Email regarding Conflicker.B Infection Alert contains a trojan

MX Lab started to intercept emails with the subject “Conflicker.B Infection Alert”. The trojan is named Win32:Bredolab-CC (Avast), Generic Dropper.lr (McAfee) or Trojan.Win32.Bredolab.Gen.2 (Sunbelt).

The from address is spoofed and can contain “Microsoft Team”. The email is signed by “Microsoft Windows Computer Safety Division” to make it appear that it comes from Microsoft itself.

The email has the attachment open.zip and inside the ZIP archive the executable open.exe (16 kB).

As you can read, the email instructs you to use the attached file to scan your network after a supposed infection by the Conficker worm.

Dear Microsoft Customer,

Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

At the time of writing, 21 of the 40 AV engines at Virus Total detected the threat correctly. Our recommendation is that you never follow instructions sent by email like this one. Microsoft, or any other company, will never distribute security tools by email.

This trojan is a serious security risk because it displays fake alerts about a virus infection in order to lead you to buy rogue anti-virus/anti-spyware products. The trojan also has the capability to send out emails with a built-in SMTP engine.

A new window is created after executing the file open.exe.

The following files are created:

%CommonAppData%\28701826\28701826.exe
%DesktopDir%\Security Tool.lnk
%Programs%\Security Tool.lnk
%Windir%\Temp\_ex-08.exe

The following directory is created:

%CommonAppData%\28701826

New processes are created:

_ex-08.exe in %Windir%\temp\_ex-08.exe
28701826.exe in C:\DOCUME~1\ALLUSE~1\APPLIC~1\28701826\28701826.exe

The Windows registry will be modified and the malware can open TCP ports 1066 and 1067 on an infected system.

Connection to remote hosts (port 80):

221.150.130.37
94.102.50.131
95.143.192.40

Remote downloads:

* hxxp://221.150.130.37/qmbzxqbitqs.htm
* hxxp://221.150.130.37/gyxk.htm
* hxxp://221.150.130.37/xwxwkg.htm
* hxxp://94.102.50.131/in.php?affid=43400&url=5&win=Windows%20XP+2.0&sts=
* hxxp://95.143.192.40/pr/pic/sys.exe

Virus Total permalink and MD5: 76cf8a523c11f4d2ab86a7b99c89c9e0.

Spam campaign from Canadian Pharmacy also contains web based threats

MX Lab detected several email based threats in a spam campaign from Canadian Pharmacy disguised as an order confirmation from Amazon.

The campaign comes from the spoofed email address Customer Support <***.***@service.amazon.com> and uses the following subjects (the *** numbers vary):

Confirm #***
Confirmation Order #***
Notice #***
Notify #***
Notification #***
Order Confirmation #***
Order Notice #***
Order Notify #***
Order Notification #***

The body of the email:

Your Order S\n:10444064511 Accepted.
Details hxxp://www.klaudiusz.ramtel.pl/afrikaners.html

Thank you.
Amazon.com Customer Support

The campaign was detected yesterday, but today we found a few threats when following the included URLs. One threat was named HTML:iFrame-LZ[Trj] (Avast).

HTML:iFrame-LZ[Trj] is a malicious HTML script that may be downloaded unknowingly by a user when visiting malicious web sites. The script connects to other sites to download file(s). As a result, the malicious routines of the downloaded files are exhibited on the affected system.

Twitter, Google and Hi5 being abused in Prolaco worm distribution

Twitter, Google and the social networking site Hi5 are being abused in an email campaign to distribute the Prolaco worm. The campaigns have the following characteristics. Note that the email addresses are spoofed.

The malware is known as Worm.Win32.Prolaco.gen (Sunbelt), Worm:Win32/Prolaco.gen!C (Microsoft) and Worm.Win32.Prolaco (Ikarus).

Twitter

From: <invitations@twitter.com>
Subject: Your friend invited you to twitter!

Attachment: Invitation Card.zip (approx 348 kB)

Body of the email:

In this campaign, Twitter is being used to get the attachment clicked upon. The email instructs you to open the attachment to see who invited you on Twitter.

Google

From: <resume-thanks@google.com>
Subject: Thank you from Google!

Attachment: CV-20100120-112.zip (approx 348 kB)

Body of the email:

Google is thanking you for the resume that you sent them for an open position. To review your submitted application you should open the attachment, according to the instructions in the email.

Hi5

From: <invitations@hi5.com>
Subject: Jessica would like to be your friend on hi5!

Attachment: Invitation Card.zip (approx 348 kB)

Body of the email:

The social network Hi5 has been used in previous campaigns and also in phishing campaigns. This time you are invited to connect to Jessica and she has attached her invitation card for you to open.

Be aware that when you connect to a person on Hi5, or want to follow a person on Twitter, you never have to download and install a piece of software, which in these cases is malware. All actions are done through their web sites, so do not open the attachments in similar future campaigns.

About Prolaco:

Prolaco will create the following files on your system:

%AppData%\SystemProc\lsass.exe
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
%System%\GoogleUpdater.exe

The following directories are created:

%AppData%\SystemProc
%ProgramFiles%\Mozilla Firefox
%ProgramFiles%\Mozilla Firefox\extensions
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome
%ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content

The following services are modified:

ERSvc Error Reporting Service
“Stopped” %System%\svchost.exe -k netsvcs

wscsvc Security Center
“Stopped” %System%\svchost.exe -k netsvcs

The trojan will modify the Windows registry and can make UDP connections over ports 1069 and 1070.

27 out of the 41 AV engines detect the Prolaco worm at the time of writing this article.

Virus Total permalink and MD5: c0464909947c92c07f5a91f9d675f03d

“updated account agreement” email contains Bredolab trojan

MX Lab started to intercept emails with the subject “updated account agreement” that contain the Bredolab trojan. Judging by the content, the campaign is designed for Facebook users. The email comes from a spoofed sender address containing “Facebook Team”.

The body of the email:

Dear Facebook user,

Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement, regardless of their original account start date.

Accounts that do not submit the updated account agreement by the deadline will have restricted.

Please unzip the attached file and run “agreement.exe” by double-clicking it.

Thanks,
The Facebook Team

The email has the ZIP archive agreement.zip attached; once unpacked, the 28 kB file agreement.exe is available.

Facebook, or any other company, will never distribute agreements, software updates and patches or anything else by email. Our recommendation is to delete the email immediately, because many AV engines do not detect this variant well at the moment.

Virus Total permalink and MD5: cc632e1dad8775e2bb558a6cd247b94b.

Bredolab trojan on the move

MX Lab noticed an increase in intercepted Bredolab trojan variants that are spread by email. The Bredolab variants are distributed by different campaigns.

Do you like to find a girlfriend like me ?

One campaign has the subject “Do you like to find a girlfriend like me ?” and targets female singles in a certain way:

Wish to have a boyfriend
Be able to protect me, take care of me
Intolerable lonely night and would like to have your care.
do you Willing ?

This is my photos.

The email includes a ZIP archive named myphotos.zip, which suggests that you will see some pictures. Instead, the archive contains the file myphoto.exe, which is the Bredolab trojan.

Virus Total permalink and MD5: 63936bfd3c1207ef3d2cce7b52d508da.

DHL Office. Please get your parcel NR.6161

The second campaign is the traditional failed package delivery style, in this case DHL, coming from the spoofed email address <support@dhl.com>. The following subjects are used:

DHL Office. Please get your parcel NR.6161
DHL Express. Please get your parcel NR.6161
DHL Express Services. You need to get a parcel NR. 3050
DHL International. You need to get a parcel NR. 3050
DHL Services. Please get your parcel NR. 1608
DHL Customer Services.  Please get your parcel NR. 3528

Body of the email:

Hello!

The courier service was not able to deliver your parcel at your address.

Cause: Mistake in address

You may pickup the parcel at our post office personally.

The delivery advice is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Services.

There is also a Spanish version of the campaign with the spoofed email address <support@dhl.es>, the subject “DHL servicios. Recibir parcela NR.82140” and the following email body (translated from Spanish):

Dear Customer

The courier of our company could not deliver the shipment to your home address.
Cause: Error in the delivery address.
You can collect your shipment in person at the post office near your home.

Attention!
A postal label is attached to this letter. You must print the label in order to receive the shipment at the post office.

Thank you.
DHL servicios.

UPS Delivery Problem NR 66466.

The third campaign is also failed package delivery style, but with UPS ‘branding’ from the spoofed from address <service@ups.com>. The subject is “UPS Delivery Problem NR 66466” and an example of the email body:

Dear customer!

Unfortunately we were not able to deliver the package sent on the 24th of January in time
because the addressee’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.

United Parcel Service of America.

The UPS and DHL trojans have the same MD5 and are the same variant. At the time of writing this article only 14 of the 40 AV engines pick up the trojan.

Virus Total permalink and MD5: 574f07d83aeae631834ff8279af8c1ed.

Win a Macbook Air and get the trojan Obfuscator for free

MX Lab intercepted emails with the subject “Congratulation!!”. The message informs you that you have won an Apple MacBook Air and for more details you will need to open the attached file.

Congratulations!! You have won todays Macbook Air.
Please open attached file and see details.

Seems tempting but by doing so you will in fact unleash the trojan VirTool:Win32/Obfuscator.HG (Microsoft) or Suspicious:W32/Malware!Online (F-Secure) on your system.

The attached file is named winner.zip, 45 kB large, and contains the 52 kB large executable winner.exe.

The trojan will create the following files:

%UserProfile%\reader_s.exe
%System%\reader_s.exe

New processes were created:

%System%\reader_s.exe
%UserProfile%\reader_s.exe

Windows registry modifications are made to make sure that the executables run when Windows boots:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
* reader_s = “%System%\reader_s.exe”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
* reader_s = “%UserProfile%\reader_s.exe”
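A check for the persistence pattern listed above, added here as an example and not MX Lab's code: it parses a constructed .reg export of the two Run keys and flags autorun entries in user-writable locations as well as one binary name registered from more than one directory (the reader_s pattern, the same idea as %CommonAppData%\28701826\28701826.exe in the first post). The %System% and %UserProfile% placeholders are kept from the page's notation in place of the expanded paths a real export would contain.

```python
import ntpath
import re

USER_WRITABLE = ("%userprofile%", "%appdata%", "%commonappdata%", "%temp%",
                 "c:\\users\\", "c:\\documents and settings\\", "\\temp\\")

def parse_reg_export(text):
    """(key, value_name, data) triples from a .reg export; undoes the \\\\ and \\" escaping."""
    entries, key = [], None
    for line in text.splitlines():
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1)
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and key:
            entries.append((key, m.group(1), re.sub(r'\\(["\\])', r"\1", m.group(2))))
    return entries

def executable_of(command):
    """Program path of a Run value: honour quotes, else cut after the first '.exe'."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    idx = command.lower().find(".exe")
    return command[: idx + 4] if idx != -1 else command.split(" ", 1)[0]

def suspicious_run_entries(entries):
    """Two checks over HKLM and HKCU Run values: autorun from a user-writable path,
    and one binary name registered from several directories (reader_s pattern)."""
    findings, dirs_by_name = [], {}
    for key, name, data in entries:
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        exe = executable_of(data).lower()
        if any(marker in exe for marker in USER_WRITABLE):
            findings.append(("user-writable autorun", key, name, exe))
        dirs_by_name.setdefault(ntpath.basename(exe), set()).add(ntpath.dirname(exe))
    for base, dirs in dirs_by_name.items():
        if len(dirs) > 1:
            findings.append(("same name from several locations", base, sorted(dirs)))
    return findings

# Constructed export modelled on the listing above; GoogleUpdate is a benign control entry.
SAMPLE_EXPORT = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"reader_s"="%System%\\reader_s.exe"
"GoogleUpdate"="\"C:\\Program Files\\Google\\Update\\GoogleUpdate.exe\" /c"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"reader_s"="%UserProfile%\\reader_s.exe"
'''
```

On a live system the same functions can be fed the output of `reg export` for both Run keys.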

At the time of writing this article, only 8 of the 40 AV engines picked up the trojan when submitted to Virus Total, so be careful when receiving it. Virus Total permalink and MD5: 4ea90acf8a6427060f1a6d003dd3598f.

Email based update for Microsoft Outlook – Outlook Express contains trojan

MX Lab started to intercept messages with the subject “Update for Microsoft Outlook / Outlook Express (KB910721)”. These messages appear to come from the Microsoft Support department and contain instructions to install a new update for Microsoft Outlook / Outlook Express:

Brief Description
Microsoft has released an update for Microsoft Outlook / Outlook Express. This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.

Instructions

* Install Update for Microsoft Outlook / Outlook Express (KB910721). To do this, follow these steps:
1. Run attached file officexp-KB910721-FullFile-ENU.exe
2. Restart Microsoft Outlook / Outlook Express

System Requirements

* Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista

* This update applies to the following product: Microsoft Outlook / Outlook Express

The email has a 12 kB ZIP archive named officexp-KB910721-FullFile-ENU.zip attached. The extracted file is the 24 kB executable officexp-KB910721-FullFile-ENU.exe.

This piece of malware is known as W32/SuspPack.BI.gen!Eldorado (F-Prot), W32/FakeAV.AM!genr (Norman) or Mal/FakeVirPk-A (Sophos).

It is generally advised not to install software, updates or patches for Microsoft software or the operating system that are distributed by email. Microsoft only offers updates and patches through the official Windows Update channel on the Windows system itself.

Virus Total permalink and MD5: 925ca736b931a745b064896927cf20bc
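Every campaign on this page delivers its payload as an executable inside a ZIP attachment (open.zip, agreement.zip, myphotos.zip, winner.zip, officexp-KB910721-FullFile-ENU.zip). The mail-gateway check below is an added example, not MX Lab's code: it parses a message with Python's standard email and zipfile modules and flags archive members that are executable by extension or by the MZ header, which also catches a renamed .exe. The message it inspects is a constructed lookalike of the Conflicker.B mail with a 16-byte stand-in for open.exe, not the real sample.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly; this page's campaigns all ship .exe inside .zip.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

def inspect_zip(data: bytes) -> list[str]:
    """Members executable by extension or by the 'MZ' PE header (a renamed .exe still hits)."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            with archive.open(info) as member:
                is_pe = member.read(2) == b"MZ"
            if is_pe or info.filename.lower().endswith(EXECUTABLE_EXTENSIONS):
                flagged.append(info.filename)
    return flagged

def flag_executable_attachments(raw_message: bytes) -> list[str]:
    """Hits are 'archive!member' for ZIPs, or the bare filename for a direct executable."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK") or filename.lower().endswith(".zip"):
            try:
                hits.extend(f"{filename}!{m}" for m in inspect_zip(payload))
            except zipfile.BadZipFile:
                continue  # corrupt or not really a ZIP: leave it to other rules
        elif filename.lower().endswith(EXECUTABLE_EXTENSIONS):
            hits.append(filename)
    return hits

def build_sample_message(member="open.exe", content=b"MZ" + b"\x00" * 14) -> bytes:
    """Constructed lookalike of the 'Conflicker.B Infection Alert' mail with a
    stand-in open.zip attachment; not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member, content)
    msg = EmailMessage()
    msg["From"] = "Microsoft Team <spoofed@example.invalid>"
    msg["Subject"] = "Conflicker.B Infection Alert"
    msg.set_content("Please install attached file to start the scan.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="open.zip")
    return msg.as_bytes()
```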