The social network Hi5, a place where you can connect to your friends, is the target of a malware distribution campaign. MX Lab intercepted emails with the subject "Jessica would like to be your friend on hi5!" carrying an attachment named Invitation Card.zip, which contains the archived file attachment.pdf_[many _spaces]___.exe.
The From address is email@example.com, but this is spoofed. The body of the email looks quite genuine and appears to come from Hi5. If you receive such a message, namely a request to connect from a so-called friend, bear in mind that a genuine friend request does not normally come with a 244 kB file attached.
The trojan is known as Win32:Rootkit-gen (Avast), W32/Autorun-AQL (Sophos), Backdoor.Bot.103388 (GData) or VirTool:Win32/Injector.gen!AH (Microsoft).
The trojan has the threat characteristics of ZBot, a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components, and provides an attacker with remote access to the compromised system.
It also has stealth-mode characteristics common to rootkits and can use its SMTP engine to send out emails.
The trojan will create the files %System%\javaa.exe, %System%\jushred.exe and %System%\sdra64.exe on an infected system and the processes jushred.exe and javaa.exe will be running.
A hidden folder %System%\lowsec is created, along with the hidden files %System%\lowsec\local.ds, %System%\lowsec\user.ds and %System%\lowsec\user.ds.lll.
The system services ERSvc (Error Reporting Service) and wscsvc (Security Center) will be stopped and various registry edits will be performed.
The trojan can connect to remote resources on ports 43, 80, 1033 and 1035, and it establishes a connection with msnnews.webhop.org.
The built-in SMTP engine sends emails to distribute the trojan to further victims, using the following lures:
Subject: Jessica would like to be your friend on hi5!
Attachment: Invitation Card.zip
Subject: Shipping update for your Amazon.com order 254-78546325-658742
Attachment: Shipping documents.zip (334,919 bytes)
Subject: You have received A Hallmark E-Card!
Attachment: Postcard.zip (334,919 bytes)
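As an added example (not part of the MX Lab write-up), the following Python mail-filter check flags the two lure traits described above: a subject from the campaign list, and a zip attachment whose member name uses a document-looking extension followed by padding in front of a real .exe extension. The subject list is taken from the page; the archive fed to it is constructed placeholder data.

```python
import io
import re
import zipfile

# Lure subjects listed in the write-up above.
CAMPAIGN_SUBJECTS = {
    "Jessica would like to be your friend on hi5!",
    "Shipping update for your Amazon.com order 254-78546325-658742",
    "You have received A Hallmark E-Card!",
}

EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

# Document-looking extension, then a run of spaces/underscores meant to push
# the real extension out of view, then an executable extension at the very end.
PADDED_DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|jpg|txt)[ _]{3,}\.(exe|scr|com|pif|bat|cmd)$", re.IGNORECASE)


def suspicious_member_names(zip_bytes):
    """Return (member name, reason) for every archive member that is, or hides, an executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if PADDED_DOUBLE_EXT.search(name):
                findings.append((name, "document extension padded in front of executable extension"))
            elif name.lower().endswith(EXECUTABLE_EXTS):
                findings.append((name, "executable inside archive"))
    return findings


def classify_email(subject, attachment_name, attachment_bytes):
    """Return the reasons to quarantine the message; an empty list means nothing matched."""
    reasons = []
    if subject.strip() in CAMPAIGN_SUBJECTS:
        reasons.append("subject matches known lure")
    if attachment_name.lower().endswith(".zip"):
        try:
            for name, why in suspicious_member_names(attachment_bytes):
                reasons.append(f"{why}: {name!r}")
        except zipfile.BadZipFile:
            # A .zip that does not parse is itself worth a look rather than a silent pass.
            reasons.append("attachment is not a valid zip archive")
    return reasons


def build_zip(member_names):
    """Build an in-memory zip of harmless placeholder bytes (constructed test data, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()
```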
VirusTotal permalink and MD5: 4df3cf28fae7b5b02b2d9f4e03b4dbbd.