MX Lab includes MX Lab Email Archiving & Backup service as a standard

MX Lab will offer the optional service MX Lab Email Archiving & Backup free of charge for every account on the MX Lab AVAS Gateway or MX Lab Hosted Mail solution. The service becomes available early March 2009, and the retention period for archived and stored emails is 60 days.

Read the full press release.

Google Talk users subject of phishing scheme

After the Gmail service interruption, Google now faces another security problem: Google Talk users are the target of a phishing scheme designed to make them give up their account credentials.

The scam lures Google Talk users (Google Talk is Google's instant messaging system) to the web site ViddyHo with a message reading "Hey check out this video", followed by a link that goes through the TinyURL service. The link redirects to the ViddyHo web site, where users are asked to enter their Gmail username and password to get access.

TinyURL is now blocking the ViddyHo web site, but other shortened links and other landing sites can be used in future phishing messages, so that block is no protection on its own.

As always, MX Lab's general recommendation is not to trust any request to enter your account credentials on a web site. Check the URL of the page you actually landed on (not the shortened link you clicked), check that the connection is HTTPS, and try to establish that the site is genuine. Note that HTTPS only proves that the connection is encrypted, not that the site is the one it claims to be, so the host name in the address bar is the check that matters.
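The host check described above, written out as an added example (this is not MX Lab code and does not describe ViddyHo itself): the link is first resolved through a redirect table that stands in for the Location headers a shortener such as TinyURL returns, the host of the final URL is extracted with userinfo and port stripped, and only then is the host compared against the domains where a Google login legitimately lives. The trusted-domain list, the redirect table and every URL in the block are assumptions constructed for illustration.

```python
"""Check where a link really lands before typing credentials into it.

Added example for the Google Talk / ViddyHo phishing item above; not MX Lab
code and not ViddyHo behaviour. The trusted-domain list, the redirect table
and every URL below are assumptions constructed for illustration.
"""
from urllib.parse import urlsplit

# Assumption: the only domains where a Google account login legitimately lives.
TRUSTED_DOMAINS = {"google.com", "gmail.com"}

# Assumption: stands in for the Location headers a shortener returns; the
# real check would issue a HEAD request per hop with redirects disabled.
REDIRECT_TABLE = {
    "http://tinyurl.com/xyz123": "http://viddyho.example/?ref=gtalk",
}


def host_of(url: str) -> str:
    """Lowercase host of an http(s) URL, with userinfo and port stripped.

    urlsplit() separates 'user:pass@' and ':port' from the host name, which
    defeats the 'https://google.com@evil.example/' trick where the eye reads
    the userinfo part as the site.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return ""
    return (parts.hostname or "").rstrip(".").lower()


def is_trusted_host(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if host is a trusted domain or a subdomain of one.

    The leading-dot boundary makes 'accounts.google.com' pass while
    'google.com.evil.example' and 'notgoogle.com' fail.
    """
    return any(host == d or host.endswith("." + d) for d in trusted)


def follow_redirects(url: str, table=REDIRECT_TABLE, max_hops: int = 5) -> str:
    """Resolve a shortened link to its final URL using the redirect table.

    The hop limit guards against redirect loops. The returned URL is the one
    whose host must be judged; the short link itself says nothing about it.
    """
    for _ in range(max_hops):
        nxt = table.get(url)
        if nxt is None:
            return url
        url = nxt
    raise ValueError("redirect chain too long, last hop %s" % url)


def classify_link(url: str, trusted=TRUSTED_DOMAINS, table=REDIRECT_TABLE) -> str:
    """Return 'ok', 'no-https', 'untrusted-host' or 'bad-url' for a link.

    HTTPS is checked last on purpose: an encrypted connection to the wrong
    host is still a phishing site, so the host decides first.
    """
    final = follow_redirects(url, table)
    host = host_of(final)
    if not host:
        return "bad-url"
    if not is_trusted_host(host, trusted):
        return "untrusted-host"
    if urlsplit(final.strip()).scheme.lower() != "https":
        return "no-https"
    return "ok"


if __name__ == "__main__":
    for link in ("https://accounts.google.com/ServiceLogin",
                 "http://tinyurl.com/xyz123",
                 "http://google.com@viddyho.example/login",
                 "https://google.com.evil.example/"):
        print(classify_link(link), link)
```

The order of the checks is the point: a shortened link is judged by the host it finally resolves to, and a host that is not a subdomain of a trusted domain is rejected before the HTTPS question is even asked.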

Trojan.Win32.Buzus in detail with e-card from American Greetings

MX Lab intercepted a new variant of a trojan detected as Trojan.Win32.Buzus (Ikarus), Trojan.Win32.Buzus.anee (Kaspersky) and W32.Ackantta.B@mm (Symantec).

The message is sent from <e-cards@americangreetings.com> (a spoofed sender address) with the subject "You have got a new E-Card from your friend!". The attached ZIP file is named e-card.zip.

And here is where the fun begins. This is a trojan horse or bot that presents a security risk to the compromised system and its network environment.

The trojan can send itself to email addresses harvested from the local computer, either through its built-in SMTP engine or through a remote SMTP server.

It creates a startup entry in the Windows registry and registers a Winlogon notification package, so that the installed module is loaded into the address space of winlogon.exe.

Following files are created:

%Temp%\qoMcdExV.bat
%System%\cbXQiFwT.dll
%System%\javale.exe
%System%\javame1.1.exe
%System%\javase1.1.exe

New processes are created: javase1.1.exe, javale.exe, javame1.1.exe and javaee1.1.exe. The module %System%\cbXQiFwT.dll is loaded into the address space of other processes.

The Windows registry is modified, and javale.exe uses TCP ports 1033, 1035, 1062, 1063, 1064, 1065, 1118, 1119 and 1120 (on Windows XP the dynamic port range is 1025 to 5000, so these are most likely local source ports rather than stable network indicators). Several host names are resolved, americangreetings.com among them, and a connection to port 1049 is established.

A connection to ak.imgag.com is also made and several GIF and CSS files are downloaded from that host. A connection to hxxp://childhe.com/***/apstpldr.dll.html?affid=***&uid=&guid=*** is made to download %System%\urqOFwxx.dll.

The built-in SMTP engine then sends out mass mailings: emails appearing to come from e-cards@hallmark.com or e-cards@americangreetings.com, with the subject "You have received A Hallmark E-Card!" or "You have got a new E-Card from your friend!" and postcard.zip or e-card.zip attached. The content of the message is similar to the screenshot above.

Once a new computer is infected, the whole process starts again and the trojan tries to distribute itself to further computers.
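The Winlogon notification package and the Run entry are what survive a reboot, so they are what an incident responder should look for. The following added example (not MX Lab code) parses a registry export and flags any Winlogon\Notify subkey that is not part of a clean baseline or whose DLLName is one of the files named above, plus any Run-key entry whose executable is one of them. The .reg text is constructed for the example, and the baseline list of Notify subkeys is an assumption taken from a default Windows XP install; check it against your own clean image before relying on it.

```python
"""Spot Winlogon notification-package and Run-key persistence in a .reg export.

Added example for the Buzus analysis above; not MX Lab code. REG_EXPORT is a
constructed registry dump, BASELINE_NOTIFY is an assumption (default Windows
XP Notify subkeys), and IOC_FILES are the file names from the analysis above.
"""
from pathlib import PureWindowsPath

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
# Assumption: Notify subkeys present on a clean Windows XP system.
BASELINE_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                   "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# File names from the Buzus analysis above (compared case-insensitively).
IOC_FILES = {"cbxqifwt.dll", "urqofwxx.dll", "javale.exe", "javame1.1.exe",
             "javase1.1.exe", "javaee1.1.exe"}

# Constructed .reg export: one legitimate Notify package, one Buzus-style
# package, and a Run key with one benign and one malicious entry.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"
"Logon"="ChainWlxLogonEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbXQiFwT]
"DLLName"="C:\\WINDOWS\\system32\\cbXQiFwT.dll"
"Startup"="Startup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"javale"="C:\\WINDOWS\\system32\\javale.exe"
"""


def _unescape(s: str) -> str:
    """Undo .reg string escaping: '\\\\' is a backslash, '\\"' is a quote."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str) -> dict:
    """Map each [key] to a dict of its "name"="value" string entries."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            if value.startswith('"') and value.endswith('"'):
                value = _unescape(value[1:-1])
            keys[current][name.strip('"')] = value  # dword:/hex: kept verbatim
    return keys


def command_exe(cmd: str) -> str:
    """Lowercase base name of the program in a Run-key command line."""
    cmd = cmd.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return PureWindowsPath(exe).name.lower()


def find_persistence(keys: dict) -> list:
    """Return (kind, entry, value) triples for suspicious persistence entries."""
    findings = []
    notify_prefix = NOTIFY_KEY.lower() + "\\"
    for key, values in keys.items():
        k = key.lower()
        if k.startswith(notify_prefix):
            sub = key[len(notify_prefix):]
            dll = values.get("DLLName", "")
            if sub.lower() not in BASELINE_NOTIFY or PureWindowsPath(dll).name.lower() in IOC_FILES:
                findings.append(("winlogon-notify", sub, dll))
        elif k in RUN_KEYS:
            for name, cmd in values.items():
                if command_exe(cmd) in IOC_FILES:
                    findings.append(("run-key", name, cmd))
    return findings


if __name__ == "__main__":
    for kind, entry, value in find_persistence(parse_reg_export(REG_EXPORT)):
        print(kind, entry, value)
```

The Notify check deliberately does not rely on the random DLL name alone: any Notify subkey outside the clean baseline is reported, which also catches the next variant with a different eight-letter name. On Windows Vista and later the Winlogon\Notify mechanism no longer loads third-party packages, so this check only matters for XP and Server 2003 era hosts.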

Delta Air Lines confirmation of tickets purchase contains the W32/Trojan2.FXRO trojan

MX Lab intercepted a few samples of the trojan W32/Trojan2.FXRO. It arrives in a ZIP archive named delta_RQ763.zip, attached to emails that purport to come from Delta Air Lines with the spoofed sender address <support@delta.com> and the subject "Confirmation of airline ticket purchase at www.delta.com".

The content of the email:

Thanks for the purchase!

Booking number: LVSN50

You will find attached to this letter PASSENGER ITINERARY RECEIPT of your electronic ticket.

It verifies that you paid the ticket in full and confirms your right for air travel and luggage transportation by the indicated flight Delta Air Lines.

On board you will be offered:

 - beverages;
 - food;
 - daily press.

You are guaranteed top-quality services and attention on the part of our benevolent personnel.

We recommend you to print PASSENGER ITINERARY RECEIPT and take it alone to the airport. It will help you to pass control and registration procedures faster.

See you on board!

Best regards,

Delta Air Lines

Extracting the ZIP archive yields the file delta_RQ763.exe. The trojan has the characteristics of ZBot, a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking logins), takes screen snapshots, downloads additional components and gives the attacker remote access to the compromised system.

The system folder %System%\twain32 is created, together with the files %System%\twain32\local.ds, %System%\twain32\user.ds and %System%\twex.exe; registry modifications are also part of the infection.

The origin appears to be Russia; the trojan connects to a remote host to download hxxp://91.211.65.**/ejik/admin.bin and hxxp://91.211.65.**/ejik/hot.php.

VirusTotal permalink and MD5: e3bf9ea4d7ddd59f0f27486f993fa2b2. Only 10 of the 38 antivirus engines detected this new variant at the time of writing.

Kryptik.GY variant

MX Lab intercepted a new variant of the trojan Kryptik.GY. The sender address and the subject are random, and parts of the message body are derived from the sender address as well.

Content of the message:

Hello, **********.

Febraly, Monday 16, 2009, 09:4:57 AM, you wrote: 

> Good afternoon

> Please send recommendations to improve the business in the face of crisis.
> Attach the plane that is business.

Hello

We are prepared, see the attached document. Check out the second line with our agreement.  

–  

Best regards,******.********      
 
mailto:*****.*******@mail.ihs.gov

The email carries the attachment Document.zip (the name may vary), which contains a file named "Document.Doc__***__.exe". The long run of underscores pushes the real .exe extension out of view, so the file passes for a Word document at a glance.

This trojan attempts to intercept network traffic in order to steal information, and it includes rootkit functionality to hide itself. A file %Temp%\svchost.exe is created and registry changes are made so that the trojan starts at every boot as an svchost.exe service. The location is itself a tell: the legitimate svchost.exe lives in %System%, so a copy in %Temp% is a strong indicator of compromise.

VirusTotal permalink and MD5: ea31bd6b2d7d57120c63a19e2e187e13.

Backdoor.Celofot, originating from Turkey

Most of the viruses we know that are sent by email have an English subject and content. Today MX Lab intercepted two viruses originating from Turkey with country-specific content. When we inspected these messages further, we noticed that they are far from harmless.

Message content one (translated from the Turkish original, which is written entirely in capitals):

      As HABERTÜRK, we once again reveal the first news bombshell of the year, with the HABERTÜRK difference and with documents. In the Ergenekon case, Deniz Baykal and Mesut Yılmaz are next in line for detention and arrest. Because of the broadcast ban, we at HABERTÜRK are publishing over the internet, for the first time and with the HABERTÜRK difference, the incredible footage held by prosecutor Zekeriya Öz. The footage shows Deniz Baykal with Abdullah Çatlı, Mesut Yılmaz hosting "Yeşil" at the Prime Ministry, and dialogues your ears will not believe. The government intends to release this footage close to the elections and to arrest Deniz Baykal and Mesut Yılmaz; we are publishing this footage, which will shake Turkey, over the internet with the HABERTÜRK difference.

     HABERTÜRK.COM - indisputably Turkey's largest internet newspaper

And the second one (translated from the Turkish original):

  The public tenders that our Public Procurement Authority will hold between 1 March 2009 and 15 2009, together with the tender specifications, are sent in the attachment for your information.

Both messages carry a ZIP attachment named ihalebulten.kamuihalekurumu.zip. Unpacked, it yields the file ihalebulten.kamuihalekurumu.com, which is an executable (the .com extension marks a DOS/Windows program, not a web site).

Analysis shows that the file is detected as Backdoor.Celofot (Ikarus) or W32/Infostealer.A!Maximus (F-Prot). Once executed it creates the following files on the system: %Programs%\Startup\ntdll.lnk and %System%\wins\setup\msmgrs.exe.

Backdoor.Celofot could give an attacker unauthorized access to a machine and the means to control it remotely without the user's knowledge.

Only 9 of the 39 antivirus engines detected the virus. VirusTotal permalink and MD5: eede5c242783ac82f14a7904cc4852e2.
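Four of the samples on this page (the Buzus e-card, the Delta Air Lines ticket, the Kryptik.GY "Document" and the Turkish Backdoor.Celofot mails) share one delivery method: a ZIP attachment wrapping an executable, in two cases with a name chosen to hide the extension. With only 9 or 10 of 38 engines detecting each sample, a gateway rule that opens the archive and judges the inner file name catches all four without any signature. The block below is an added example of such a rule, not MX Lab code. The messages and archives are constructed inline with harmless dummy payloads that mirror the lures described above; the inner file name of the Buzus e-card archive is an assumption (the analysis gives only the ZIP name), and the Kryptik and Celofot sender addresses are placeholders.

```python
"""Gateway check for ZIP-wrapped executables, the delivery method shared by the
Buzus, Delta Air Lines, Kryptik.GY and Backdoor.Celofot samples above.

Added example, not MX Lab code. The messages and archives are constructed here
with harmless dummy payloads; only the file names matter to the check. The
Buzus inner file name and the Kryptik/Celofot sender addresses are assumptions.
"""
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# A document-looking extension followed by two or more filler characters,
# e.g. "Document.Doc______.exe": the real extension is pushed out of view.
PADDED_DOUBLE_EXT = re.compile(r"\.(?:docx?|xlsx?|pdf|txt|jpe?g|gif|html?)[\s_.\-]{2,}", re.I)


def classify_name(name: str) -> list:
    """Return the reasons a file name looks dangerous (empty list if none)."""
    reasons = []
    ext = os.path.splitext(name)[1].lower()
    if ext in EXEC_EXT:
        reasons.append("executable:" + ext)
    if PADDED_DOUBLE_EXT.search(name):
        reasons.append("padded-double-extension")
    return reasons


def scan_message(raw: bytes) -> list:
    """Open every ZIP attachment of a raw RFC 5322 message and return
    (attachment name, inner file name, reason) triples for anything executable."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Judge by the ZIP magic as well as the name: renaming the archive must not help.
        if not (fname.lower().endswith(".zip") or data[:2] == b"PK"):
            findings += [(fname, fname, r) for r in classify_name(fname)]
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    findings += [(fname, info.filename, r) for r in classify_name(info.filename)]
        except zipfile.BadZipFile:
            findings.append((fname, "", "corrupt-zip"))
    return findings


def build_sample(sender: str, subject: str, zip_name: str, inner_name: str) -> bytes:
    """Construct a lure message carrying a ZIP with one harmless dummy file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, b"dummy payload, not a real program")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.net"
    msg["Subject"] = subject
    msg.set_content("Please see the attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


# Constructed samples mirroring the lures described above.
SAMPLES = {
    "buzus": build_sample("e-cards@americangreetings.com",
                          "You have got a new E-Card from your friend!",
                          "e-card.zip", "e-card.exe"),  # inner name assumed
    "delta": build_sample("support@delta.com",
                          "Confirmation of airline ticket purchase at www.delta.com",
                          "delta_RQ763.zip", "delta_RQ763.exe"),
    "kryptik": build_sample("sender@example.org", "Re: business plan",  # sender assumed
                            "Document.zip", "Document.Doc________.exe"),
    "celofot": build_sample("news@example.org", "HABERTURK",  # sender assumed
                            "ihalebulten.kamuihalekurumu.zip",
                            "ihalebulten.kamuihalekurumu.com"),
    "clean": build_sample("colleague@example.org", "Q1 report", "report.zip", "report.pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, scan_message(raw))
```

Two things a production rule must add: recursion into nested archives (a ZIP inside a ZIP is a common way around exactly this check) and a size limit on what is decompressed, since zipfile happily inflates a small archive into gigabytes. Password-protected archives cannot be opened at all and should be treated as suspicious rather than clean.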

DNS Belgium cancels 163 domains used for fraudulent purposes

DNS BE was informed that several .be domain names were being used in a so-called fast-flux network and were redirecting to phishing websites. As a result, 163 domains used for fraudulent purposes were cancelled yesterday by DNS Belgium, the Belgian registry for all .be domain names, on the order of the responsible magistrate after contact with the Federal Computer Crime Unit (FCCU).

Read the full article on the DNS.BE web site.