Between October 27 and November 9, 2009, MX Lab noticed a large number of viruses. Bredolab, distributed by the Cutwail botnet, was responsible for the majority of them during this period. After a few days of low virus detection we are seeing new peaks again with different virus campaigns.
The messages carry a trojan detected as Win32:Trojan-gen (Avast), Trojan.Sasfis.C (BitDefender), Trojan:W32/Sasfis.H (F-Secure), Trojan:Win32/Oficla.E (Microsoft) or Mal/EncPk-LP (Sophos).
“your mailbox has been deactivated”
Subject: “your mailbox has been deactivated”
The content of the email:
We are contacting you in regards to an unusual activity that was identified in your mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility.
Best regards, *****.org technical support.
The sign-off is designed to make the email appear to come from the recipient's own IT department. For a small business without an IT department this is obviously a reason not to trust the email.
The attached file is named utility.zip and contains the 20 kB file utility.exe.
payment request from “United Technologies”*
The second variant concerns a payment supposedly made from your account. To dispute it and stop further processing of the payment, the recipient is told to run the attachment.
Possible subjects:
payment request from “United Technologies”
payment request from “NetApp”
payment request from “CitiGroup”
payment request from “Adobe Systems Inc”
payment request from “Rusell Investment Group”
…..
Body of the email:
We recorded a payment request from “United Technologies” to enable the charge of $5212.39 on your account.
The payment is pending for the moment.
If you made this transaction or if you just authorize this payment, please ignore or remove this email message. The transaction will be shown on your monthly statement as “United Technologies”.
If you didn’t make this payment and would like to decline it, please download and install the transaction inspector module (attached to this letter).
The attached file is named module.zip and contains the file module.exe.
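Both lures share the same shape: a campaign-specific subject line plus a small zip whose only content is an .exe. The following triage script is an added example (not from the original MX Lab post) that scores a raw message on exactly those two traits. The subject patterns and attachment names come from the post; the list of executable extensions, the sender addresses and the sample message itself are constructed for the demonstration.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Subject lines used by the two campaigns described in the post.
SUBJECT_PATTERNS = [
    re.compile(r"^your mailbox has been deactivated$", re.I),
    re.compile(r'^payment request from [“"].+[”"]$', re.I),
]

# Attachment names seen in the post; the .exe inside the zip is the actual payload.
KNOWN_ATTACHMENTS = {"utility.zip", "module.zip"}

# Executable extensions worth flagging inside a zip (an assumed list, not from the post).
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def executable_members(zip_bytes: bytes) -> list:
    """Return names of executable-looking members inside a zip blob (empty if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def triage(raw_message: bytes) -> dict:
    """Flag a message that combines a campaign subject with a zipped executable attachment."""
    msg = email.message_from_bytes(raw_message)
    subject = (msg["Subject"] or "").strip()
    findings = {
        "subject_match": any(p.search(subject) for p in SUBJECT_PATTERNS),
        "known_attachment": False,
        "zipped_exe": [],
    }
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue  # multipart containers and the text body carry no filename
        if fname.lower() in KNOWN_ATTACHMENTS:
            findings["known_attachment"] = True
        payload = part.get_payload(decode=True) or b""
        # Check the magic bytes too, so renaming the zip does not evade the check.
        if fname.lower().endswith(".zip") or payload[:2] == b"PK":
            findings["zipped_exe"].extend(executable_members(payload))
    findings["suspicious"] = findings["subject_match"] and bool(findings["zipped_exe"])
    return findings


def build_sample(malicious: bool = True) -> bytes:
    """Construct a test message modelled on the 'payment request' lure.

    Constructed sample input, not a captured email. The malicious variant carries
    module.zip containing a placeholder module.exe; the benign variant carries a
    PDF-named attachment and an unrelated subject.
    """
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    if malicious:
        msg["Subject"] = 'payment request from "United Technologies"'
        msg.set_content("If you did not make this payment, install the attached transaction inspector module.")
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("module.exe", b"MZ" + b"\x00" * 62)  # placeholder bytes, not a real PE
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="module.zip")
    else:
        msg["Subject"] = "Invoice for October"
        msg.set_content("Please find the invoice attached.")
        msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample(True)))
    print(triage(build_sample(False)))
```

The zip is opened in memory and only its member names are inspected; nothing is extracted to disk, so the script can run on a mail gateway against untrusted attachments. A subject match alone is not enough to flag the message, since legitimate mail about payments exists; the combination with a zipped executable is what makes it actionable.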
Once executed, the trojan Sasfis runs in the background and can download and install additional malware.
The files %Temp%\1.tmp and %System%\wdni.buo are created on an infected system and several Windows registry modifications are made.
The trojan connects to the host 193.104.27.91 and requests the following URLs:
- hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=2&b=4316315581
- hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=3&b=4316315581
- hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=4&b=4316315581
VirusTotal permalink and MD5: eec53e2239800e5d85b6b85d5e2451cb.
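The host, path and MD5 above are the indicators a responder would sweep for. The script below is an added example (not part of the original post) that matches proxy log lines against the check-in URL, pulls out the query parameters so the `tm` counter per client is visible, and compares a file hash against the known sample. The indicators are taken from the post; the log format (client, method, URL, status) and the log lines themselves are constructed for the demonstration.

```python
import hashlib
from urllib.parse import parse_qs, urlsplit

# Network indicators from the post (the post writes the scheme as hxxp; logs will show http).
C2_HOST = "193.104.27.91"
C2_PATH = "/limpopo/bb.php"
# File indicator from the post.
KNOWN_MD5 = {"eec53e2239800e5d85b6b85d5e2451cb"}

# Constructed proxy log excerpt in the shape "client method url status". Not from the original post.
SAMPLE_LOG = """\
10.0.0.12 GET http://193.104.27.91/limpopo/bb.php?id=&v=200&tm=2&b=4316315581 200
10.0.0.12 GET http://193.104.27.91/limpopo/bb.php?id=&v=200&tm=3&b=4316315581 200
10.0.0.44 GET http://www.example.invalid/index.html 200
10.0.0.12 GET http://193.104.27.91/limpopo/bb.php?id=&v=200&tm=4&b=4316315581 200
10.0.0.51 GET http://193.104.27.91/other/page.html 404
"""


def match_beacon(url: str):
    """Return the beacon's query parameters if the URL is the Sasfis check-in, else None."""
    u = urlsplit(url)
    if u.hostname != C2_HOST or u.path != C2_PATH:
        return None
    q = parse_qs(u.query, keep_blank_values=True)  # id= is empty in the observed requests
    return {k: q.get(k, [""])[0] for k in ("id", "v", "tm", "b")}


def scan_log(text: str) -> list:
    """Return one hit per beacon line: the client plus the extracted parameters."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        params = match_beacon(fields[2])
        if params is not None:
            hits.append({"client": fields[0], **params})
    return hits


def infected_clients(text: str) -> dict:
    """Group hits by client so each host appears once with the sequence of tm values it sent."""
    by_client = {}
    for hit in scan_log(text):
        by_client.setdefault(hit["client"], []).append(hit["tm"])
    return by_client


def md5_matches(data: bytes) -> bool:
    """Compare a file's MD5 against the known sample hash (adequate for IOC lookup, not for integrity)."""
    return hashlib.md5(data).hexdigest() in KNOWN_MD5


if __name__ == "__main__":
    for client, tms in infected_clients(SAMPLE_LOG).items():
        print(client, "beaconed with tm =", ", ".join(tms))
```

Matching on host and path rather than on the full URL string matters here: the `tm` value changes between requests, so an exact-string indicator would only catch one of the three observed requests. The unrelated request to the same host with a different path is deliberately not counted, which keeps the result specific to the check-in.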