New ZBot trojan detected in UPS tracking emails

Email messages claiming to come from UPS with the subject “Postal Tracking #FDD4Q22514LDU4N” and the attached file UPS_DOC_986001.zip are part of a new malware distribution by email. MX Lab intercepted the first samples of a new variant that is only detected by 5 of the 40 AV engines of Virus Total.

The body of the email:

Hello!

We were not able to deliver postal package you sent on the 14th of March in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.

Your United Parcel Service of America

The trojan will create the following files:

%AppData%\wiaserva.log
%Temp%\WER699f.dir00\appcompat.txt
%Temp%\WER699f.dir00\explorer.exe.hdmp
%Temp%\WER699f.dir00\explorer.exe.mdmp
%Temp%\WER699f.dir00\manifest.txt
%System%\wbem\grpconv.exe

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

The following directory is created: %Temp%\WER699f.dir00.
A new process is created in the system: %System%\wbem\grpconv.exe along with some Windows registry modifications.

The following URL is being used: hxxp://dollarpoint.ru/abc/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&rnd=8520045

Virus Total link and MD5: de90a24f3dfb5c1c8d4a0a3104f3dd4a.

New Western Union MTCN trojan

MX Lab intercepted a new ZBot trojan today that is being distributed in the famous “Western Union MTCN” format. The message subject is “Western Union Transfer MTCN: 5815328212”. The attached file is a compressed zip archive WesternUnion_SPL90710021.zip containing the malware WesternUnion_SPL90710021.exe. Please note that the numbers in the subject line and/or attachment and executable can change.

The body of the email contains:

Dear customer!

The money transfer you have sent on the 20th of April wasn’t received by the recipient.
According to the Western Union contract the transfers which are not collected in 15 days are to be returned to sender.
To collect funds you need to print the invoice attached to this e-mail and visit the nearest Western Union branch.

Thank you!

When we submitted the virus sample to Virus Total, on 26/05/2009 at 21:27:10 (UTC), only 6 of the 40 AV engines detected the malware. Looking at the details and the virus naming, we assume that the detections come from heuristic features of the AV engines: Gen:Trojan.Heur.3004FB9EBC (BitDefender, GData), Suspicious file (Panda), (Suspicious) – DNAScan (CAT-QuickHeal). A-Squared and Microsoft have a real virus name: Gen.Trojan!IK and TrojanDownloader:Win32/Bredolab.G.

The trojan will create the following files:

%AppData%\wiaserva.log
%Temp%\WER699f.dir00\appcompat.txt
%Temp%\WER699f.dir00\explorer.exe.hdmp
%Temp%\WER699f.dir00\explorer.exe.mdmp
%Temp%\WER699f.dir00\manifest.txt
%System%\wbem\grpconv.exe

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

The following directory is created: %Temp%\WER699f.dir00.
A new process is created in the system: %System%\wbem\grpconv.exe along with some Windows registry modifications.

The following URL is being used: hxxp://dollarpoint.ru/abc/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&rnd=8520045

Virus Total permalink and MD5 hash: 53d15dc652a2534572981bab1e2eddf3.

Health.com branding used in spam

A few days earlier we reported that the branding of Auslogics Software was being used in a spam campaign. We have now noticed that Health.com has been the subject of the same kind of abuse.

MX Lab intercepted spam messages with Health.com branding. The image below shows a mailing template with the Health logo, an image for viagra and other pills, along with links to Twitter, Facebook and YouTube, opt-out links, a privacy policy and the address of Health.com.

In this campaign the spammers have replaced each of the links with hxxp://www.blackaringo.ru, which redirects to hxxp://newpharmshappy.com/. This site is from our best friends, who else, the Canadian Pharmacy.

Belgian court condemns 18 persons regarding Nigerian spam

The correctional court of Bruges, Belgium, condemns 18 persons to prison sentences from 2 to 6 years for sending out fraudulent spam between February 2007 and November 2008.

In the Nigerian spam emails they claimed to have a fund in Ghana where a substantial amount of money was blocked after a woman died in a car accident. The small fortune of 35 million Euro could be released with the help of, and a contribution from, the addressee.

The police could arrest the gang after a tip and a thorough investigation of mobile phone conversations.

New version of the Zbot-I trojan

A message with the subject line “Fwd: Look and tell…” that was intercepted by the zero-hour antivirus at MX Lab caught our attention. When submitting the details to Virus Total, only 14 of the 40 AV engines detected this one. The email has a ZIP file attached named Info04.zip, and when extracted we got Info04.Doc_[lots of underscores]_…_.exe.

The body of the email:

Hello, webmaster.

I received it with my morning mail but it seems to me everything is yours.
Look and tell to delete it or don’t.


Best regards,
webmaster mailto:webmaster@sylvia-gerl.net

This version of the malware itself doesn’t do much harm when looking at its activity. It will create a new file %Temp%\svchost [file and pathname of the sample #1], create a new service svchost.exe, and add one Windows registry entry.

Virus Total permalink and MD5: 16a2124b53d9d4746c77b9682a795e36.

Auslogics Software logo used in spam

When spammers send their messages they try to hide their tracks by spoofing the From address in each message, sometimes using valid domains or even real email addresses. In some cases they also try to gain credibility by using the brand, logo or other style elements of a real company.

In this case, the victim is the company Auslogics Software (http://www.auslogics.com/).

Looking at the spam, it seems that they offer a whole range of software products. In fact this company offers software to speed up your computer, recovery tools, and disk and registry defrag tools.

The Auslogics logo is embedded with a complete URL directing to the Auslogics Software web site. The other images are taken from the Amazon web site.

Unfortunately, or luckily, depending on how you look at it, the spammers didn’t do their homework very well. A small mistake happened and the provided links contain http://{oemurl}/. It seems that the spammers forgot to include a real URL, or that a content merge failed.

Phishers use Federal Reserve Bank to warn about phishing

Phishers send out a warning regarding a country-wide phishing attack and use the Federal Reserve Bank as the origin. The email is sent from Corporate Banking Alert <cmsupport@federalreservebank.com>. This address is spoofed: the real SMTP From address is quite different.

Some subject samples:

Federal Reserve Bank – Urgent Security Notification
Federal Reserve Bank – Customer Service Notification

Body of the email:

FEDERAL RESERVE BANK

Important:

You’re getting this letter in connection with new directions issued by U.S. Treasury Department. The directions concern U.S. Federal Wire online payments.

A country-wide phishing attack began on May 6, 2009. It’s taking place hitherto. Therefore a great number of banks and credit unions is affected by this attack and quantity of illegal wire transfers has reached an extremely high level.

U.S. Treasury Department, Federal Reserve and Federal Deposit Insurance Corporation (FDIC) in common worked out a complex of immediate actions for the highest possible reduction of fraudulent operations. We regret to inform you that definite restrictions will be applied to all Federal Wire transfers from May 12 till May 25.

Here you can get more detailed information regarding the affected banks and U.S. Treasury Department restrictions:

hxxp://fedwire.usatreasury-direct.us/36374/FRB/phishing/Issue~73624/

Federal Reserve Bank System Administration

Some IPs of the email source:

94.222.248.23 (dslb-094-222-248-023.pools.arcor-ip.net)
88.249.38.101 (dsl88-249-9829.ttnet.net.tr)
201.240.92.239 (client-201.240.92.239.speedy.net.pe)

When we tried to visit the site, all we got were time-outs. The domain usatreasury-direct.us is registered in Italy by the DNS agent CSL COMPUTER SERVICE (D.B.A. JOKER.COM) under the name Germana Esposito in Maissana, Italy. The domain resolves to the IP 221.5.74.34, which is located in China and under the management of CNC Group Guangdong.

Here is a list of domains that are involved in this phishing and are being used on the IP 221.5.74.34:


Western Union MTCN trojan variant

MX Lab intercepted emails with the attached malware Trojan-Spy.Win32.Zbot.tnt regarding a failed money transfer supposedly handled by Western Union. The email subject is “Western Union Transfer MTCN: 9439449215” (note that the number is random and will change with each message) and the message comes from support@westernunion.com, which is obviously spoofed.

The body of the email:

Dear Client!

The money transfer you have sent on the 9th of March has not been received by the recipient.

According to the Western Union contract the transfers which are not collected in 15 business days are to be returned to sender.

To collect funds you need to print the invoice attached to this e-mail and visit the nearest Western Union agency.

Thank you!

The email has a Zip file attached with the name Invoice_8773.zip, which contains the executable Invoice_8773.exe. The malware has the same characteristics as the variant from our previous detection.

VirusTotal permalink and MD5: fa491105bd5c3baedad78f28586ff91e.
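The two traits that recur across these ZBot lures, a spoofed From header that does not match the envelope sender and a zip attachment wrapping an .exe, can be checked mechanically at the mail gateway. The script below is an added example and not MX Lab's own tooling; it builds a constructed message modelled on the Western Union lure (the Return-Path value and the archive contents are invented, the zip and exe names are the ones from the post) and triages it.

```python
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif")


def build_sample() -> bytes:
    """Construct a lure like the one above. Return-Path and archive payload are made up."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("Invoice_8773.exe", b"placeholder bytes, not a real binary")
    msg = EmailMessage()
    msg["Return-Path"] = "<bounce@relay.example>"  # constructed envelope sender
    msg["From"] = "Western Union <support@westernunion.com>"  # spoofed header From
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Western Union Transfer MTCN: 9439449215"
    msg.set_content("Dear Client!\nThe money transfer you have sent has not been received.\n")
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_8773.zip")
    return msg.as_bytes()


def _domain(header_value) -> str:
    return parseaddr(str(header_value or ""))[1].rsplit("@", 1)[-1].lower()


def from_mismatch(msg) -> bool:
    """True when the header From domain differs from the envelope (Return-Path) domain."""
    header_dom, envelope_dom = _domain(msg.get("From")), _domain(msg.get("Return-Path"))
    return bool(header_dom and envelope_dom and header_dom != envelope_dom)


def executables_in_zip_attachments(msg) -> list:
    """List 'archive:member' pairs for executables hidden inside zip attachments."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                found += [f"{name}:{m}" for m in zf.namelist()
                          if m.lower().endswith(EXECUTABLE_SUFFIXES)]
        except zipfile.BadZipFile:
            found.append(f"{name}:<unreadable archive>")  # still worth a look
    return found


def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return {"spoofed_from": from_mismatch(msg),
            "executables": executables_in_zip_attachments(msg)}
```

Either finding alone is a reason to quarantine; both together match the pattern of every ZBot sample on this page.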

Swine flu inspires spammers

While the media cover each new outbreak of the swine flu, also known as the Mexican flu here in Belgium, spammers get inspired to use the subject in their spam campaigns. Here we have some examples.

Commtouch reported on two spam outbreaks regarding the swine flu. The first outbreak had ‘swine flu’ in the subject line and directed the reader to online pharmacy stores. We have intercepted similar samples here at MX Lab.

Following one of the links will lead you to the Canadian Health & Care Mall web site.

Other links lead you to the well-known Canadian Pharmacy, one of our favourites at MX Lab.

The second outbreak was meant to harvest emails for spammers. The subjects were randomly generated and ‘swine flu’ appeared in the body of the spam email. These mails were sent in huge numbers to check the validity of large groups of email addresses in order to build new spam campaigns. Read the full article at the Commtouch blog.