A new trojan variant is attached to the malicious DHL tracking emails. The trojan is known as W32/Trojan3.AKD and the attached zip file name is changed to dhl_n756512.zip.
The content of the email remains mostly unchanged:
Hello!
We were not able to deliver postal package you sent on the 14th of March in time because the recipients address is not correct.
Please print out the invoice copy attached and collect the package at our office.
Your personal manager: Shawn Pina,
Customer Service: 1-800-CALL-DHL
Fax: 888-221-6211
DHL International, Ltd. All Rights Reserved
The trojan has the threat characteristics of ZBot, a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screenshots, downloads additional components, and gives an attacker remote access to the compromised system.
The following directories are created:
- %System%\lowsec
- %Windir%\Temp\Cookies
- %Windir%\Temp\History
- %Windir%\Temp\History\History.IE5
- %Windir%\Temp\Temporary Internet Files
- %Windir%\Temp\Temporary Internet Files\Content.IE5
- %Windir%\Temp\Temporary Internet Files\Content.IE5\APS9AFKV
- %Windir%\Temp\Temporary Internet Files\Content.IE5\AZQ50B2L
- %Windir%\Temp\Temporary Internet Files\Content.IE5\IT4VWXQ5
- %Windir%\Temp\Temporary Internet Files\Content.IE5\M5U5URM5
The following files are created on the infected system:
- %Windir%\9g234sdff3d23dfgjf23
- %Windir%\ld03.exe
- %Windir%\pp05.exe
- %System%\dll32.dll
- %System%\lowsec\local.ds
- %System%\lowsec\user.ds
- %System%\nfr.assembly
- %System%\nfr.gpref
- %System%\sdra64.exe
- %Windir%\t55ft2809f44.dat
- %Windir%\Temp\Temporary Internet Files\Content.IE5\APS9AFKV\desktop.ini
- %Windir%\Temp\Temporary Internet Files\Content.IE5\AZQ50B2L\desktop.ini
- %Windir%\Temp\Temporary Internet Files\Content.IE5\desktop.ini
- %Windir%\Temp\Temporary Internet Files\Content.IE5\IT4VWXQ5\desktop.ini
- %Windir%\Temp\Temporary Internet Files\Content.IE5\M5U5URM5\desktop.ini
- %Windir%\Temp\Temporary Internet Files\Content.IE5\index.dat
- %Windir%\tt_1238184223.exe (known as Trojan.Fakeavalert [Symantec] packed with PE_Patch.UPX [Kaspersky Lab])
New processes are created:
- pp05.exe (%Windir%\pp05.exe)
- tt_1238184236.exe (%Windir%\tt_1238184236.exe)
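A host sweep for the file artifacts listed above, as an added example that is not part of the original advisory. It assumes %System% means the System32 folder under %Windir%, and that the numeric suffix of the tt_ executable varies between infections (the page shows two different values), so that name is matched with a wildcard.

```python
import glob
import os
import tempfile

# File artifacts copied from the lists above. The last entry is a wildcard:
# assumption that the numeric suffix of tt_<digits>.exe varies per infection.
ZBOT_FILE_IOCS = [
    r"%Windir%\9g234sdff3d23dfgjf23",
    r"%Windir%\ld03.exe",
    r"%Windir%\pp05.exe",
    r"%System%\dll32.dll",
    r"%System%\lowsec\local.ds",
    r"%System%\lowsec\user.ds",
    r"%System%\nfr.assembly",
    r"%System%\nfr.gpref",
    r"%System%\sdra64.exe",
    r"%Windir%\t55ft2809f44.dat",
    r"%Windir%\tt_*.exe",
]

def expand(template, windir):
    """Turn a %Windir%/%System% template into a glob pattern under windir.
    Assumption: %System% is the System32 folder inside the Windows directory."""
    prefix, _, rest = template.partition("\\")
    sub = {"%windir%": [], "%system%": ["System32"]}[prefix.lower()]
    return os.path.join(glob.escape(windir), *sub, *rest.split("\\"))

def sweep(windir, iocs=ZBOT_FILE_IOCS):
    """Return (template, path) for every artifact present under windir."""
    return [(t, p) for t in iocs for p in glob.glob(expand(t, windir))]

def demo():
    """Constructed sample: a fake Windows tree holding three artifacts and one
    benign file. Returns the templates that matched."""
    with tempfile.TemporaryDirectory() as windir:
        os.makedirs(os.path.join(windir, "System32", "lowsec"))
        for rel in (["System32", "sdra64.exe"], ["System32", "lowsec", "user.ds"],
                    ["System32", "notepad.exe"], ["tt_1238184223.exe"]):
            open(os.path.join(windir, *rel), "w").close()
        return [t for t, _ in sweep(windir)]

if __name__ == "__main__":
    # On Windows, sweep the real directory; elsewhere, run the constructed demo.
    windir = os.environ.get("WINDIR")
    hits = sweep(windir) if windir else demo()
    for hit in hits:
        print("FOUND", hit)
```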
Windows registry changes are being made and connections to remote hosts are established on port 80.
The following URLs, which host malicious content, can be requested:
* hxxp://wnames0603.com/achcheck.php
* hxxp://wnames0603.com/ld/gen.php
* hxxp://nettresults.com/vtb.exe
  -> W32/Trojan-Sml-SDCW!Eldorado, W32.Koobface.A
* hxxp://intelfarm.com/1/nfr.exe
  -> Trojan.Dropper.Gen, Trojan.Fakeavalert
* hxxp://intelfarm.com/1/pp.05.exe
  -> W32/Trojan-Sml-IWW!Eldorado, W32.Koobface.A
* hxxp://85.13.236.154/v50/search.php?p=11180&s=I&v=56&uid=13441600&q=
* hxxp://mn-room.ru/phpbb/dir.cfg
* hxxp://92.62.101.17/phpbb2/dir.php
VirusTotal permalink and MD5: 4b00c328a526f20acc801f46b69f2e78.