Cutwail trojan variant out in the wild

MX Lab is intercepting quite a lot of viruses these days. Since October 27th, 2009, when we reported on the “Facebook Password Reset Confirmation” campaign, we have noticed a serious increase in virus traffic.

A new trojan is now in the wild, detected as Trojan-Downloader:W32/Cutwail.CU (F-Secure) or Troj/Agent-LNR (Sophos).

The email comes from a spoofed address that displays ‘boss’ in the From field and carries the subject “get back to my office for more details”. The body is very short and contains only two lines of text:

Please read the attached letter and get back to my office for more details to proceed further.

Thanks and have a very nice day.

The attachment is named info.zip and contains the executable info.exe.

Analysis of info.exe shows that the trojan generates outbound traffic and contains a built-in SMTP engine, so it sends mail directly to port 25 of remote hosts instead of going through the victim's mail client or relay.

The files %UserProfile%\reader_s.exe, %System%\reader_s.exe and %System%\dllcache\ndis.sys are created on an infected system, and the file %System%\drivers\ndis.sys is altered. Note that ndis.sys is the legitimate Windows network driver and %System%\dllcache is the Windows File Protection cache: by dropping a matching copy in dllcache as well, the trojan prevents Windows from silently restoring the original driver.

Two new processes are created, %System%\reader_s.exe and %UserProfile%\reader_s.exe (both 53 kB), and a new memory page is created in the address space of the system process %System%\svchost.exe, which points to code injection into a trusted process. Several Windows registry modifications are also part of the infection.

The trojan will try to establish a connection with one of these hosts on port 25:

129.210.252.1
129.41.169.30
156.25.4.8
195.110.124.132
207.5.74.239
209.221.136.43
216.163.188.60
64.18.4.10
64.18.4.11
64.18.6.10

It also connects to the host 78.159.121.41 on port 38811. Since workstations normally relay mail through the corporate mail server, outbound connections to port 25 from a client, and in particular to the hosts above, are worth blocking and alerting on at the perimeter, as is the connection to the non-standard port 38811.

The following email addresses could be used as senders in virus or spam campaigns:

  • <democratizebj@rousei.com>
  • <variantsw9@rousephoto.com>
  • <enactc68@riosautocares.com>
  • <symbolicallyp@rossengineering.com>
  • <invoicevg90@redlineltd.com>
  • <rejoicesy4@reedthomas.com>
  • <commendedd92@roughtrade.com>
  • <irwint@renaultf1.com>
  • <copulaem5@rehabreview.com>
  • <snows53@repeatafterme.com>
  • <launcherqgm@richlandsd.com>
  • <equalizeshwl1@rosmet.com>
  • <abreast2@rodenstock.th.com>
  • <asphyxiate4@rmusainc.com>
  • <warpskmv@revenueexperts.com>
  • <instrument@redbeat.com>
  • <technologicalzi44@redcommerce.com>
  • <utterk1@rotorsource.com>
  • <freelancingeg06@reelfootbank.com>
  • <topmostwwxf02@reelquick.com>
  • <quoitingbzp978@ranchodiablo.com>

VirusTotal permalink and MD5: fc9eaa5e85e9843ddb184c7197fc5e40.
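The indicators above (SMTP target hosts, the port 38811 endpoint, the dropped files, the sender addresses and the MD5) are the material a responder turns into a detection. The following script is an added example written for this post, not code from MX Lab or from the malware analysis; it matches the indicators against a few constructed firewall log lines and a constructed From header. The firewall log format and the sample lines are assumptions made up for the example. The sender check keys on the complete address rather than the domain, because the domains look like real organizations whose names are being spoofed and flagging a whole domain would over-block.

```python
import hashlib
import re

# Indicators taken from the write-up above.
SMTP_HOSTS = {
    "129.210.252.1", "129.41.169.30", "156.25.4.8", "195.110.124.132",
    "207.5.74.239", "209.221.136.43", "216.163.188.60",
    "64.18.4.10", "64.18.4.11", "64.18.6.10",
}
C2_HOST, C2_PORT = "78.159.121.41", 38811
SAMPLE_MD5 = "fc9eaa5e85e9843ddb184c7197fc5e40"
SPOOFED_SENDERS = {
    "democratizebj@rousei.com", "variantsw9@rousephoto.com",
    "enactc68@riosautocares.com", "symbolicallyp@rossengineering.com",
    "invoicevg90@redlineltd.com", "rejoicesy4@reedthomas.com",
    "commendedd92@roughtrade.com", "irwint@renaultf1.com",
    "copulaem5@rehabreview.com", "snows53@repeatafterme.com",
    "launcherqgm@richlandsd.com", "equalizeshwl1@rosmet.com",
    "abreast2@rodenstock.th.com", "asphyxiate4@rmusainc.com",
    "warpskmv@revenueexperts.com", "instrument@redbeat.com",
    "technologicalzi44@redcommerce.com", "utterk1@rotorsource.com",
    "freelancingeg06@reelfootbank.com", "topmostwwxf02@reelquick.com",
    "quoitingbzp978@ranchodiablo.com",
}
# Dropped files from the write-up, lower-cased for case-insensitive matching.
HOST_ARTIFACTS = {
    r"%userprofile%\reader_s.exe", r"%system%\reader_s.exe",
    r"%system%\dllcache\ndis.sys",
}

# Assumed firewall log format (made up for this example):
# "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
FW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+):\d+\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)"
)

# Constructed sample lines: one infected client (10.0.0.23), one normal
# HTTPS client, and one client talking SMTP directly to an unlisted host.
SAMPLE_FW_LOG = [
    "2009-10-30T09:12:01 10.0.0.23:49152 -> 64.18.4.10:25 tcp",
    "2009-10-30T09:12:04 10.0.0.23:49153 -> 78.159.121.41:38811 tcp",
    "2009-10-30T09:12:09 10.0.0.41:49201 -> 93.184.216.34:443 tcp",
    "2009-10-30T09:12:11 10.0.0.57:49310 -> 203.0.113.9:25 tcp",
]


def parse_fw(line):
    """Return the parsed fields of one firewall line, or None if unparseable."""
    m = FW_RE.match(line)
    return m.groupdict() if m else None


def classify_connection(line):
    """Return a verdict string for one firewall line, or None if unremarkable."""
    rec = parse_fw(line)
    if rec is None:
        return None
    dst, port = rec["dst"], int(rec["port"])
    if dst == C2_HOST and port == C2_PORT:
        return "cutwail-c2"
    if port == 25 and dst in SMTP_HOSTS:
        return "cutwail-smtp-target"
    if port == 25:
        # Clients normally relay through the corporate mail server; direct
        # outbound SMTP is a policy finding even when the host is unknown.
        return "direct-outbound-smtp"
    return None


def scan_firewall(lines):
    """Map each verdict to the set of source IPs that triggered it."""
    hits = {}
    for line in lines:
        verdict = classify_connection(line)
        if verdict:
            hits.setdefault(verdict, set()).add(parse_fw(line)["src"])
    return hits


def is_spoofed_sender(from_header):
    """Match the full address from a From header against the listed senders."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = (m.group(1) if m else from_header).strip().lower()
    return addr in SPOOFED_SENDERS


def md5_matches_sample(data):
    """True if the given file bytes hash to the MD5 reported for info.exe."""
    return hashlib.md5(data).hexdigest() == SAMPLE_MD5


def is_host_artifact(path):
    """True if a path (with Windows environment placeholders) is a dropped file."""
    return path.strip().lower() in HOST_ARTIFACTS


if __name__ == "__main__":
    for verdict, sources in sorted(scan_firewall(SAMPLE_FW_LOG).items()):
        print(f"{verdict}: {', '.join(sorted(sources))}")
    print("spoofed sender:", is_spoofed_sender('"Boss" <irwint@renaultf1.com>'))
```

Feed real firewall exports and a real From header to the functions instead of the embedded samples; the only parts that need adapting are the log regex and, for the hash check, reading the suspect file in binary mode.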

Email regarding Facebook account update is a phish

After a virus campaign, MX Lab is now also intercepting a phishing campaign targeting Facebook users.

The From address is obviously fake and not related to Facebook in any way. This particular email directed users to the phishing site hxxp://www.facebook.com.saxzask.me.uk/globaldirectory/LoginFacebook.php?ref=******&email=info@****.com. Note the hostname: it starts with www.facebook.com, but the registered domain is saxzask.me.uk, so only the first labels of a long hostname are dressed up to look like Facebook, and the victim's address is pre-filled through the email parameter in the query string. Unfortunately, the host was already down when we visited, so we did not have the chance to investigate it further, but we will keep an eye out for new ones.
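The lookalike hostname in that URL is the part worth checking automatically: a brand name placed in the leading labels of a host whose registrable domain belongs to someone else. The following is an added example written for this post, not MX Lab's code; it splits the hostname into its registrable domain using a small, assumed public-suffix table (a real deployment would use the full Public Suffix List) and reports when a watched brand appears as a label sequence under a different registrable domain, along with any pre-filled email parameter.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed, deliberately tiny public-suffix table; the real Public Suffix List
# has thousands of entries and should replace this in production.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "me.uk", "org.uk"}

# Brands whose names are watched for in hostnames.
WATCHED_BRANDS = ("facebook.com",)

# The (redacted) phishing URL quoted in the post above.
PHISH_URL = ("hxxp://www.facebook.com.saxzask.me.uk/globaldirectory/"
             "LoginFacebook.php?ref=******&email=info@****.com")


def registrable_domain(host):
    """Return the registrable domain (suffix plus one label), or None."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full host down to shorter suffixes; the first hit is the
    # longest public suffix, so "me.uk" wins over "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def spoofed_brand(host, brands=WATCHED_BRANDS):
    """Return the brand whose labels appear in host under a foreign domain."""
    labels = host.lower().split(".")
    reg = registrable_domain(host)
    for brand in brands:
        if reg == brand:
            continue  # genuinely the brand's own domain
        bl = brand.split(".")
        if any(labels[i:i + len(bl)] == bl for i in range(len(labels))):
            return brand
    return None


def analyse_phish_url(url):
    """Summarise the deceptive features of a URL for a triage report."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    query = parse_qs(parts.query)
    return {
        "host": host,
        "registrable_domain": registrable_domain(host),
        "spoofed_brand": spoofed_brand(host),
        "prefilled_email": query.get("email", [None])[0],
    }


if __name__ == "__main__":
    for key, value in analyse_phish_url(PHISH_URL).items():
        print(f"{key}: {value}")
```

The same check applied to a real Facebook login URL yields no spoofed brand, because its registrable domain is facebook.com itself; the mismatch between the leading labels and the registrable domain is what makes the phishing host stand out.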
