Google Talk users subject of phishing scheme

After the Gmail service interruption, Google has another security problem on its hands: Google Talk users are the target of a phishing scheme designed to trick them into handing over their account credentials.

The scam lures users of Google Talk, Google’s instant messaging service, to the web site ViddyHo with messages reading “Hey check out this video” followed by a link wrapped in the TinyURL service, which hides the real destination. The link leads to the ViddyHo web site, where users are asked to enter their Gmail username and password to get access to the video.

TinyURL is now blocking the ViddyHo link, but other shortened URLs or other domains can just as easily be used in future phishing messages.

As always, the general recommendation from MX Lab is not to trust any request to enter your account credentials on a web site you were sent to. Check the URL (expand shortened links first), check that the connection is HTTPS and that the certificate belongs to the site you expect, and verify that the site is genuine before typing anything.

Trojan.Win32.Buzus in detail with e-card from American Greetings

MX Lab intercepted a new variant of a trojan detected as Trojan.Win32.Buzus (Ikarus), Trojan.Win32.Buzus.anee (Kaspersky) and W32.Ackantta.B@mm (Symantec).

The message is sent from <e-cards@americangreetings.com> (a forged sender address) and has the subject “You have got a new E-Card from your friend!”. The attached ZIP file is named e-card.zip.

And here is where the fun begins. The attachment is a trojan horse / bot that puts the compromised system and its network environment at risk.

The trojan can send out email to addresses harvested from the local computer, either through its built-in SMTP engine or by talking to a remote SMTP server.

It creates a startup entry in the Windows registry and registers a Winlogon notification package so that its module is loaded into the address space of winlogon.exe.

The following files are created:

%Temp%\qoMcdExV.bat
%System%\cbXQiFwT.dll
%System%\javale.exe
%System%\javame1.1.exe
%System%\javase1.1.exe

New processes are created: javase1.1.exe, javale.exe, javame1.1.exe and javaee1.1.exe. The module %System%\cbXQiFwT.dll is loaded into the address space of other processes.

The Windows registry is modified, and javale.exe opens TCP ports 1033, 1035, 1062, 1063, 1064, 1065, 1118, 1119 and 1120. Several host names are resolved, americangreetings.com among them, and a connection to remote port 1049 is established.

A connection to ak.imgag.com is made and several GIF and CSS files are downloaded from that host. A second connection, to hxxp://childhe.com/***/apstpldr.dll.html?affid=***&uid=&guid=***, downloads %System%\urqOFwxx.dll.
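
To turn the host artefacts listed above (dropped files, processes, the ports used by the mailer and the Winlogon notification package) into a quick check, here is an added Python example; it is not MX Lab tooling. It assumes %System% and %Temp% expand to the Windows XP paths shown, relies on the fact that notification packages are registered under the Winlogon\Notify registry key, and adds one heuristic of ours that the write-up does not state (the dropped module names look like eight random letters). The inventory at the bottom is constructed for the demo; on a live host the same fields would be filled from dir, tasklist, netstat -ano and reg query output.

```python
"""Sweep a host inventory for the Buzus artefacts listed above.

Added example, not MX Lab tooling. It consumes a plain dict so that it runs
offline; on a live XP-era host the same fields would come from dir, tasklist,
netstat -ano and reg query. The inventory at the bottom is constructed for
the demo and does not come from a real infection.
"""
import ntpath
import re

# Assumed expansions of the %System% and %Temp% placeholders in the write-up.
SYSTEM = r"C:\WINDOWS\system32"
TEMP = r"C:\Documents and Settings\user\Local Settings\Temp"

DROPPED_FILES = (
    r"%Temp%\qoMcdExV.bat",
    r"%System%\cbXQiFwT.dll",
    r"%System%\javale.exe",
    r"%System%\javame1.1.exe",
    r"%System%\javase1.1.exe",
    r"%System%\urqOFwxx.dll",  # second-stage module fetched from childhe.com
)
PROCESSES = {"javase1.1.exe", "javale.exe", "javame1.1.exe", "javaee1.1.exe"}
MAILER = "javale.exe"
MAILER_PORTS = {1033, 1035, 1062, 1063, 1064, 1065, 1118, 1119, 1120}
# Windows XP/2003 loads every DLL registered under this key into winlogon.exe.
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
# Heuristic (our assumption, not from the write-up): the dropped module names
# look like eight random letters, so any Notify DLL of that shape is suspect.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}\.dll$")


def expand(path):
    """Resolve the write-up's placeholders to a concrete, case-folded path."""
    return path.replace("%System%", SYSTEM).replace("%Temp%", TEMP).lower()


def sweep(inv):
    """Return (kind, detail) hits for an inventory dict with keys
    'files' (full paths), 'processes' (image names),
    'connections' ((image, local TCP port) pairs) and
    'notify' ({Notify subkey: DLLName value})."""
    hits = []

    present = {p.lower() for p in inv["files"]}
    for ioc in DROPPED_FILES:
        if expand(ioc) in present:
            hits.append(("file", ioc))

    for image in inv["processes"]:
        if image.lower() in PROCESSES:
            hits.append(("process", image))

    for image, port in inv["connections"]:
        if image.lower() == MAILER and port in MAILER_PORTS:
            hits.append(("port", f"{image}:{port}"))

    dropped = {ntpath.basename(f).lower() for f in DROPPED_FILES}
    for subkey, dll in inv["notify"].items():
        base = ntpath.basename(dll)
        where = f"{NOTIFY_KEY}\\{subkey} -> {dll}"
        if base.lower() in dropped:
            hits.append(("winlogon_notify", where))
        elif RANDOM_NAME.match(base):
            hits.append(("winlogon_notify_heuristic", where))
    return hits


def infected(inv):
    """True when at least one non-heuristic indicator matched."""
    return any(kind != "winlogon_notify_heuristic" for kind, _ in sweep(inv))


# Constructed inventory for the demo (not captured from a real host).
SAMPLE_INVENTORY = {
    "files": [
        r"C:\WINDOWS\system32\kernel32.dll",
        r"C:\WINDOWS\system32\cbXQiFwT.dll",
        r"C:\WINDOWS\system32\javale.exe",
    ],
    "processes": ["explorer.exe", "javale.exe", "javaee1.1.exe"],
    "connections": [("svchost.exe", 135), ("javale.exe", 1033)],
    "notify": {
        "crypt32chain": "crypt32.dll",
        "cbXQiFwT": r"C:\WINDOWS\system32\cbXQiFwT.dll",
    },
}

if __name__ == "__main__":
    for kind, detail in sweep(SAMPLE_INVENTORY):
        print(f"{kind:26} {detail}")
```

The heuristic hit is reported separately from the exact indicators so that a random-looking but legitimate Notify DLL raises a review item rather than an infection verdict.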

The built-in SMTP engine then sends out mass mailings with the forged sender e-cards@hallmark.com or e-cards@americangreetings.com and the subject “You have received A Hallmark E-Card!” or “You have got a new E-Card from your friend!”. It attaches one of the ZIP files postcard.zip or e-card.zip. The content of the message is similar to the one described above.

Once a new computer is infected, the whole process starts again and the trojan tries to distribute itself to further computers.

Delta Air Lines confirmation of tickets purchase contains the W32/Trojan2.FXRO trojan

MX Lab intercepted a few samples of the trojan W32/Trojan2.FXRO. It is attached to emails in a ZIP archive named delta_RQ763.zip, purporting to come from Delta Air Lines with the spoofed sender address <support@delta.com> and the subject “Confirmation of airline ticket purchase at www.delta.com”.

The content of the email:

Thanks for the purchase!

Booking number: LVSN50

You will find attached to this letter PASSENGER ITINERARY RECEIPT of your electronic ticket.

It verifies that you paid the ticket in full and confirms your right for air travel and luggage transportation by the indicated flight Delta Air Lines.

On board you will be offered:

 - beverages;
 - food;
 - daily press.

You are guaranteed top-quality services and attention on the part of our benevolent personnel.

We recommend you to print PASSENGER ITINERARY RECEIPT and take it alone to the airport. It will help you to pass control and registration procedures faster.

See you on board!

Best regards,

Delta Air Lines

Once the ZIP archive is extracted you have the file delta_RQ763.exe. The trojan has the characteristics of ZBot (Zeus), a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screenshots, downloads additional components and gives the attacker remote access to the compromised system.

The files %System%\twain32\local.ds, %System%\twain32\user.ds and %System%\twex.exe are created on the system, along with the folder %System%\twain32; registry modifications are also part of the infection.

The origin appears to be Russian. The trojan connects to a remote host to download hxxp://91.211.65.**/ejik/admin.bin and hxxp://91.211.65.**/ejik/hot.php.

VirusTotal report (MD5 e3bf9ea4d7ddd59f0f27486f993fa2b2): only 10 of the 38 anti-virus engines detected the new variant at the time of writing.
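
Both campaigns described on this page, the Buzus e-card mailer above and the Delta receipt here, reach the mail gateway in the same shape: a forged brand sender, a campaign-specific subject and a ZIP attachment hiding an executable. The following Python is an added example, not MX Lab’s filter, that turns those indicators into a blocking rule. The sender, subject and attachment names come from the two write-ups; the executable-extension list is an assumed site policy; the sample messages are constructed, and the “executable” inside them is a placeholder, not the malware.

```python
"""Gateway rule for the e-card and airline-receipt lures described above.

Added example, not MX Lab's filter. It parses a raw message with the standard
library, lists ZIP attachment members without extracting them, and blocks
mail that matches the campaign indicators or carries an executable in a ZIP.
The sample messages at the bottom are constructed; the "executable" inside
them is a placeholder, not the malware.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Sender / subject / attachment indicators from the two write-ups.
LURE_SENDERS = {"e-cards@americangreetings.com", "e-cards@hallmark.com",
                "support@delta.com"}
LURE_SUBJECTS = {"You have got a new E-Card from your friend!",
                 "You have received A Hallmark E-Card!",
                 "Confirmation of airline ticket purchase at www.delta.com"}
LURE_ZIPS = {"e-card.zip", "postcard.zip", "delta_rq763.zip"}
# Extensions Windows runs on double-click; the list is an assumed site policy.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def zip_members(blob):
    """Member names of a ZIP blob (nothing is decompressed), or None if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def classify(raw):
    """Return ('block' | 'deliver', reasons) for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    subject = (msg.get("Subject") or "").strip()
    attachments = list(msg.iter_attachments())
    names = [(part.get_filename() or "").lower() for part in attachments]
    reasons = []

    # Campaign match: forged brand sender plus a known subject or ZIP name.
    if sender in LURE_SENDERS and (subject in LURE_SUBJECTS or set(names) & LURE_ZIPS):
        reasons.append(f"known lure: {sender} / {subject}")

    # Generic match: any ZIP attachment that contains a runnable file.
    for part, name in zip(attachments, names):
        for member in zip_members(part.get_payload(decode=True) or b"") or ():
            if member.lower().endswith(EXEC_EXT):
                reasons.append(f"executable inside ZIP: {name} -> {member}")

    return ("block" if reasons else "deliver"), reasons


def build_sample(sender, subject, zip_name, member_name, member_bytes):
    """Constructed multipart message carrying one ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_bytes)
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content("Thanks for the purchase!\nBooking number: LVSN50\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


# Constructed samples; the MZ stub stands in for the real executable.
DELTA_LURE = build_sample(
    "support@delta.com",
    "Confirmation of airline ticket purchase at www.delta.com",
    "delta_RQ763.zip", "delta_RQ763.exe", b"MZ" + b"\0" * 62)
ECARD_LURE = build_sample(
    "e-cards@americangreetings.com",
    "You have got a new E-Card from your friend!",
    "e-card.zip", "e-card.exe", b"MZ" + b"\0" * 62)
BENIGN = build_sample(
    "colleague@example.com", "Q1 figures", "figures.zip",
    "figures.csv", b"region,total\nEMEA,42\n")

if __name__ == "__main__":
    for label, raw in (("delta", DELTA_LURE), ("e-card", ECARD_LURE), ("benign", BENIGN)):
        verdict, why = classify(raw)
        print(label, verdict, why)
```

The generic ZIP check is what catches the next campaign once the sender and subject change; the campaign match only adds a labelled reason for the ones already known. Listing members via namelist() reads the central directory only, so a malformed or oversized archive is never inflated on the gateway.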
