Rogue online anti virus scanner Antivirus Plus


Antivirus Plus is a rogue antivirus scanner. When visiting a URL like hxxp://myreallyty.com/su/in.cgi?18 – something I don’t recommend doing at home – an online virus scanner starts to check your computer system. It won’t take long before the first viruses, malware and trojans are detected.

The online virus scanner warns you that you have several infections, with I-Worm.Sobig, TrojanDropper.JS.Mimail and Backdoor.SdBot.gen being among the most critical according to Antivirus Plus.


Antivirus Plus will soon warn you that it can’t clean your computer and offers you the option to download additional software to do so.

The file Installer_70137.exe is downloaded and is known as:

Win32:Trojan-gen (Avast)
Trojan.Win32.Agent2.gnf (F-Prot, Kaspersky)
TrojanDownloader:Win32/Renos.BAO (Microsoft)
Troj/FakeAV-NT (Sophos)

Virus Total permalink and MD5: 916e0f7aef7f1ea6308fa886d41ed750.

New variant W32/Trojan3.AKD attached with the DHL tracking email message


A new trojan variant is attached to the malicious DHL tracking emails. The trojan is known as W32/Trojan3.AKD and the attached zip file is now named dhl_n756512.zip.

The content of the email remains mostly unchanged:

Hello!

We were not able to deliver postal package you sent on the 14th of March in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office.

Your personal manager: Shawn Pina,

Customer Service: 1-800-CALL-DHL
Fax: 888-221-6211
DHL International, Ltd. All Rights Reserved

The trojan has the threat characteristics of ZBot – a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screenshots, downloads additional components, and provides the attacker with remote access to the compromised system.

The following directories are created:

  • %System%\lowsec
  • %Windir%\Temp\Cookies
  • %Windir%\Temp\History
  • %Windir%\Temp\History\History.IE5
  • %Windir%\Temp\Temporary Internet Files
  • %Windir%\Temp\Temporary Internet Files\Content.IE5
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\APS9AFKV
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\AZQ50B2L
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\IT4VWXQ5
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\M5U5URM5

Created files in the infected system:

  • %Windir%\9g234sdff3d23dfgjf23
  • %Windir%\ld03.exe
  • %Windir%\pp05.exe
  • %System%\dll32.dll
  • %System%\lowsec\local.ds
  • %System%\lowsec\user.ds
  • %System%\nfr.assembly
  • %System%\nfr.gpref
  • %System%\sdra64.exe
  • %Windir%\t55ft2809f44.dat
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\APS9AFKV\desktop.ini
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\AZQ50B2L\desktop.ini
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\desktop.ini
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\IT4VWXQ5\desktop.ini
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\M5U5URM5\desktop.ini
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\index.dat
  • %Windir%\tt_1238184223.exe (known as Trojan.Fakeavalert [Symantec], packed with PE_Patch.UPX [Kaspersky Lab])

New processes are created:

  • pp05.exe (%Windir%\pp05.exe)
  • tt_1238184236.exe (%Windir%\tt_1238184236.exe)
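To check a host listing for the ZBot file artifacts listed above, here is an added example (not from the original post). It assumes %System% means the system32 directory under %Windir% and works on a constructed list of absolute paths (e.g. from a disk image or a recursive directory listing) rather than a live system, so it runs anywhere.

```python
"""Match a file listing against the ZBot artifacts named in the post (added example)."""
import ntpath

# Paths taken from the post, with the %System% / %Windir% placeholders kept.
# The random-looking folders under Content.IE5 are left out: they vary per host.
ZBOT_FILES = [
    r"%System%\lowsec\local.ds",
    r"%System%\lowsec\user.ds",
    r"%System%\sdra64.exe",
    r"%System%\dll32.dll",
    r"%System%\nfr.assembly",
    r"%System%\nfr.gpref",
    r"%Windir%\ld03.exe",
    r"%Windir%\pp05.exe",
    r"%Windir%\9g234sdff3d23dfgjf23",
    r"%Windir%\t55ft2809f44.dat",
]

def expand(template, windir=r"C:\WINDOWS"):
    """Replace the placeholders; %System% is assumed to be %Windir%\\system32."""
    system = ntpath.join(windir, "system32")
    return template.replace("%System%", system).replace("%Windir%", windir)

def find_zbot_artifacts(listing, windir=r"C:\WINDOWS"):
    """Return the indicator templates present in the listing.

    Comparison is case-insensitive (NTFS is), so mixed-case listings still match.
    """
    present = {ntpath.normcase(p) for p in listing}
    return [t for t in ZBOT_FILES if ntpath.normcase(expand(t, windir)) in present]

# Constructed listing: a partially infected host plus unrelated files.
SAMPLE_LISTING = [
    r"C:\WINDOWS\System32\lowsec\local.ds",
    r"C:\WINDOWS\system32\SDRA64.EXE",
    r"C:\WINDOWS\pp05.exe",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for hit in find_zbot_artifacts(SAMPLE_LISTING):
        print("ZBot artifact present:", hit)
```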

Windows registry changes are made and connections to several remote hosts are established on port 80.


The following URLs, which host malicious content, can be requested:

  • hxxp://wnames0603.com/achcheck.php
  • hxxp://wnames0603.com/ld/gen.php
  • hxxp://nettresults.com/vtb.exe (detected as W32/Trojan-Sml-SDCW!Eldorado, W32.Koobface.A)
  • hxxp://intelfarm.com/1/nfr.exe (detected as Trojan.Dropper.Gen, Trojan.Fakeavalert)
  • hxxp://intelfarm.com/1/pp.05.exe (detected as W32/Trojan-Sml-IWW!Eldorado, W32.Koobface.A)
  • hxxp://85.13.236.154/v50/search.php?p=11180&s=I&v=56&uid=13441600&q=
  • hxxp://mn-room.ru/phpbb/dir.cfg
  • hxxp://92.62.101.17/phpbb2/dir.php

Virus Total permalink and MD5: 4b00c328a526f20acc801f46b69f2e78.

Email with DHL tracking number contains W32/Trojan3.AKC trojan


MX Lab intercepted a few messages claiming that the delivery of a postal package handled by DHL has failed due to an incorrect recipient address.

The subject reads “DHL Tracking number #05CME637072VHBD”, the attachment is named DHL_HELP.zip and the body of the email contains the following message:

Hello!

We were not able to deliver postal package you sent on the 14th of March in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office.

Your personal manager: Christy Block,

Customer Service: 1-800-CALL-DHL
Fax: 888-221-6211
DHL International, Ltd. All Rights Reserved.

Virus Total permalink and MD5: 469585cf90d45d43566aed92c21807ed.

Delta Airlines ticket confirmation contains a new trojan variant


MX Lab intercepted some messages with a ticket confirmation for a flight with Delta Airlines and an attached ZIP archive named Delta_eTicket.zip. The archive contains the file Delta_eTicket.exe, which is a new trojan variant detected as W32/Trojan-Gypikon-based.BA!Maximus (F-Prot) and Trojan.Dropper.Delphi.Gen (McAfee GW-Edition).

Message body:

Thanks for the purchase!

Booking number: RM2R7

You will find attached to this letter PASSENGER ITINERARY RECEIPT of your electronic ticket.

It verifies that you paid the ticket in full and confirms your right for air travel and luggage transportation by the indicated flight Delta Air Lines.

On board you will be offered:

 – beverages;
 – food;
 – daily press.

You are guaranteed top-quality services and attention on the part of our benevolent personnel.

We recommend you to print PASSENGER ITINERARY RECEIPT and take it alone to the airport. It will help you to pass control and registration procedures faster.

See you on board!
Best regards,
Delta Air Lines

Virus Total permalink and MD5: b77960abe4e43ab60156c4c984d9166a.

Facebook message with link to striptease video leads to malware


A message from Facebook Mail with the subject line “FaceBook message: Magnificent Striptease Dance (Last rated by Lorena Keyes)” contains a URL that leads to a host serving malware.

Some alternative subjects are:

FaceBook message: Magnificent girl dancing video clip (Last rated by Sal Velasquez)
FaceBook message: Dancing Girl Drunk In The Pub- facebook Video (Last rated by Abe Bain)
FaceBook message: Hot Girl Dancing At Striptease Dance Party (Last rated by Lowell Clay)
FaceBook message: Dancing Girl Drunk In The Pub- facebook Video (Last rated by Shane Lucas)

The body of the email:

Messages from Your Friends on Facebook, March 19, 2009

You have 1 Personal Message:
Video title: “Amanda is dancing on Striptease Dance Party, March 14, 2009! We’re absolutely shocked!”.

Proceed to view full video message:

hxxp://facebook.shared.default.personalid-f58xc9cp8.launchpad.videosshared.com/home.htm?/efsonline/application=3l6mwjxsb1kpema

Message ID: FB-wtq2w9w5ig7z5gf
2009 Facebook community, Message Center.

The URL leads to a Facebook look-alike website where the video is offered.

From this page you are prompted to download the newest Adobe Flash Player. The file is presented as Flash_Adobe11.exe and is the same malware as in the Comcast High Speed Self Installation Kit malware posted earlier today.

The malware contains Rootkit.Agent.EX, which hides its presence on the infected machine in order to perform malicious actions without the user’s knowledge. The files %Windir%\9129837.ex, %System%\abcdefg.bat and %Windir%\new_drv.sys (a hidden file) are created on an infected machine.

A new hidden process, 9129837.exe, is started and the following system services are stopped on the computer: ALG (Application Layer Gateway Service), SharedAccess (Windows Firewall/Internet Connection Sharing) and wscsvc (Security Center). The malware connects to the IP 58.65.232.17 on port 80 with one of the following GET requests:

cgi-bin/cmd.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd
&socks=14477&version=125&crc=00000000

cgi-bin/options.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd
&socks=14477&version=125&crc=00000000

Virus Total permalink and MD5: 8bf819ad4704aab758f86684a108c2a1.

PayPal 5 question survey is just another phishing technique


“PayPal will add $50 credit to your account just for taking part in our quick 5 question survey. Only one survey per card is allowed, if you own multiple cards you can run the survey again for each.”

This is the opening paragraph of a phishing site that tries to entice visitors to fill in a short survey with the promise of receiving $50 in their PayPal account.


At the end of the survey you are asked to fill in your personal details, including your credit card number, expiry date and card PIN.

Some phishing sites don’t have any control features and accept any data that is submitted. When I tested their web form, my credit card number didn’t match the required 16 digits and afterwards my card number appeared to be invalid. I’m not using real data, of course. ;-)

So I went to the source code and found some nice JavaScript that verifies your submitted data. When everything is submitted you’ll get a return screen.

As always, be careful when receiving emails containing URLs that redirect you to sites that don’t fit the picture completely. In this case, the PayPal layout of the web page gives it away as a phishing site, and there is no secure https connection. Also, and more importantly, if PayPal were running a survey you wouldn’t have to fill in your credit card details again.

Comcast High Speed Self Installation Kit is malware


When checking some URLs at MX Lab, this one caught our attention because it is a nice trick to distribute malware: it attracts people who want high-speed internet for free. Don’t we all want that? I believe so, but this one isn’t going to offer you high-speed internet at all.

The URL points to hxxp://comcast.corporate.history.userguide-csebfhah6.interstitialcontrol.43534online.com/highspeedinternet.html?/permissions/specialoffer=jt4uffle9qdyzzp.

The website starts with a very nice offer:

Attention All Customers: March 19, 2009

Comcast High Speed Self Installation Kit v.4 is a special utility designed to boost the speed of your connection. This tool has advanced features of the 3rd generation high speed internet with multiple connections, download scheduling, and many more. It is free proposition for all Comcast clients (any connection) for 300 days.

The instructions are very simple: download the 36 kB file ComcastHSkit.exe. In most browsers the download starts after a few seconds.

When submitting the file to Virus Total, 6 of the 39 engines detected this malware, as TR/Crypt.FKM.Gen (Anti-Vir), Trojan.Crypt.FKM.Gen (McAfee GW Edition) or Mal/EncPk-HJ (Sophos).

The malware contains Rootkit.Agent.EX, which hides its presence on the infected machine in order to perform malicious actions without the user’s knowledge. The files %Windir%\9129837.ex, %System%\abcdefg.bat and %Windir%\new_drv.sys (a hidden file) are created on an infected machine.

A new hidden process, 9129837.exe, is started and the following system services are stopped on the computer: ALG (Application Layer Gateway Service), SharedAccess (Windows Firewall/Internet Connection Sharing) and wscsvc (Security Center). The malware connects to the IP 58.65.232.17 on port 80 with one of the following GET requests:

cgi-bin/cmd.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd
&socks=14477&version=125&crc=00000000

cgi-bin/options.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd
&socks=14477&version=125&crc=00000000
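To spot this check-in traffic in web proxy logs, here is an added detection example (not from the original post) that matches the GET requests quoted above and the identical ones in the Facebook striptease post, which carries the same malware. It assumes a simplified, constructed log line format of timestamp, client IP, method and full URL; the CGI names and query keys come from the requests quoted in the post.

```python
"""Flag Rootkit.Agent.EX check-in requests in a proxy log (added example)."""
from urllib.parse import urlsplit, parse_qs

# CGI script names and query keys observed in the GET requests quoted in the post.
BEACON_SCRIPTS = {"cmd.cgi", "options.cgi"}
BEACON_KEYS = {"user_id", "version_id", "passphrase", "socks", "version", "crc"}

def is_beacon(url):
    """True when the URL hits /cgi-bin/cmd.cgi or options.cgi with all beacon keys."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1]
    if script not in BEACON_SCRIPTS or "/cgi-bin/" not in parts.path:
        return False
    return BEACON_KEYS <= set(parse_qs(parts.query))

def scan_proxy_log(lines):
    """Return (client_ip, dest_host, script, user_id) for each matching request.

    Assumed (constructed) line format: "<timestamp> <client_ip> <method> <url>".
    """
    hits = []
    for line in lines:
        fields = line.split(None, 3)
        if len(fields) != 4 or fields[2] != "GET":
            continue
        client_ip, url = fields[1], fields[3]
        if not is_beacon(url):
            continue
        parts = urlsplit(url)
        user_id = parse_qs(parts.query)["user_id"][0]
        hits.append((client_ip, parts.hostname, parts.path.rsplit("/", 1)[-1], user_id))
    return hits

# Constructed sample log: two beacons from one client plus a benign request.
SAMPLE_LOG = [
    "1237500000.123 10.0.0.15 GET http://58.65.232.17/cgi-bin/cmd.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd&socks=14477&version=125&crc=00000000",
    "1237500001.456 10.0.0.15 GET http://58.65.232.17/cgi-bin/options.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd&socks=14477&version=125&crc=00000000",
    "1237500002.789 10.0.0.22 GET http://www.example.com/cgi-bin/search.cgi?q=flights",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("beacon:", hit)
```

The user_id value lets an analyst group beacons per infected host even when the client IP changes.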

According to other blog posts, the IP 58.65.232.17 is involved in more malicious activities. The server has reportedly been relocated from Ukraine to Hong Kong. Here are some articles:

http://www.f-secure.com/weblog/archives/00001625.html
http://garwarner.blogspot.com

Virus Total permalink and MD5: 8bf819ad4704aab758f86684a108c2a1.
