Email regarding Conflicker.B Infection Alert contains a trojan
February 17, 2010 1 Comment
MX Lab started to intercept emails with the subject “Conflicker.B Infection Alert”. The trojan is named Win32:Bredolab-CC (Avast), Generic Dropper.lr (McAfee) or Trojan.Win32.Bredolab.Gen.2 (Sunbelt).
The From address is spoofed and can contain “Microsoft Team”. The email is signed by “Microsoft Windows Computer Safety Division” to make it appear that it comes from Microsoft itself.
The email carries the attachment open.zip, and inside the ZIP archive is the executable open.exe (16 kB).
As you can read below, the email instructs the recipient to use the attached file to scan the network after a supposedly detected infection by the Conflicker worm.
Dear Microsoft Customer,
Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.
To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.
Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.
Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division
At the time of writing, 21 of the 40 AV engines at Virus Total detected the threat correctly. Our recommendation is that you never follow instructions sent by email like this one: Microsoft, or any other company, will not distribute security tools by email.
This trojan is a serious security risk because it displays fake alerts about a virus infection in order to lead you to buy rogue anti-virus/anti-spyware products. The trojan also has the capability to send out emails with a built-in SMTP engine.
A new window is created after executing the file open.exe:

The following files are created:
%CommonAppData%\28701826\28701826.exe
%DesktopDir%\Security Tool.lnk
%Programs%\Security Tool.lnk
%Windir%\Temp\_ex-08.exe
The following directory is created:
%CommonAppData%\28701826
New processes are created:
_ex-08.exe in %Windir%\temp\_ex-08.exe
28701826.exe in C:\DOCUME~1\ALLUSE~1\APPLIC~1\28701826\28701826.exe
The Windows registry is modified and the malware can open TCP ports 1066 and 1067 on an infected system.
Connection to remote hosts (port 80):
221.150.130.37
94.102.50.131
95.143.192.40
Remote downloads:
* hxxp://221.150.130.37/qmbzxqbitqs.htm
* hxxp://221.150.130.37/gyxk.htm
* hxxp://221.150.130.37/xwxwkg.htm
* hxxp://94.102.50.131/in.php?affid=43400&url=5&win=Windows%20XP+2.0&sts=
* hxxp://95.143.192.40/pr/pic/sys.exe
Virus Total permalink and MD5: 76cf8a523c11f4d2ab86a7b99c89c9e0.
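As an added example (not MX Lab's code), the Python check below runs the indicators listed above (created files, process names, listening ports, remote hosts and the MD5 of open.exe) over constructed host telemetry; the `kind|value|extra` line format is an assumption made for the example, not a real EDR export.

```python
# Indicators taken from the write-up above.
FILE_IOCS = [r"%CommonAppData%\28701826\28701826.exe", r"%DesktopDir%\Security Tool.lnk",
             r"%Programs%\Security Tool.lnk", r"%Windir%\Temp\_ex-08.exe"]
PROCESS_IOCS = {"_ex-08.exe", "28701826.exe"}
LISTEN_PORTS = {1066, 1067}
REMOTE_HOSTS = {"221.150.130.37", "94.102.50.131", "95.143.192.40"}
MD5_IOC = "76cf8a523c11f4d2ab86a7b99c89c9e0"  # MD5 of open.exe per the post

# Drop the %Folder% prefix so an expanded on-disk path can be matched by its tail.
FILE_SUFFIXES = [p[p.index("%", 1) + 1:].lower() for p in FILE_IOCS]

# Constructed sample telemetry (assumed "kind|value|extra" format); the
# last two lines are benign noise that must not match.
SAMPLE_TELEMETRY = [
    r"file_create|C:\Documents and Settings\User\Desktop\open.exe|md5=76cf8a523c11f4d2ab86a7b99c89c9e0",
    r"file_create|C:\Documents and Settings\All Users\Application Data\28701826\28701826.exe|md5=unknown",
    r"file_create|C:\Documents and Settings\All Users\Desktop\Security Tool.lnk|md5=unknown",
    r"process_start|C:\WINDOWS\Temp\_ex-08.exe|pid=1234",
    r"listen|0.0.0.0:1066|pid=1234",
    r"connect|221.150.130.37:80|pid=1234",
    r"connect|10.0.0.5:443|pid=900",
    r"file_create|C:\WINDOWS\system32\drivers\etc\hosts|md5=unknown",
]

def classify_event(line):
    """Return (indicator_type, matched_value) if the line hits an IoC, else None."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    kind, value, extra = parts
    if kind == "file_create":
        if extra.lower() == "md5=" + MD5_IOC:      # known-bad hash wins over path
            return ("md5", MD5_IOC)
        if any(value.lower().endswith(s) for s in FILE_SUFFIXES):
            return ("file", value)
    elif kind == "process_start":
        name = value.rsplit("\\", 1)[-1].lower()   # image name only
        if name in PROCESS_IOCS:
            return ("process", name)
    elif kind == "listen":
        port = int(value.rsplit(":", 1)[-1])
        if port in LISTEN_PORTS:
            return ("listen_port", port)
    elif kind == "connect":
        host = value.rsplit(":", 1)[0]
        if host in REMOTE_HOSTS:
            return ("remote_host", host)
    return None

def scan_telemetry(lines):
    """Collect every IoC hit; a host infected as described above yields several."""
    return [hit for hit in map(classify_event, lines) if hit is not None]
```

A single hit on a shared artefact such as a port number is weak evidence on its own; the file, process and remote-host hits together are what distinguish this dropper.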

Thanks, the info is right what I need