DHL tracking email contains Bredolab trojan


MX Lab is intercepting a large amount of emails regarding a DHL tracking error with an attached Bredolab trojan. The emails are from Manager Lucinda Poe <delivery@dhl-usa.com>, where the name of the person is choosen randomly, and the subject is “DHL Services. You should get the parcel NR.23962″, where the nr is also randomly choosen.

The body of the email:

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly!

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox.

Thank you,
DHL Express Services.

The attachment is named DHL_print_label_2cd1e.zip that contains DHL_print_label_2cd1e.exe. The combination letters and numbers is random.

The trojan listens to the name Trojan.Downloader.Bredolab.AZ (BitDefender), is detected by 20 of the 41 AV engines at Virus Total. Virus Total permlink and MD5: 76cb6667fef3d40e34f08e6af123930e.

Bredolab masked as Facebook Password Reset Confirmation


MX Lab detected a new Bredolab variant masking itself as the “Facebook Password Reset Confirmation”. The From address in the email is shown as “The Facebook Team <service@facebook.com>” but the real SMTP from address is spoofed.

The attachment has the name Facebook_Password_4cf91.zip and includes the file Facebook_Password_4cf91.exe. the part between _ and .zip at the end is choosen randomly and contains letters and numbers.

The trojan is known as Trojan.Downloader.Bredolab.AZ (BitDefender), Bredolab.gen.a (McAfee) or W32/Obfuscated.D2!genr (Norman) and is only detected by 14 of the 41 AV engines at Virus Total.

The body of the email:

Hey vguysville ,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
The Facebook Team

Bredolab is a trojan horse that downloads and executes files from the Internet, such as rogue anti-spyware. To bypass firewalls, it injects its own code into legitimate processes svchost.exe and explorer.exe. Bredolab contains anti-sandbox code (the trojan might quit itself when an external program investigates its actions).

This Bredolab variant will create the files:

%AppData%\wiaservg.log
%Windir%\temp\wpv861256600826.exe
%Programs%\Startup\isqsys32.exe

It will also create the process isqsys32.exe and svchost.exe. The dll %Windir%\dsqstm6.dll is being loaded into the address space of Internet Explorer combined with several Windows registry edits.

It will attempt to connect with the remote hosts on port 80: 202.39.17.53 0, 217.23.7.162 and 95.211.27.211.

The data identified by the following URL was then requested from the remote web server:

hxxp://mmsfoundsystem.ru/public/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&v=15&rnd=8520045
hxxp://hostvegass.ru/cman/receiver/online
hxxp://wapdodoit.ru/mn/base.cfg
hxxp://www.whatsmyipaddress.com

Virus Total permlink and MD5: e3edffb53e463bc6e3f498c8aaa1e447.

[Update - 02/11/2009  5:30 PM local Belgian time]

New subject is being used:

Facebook Password Reset Confirmation. Help Centre.

Virus Total permlink and MD5: f69849928111bf764e3b1a0b39b684b7.

Follow

Get every new post delivered to your Inbox.

Join 304 other followers