“Thank you for buying iTunes Gift Certificate!” email contains trojan


[UPDATE] A follow-up article about a new variant of this trojan was posted on the MX Lab blog on 26 May 2010: New trojan variant in “Thank you for buying iTunes Gift Certificate!” email.


MX Lab started to intercept emails with the subject “Thank you for buying iTunes Gift Certificate!” carrying a trojan detected as Gen:Variant.Bredo.4 (BitDefender, F-Secure), Win32/Oficla.GQ (NOD32), Trojan.Sasfis (Symantec) or Mal/EncPk-NS (Sophos).

It is clear that with this campaign the virus authors are using a subtle lure: the promise of a $50 iTunes Gift Certificate is more tempting than most bait.

This distribution is sent from the spoofed email address iTunes Products <customer.service@itunes.com>.

The body of the email:

Hello!

You have received an iTunes Gift Certificate in the amount of $50.00
You can find your certificate code in attachment below.

Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.

iTunes Store.

The email carries the ZIP archive iTunes_certificate_247.zip, which contains the 52 kB executable iTunes_certificate_247.exe.

The following files are created:

%Temp%\1.tmp
%System%\pgsb.lto

The registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid” is created.
The registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” is modified.

The trojan can establish a remote connection with the IP 195.78.108.201 on port 80 and retrieve data from:

* hxxp://davidopolko.ru/migel/bb.php?v=200&id=743908139&b=6may&tm=2

At the time of writing, 15 of the 41 AV engines on VirusTotal detected the trojan. MD5 of the executable: 0e50c0085bc6d75226a5c06ac1637df1
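As an added example (this is not MX Lab's code), the following Python routine shows how a mail gateway or an analyst can apply the indicators above to a raw message: it matches the lure subject, flags a From header that claims itunes.com while the Return-Path points elsewhere (the header pattern later reported in the comments), opens any ZIP attachment in memory, and hashes every executable it finds against the published MD5. MD5 is used only because that is the hash the article gives. The list of executable extensions beyond .exe is an assumption, and the sample message built by build_sample() is constructed for the demonstration; its "executable" is a placeholder, so its hash is reported as an unknown sample.

```python
"""Triage a raw e-mail against the indicators described in the article.

Added example, not MX Lab's code. Subject, spoofed sender domain and MD5
come from the article; the From/Return-Path mismatch mirrors the header
observation in the comments. The sample message is constructed.
"""
import email
import email.utils
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

KNOWN_SUBJECT = "Thank you for buying iTunes Gift Certificate!"
KNOWN_MD5 = "0e50c0085bc6d75226a5c06ac1637df1"   # published hash of iTunes_certificate_247.exe
CLAIMED_SENDER_DOMAIN = "itunes.com"
# The article only mentions .exe; the other extensions are an assumption
# about what a gateway would also want to flag inside an archive.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def _domain(header_value) -> str:
    """Lower-cased domain of the first address in a header value, or ''."""
    addr = email.utils.parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    """Return the indicators found in one message given as raw bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = str(msg.get("Subject") or "").strip()
    if subject == KNOWN_SUBJECT:
        findings.append("subject matches the known lure")

    # The lure claims to come from itunes.com; a bounce address on another
    # domain is a cheap but telling sign that the From header is spoofed.
    from_domain = _domain(msg.get("From"))
    return_domain = _domain(msg.get("Return-Path"))
    if from_domain == CLAIMED_SENDER_DOMAIN and return_domain and return_domain != from_domain:
        findings.append(f"From claims {from_domain} but Return-Path is {return_domain}")

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        attachments.append(name)
        if not name.lower().endswith(".zip"):
            continue
        data = part.get_payload(decode=True) or b""
        try:
            # Inspect the archive in memory; nothing is written to disk or run.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                        digest = hashlib.md5(zf.read(info)).hexdigest()
                        verdict = "known sample" if digest == KNOWN_MD5 else "unknown sample"
                        findings.append(
                            f"executable {info.filename} inside {name} "
                            f"({info.file_size} bytes, md5 {digest}, {verdict})"
                        )
        except zipfile.BadZipFile:
            findings.append(f"attachment {name} is not a valid ZIP archive")

    return {"subject": subject, "attachments": attachments,
            "findings": findings, "suspicious": bool(findings)}


def build_sample() -> bytes:
    """Constructed look-alike of the campaign mail (not a real sample)."""
    fake_exe = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not the real binary"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("iTunes_certificate_247.exe", fake_exe)

    msg = EmailMessage()
    msg["Subject"] = KNOWN_SUBJECT
    msg["From"] = "iTunes Products <customer.service@itunes.com>"
    msg["Return-Path"] = "<tackinessad81@conceive.com>"   # bounce address reported in the comments
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Hello!\n\nYou have received an iTunes Gift Certificate "
                    "in the amount of $50.00\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="iTunes_certificate_247.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in triage(build_sample())["findings"]:
        print(line)
```

Run it as a script to see the findings for the constructed message, or feed triage() the bytes of a real .eml file pulled from quarantine. A hash match is strong evidence, but the campaign rotates its attachments (the comments already report different file names), so the structural checks (executable inside a ZIP, spoofed sender) are what keep the rule useful after the sample changes.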

MX Lab customers are protected against this email based threat.

39 Responses to “Thank you for buying iTunes Gift Certificate!” email contains trojan

  1. Pingback: “Thank you for buying iTunes Gift Certificate!” email contains trojan | Computer Security Articles

  2. MOlivier says:

    Thanks for this information. I just got one of these this morning and knew better but wanted to check for more information about the virus to share with my less-aware co-workers (who all use PCs which are a bit more susceptible to this thing than my Mac).

    And the Mac/PC comment is nothing more than a simple statement about what hardware we all use here. :)

    • Anna says:

      Hello!
      I’m a MAC user. I received one of these today and inadvertently opened the attachment. Nothing seems to have happened, but is it possible that I have somehow damaged my computer?
      Thank you!

      • mxlab says:

        No, this malware was written for the Windows operating system – it is an .exe – so it can not harm your Mac in any way. To investigate these kinds of threats I also use a Mac first to see what the malware is about.

        But don’t be fooled by thinking that your Mac is safe from viruses or malware, because it is not. Quite often people suggest getting a Mac or a Linux computer to be safe. It is a wrong assumption.

      • LR says:

        Dear mxlab:

        You are aware that people can run Windows on Macs these days, right? Really seems like the sort of thing you should be up on.

      • mxlab says:

        @ LR:

        Yes, you are correct, these days there are different ways to run Windows on a Mac. It can be done with Boot Camp from Apple or with virtualisation software from Parallels running both OSes at the same time.

        But this does not change the fact that this piece of malware is written for Windows and will only affect the Windows part of the system.

        It will not affect the Mac OS X part of the system.

      • LR says:

        The parent post was from a ‘Mac user’, who could be using either these days – OSX wasn’t specified. Just sayin’ – that advice needs to be qualified as depending on the OS you’re using. “It only partially infects your Mac” is not the same as “it can not harm your Mac in any way.” Particularly if you use that “Windows part” a lot.

      • mxlab says:

        @ LR:

        When someone writes “I’m a MAC user.”, I am convinced that this person is going to use Mac OS X as their primary operating system. My first reply was based on that, and that is why I wrote that this malware won’t harm the Mac.

        Perhaps I should have written:

        “No, this malware was written for the Windows operating system – it is an .exe – so it can not harm your Mac OS X in any way. Be aware that this malware can infect Windows if you use it in Boot Camp or through virtualisation. But the malware needs to be present and executed on Windows. If the malware is stored on Mac OS X it poses no risk to your Windows installation on your Mac.”

      • LR says:

        Hm, a little hastily rewritten, and that last part of the explanation isn’t really meaningful in context, but I guess it will do. I’d give it a solid B-, nice improvement!

      • mxlab says:

        @ LR:

        I guess I will never get an A from you. ;-)

      • LR says:

        I don’t know, I think suffering a troll that gladly may very well deserve an A+ *and* a gold star.

  3. Katina128 says:

    I scanned this thing with AVG and it came back clean, so I opened it, stupidly, and now I need to know how to get rid of it. AVG isn’t even recognizing it yet, and said it couldn’t be healed. Help!

  4. Pingback: Top Posts — WordPress.com

  5. Alex says:

    Hi, I’m from Italy and today I received the mail from iTunes and I opened the zip file. My PC now has this problem: when I turn on the PC, Win XP can’t open the desktop and returns to the Win XP user login. This is a fucking trojan!
    Alex

  6. I can’t believe the amount of spam coming through these days, and a lot of it carries infections. I got this email but I don’t use iTunes, so I knew straight away.

  7. timo says:

    The maxim: “No such thing as a free lunch” is a saviour.

  8. sachin naik says:

    Since it was a new trojan, AVG couldn’t detect it before, but it detected it for me now.

    Viruses found in the attached files.
    The file iTunes_certificate_797.zip: Virus found Trojan horse cryptic.NV . The attachment was moved to the Virus Vault.
    The file iTunes_certificate_797.zip: Virus found Trojan horse cryptic.NV . The attachment was moved to the Virus Vault.

    Checked by AVG – http://www.avg.com
    Version: 9.0.801 / Virus Database: 271.1.1/2849 – Release Date: 05/02/10 11:57:00

  9. becky says:

    I was on the Apple web-site and was looking at iTunes gift cards and my two year old clicked on the 50.00 card, so when I saw the email for the gift card I thought maybe somehow my two year old bought it, so I opened it. Now I can’t even get my computer to turn on. I’m not sure what to do with it now.

  10. Pingback: Are Apple giving away free money? Does anyone? « Robert James Maclese

  11. Sam Bell says:

    Thanks for the info. Got the email.

  12. Dave says:

    I received this email today. Went into the junk folder of my Hotmail. Searched for the email title via Google and your forum popped up. Thanks for the advice, haven’t opened it thankfully.

  13. Bev says:

    Thanks for your advice here. However, they are trying to keep ahead of the game.
    They are changing the email to try and confuse people!
    Attachment now named: Gift_Cerificate_641.zip
    Email address now just: certificate@itunes.com
    Message headers: from IP 111.193.148.254 – which is somewhere near Beijing in China
    Return email address: tackinessad81@conceive.com

  14. Anne says:

    Hey,

    I received one on my Mac this morning. My virus scan had deleted the .exe file. But there was also a .zip file attached, and I’m not sure if that can harm my Mac.
    Did not open it, but I think the e-mails change every time. The sender was ‘certificate@itunes.com’.

  16. BS says:

    They wrote the email saying that it was sent to a different email address which was almost identical to mine!

    A google warning said it was a virus

  17. likehellonearth@yahoo.com says:

    LR, you’re a dick

  18. me09 says:

    Hello; I am a computer user and thanks for this valuable information. I hope that with my AVG antivirus, which I found in the top ten best antiviruses at best-antivirus.co/, the viruses will step away.
    Have a nice day

    • mxlab says:

      The web site you refer to, best-antivirus.info, seems nothing more than a web site that allows some products to get listed, contains banners and Google Ads. The text of the products does not explain why the software package is in the top 10 but is pure marketing text. There are no user reviews, no screenshots and no direct links to the antivirus vendors’ web sites. Some links have errors too, like a Kaspersky download mirror or even the function ‘Add your own review’. In my opinion, this web site is fake.

  19. This is not a problem in most cases with OS X itself or even Apple (as many people say), but with people themselves and third-party applications. As you know, OS X is built on BSD (the most secure system), but also (by default) all integration into the system has to be done with the admin password. People most of the time don’t read this information. On the other hand there is also the problem of holes in Firefox and Adobe products, which Apple doesn’t monitor.

    So in my opinion adding another anti-x software to the system is a stupid idea (free or paid), because the Mac has always been a demon of speed and this type of software can stop this beast.

    Read my blog > Mac and Viruses

  20. Chris O'Brien says:

    Hi All,
    I am in Cape Town SA and have Just got this email as well
    “You have received an iTunes Gift Card Certificates in the amount of $50”

    So this thing is still going around.

    Thought I would check it out like I do most unsolicited emails.

    Thanks for a great site, appreciate the effort

  21. Blaine says:

    I didn’t open it but I got this bug today in my hotmail as well. This site just verified my suspicion. Thanks guys.

    BTW: Good input mxlab, I think most of us appreciate it.

  22. Shayla says:

    Love it
