Sasfis trojan present in emails with subject Statement of fees 2009/2010

MX Lab intercepted messages with the subject “Statement of fees 2009/2010” that contain the Sasfis trojan attached in a ZIP archive. The sender address is spoofed and changes randomly from message to message.

Body of the email:

Please find attached a statement of fees as requested, this will be posted today.
The accommodation is dealt with by another section and I have passed your request on to them today.

Kind regards.
Ramon Roberson

The attached ZIP archive has the name Statement_of_fees_2009_2010.zip and the extracted file has the name Statement_of_fees_2009_2010__[manyunderscores]_doc.exe. The large number of underscores pushes the real extension out of view and makes it harder to see that this file is in fact an executable.
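The disguise described above (an executable with a document token and a long run of underscores spliced in front of the real .exe extension, or a plain .doc.exe as in the USPS, Facebook and account-notification campaigns further down) can be screened at the mail gateway before the archive is ever opened by a user. The following is an added example, not MX Lab's own tooling; the archive it inspects is constructed inline and the names and thresholds are assumptions:

```python
import io
import re
import zipfile

# Extensions that Windows executes directly when the file is double-clicked.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Document-like tokens the campaigns splice in front of the real extension.
DOC_TOKENS = ("doc", "pdf", "xls", "txt", "htm", "html")
DOC_TOKEN_RE = re.compile(r"[._ -](%s)$" % "|".join(DOC_TOKENS), re.I)


def suspicious_members(zip_bytes: bytes) -> list[dict]:
    """Inspect a ZIP attachment in memory and report members that look like
    executables disguised as documents. Returns one dict per flagged member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            stem, dot, ext = base.rpartition(".")
            ext = ("." + ext.lower()) if dot else ""
            reasons = []
            if ext in EXEC_EXTS:
                reasons.append("executable extension")
            # "..._2010______doc.exe" and "postal_p_N2355224.doc.exe" both end
            # their stem with a document token right before the real extension.
            if DOC_TOKEN_RE.search(stem):
                reasons.append("document token before real extension")
            # Eight or more underscores/spaces in a row is an assumed threshold
            # for padding that hides the extension in a narrow file dialog.
            if re.search(r"[_ ]{8,}", stem):
                reasons.append("padding run hides extension")
            # Content check: a PE file starts with "MZ" whatever its name says.
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    reasons.append("PE header (MZ)")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive mirroring the campaigns; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Statement_of_fees_2009_2010" + "_" * 40 + "doc.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("postal_p_N2355224.doc.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("invoice.pdf", b"%PDF-1.4\n")  # benign control member
    return buf.getvalue()
```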

The following files will be created:

%Temp%\1.tmp
%System%\thxr.wgo
%Temp%\2.tmp

The registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid” is created.
The registry key “[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]” will be modified.

The trojan can establish a remote connection to the IPs 174.120.228.122 and 193.105.174.108 on port 80 and retrieves data from:

* hxxp://www.brightspottech.com/loader_40.exe
* hxxp://hulejsoops.ru/images/bb.php?v=200&id=256235564&b=build001&tm=2

At the time of writing, only 10 of the 40 AV engines detected the trojan. VirusTotal permalink and MD5: b5e6830bb7836f776d5629291cc961a1

Emails from USPS with subject Your Postal Package N*** contain a trojan

MX Lab intercepted a new virus campaign about an undelivered package, sent from a spoofed United States Postal Service (USPS) email address. In our case it was sent from Augustine Mcclain <Augustine _Mcclain@usps.com>. The subject is “Your Postal Package N6730622”; the number changes randomly.

The setup is the same as in the earlier virus campaigns that used spoofed UPS, DHL or FedEx email addresses.

The body of the email:

Good day,
Unfortunately, we could not deliver postal package sent 01 April,
As the recipient’s address does not exist.
Please, print out the bill of lading that is in the attached document, and collect your parcel in our office at the address indicated in the bill of lading.
Best regards,
Augustine Mcclain

Attached to the message is the ZIP archive Postal_p_N2355224.zip; once extracted it yields the 40 kB file postal_p_N2355224.doc.exe.

The trojan is known as Trojan:Win32/Oficla.M (Microsoft) or trojan.Sasfis (Kaspersky).

The following files will be created:

%Temp%\1.tmp
%System%\thxr.wgo
%Temp%\2.tmp

The registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid” is created.
The registry key “[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]” will be modified.

The trojan can establish a remote connection to the IPs 174.120.228.122 and 193.105.174.108 on port 80 and retrieves data from:

* hxxp://www.brightspottech.com/loader_40.exe
* hxxp://hulejsoops.ru/images/bb.php?v=200&id=432227885&b=build001&tm=2

At the time of writing, only 4 of the 40 AV engines at VirusTotal detected the trojan, so be careful when you notice this message in your mailbox.

VirusTotal permalink and MD5: e7316a1faeb6507f5684d76c189768ea.

New Oficla trojan variant targets Facebook users

MX Lab detected a new variant of the Oficla trojan that targets Facebook users and claims to deliver instructions on how to use a new password for their Facebook account.

The emails are sent from the spoofed email address The Facebook Team <profile@facebook.com> with subjects such as:

Facebook Password Reset Confirmation! Customer Message.
Facebook Password Reset Confirmation! Customer Support.
Facebook Password Reset Confirmation! Important Message.
Facebook Password Reset Confirmation! Support Message.
Facebook Password Reset Confirmation! Your support.

The content of the email:

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook.

The email contains the attachment Facebook_document_Nr1637.zip (the last four digits may vary), which contains the 48 kB executable Facebook_document_Nr1637.exe once extracted.

The trojan is known as Trojan:Win32/Oficla.M (Microsoft), Trojan-Downloader:W32/Oficla.Y (F-Secure) or TR/Crypt.ZPACK.Gen (Antivir).

The trojan will attempt to download a rogue security program identified as TrojanDownloader:Win32/FakeScanti. The Win32/FakeScanti family of trojans presents itself as genuine anti-virus software but is in fact malware that displays fake warnings of virus infections on your system. The user is then offered to register and pay for the so-called anti-virus software.

The following files are being created:

%Temp%\1.tmp
%System%\ngts.vao

The registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid” is created.
The registry key “[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]” will be modified.

The trojan can establish a remote connection to the IP 195.78.108.201 on port 80 and retrieves data from hxxp://designfolkov.ru/hules/bb.php?v=200&id=256235564&b=26aprela&tm=2.

Greeting e-card from Hallmark leads to download of Net-Worm.Win32.Mytob

MX Lab reports that a new campaign of greeting e-cards that lead to malware is in circulation.

The messages have the subject “You have received a greeding e-card !” and come from the spoofed email address <webmaster@Hallmark.com> to make it look as if they come from Hallmark itself, which is obviously not the case.

The email looks like this:

The links under “To see it, click here” and “We invite you to make a friend’s day and send one.” lead to a server that hosts the 2.9 MB file ecard.exe, which is malware known as Net-Worm.Win32.Mytob (Ikarus) or Win32:Malware-gen (Avast).

VirusTotal permalink and MD5: 220934c050bb2335889b56a807026109.

Warning regarding your account contains the trojan FakeAV

Yesterday, MX Lab intercepted some emails regarding a temporarily locked account that someone else may have accessed (read the article). Today, a new trojan variant is attached in the ZIP archive of a similar campaign. The trojan is known as Trojan.Win32.FakeAV (Ikarus, Sophos) or Trojan:W32/Agent.DIUK (F-Secure).

The email is sent from a random spoofed email address. The subject is “***.be account notification”, where *** represents the domain name of the intended recipient.

The content of the email:

Dear Customer,

This e-mail was send by ***.be to notify you that we have temporanly prevented access to your account.

We have reasons to beleive that your account may have been accessed by someone else. Please run attached file and Follow instructions

(C) ***.be

The attached file Instructions.zip contains the 144 kB file Instructions.exe after extraction.

The trojan creates a large number of executable files, named to resemble legitimate Windows, Adobe and .NET components, spread across the common desktop, Start Menu, documents, fonts, Windows, system and WinSxS directories.

The following processes are created:

%CommonDesktopDir%\readeradobe.exe
%CommonDesktopDir%\readeradobe30643.exe
%CommonDocuments%\my music\sample music\beethovensscherzo.exe
%CommonDocuments%\my pictures\sample pictures\bluehills17865.exe
%CommonPrograms%\accessories\accessibility\wizardaccessibility.exe

Several modifications are made to the Windows registry and the following internet downloads are started:

hxxp://logs.newsafetyplace.com/httpss/ldr123.php?v=23&step=1&hostid=ECCB2C6A77FA57971BADB6A24FDB1C34
hxxp://logs.newsafetyplace.com/httpss/ldr123.php?v=23&step=2&hostid=ECCB2C6A77FA57971BADB6A24FDB1C34
hxxp://logs.newsafetyplace.com/httpss/ldr123.php?v=23&step=3&hostid=ECCB2C6A77FA57971BADB6A24FDB1C34
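The loader beacons quoted in these reports share a recognisable shape: the Oficla/Sasfis variants call a bb.php with the parameters v, id, b and tm, while the FakeAV variant above steps through ldr123.php with v, step and hostid. Those shapes, plus the hosts named on this page, can be matched in a web-proxy log. This is an added example, not MX Lab's code; the log format and the sample lines are constructed, and the rule names are assumptions:

```python
from urllib.parse import parse_qs, urlsplit

# Hosts quoted in the reports above (written hxxp:// there, http:// in a real log).
KNOWN_HOSTS = {"www.brightspottech.com", "hulejsoops.ru",
               "designfolkov.ru", "logs.newsafetyplace.com"}


def classify_url(url: str):
    """Return a rule name when the URL matches one of the beacon shapes, else None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    path = parts.path.lower()
    # .../bb.php?v=200&id=...&b=build001&tm=2 (Oficla / Sasfis check-in)
    if path.endswith("/bb.php") and {"v", "id", "b", "tm"}.issubset(query):
        return "oficla-sasfis-beacon"
    # .../ldr123.php?v=23&step=N&hostid=... (FakeAV downloader check-in)
    if path.endswith("/ldr123.php") and {"v", "step", "hostid"}.issubset(query):
        return "fakeav-loader-checkin"
    # Plain .exe fetch from a host already named in the reports.
    if path.endswith(".exe") and parts.hostname in KNOWN_HOSTS:
        return "known-host-exe-download"
    return None


def scan_proxy_log(lines):
    """Each line: '<time> <client_ip> <method> <url>' (constructed format).
    Returns (client_ip, rule, host) for every line that matches a rule."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated lines
        client, url = fields[1], fields[3]
        rule = classify_url(url)
        if rule:
            hits.append((client, rule, urlsplit(url).hostname))
    return hits


# Constructed log lines: three modelled on the reports, one benign control.
SAMPLE_LOG = [
    "2010-04-26T10:01:02 10.0.0.5 GET http://hulejsoops.ru/images/bb.php?v=200&id=256235564&b=build001&tm=2",
    "2010-04-26T10:01:03 10.0.0.5 GET http://www.brightspottech.com/loader_40.exe",
    "2010-04-26T10:02:10 10.0.0.9 GET http://logs.newsafetyplace.com/httpss/ldr123.php?v=23&step=1&hostid=ECCB2C6A77FA57971BADB6A24FDB1C34",
    "2010-04-26T10:03:00 10.0.0.7 GET http://example.com/index.php?v=200",
]
```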

VirusTotal permalink and MD5: dab29feb1a1faa0085e8b2adab569dd3.

Warning regarding your account contains the trojan Kobcka

MX Lab intercepted some emails regarding a temporarily locked account that someone may have accessed. The email is not sent on behalf of a company such as a bank, but from a random spoofed email address. The subject is “***.be account notification”, where *** represents the domain name of the intended recipient.

The content of the email:

Dear Customer,

This e-mail was send by ***.be to notify you that we have temporanly prevented access to your account.

We have reasons to beleive that your account may have been accessed by someone else. Please run attached file and Follow instructions

(C) ***.be

The attached file Instructions.zip contains the 32 kB file Instructions.exe after extraction. The trojan is known as Trojan.Downloader.Kobcka.S (F-Secure), W32/Trojan2.MGAA (F-Prot) or a variant of Win32/Wigon.NT (NOD).

VirusTotal permalink and MD5: 24e9815a542f560786c9f7ff36871131.
