New Bredolab variants are spreading by email

MX Lab has been intercepting more emails carrying the Bredolab trojan than usual since August 27th, 2009. We reported on Bredolab earlier, but we are now seeing multiple types of emails with different content trying to get the payload delivered.

DHL Tracking Number 2491VT2O

This email contains the following body:

Hello!

We failed to deliver your postal package sent on the 23rd of July in time
because the addressee’s address is incorrect.
Please print out the invoice copy attached and collect the package at our office.

Your DHL Delivery Services.

Western Union transfer is available for withdraw

This email contains the following body:

Dear customer.

The amount of money transfer: 3010 USD.
Money is available to withdrawl.

You may find the Money Control Number and receiver’s details in document attached to this email.

Western Union.
Finance Department.

Shipping confirmation for order 44663

This email contains the following body:

Hi!

Thank you for shopping at our internet shop!
We have successfully received your payment.

Your order has been shipped to your billing address.
You have ordered Apple Mac mini MB464LL.

You can find your tracking number in attached to the e-mail document.
Please print the label to get your package.

We hope you enjoy your order!
Walmart.com
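The three lures above share one shape: a transactional subject line (a shipment, a money transfer, an order), a short body that tells the reader to open the attached "invoice", "document" or "label", and the payload as an attachment. The following Python script, added here as an example and not part of the original MX Lab post, parses messages with the standard library email module and flags that combination. The subject regexes generalise the variable parts (tracking number, order number), which is an assumption on my part; the body phrases are taken from the lures quoted above, and the sample messages are constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Subject patterns for the three lure families quoted in the post.
# Generalising the tracking/order numbers to \w+ and \d+ is an assumption.
LURE_SUBJECTS = {
    "dhl_tracking": re.compile(r"^DHL Tracking Number\s+\w+$", re.I),
    "western_union": re.compile(r"^Western Union transfer is available for withdraw", re.I),
    "shop_order": re.compile(r"^Shipping confirmation for order\s+\d+$", re.I),
}

# Body phrases from the quoted lures that steer the reader to the attachment.
ATTACHMENT_PHRASES = (
    "print out the invoice copy attached",
    "document attached to this email",
    "attached to the e-mail document",
)


def classify_lure(subject):
    """Return the lure family whose subject pattern matches, or None."""
    for name, pattern in LURE_SUBJECTS.items():
        if pattern.search(subject or ""):
            return name
    return None


def attachment_names(msg):
    """Collect the filenames of all parts marked as attachments."""
    return [part.get_filename() or "" for part in msg.walk()
            if part.get_content_disposition() == "attachment"]


def inspect_message(raw):
    """Parse one raw RFC 822 message and decide whether it looks like a Bredolab lure."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content().lower() if body_part is not None else ""
    lure = classify_lure(subject)
    asks_to_open = any(phrase in text for phrase in ATTACHMENT_PHRASES)
    attachments = attachment_names(msg)
    # All three signals together are required: a lure subject alone, or an
    # attachment alone, is not enough to call it.
    verdict = "bredolab_lure" if (lure and asks_to_open and attachments) else "clean"
    return {"subject": subject, "lure": lure, "attachments": attachments,
            "verdict": verdict}


def build_sample(subject, body, attachment_name=None):
    """Build a constructed sample message (not a captured email) as a raw string."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"   # placeholder sender
    msg["To"] = "user@example.invalid"        # placeholder recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # Inert dummy bytes stand in for the real attachment.
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


DHL_BODY = ("Hello!\n\nWe failed to deliver your postal package sent on the 23rd of July "
            "in time because the addressee's address is incorrect.\nPlease print out the "
            "invoice copy attached and collect the package at our office.\n\n"
            "Your DHL Delivery Services.\n")

if __name__ == "__main__":
    for raw in (build_sample("DHL Tracking Number 2491VT2O", DHL_BODY, "invoice.zip"),
                build_sample("DHL Tracking Number 2491VT2O", DHL_BODY),
                build_sample("Meeting notes", "See you at 10.\n")):
        print(inspect_message(raw))
```

Run it to see that the DHL sample with an attachment is flagged, the same lure without an attachment is not, and an ordinary message passes. At a mail gateway the same three checks can feed a quarantine rule; tuning the subject regexes to the current campaign is the part that needs maintaining.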

Bredolab is a trojan horse that downloads and executes files from the Internet, such as rogue anti-spyware. To bypass firewalls, it injects its own code into legitimate processes svchost.exe and explorer.exe. Bredolab contains anti-sandbox code.

Bredolab also gives attackers unauthorized access to infected machines and can connect to various hosts to download other malware, for example from hxxp://mudstrang.ru/def/controller.php?action=bot&entity_list=&uid=2&first=1&guid=*****&v=15&rnd=***.
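The check-in URL quoted above has a recognisable query-string shape (controller.php with action=bot plus uid, guid and rnd parameters) that survives a change of host, so it is a better thing to look for in proxy logs than the domain alone. The Python script below, added as an example and not part of the original post, parses constructed proxy log lines and reports which clients made requests matching that shape. The log format (timestamp, client IP, method, URL) and the host names are placeholders I chose for the example; the parameter names come from the URL in the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Shape of the check-in URL quoted in the post:
# /controller.php?action=bot&entity_list=&uid=...&first=...&guid=...&v=...&rnd=...
BEACON_PATH = re.compile(r"/controller\.php$", re.I)
REQUIRED_PARAMS = {"action", "uid", "guid", "rnd"}

# Constructed proxy log lines: "timestamp client method url".
# Host names are placeholders, not the host from the post.
SAMPLE_LOG = """\
2009-08-27T10:01:02Z 10.0.0.15 GET http://c2.example.invalid/def/controller.php?action=bot&entity_list=&uid=2&first=1&guid=AAAA-BBBB&v=15&rnd=123456
2009-08-27T10:01:05Z 10.0.0.22 GET http://www.example.invalid/news/controller.php?page=2
2009-08-27T10:02:11Z 10.0.0.15 GET http://c2.example.invalid/def/controller.php?action=bot&entity_list=&uid=2&first=0&guid=AAAA-BBBB&v=15&rnd=654321
2009-08-27T10:03:00Z 10.0.0.31 GET http://www.example.invalid/index.html
"""


def is_beacon(url):
    """True if the URL has the controller.php?action=bot check-in shape."""
    parts = urlsplit(url)
    if not BEACON_PATH.search(parts.path):
        return False
    # keep_blank_values so the empty entity_list= parameter is still visible
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("action") != ["bot"]:
        return False
    return REQUIRED_PARAMS <= set(qs)


def find_beacons(log_text):
    """Return one record per log line whose URL matches the check-in shape."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue            # malformed line; skip rather than crash
        timestamp, client, _method, url = fields[:4]
        if not is_beacon(url):
            continue
        qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
        hits.append({
            "time": timestamp,
            "client": client,
            "host": urlsplit(url).hostname,
            "uid": qs["uid"][0],
            # first=1 on the initial check-in, first=0 afterwards (as seen in
            # the quoted URL; the meaning of the flag is my reading of it)
            "first": qs.get("first", [""])[0],
        })
    return hits


def clients_beaconing(log_text):
    """Distinct client addresses that produced at least one matching request."""
    return sorted({hit["client"] for hit in find_beacons(log_text)})


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
    print("clients to investigate:", clients_beaconing(SAMPLE_LOG))
```

Matching on the path and parameter set rather than the full URL means the rule keeps working when the operators move to a new domain, while the unrelated controller.php?page=2 request is left alone because it lacks action=bot and the other parameters. Hosts that turn up this way are candidates for blocking at the proxy and for a look at svchost.exe and explorer.exe on the client, given the injection behaviour described above.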
