New variant W32/Trojan3.AKD attached with the DHL tracking email message


A new trojan variant is attached to the malicious DHL tracking emails. The trojan is known as W32/Trojan3.AKD, and the attached zip file name has changed to dhl_n756512.zip.

The content of the email remains mostly unchanged:

Hello!

We were not able to deliver postal package you sent on the 14th of March in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office.

Your personal manager: Shawn Pina,

Customer Service: 1-800-CALL-DHL
Fax: 888-221-6211
DHL International, Ltd. All Rights Reserved

The trojan has the threat characteristics of ZBot, a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components, and gives the attacker remote access to the compromised system.

The following directories are created:

  • %System%\lowsec
  • %Windir%\Temp\Cookies
  • %Windir%\Temp\History
  • %Windir%\Temp\History\History.IE5
  • %Windir%\Temp\Temporary Internet Files
  • %Windir%\Temp\Temporary Internet Files\Content.IE5
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\APS9AFKV
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\AZQ50B2L
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\IT4VWXQ5
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\M5U5URM5

Files created on the infected system:

  • %Windir%\9g234sdff3d23dfgjf23
  • %Windir%\ld03.exe
  • %Windir%\pp05.exe
  • %System%\dll32.dll
  • %System%\lowsec\local.ds
  • %System%\lowsec\user.ds
  • %System%\nfr.assembly
  • %System%\nfr.gpref
  • %System%\sdra64.exe
  • %Windir%\t55ft2809f44.dat
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\APS9AFKV\desktop.ini
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\AZQ50B2L\desktop.ini
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\desktop.ini
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\IT4VWXQ5\desktop.ini
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\M5U5URM5\desktop.ini
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\index.dat
  • %Windir%\tt_1238184223.exe (known as Trojan.Fakeavalert [Symantec], packed with PE_Patch.UPX [Kaspersky Lab])

New processes are created:

  • pp05.exe (%Windir%\pp05.exe)
  • tt_1238184236.exe (%Windir%\tt_1238184236.exe)

Windows registry changes are made, and connections to the following remote hosts are established on port 80:

  • 119.110.107.136
  • 207.36.57.81
  • 212.36.9.1
  • 66.102.11.147
  • 85.13.236.154
  • 91.212.65.5
  • 92.62.101.17

The following URLs, which host malicious content, may be requested (detection names for the downloaded files follow the URL):

  • hxxp://wnames0603.com/achcheck.php
  • hxxp://wnames0603.com/ld/gen.php
  • hxxp://nettresults.com/vtb.exe
    -> W32/Trojan-Sml-SDCW!Eldorado, W32.Koobface.A
  • hxxp://intelfarm.com/1/nfr.exe
    -> Trojan.Dropper.Gen, Trojan.Fakeavalert
  • hxxp://intelfarm.com/1/pp.05.exe
    -> W32/Trojan-Sml-IWW!Eldorado, W32.Koobface.A
  • hxxp://85.13.236.154/v50/search.php?p=11180&s=I&v=56&uid=13441600&q=
  • hxxp://mn-room.ru/phpbb/dir.cfg
  • hxxp://92.62.101.17/phpbb2/dir.php

VirusTotal permalink and MD5: 4b00c328a526f20acc801f46b69f2e78.
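The hosts, URLs and dropped files listed above are usable as indicators. The script below is an added example, not part of the original write-up: it turns those lists into a small matcher that runs over proxy log lines (a constructed sample in an assumed "timestamp client method url" layout) and checks a Windows directory tree for the dropped files, resolving %Windir% and %System% against a directory the caller supplies. The sample log lines and the temporary file tree are constructed for the demonstration.

```python
"""Match the network and file indicators from the write-up against proxy logs and a file tree."""
import os
import re
import shutil
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Hosts contacted on port 80 (from the write-up).
REMOTE_HOSTS = {
    "119.110.107.136", "207.36.57.81", "212.36.9.1", "66.102.11.147",
    "85.13.236.154", "91.212.65.5", "92.62.101.17",
}

# URLs from the write-up, kept de-fanged (hxxp) as in the original.
MALICIOUS_URLS = [
    "hxxp://wnames0603.com/achcheck.php",
    "hxxp://wnames0603.com/ld/gen.php",
    "hxxp://nettresults.com/vtb.exe",
    "hxxp://intelfarm.com/1/nfr.exe",
    "hxxp://intelfarm.com/1/pp.05.exe",
    "hxxp://85.13.236.154/v50/search.php?p=11180&s=I&v=56&uid=13441600&q=",
    "hxxp://mn-room.ru/phpbb/dir.cfg",
    "hxxp://92.62.101.17/phpbb2/dir.php",
]

# Files the trojan drops, in the %Windir%/%System% notation used in the write-up.
DROPPED_FILES = [
    r"%Windir%\9g234sdff3d23dfgjf23", r"%Windir%\ld03.exe", r"%Windir%\pp05.exe",
    r"%System%\dll32.dll", r"%System%\lowsec\local.ds", r"%System%\lowsec\user.ds",
    r"%System%\nfr.assembly", r"%System%\nfr.gpref", r"%System%\sdra64.exe",
    r"%Windir%\t55ft2809f44.dat",
]

# Constructed proxy log sample; the layout "<timestamp> <client> <method> <url>" is assumed.
SAMPLE_LOG = """\
2009-03-30T09:14:02Z 10.0.0.12 GET http://www.example.com/index.html
2009-03-30T09:14:05Z 10.0.0.12 GET http://wnames0603.com/achcheck.php
2009-03-30T09:14:09Z 10.0.0.12 GET http://85.13.236.154/v50/search.php?p=11180&s=I&v=56&uid=13441600&q=
2009-03-30T09:15:01Z 10.0.0.12 GET http://intelfarm.com/1/nfr.exe
2009-03-30T09:15:30Z 10.0.0.12 GET http://92.62.101.17/phpbb2/dir.php
2009-03-30T09:16:12Z 10.0.0.12 GET http://91.212.65.5/
""".splitlines()
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def refang(url):
    """Turn the de-fanged hxxp:// form back into a real scheme so urlparse sees a host."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def url_indicators(urls=MALICIOUS_URLS):
    """Derive a host set and a (host, path) set from the URL list; the query string is ignored."""
    hosts, host_paths = set(), set()
    for u in urls:
        p = urlparse(refang(u))
        hosts.add(p.hostname)
        host_paths.add((p.hostname, p.path))
    return hosts, host_paths


def scan_proxy_log(lines, extra_hosts=REMOTE_HOSTS):
    """Return (line_no, client, url, reason) for every log line that touches an indicator."""
    url_hosts, host_paths = url_indicators()
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        p = urlparse(m.group("url"))
        if (p.hostname, p.path) in host_paths:
            reason = "known malicious URL"
        elif p.hostname in url_hosts or p.hostname in extra_hosts:
            reason = "known C2/download host"
        else:
            continue
        hits.append((n, m.group("client"), m.group("url"), reason))
    return hits


def expand_ioc(ioc, windir):
    """Resolve %Windir% and %System% (= %Windir%\\System32) against a concrete Windows directory."""
    rel = ioc.replace("%System%", str(windir / "System32")).replace("%Windir%", str(windir))
    return Path(rel.replace("\\", os.sep))


def scan_filesystem(windir, iocs=DROPPED_FILES):
    """Return the dropped-file indicators (in write-up notation) that exist under windir."""
    return [i for i in iocs if expand_ioc(i, Path(windir)).exists()]


def demo_filesystem_scan():
    """Build a constructed tree containing two of the dropped files, scan it, and clean up."""
    root = Path(tempfile.mkdtemp())
    try:
        system32 = root / "Windows" / "System32"
        (system32 / "lowsec").mkdir(parents=True)
        (system32 / "sdra64.exe").write_bytes(b"")
        (system32 / "lowsec" / "user.ds").write_bytes(b"")
        return scan_filesystem(root / "Windows")
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("log line %d: %s requested %s (%s)" % hit)
    print("dropped files present in sample tree:", demo_filesystem_scan())
```

Matching on (host, path) rather than the full URL is deliberate: the search.php request carries a per-victim uid parameter, so an exact-string match would miss other infected hosts. Real deployments would point scan_filesystem at the machine's actual Windows directory and feed the real proxy log format into LOG_LINE.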

9 Responses to New variant W32/Trojan3.AKD attached with the DHL tracking email message

  1. idiota says:

    I stupidly downloaded this trojan — got sent to a group list serv I’m on for my reports and thought someone had screwed up sending a package and so checked on it…

    I seem to have been able to fix it using Malwarebytes. The trojan had replaced something and all browsers were blocked. I ended up having to push Windows back to a configuration from a few days ago to get machine up and running. Spybot was useless as was some other virus blockers.

    Here’s how the trojan worked on my machine…
    1. it created an IE popup window with a message saying “your machine has been infected, click now to protect it from viruses.” The window had several status bars and looked like something native to IE. I clicked “OK” in a panic and then everything froze up. Very clever. Don’t know if the “freezing up” was also intentional. Hoping that my work firewall blocked the f….er.

    2. When the fake virus protector — labeled something like Antivirus 4 — failed, I force quit out of the IE window in panic. Then I searched for other antispyware programs. I ended up with StopZilla which sucked. The m….fs give you a free download, allow you to run a scan and then try to make you pay $40.

    3. In the meantime, I was frantically searching to figure out what I had done to my machine. Then I noticed that every time I googled and clicked on a result, I was forwarded to some search aggregator — travel something or another.

    4. Then, I started searching for “Google Redirect Virus” and luckily came across advice to download Malwarebytes which I was somehow able to do (although it was tricky — had to paste in URLs from Google to get there).

    5. I also — in the advice I found via Google — found info about Google Redirect Virus and searched the registry for the f…ing travel site and deleted the reference. It did stop me from being constantly redirected to their site.

    6. The explorer window with the fake virus program kept on popping up. It offers lots of windows with cancel, OK, etc. I kept on force quitting. I didn’t try the buttons but assumed they were all fakes. I also went into IE and disabled ActiveX. Didn’t stop the IE window though.

    7. Then Malwarebytes completed its scan and found a ton of stuff. I stupidly didn’t even look at what it found. I deleted everything (was about 13 files). It did say two files needed to be deleted upon reboot. I rebooted.

    8. No browser would work after even though I had IP access. I did see a message saying Windows Common something or the other was disabled. I assume — upon what I read — that one of the trojans replaced a registry file I actually needed.

    9. After trying different things, I decided to turn the clock back (to a few days ago) and everything went back to normal (I hope).

    10. Now, I’m trying to reconstruct what happened and to make sure my system is really clean. I’m a little panicked about bank accounts and the like. All OK so far but who knows.

    11. Final note — the IE antivirus window seems to be a core of the scam. If anyone is as stupid as me and downloads, force quit out of the IE window immediately and call in IT help. Or, if you don’t have that, get Malwarebytes as soon as possible.

    12. Call for help — if any of you security folks have advice for how I can check to make sure I’m really clean as this point, I’d really appreciate it.

  2. Ash Blue says:

    So I’m only the secretary of an IT business firm in the Seattle area, but what it sounds like to me is that it’s created a “rootkit” in your computer. Speak with your IT professional immediately because those are the cases that our technicians shudder about. It takes very special tools to remove. Again, not an expert, but that’s my advice.

    Hope it helps.

  3. Ray says:

    Hardware:
    Router
    Cable Modem
    OS: Windows XP SP2
    Browser: IE7

    My significant other was hit with this thing and fortunately, she didn’t press any buttons to load the rest of the payload.

    To keep this brief, Symantec AV was partially good and detected some of the components, but was ineffective in removing it all. System Restore wasn’t any help and I seriously considered rebuilding the machine as I began backing up the most recent items that had been created. I saw some of the previous comments, and my wife confirmed the malicious email which she was processing as a function of her business work. Then everything went south from there. Additionally, the browser had been hijacked and internet access was not available.

    I used the network diagnostic tool provided by Microsoft

    Control Panel
    Network Connections

    And it indicated that HTTP traffic failed, but HTTPS was possible. Hmmm, what could it be.

    The way I resolved this was to do the following in IE7:

    Tools
    ->Internet options
    ->Connections
    ->LAN Settings

    I saw an entry in the automatic configuration script text box, and proceeded to:

    ->check the auto config script box, which highlighted the box, and I deleted the entry.
    ->Uncheck the “detect settings automatically” box
    ->Uncheck the “automatic configuration script” box
    ->Uncheck the “Use Proxy server….” box

    Internet access for http traffic over port 80 was resumed.

    Malwarebytes was much more thorough in the cleansing process, and was pretty effective. Not an endorsement, just an experience that seems to have worked.
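The symptom Ray describes (HTTP blocked while HTTPS works, traced to an entry in the automatic configuration script box) corresponds to the per-user Internet Settings values AutoConfigURL, AutoDetect, ProxyEnable and ProxyServer. The script below is an added example, not Ray's or the blog's code: it reads those values from HKCU on Windows and reports any PAC URL or proxy server that is not on a caller-supplied allow list. The allow lists and the sample values in the usage block are constructed for the demonstration.

```python
"""Flag unexpected proxy auto-config (PAC) or proxy server entries in the per-user IE settings."""
import sys
from urllib.parse import urlparse

# Real registry location and value names used by Internet Explorer / WinINet.
INTERNET_SETTINGS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
WATCHED_VALUES = ("AutoConfigURL", "AutoDetect", "ProxyEnable", "ProxyServer")


def read_internet_settings():
    """Return the watched HKCU values on Windows; on other platforms return an empty dict."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, Windows only
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_SETTINGS) as key:
        for name in WATCHED_VALUES:
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value not present, nothing to report
    return values


def assess_proxy_settings(values, allowed_pac_hosts=(), allowed_proxies=()):
    """Return human-readable findings for PAC/proxy settings that are not on the allow lists.

    values: dict as returned by read_internet_settings (or a captured copy).
    allowed_pac_hosts: hostnames that may legitimately serve the PAC file (policy, assumed).
    allowed_proxies: 'host:port' strings that may legitimately appear in ProxyServer.
    """
    findings = []
    pac = values.get("AutoConfigURL")
    if pac:
        host = urlparse(pac).hostname
        if host not in allowed_pac_hosts:
            findings.append("AutoConfigURL points to unexpected host %r: %s" % (host, pac))
    if values.get("ProxyEnable") == 1:
        proxy = values.get("ProxyServer", "")
        if proxy not in allowed_proxies:
            findings.append("ProxyEnable is set with unexpected ProxyServer %r" % proxy)
    return findings


if __name__ == "__main__":
    # On Windows this inspects the current user's settings; elsewhere it runs on a constructed sample.
    current = read_internet_settings() or {"AutoConfigURL": "http://pac.example.invalid/dir.cfg"}
    for finding in assess_proxy_settings(current, allowed_pac_hosts=("proxy.corp.example",)):
        print("FINDING:", finding)
```

A host with no corporate PAC should have no AutoConfigURL at all, so an empty allow list is the right default for home machines; for a managed fleet, put the legitimate PAC host and proxy in the allow lists and run the check from a logon script so a hijacked entry is reported rather than silently used.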

  4. softrocker says:

    Hi there.

    Got it too, although I saw no pop-ups.

    Did the following:
    1. Installed Avira antivirus, after removing McAfee (was disabled)
    2. Updates and full scan later, it only got the program, on windows\system32\sdra64.exe
    3. Downloaded Combofix and ran it. It found the same file as a rootkit, rebooted the machine and then removed some tonnes of stuff.
    4. Disabled system restore, which deleted the virus on the System Information Volume
    5. Now running MalwareBytes, so far nothing found.

    I guess I am clean now.

  5. michel jambon says:

    Hello,
    I got caught by this malware. Is there a way to clean it up?

    Thanks. Michel

  6. Gerry says:

    hi

    Sadly, no. I spent hours trying to find something to solve this problem, but nothing worked… My browsers are not working.

  7. Thinkbrown says:

    I recently received this email & virus. I recognized it as a fake (look at the headers) because I have never used DHL. I run a linux system, so I downloaded the attachment, and have been working on disassembling it.

  8. Zak says:

    I was using DHL at the time, and since I normally don’t get spam I opened the damn virus!! Anyway. Restarted in Safe Mode and ran Malwarebytes which I have been using about 2 years now. Used Sysinternals Autoruns to find and clean up anything else still in the system.

    I also got an email from cert.at (Computer Emergency Response Team) telling me that my ftp account settings had been copied by this trojan. Which no one seems to mention about this Trojan. They even attached a text document with one of the accounts and the password to it. So this was not a joke.

    So if you use an FTP Program containing accounts with stored passwords, take the time to change all the ftp passwords if you have been hit by this virus!

  9. jordyhanson says:

    —–> This is the EM I received …. Thankfully I think/hope that my AVG caught it in time

    “Dear customer!

    The parcel was send your home address.

    And it will arrice within 7 bussness day.

    More information and the tracking number

    are attached in document below.

    Thank you.

    2011 DHL International GmbH. All rights reserverd. “
