Bredolab trojan on the move

MX Lab noticed an increase in intercepted Bredolab trojan variants that are spread by email. The Bredolab variants are distributed by different campaigns.

Do you like to find a girlfriend like me ?

One campaign uses the subject “Do you like to find a girlfriend like me ?” and lures the recipient with the persona of a lonely single woman looking for a boyfriend:

Wish to have a boyfriend
Be able to protect me, take care of me
Intolerable lonely night and would like to have your care.
do you Willing ?

This is my photos.

The email carries a ZIP archive named myphotos.zip, suggesting it contains pictures. Instead the archive contains a single executable, myphoto.exe, which is the Bredolab trojan.

VirusTotal permalink and MD5: 63936bfd3c1207ef3d2cce7b52d508da.

DHL Office. Please get your parcel NR.6161

The second campaign is the traditional failed-package-delivery style, in this case with DHL branding and the spoofed sender address <support@dhl.com>. The following subjects are used:

DHL Office. Please get your parcel NR.6161
DHL Express. Please get your parcel NR.6161
DHL Express Services. You need to get a parcel NR. 3050
DHL International. You need to get a parcel NR. 3050
DHL Services. Please get your parcel NR. 1608
DHL Customer Services.  Please get your parcel NR. 3528

Body of the email:

Hello!

The courier service was not able to deliver your parcel at your address.

Cause: Mistake in address

You may pickup the parcel at our post office personally.

The delivery advice is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Services.

There is also a Spanish version of the campaign with the spoofed sender address <support@dhl.es>, the subject “DHL servicios. Recibir parcela NR.82140” (“DHL services. Collect parcel NR.82140”) and this email body (translated from Spanish):

Dear Customer

Our company's courier was unable to deliver the shipment to your address.
Cause: Error in the delivery address.
You may collect your shipment in person at the post office nearest to your address.

Attention!
A postal label is attached to this letter. You must print the label to be able to collect the shipment at the post office.

Thank you.
DHL services.

UPS Delivery Problem NR 66466.

The third campaign is also failed-package-delivery style but with UPS branding, sent from the spoofed From address <service@ups.com>. The subject is “UPS Delivery Problem NR 66466” and an example of the email body:

Dear customer!

Unfortunately we were not able to deliver the package sent on the 24th of January in time
because the addressee’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.

United Parcel Service of America.

The UPS and DHL attachments have the same MD5 and are therefore the same variant. At the time of writing only 14 of the 40 AV engines on VirusTotal detect the trojan.

VirusTotal permalink and MD5: 574f07d83aeae631834ff8279af8c1ed.
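The three campaigns share one mechanical pattern: a courier or dating lure, a spoofed sender, and a ZIP attachment whose only member is an executable. The script below is an added example (not MX Lab's filtering code) of how a mail gateway could triage such messages: it matches the subjects quoted above, flags courier sender domains, opens ZIP attachments to list executable members, and compares each member's MD5 against the two hashes given in this post. The sample .eml messages are constructed in memory with harmless placeholder bytes, so the hash blocklist will not match them; all names and the size cap are assumptions for the example.

```python
import email
import email.utils
import hashlib
import io
import re
import zipfile
from email.message import EmailMessage

# MD5s quoted in the post, used here as an illustrative blocklist (assumption).
KNOWN_BREDOLAB_MD5 = {
    "63936bfd3c1207ef3d2cce7b52d508da",  # myphoto.exe, girlfriend lure
    "574f07d83aeae631834ff8279af8c1ed",  # DHL / UPS delivery lure
}

# Subject patterns derived from the campaigns described in the post.
SUBJECT_PATTERNS = [
    re.compile(r"^DHL .*parcela? NR\.?\s*\d+", re.I),   # English and Spanish DHL lures
    re.compile(r"^UPS Delivery Problem NR \d+", re.I),
    re.compile(r"girlfriend like me", re.I),
]

# Sender domains the campaigns spoof; no SPF/DMARC evaluation here, we just
# treat courier branding plus an executable attachment as suspicious.
COURIER_DOMAINS = ("dhl.com", "dhl.es", "ups.com")
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
MAX_MEMBER_BYTES = 32 * 1024 * 1024  # assumed cap so a zip bomb cannot exhaust memory


def inspect_zip(data: bytes) -> dict:
    """List ZIP members, flag executables and hash each member's uncompressed bytes."""
    result = {"members": [], "executables": [], "md5": {}, "skipped": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            result["members"].append(info.filename)
            if info.filename.lower().endswith(EXECUTABLE_EXT):
                result["executables"].append(info.filename)
            if info.file_size > MAX_MEMBER_BYTES:
                result["skipped"].append(info.filename)  # oversized: flag, do not inflate
                continue
            result["md5"][info.filename] = hashlib.md5(zf.read(info)).hexdigest()
    return result


def triage(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and return the indicators found plus a verdict."""
    msg = email.message_from_bytes(raw)
    findings = {"subject_match": False, "courier_brand": False,
                "executables": [], "known_md5": [], "bad_zip": False}
    subject = msg.get("Subject", "")
    findings["subject_match"] = any(p.search(subject) for p in SUBJECT_PATTERNS)
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    findings["courier_brand"] = sender.rpartition("@")[2] in COURIER_DOMAINS
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        # Check the magic bytes too: a renamed .zip is still a zip.
        if name.endswith(".zip") or payload[:2] == b"PK":
            try:
                z = inspect_zip(payload)
            except zipfile.BadZipFile:
                findings["bad_zip"] = True
                continue
            findings["executables"].extend(z["executables"])
            findings["known_md5"].extend(h for h in z["md5"].values() if h in KNOWN_BREDOLAB_MD5)
        elif name.endswith(EXECUTABLE_EXT):
            findings["executables"].append(name)
    # Executable inside the attachment (or a known hash) is enough to quarantine,
    # regardless of whether the subject or sender matched a known campaign.
    suspicious = findings["executables"] or findings["known_md5"] or findings["bad_zip"]
    findings["verdict"] = "quarantine" if suspicious else "pass"
    return findings


def build_sample(subject: str, sender: str, zip_name: str, member: str, body: str) -> bytes:
    """Construct a sample .eml in memory; the ZIP member is a harmless placeholder, not the trojan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, b"MZ" + b"\0" * 64)
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    dhl = build_sample("DHL Office. Please get your parcel NR.6161", "support@dhl.com",
                       "DHL_label.zip", "DHL_label.exe", "The courier service was not able to deliver your parcel.")
    print(triage(dhl))
    lure = build_sample("Do you like to find a girlfriend like me ?", "lonely@example.net",
                        "myphotos.zip", "myphoto.exe", "This is my photos.")
    print(triage(lure))
```

The verdict is driven by the attachment contents rather than the lure text, because subjects and sender domains change between campaigns while the executable-in-a-ZIP delivery stays the same; the hash check only catches the two samples the post lists, so it is a secondary signal.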
