    * wcsstore/HallmarkStore/images/globalNav/gnav_shop.gif
    * wcsstore/HallmarkStore/images/globalNav/gnav_hmkmag.gif
    * wcsstore/HallmarkStore/images/globalNav/gnav_ecards.gif
    * wcsstore/HallmarkStore/images/globalNav/gnav_gcs.gif

The file khfCTLdD.dll is downloaded from the host hxxp://childhe.com/pas/apstpldr.dll.html?affid=*****. This file itself performs actions on the infected computer, such as Windows registry changes, and uses BITS (Background Intelligent Transfer Service) to schedule other downloads.

This trojan will send out a Hallmark E-Card campaign like the one in the screenshot below.

This email has the sender postcards@hallmark.com, email subject “You’ve received A Hallmark E-Card!” and contains a ZIP file postcard.zip.

As always, if the anti-virus on your computer doesn’t detect a virus or a trojan and you get a message like this one, with an attachment from a company like this, be suspicious about it. Companies like IKEA don’t send out mailings this way.

The real IKEA Planning Tool is available on the web site of IKEA as a download.

Virus Total permalink and MD5 hash: 8dff0478664d7ef6efde13c74f81cd22.
