Rogue online anti virus scanner Antivirus Plus


Antivirus Plus is a rogue anti virus scanner. When visiting a URL like hxxp://myreallyty.com/su/in.cgi?18 – something I don’t recommend doing at home – an online virus scanner is started to check your computer system. It won’t take long before the first viruses, malware and trojans are detected.

The online virus scanner warns you that you have several infections: I-Worm.Sobig, TrojanDropper.JS.Mimail and Backdoor.SdBot.gen, which according to Antivirus Plus are among the most critical infections.

Antivirus Plus soon warns you that it can’t clean your computer and offers you the option to download additional software to do so.

The file Installer_70137.exe is downloaded and is known as:

Win32:Trojan-gen (Avast)
Trojan.Win32.Agent2.gnf (F-Prot, Kaspersky)
TrojanDownloader:Win32/Renos.BAO (Microsoft)
Troj/FakeAV-NT (Sophos)

Virus Total permalink and MD5: 916e0f7aef7f1ea6308fa886d41ed750.

New variant W32/Trojan3.AKD attached with the DHL tracking email message


A new trojan variant is attached to the malicious DHL tracking emails. The trojan is known as W32/Trojan3.AKD and the attached zip file name is changed to dhl_n756512.zip.

The content of the email remains mostly unchanged:

Hello!

We were not able to deliver postal package you sent on the 14th of March in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office.

Your personal manager: Shawn Pina,

Customer Service: 1-800-CALL-DHL
Fax: 888-221-6211
DHL International, Ltd. All Rights Reserved

The trojan has the threat characteristics of ZBot – a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components, and provides the attacker with remote access to the compromised system.

The following directories are created:

  • %System%\lowsec
  • %Windir%\Temp\Cookies
  • %Windir%\Temp\History
  • %Windir%\Temp\History\History.IE5
  • %Windir%\Temp\Temporary Internet Files
  • %Windir%\Temp\Temporary Internet Files\Content.IE5
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\APS9AFKV
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\AZQ50B2L
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\IT4VWXQ5
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\M5U5URM5

Files created on the infected system:

  • %Windir%\9g234sdff3d23dfgjf23
  • %Windir%\ld03.exe
  • %Windir%\pp05.exe
  • %System%\dll32.dll
  • %System%\lowsec\local.ds
  • %System%\lowsec\user.ds
  • %System%\nfr.assembly
  • %System%\nfr.gpref
  • %System%\sdra64.exe
  • %Windir%\t55ft2809f44.dat
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\APS9AFKV\desktop.ini
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\AZQ50B2L\desktop.ini
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\desktop.ini
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\IT4VWXQ5\desktop.ini
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\M5U5URM5\desktop.ini
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\index.dat
  • %Windir%\tt_1238184223.exe (known as Trojan.Fakeavalert [Symantec] packed with PE_Patch.UPX [Kaspersky Lab])

New processes are created:

  • pp05.exe (%Windir%\pp05.exe)
  • tt_1238184236.exe (%Windir%\tt_1238184236.exe)
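As an added example (not from the original post), a small Python triage helper that checks a Windows directory for the file artifacts listed above, so an analyst can run it against a live host or a mounted image. The mapping of %System% to system32 and the two-indicator threshold are assumptions; build_sample_tree only constructs a throwaway fixture.

```python
import os
import tempfile
from pathlib import Path

# File indicators listed in the post for this W32/Trojan3.AKD (ZBot) sample.
# %Windir% and %System% are resolved against the Windows directory passed in,
# so the same check works on a live system or on a mounted disk image.
ZBOT_ARTIFACTS = [
    r"%System%\lowsec\local.ds",
    r"%System%\lowsec\user.ds",
    r"%System%\sdra64.exe",
    r"%System%\dll32.dll",
    r"%System%\nfr.assembly",
    r"%System%\nfr.gpref",
    r"%Windir%\ld03.exe",
    r"%Windir%\pp05.exe",
    r"%Windir%\9g234sdff3d23dfgjf23",
    r"%Windir%\t55ft2809f44.dat",
]

def expand(artifact, windir):
    """Map the %Windir% / %System% tokens used in the post onto a concrete path."""
    windir = Path(windir)
    system = windir / "system32"            # assumed: %System% on a 32-bit XP-era host
    rel = artifact.replace("%System%", str(system)).replace("%Windir%", str(windir))
    return Path(rel.replace("\\", os.sep))

def find_zbot_artifacts(windir, artifacts=ZBOT_ARTIFACTS):
    """Return the indicator strings whose expanded path exists under windir."""
    return sorted(a for a in artifacts if expand(a, windir).exists())

def looks_infected(windir, threshold=2):
    """Treat two or more matching file indicators as a hit; a lone short
    name such as pp05.exe could collide with a legitimate file."""
    return len(find_zbot_artifacts(windir)) >= threshold

def build_sample_tree():
    """Constructed fixture (not a real infection): a throwaway Windows
    directory containing three of the artifacts, for demonstrating the check."""
    windir = Path(tempfile.mkdtemp(prefix="zbot_demo_")) / "Windows"
    for artifact in ZBOT_ARTIFACTS[:3]:
        path = expand(artifact, windir)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed placeholder content")
    return windir

if __name__ == "__main__":
    demo = build_sample_tree()
    print("fixture hits:", find_zbot_artifacts(demo), "infected:", looks_infected(demo))
    print("this host:", find_zbot_artifacts(os.environ.get("WINDIR", r"C:\Windows")))
```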

Windows registry changes are being made and connections to remote hosts are established on port 80.

The following URLs, which host malicious content, can be requested:

* hxxp://wnames0603.com/achcheck.php
* hxxp://wnames0603.com/ld/gen.php
* hxxp://nettresults.com/vtb.exe -> W32/Trojan-Sml-SDCW!Eldorado, W32.Koobface.A
* hxxp://intelfarm.com/1/nfr.exe -> Trojan.Dropper.Gen, Trojan.Fakeavalert
* hxxp://intelfarm.com/1/pp.05.exe -> W32/Trojan-Sml-IWW!Eldorado, W32.Koobface.A
* hxxp://85.13.236.154/v50/search.php?p=11180&s=I&v=56&uid=13441600&q=
* hxxp://mn-room.ru/phpbb/dir.cfg
* hxxp://92.62.101.17/phpbb2/dir.php

Virus Total permalink and MD5: 4b00c328a526f20acc801f46b69f2e78.

Email with DHL tracking number contains W32/Trojan3.AKC trojan


MX Lab intercepted a few messages that claim that the delivery of the postal package handled by DHL has failed due to an incorrect recipient address.

The subject contains “DHL Tracking number #05CME637072VHBD”, the attachment is named DHL_HELP.zip and the body of the email contains the following message:

Hello!

We were not able to deliver postal package you sent on the 14th of March in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office.

Your personal manager: Christy Block,

Customer Service: 1-800-CALL-DHL
Fax: 888-221-6211
DHL International, Ltd. All Rights Reserved.

Virus Total permalink and MD5: 469585cf90d45d43566aed92c21807ed.

Delta Airlines ticket confirmation contains a new trojan variant


MX Lab intercepted some messages with a ticket confirmation for a flight with Delta Airlines and the attached ZIP archive named Delta_eTicket.zip. The ZIP archive contains the file Delta_eTicket.exe, which is a new trojan variant under the name W32/Trojan-Gypikon-based.BA!Maximus (F-Prot), Trojan.Dropper.Delphi.Gen (McAfee GW-Edition).

Message body:

Thanks for the purchase!

Booking number: RM2R7

You will find attached to this letter PASSENGER ITINERARY RECEIPT of your electronic ticket.

It verifies that you paid the ticket in full and confirms your right for air travel and luggage transportation by the indicated flight Delta Air Lines.

On board you will be offered:

 - beverages;
 - food;
 - daily press.

You are guaranteed top-quality services and attention on the part of our benevolent personnel.

We recommend you to print PASSENGER ITINERARY RECEIPT and take it alone to the airport. It will help you to pass control and registration procedures faster.

See you on board!
Best regards,
Delta Air Lines

Virus Total permalink and MD5: b77960abe4e43ab60156c4c984d9166a.

Facebook message with link to striptease video leads to malware


A message from Facebook Mail with the subject line “FaceBook message: Magnificent Striptease Dance (Last rated by Lorena Keyes)” contains a URL that leads to a host with malware.

Some alternative subjects are:

FaceBook message: Magnificent girl dancing video clip (Last rated by Sal Velasquez)
FaceBook message: Dancing Girl Drunk In The Pub- facebook Video (Last rated by Abe Bain)
FaceBook message: Hot Girl Dancing At Striptease Dance Party (Last rated by Lowell Clay)
FaceBook message: Dancing Girl Drunk In The Pub- facebook Video (Last rated by Shane Lucas)

The body of the email:

Messages from Your Friends on Facebook, March 19, 2009

You have 1 Personal Message:
Video title: “Amanda is dancing on Striptease Dance Party, March 14, 2009! We’re absolutely shocked!”.

Proceed to view full video message:

hxxp://facebook.shared.default.personalid-f58xc9cp8.launchpad.videosshared.com/home.htm?/efsonline/application=3l6mwjxsb1kpema

Message ID: FB-wtq2w9w5ig7z5gf
2009 Facebook community, Message Center.

The URL leads to a Facebook look-alike web site where the video is offered.

From this page you are prompted to download the newest Adobe Flash player. The file is presented as Flash_Adobe11.exe and is the same malware as in the Comcast High Speed Self Installation Kit post published earlier today.

The malware contains Rootkit.Agent.EX, which hides its presence on the infected machine in order to perform malicious actions without the user’s knowledge. The files %Windir%\9129837.ex, %System%\abcdefg.bat and %Windir%\new_drv.sys (a hidden file) are created on an infected machine.

A new hidden process 9129837.exe is started and the following system services are stopped: ALG (Application Layer Gateway Service), SharedAccess (Windows Firewall/Internet Connection Sharing) and wscsvc (Security Center). The malware connects to IP 58.65.232.17 on port 80 with one of the following GET requests:

cgi-bin/cmd.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd
&socks=14477&version=125&crc=00000000

cgi-bin/options.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd
&socks=14477&version=125&crc=00000000

Virus Total permalink and MD5: 8bf819ad4704aab758f86684a108c2a1.

PayPal 5 question survey is just another phishing technique


“PayPal will add $50 credit to your account just for taking part in our quick 5 question survey. Only one survey per card is allowed, if you own multiple cards you can run the survey again for each.”

This is the opening paragraph of a phishing site that tries to lure visitors into filling in a short survey with the promise of receiving $50 on their PayPal account.

At the end of the survey you are asked to fill in your personal details, including your credit card number, expiry date and card PIN.

Some phishing sites don’t have any input validation and accept any data that is submitted. When I tested their web form my credit card number didn’t match the required 16 digits and afterwards my card number appeared to be invalid. I’m not using real data, of course. ;-)

So I went to the source code and found a nice JavaScript that verifies your submitted data. When everything is submitted you get a return screen.

As always, be careful when receiving emails containing URLs that redirect you to sites that don’t fit the picture completely. In this case, the PayPal layout of the web page gives away that it is a phishing site, and there is no secure https connection. Also, and more importantly, if PayPal were doing a survey you wouldn’t have to fill in your credit card details again.

Comcast High Speed Self Installation Kit is malware


When checking some URLs at MX Lab this one caught our attention because it is a nice trick to distribute malware. The trick is to attract people that want high speed internet for free. Don’t we all want this? I believe so but this one isn’t going to offer you high speed internet at all.

The URL points to hxxp://comcast.corporate.history.userguide-csebfhah6.interstitialcontrol.43534online.com/highspeedinternet.html?/permissions/specialoffer=jt4uffle9qdyzzp.

The website starts with a very nice offer:

Attention All Customers: March 19, 2009

Comcast High Speed Self Installation Kit v.4 is a special utility designed to boost the speed of your connection. This tool has advanced features of the 3rd generation high speed internet with multiple connections , download scheduling, and many more. It is free proposition for all Comcast clients (any connection) for 300 days.

The instructions are very simple: download the 36 kB file ComcastHSkit.exe. In most browsers the download starts after a few seconds.

When we submitted the file to Virus Total, 6 of the 39 engines detected this malware, as TR/Crypt.FKM.Gen (Anti-Vir), Trojan.Crypt.FKM.Gen (McAfee GW Edition) or Mal/EncPk-HJ (Sophos).

The malware contains Rootkit.Agent.EX, which hides its presence on the infected machine in order to perform malicious actions without the user’s knowledge. The files %Windir%\9129837.ex, %System%\abcdefg.bat and %Windir%\new_drv.sys (a hidden file) are created on an infected machine.

A new hidden process 9129837.exe is started and the following system services are stopped: ALG (Application Layer Gateway Service), SharedAccess (Windows Firewall/Internet Connection Sharing) and wscsvc (Security Center). The malware connects to IP 58.65.232.17 on port 80 with one of the following GET requests:

cgi-bin/cmd.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd
&socks=14477&version=125&crc=00000000

cgi-bin/options.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd
&socks=14477&version=125&crc=00000000

According to other blog posts, the IP 58.65.232.17 is involved in more malicious activities. The server has reportedly relocated from Ukraine to Hong Kong. Here are some articles:

http://www.f-secure.com/weblog/archives/00001625.html
http://garwarner.blogspot.com
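The GET requests quoted in this post and in the Facebook striptease post above have the same shape: the same two CGI endpoints and the same parameter set. As an added example (not from the original posts), here is a Python check that flags them in proxy logs by request shape as well as by the C2 address; the log format and the sample lines are constructed, with the parameter values copied from the requests above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the post: the C2 host, the two CGI endpoints the
# sample polls, and every parameter name its GET request carries.
C2_HOSTS = {"58.65.232.17"}
C2_PATHS = {"/cgi-bin/cmd.cgi", "/cgi-bin/options.cgi"}
BEACON_PARAMS = {"user_id", "version_id", "passphrase", "socks", "version", "crc"}

# Constructed proxy log format (assumed): "<timestamp> <client> <method> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")

def classify(url):
    """Return a verdict string for one requested URL, or None if nothing matches."""
    parts = urlsplit(url)
    params = set(parse_qs(parts.query).keys())
    # Shape match first: it still fires when the operators move to a new host.
    if parts.path in C2_PATHS and BEACON_PARAMS <= params:
        return "beacon-pattern"
    if (parts.hostname or "") in C2_HOSTS:
        return "known-c2-host"
    return None

def scan(lines):
    """Return (client, verdict, url) for every log line that matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue            # skip malformed or non-request lines
        verdict = classify(m["url"])
        if verdict:
            hits.append((m["client"], verdict, m["url"]))
    return hits

# Constructed sample log: two beacons, one benign cmd.cgi with other parameters,
# one normal page, and an unrelated request to the C2 address.
SAMPLE_LOG = """\
2009-03-19T10:01:02Z 10.0.0.7 GET http://58.65.232.17/cgi-bin/cmd.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd&socks=14477&version=125&crc=00000000
2009-03-19T10:01:40Z 10.0.0.7 GET http://58.65.232.17/cgi-bin/options.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd&socks=14477&version=125&crc=00000000
2009-03-19T10:02:11Z 10.0.0.9 GET http://www.example.com/cgi-bin/cmd.cgi?id=5
2009-03-19T10:03:00Z 10.0.0.9 GET http://www.example.com/index.html
2009-03-19T10:04:00Z 10.0.0.12 GET http://58.65.232.17/favicon.ico
""".splitlines()

if __name__ == "__main__":
    for client, verdict, url in scan(SAMPLE_LOG):
        print(f"{client:10} {verdict:16} {url}")
```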

Virus Total permalink and MD5: 8bf819ad4704aab758f86684a108c2a1.

AutoScout24 subject to phishing


Most of the time, when a phishing email is sent, its goal is to obtain personal and financial information regarding your bank, PayPal or eBay account. But sometimes phishers choose other targets as well. In this case it is AutoScout24.

At MX Lab we intercepted a few phishing emails today from “Autoscout24 <info@autoscout24.ch>”, which is obviously spoofed, with the subject “Autoscout24-Verkaeufer Informationen Haben Erfordert” and with the following content in the email body:

Attention!

Dear Autoscout24 member,

We recently noticed that one or more attempts were made to log in to your autoscout24 account from a foreign IP address.

If you recently accessed your account while travelling, the unusual log-in attempts may have been initiated by you. However, if you did not initiate the log-in, please visit autoscout24 as soon as possible to verify your identity:

hxxp://autoscot24-ch.info/home/index/login.asp/verify.html

Verifying your identity is a security measure that will ensure that you are the only person with access to the account.

Thank you for your patience as we work together to protect your account.

For more information please see the link below:

http://about.autoscout24.com/de-de/au-company/au-company-agb/au-company-agb-as24.aspx

Kind regards,
AutoScout24 Team,
AutoScout24 GmbH
Rosenheimer Str. 143 b
81671 Munchen

The message claims that there is an issue with your account because AutoScout24 noticed login attempts from a foreign IP address. According to these instructions, you have to log in and verify your account to get it unlocked again.

We did a test to see whether the browsers’ phishing filters detected the phishing site. Here are the results:

Safari 3 (MacOS X): yes
Firefox 3 (MacOS X): no

Firefox 3 (Windows): no
Internet Explorer 7 (Windows): no

Rogue anti virus program: Antivirus for Windows – New 2009 Version


MX Lab intercepted a message that caught our attention. Some time ago, a rogue anti virus/anti spyware program known as Antivirus 2009, XP Antivirus Protection, MSAntivirus 2008 and Vista Antivirus 2008 was promoted on the internet and in various spam emails.

It seems that this now is distributed under a new name “Antivirus for Windows – New 2009 Version”.

The email was sent from PC Protection <internet.clientservice@gmail.com> and contains the subject “Update your Antivirus for Windows”.

The email looks like a mailing and contains Unsubscribe, Forward and Update Profile links. However, when looking at all the links in the message, some are invalid, like the Report Abuse link that contains the URL http://ss25..sourcecompmail.com/ – note the double dot after ss25. The domains http://ss25.sourcecompmail.com/ and http://sourcecompmail.com/ return an HTTP 404 error and host no web site. It is very common to work from a subdomain and pages under that domain without any root HTML pages.

The domain itself appears to be registered at Tucows with the following details:

[whois.tucows.com]
Registrant:
 Quattro Web Solutions
 13 Hares avenue
 Woodstock
 Cape Town,  7925
 ZA

 Domain name: SOURCECOMPMAIL.COM

 Administrative Contact:
    Honig, Paul  paul@quattro.co.za
    15 Wandel street
    Gardens
    Cape Town
    Cape Town,  7925
    ZA
    +27.4480099    Fax: +27.214619277

 Technical Contact:
    Desk, Help  domreg@ns.com
    322 South Marietta Street
    Gastonia, WI 28052
    US
    +1.7048527000    Fax: +1.7048849011

 Registrar of Record: TUCOWS, INC.
 Record last updated on 28-Oct-2008.
 Record expires on 28-Oct-2009.
 Record created on 28-Oct-2008.

 Registrar Domain Name Help Center:

http://domainhelp.tucows.com

 Domain servers in listed order:
    NS3.NITRIC.CO.ZA
    NS2.NITRIC.CO.ZA   

 Domain status: clientTransferProhibited
                clientUpdateProhibited

When following the download links, a landing page is shown.

When filling in your email address and the activation code you are presented with a payment screen.

Recommendation: do not proceed with the payment process and do not download the program.

New UPS trojan detected: TrojanSpy.ZBot.DGI


Posting updated on 10 March 2009. Read the new information at the end of this posting.

MX Lab intercepted a few messages, with the zero hour anti virus system, that claim that the delivery of the postal package handled by UPS has failed due to an incorrect address. At the time of writing, 03.02.2009 22:55:45 (CET), only 7 of the 38 anti virus engines detect this new variant.

The trojan is named TrojanSpy.ZBot.DGI (VirusBuster), Trojan-Dropper.Delf (Ikarus) or VirTool:Win32/DelfInject.gen!J (Microsoft).

The from address is spoofed and contains “United Postal Service <tracking@ups.com>”.

The message contains the following body content:

Hello!

Sorry, we were not able to deliver postal package you sent on February the 23th in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office.

Your UPS Support Team

The trojan hides itself inside the file Invoice_8612112.exe once you have extracted the ZIP archive Invoice_8612112.zip. Names and numbers may vary.
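For the DHL lures above and this UPS lure the common trait is a spoofed courier sender with a ZIP attachment hiding an executable. As an added example (not from the original posts), a Python check that inspects such messages in memory without extracting anything to disk; the message built by build_lure is constructed, and the dhl.com domain in CARRIER_DOMAINS is assumed, since the DHL posts quote no From header.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")
# Courier domains the lures impersonate: ups.com is the spoofed sender in the
# UPS post; dhl.com is an assumption for the DHL variant.
CARRIER_DOMAINS = {"ups.com", "dhl.com"}

def build_lure(member="Invoice_8612112.exe"):
    """Constructed sample modelled on the UPS lure above (not a real capture):
    a spoofed courier sender with a ZIP attachment holding `member`."""
    payload = io.BytesIO()
    with zipfile.ZipFile(payload, "w") as z:
        z.writestr(member, b"MZ constructed placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"] = "United Postal Service <tracking@ups.com>"
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "Delivery failed"
    msg.set_content("Hello!\n\nSorry, we were not able to deliver postal package ...\n")
    msg.add_attachment(payload.getvalue(), maintype="application",
                       subtype="zip", filename="Invoice_8612112.zip")
    return msg.as_bytes()

def executables_in_zip_attachments(raw):
    """Return (attachment name, member name) for every executable found
    inside a ZIP attachment, reading the archive listing only."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as z:
                found += [(name, m) for m in z.namelist() if m.lower().endswith(EXEC_EXT)]
        except zipfile.BadZipFile:
            found.append((name, "<unreadable zip>"))   # a damaged archive is still suspicious
    return found

def is_delivery_lure(raw):
    """A courier sender domain plus an executable-in-ZIP attachment is a hit."""
    msg = message_from_bytes(raw, policy=policy.default)
    _, addr = parseaddr(msg["From"] or "")
    domain = addr.rpartition("@")[2].lower()
    return domain in CARRIER_DOMAINS and bool(executables_in_zip_attachments(raw))

if __name__ == "__main__":
    sample = build_lure()
    print(executables_in_zip_attachments(sample), is_delivery_lure(sample))
```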

It has the same characteristics as in one of our previous blog posts with the difference that the connection to the remote host 91.211.65.33 now tries to get /ejik/admin.bin and /ejik/hot.php.

Virus Total permalink and MD5: a3d1a160e6ce8ca4c2b4421731e549c2.

Update 10 March 2009: A new variant is being distributed. The attached file is named UPS_ID.zip and contains the trojan UPS_ID.exe.

Virus Total permalink and MD5: b5e44647bc1f08c4d7f32fc933db1ac6.
