New trojan variant in mails with “Look my CV. Thank you!”
June 14, 2010
MX Lab intercepts a new trojan variant in emails with the subject “Look my CV. Thank you! MyID NR4557547.”.
Possible subjects are:
Look my CV. Thank you! MyID NR4557547.
Please look my CV. Thank you! MyID NR0663460.
The number at the end of the subject is chosen randomly and the From address is spoofed.
The body of the email:
Good day.
I have figured out that you have an available job.
I am quiet intrested in it. So I send you my resume,Looking forward to your reply.
Thank you.
The email contains the attachment resume098.zip. The extracted file resume.exe is 36 kB in size.
The trojan is known as W32/Heuristic-210!Eldorado (Authentium, F-Prot) or Backdoor.Bredolab (PCTools).
The following files are created:
%Temp%\1.tmp
%System%\fjof.sto
%Temp%\2.tmp
%Windir%\atapsrb.dll
The following modules are loaded into the address space of other processes:
%Windir%\atapsrb.dll:
Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E70000 – 0x1E82000
%Windir%\atapsrb.dll:
Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0x1940000 – 0x1952000
%Windir%\atapsrb.dll:
Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0x10000000 – 0x10012000
Several Windows registry modifications are created and the trojan attempts to establish a connection with the following IPs on port 80:
195.78.109.6
212.78.71.81
95.211.98.246
Data is downloaded from the following hosts:
- hxxp://olgashelest.ru/babun/bb.php?v=200&id=603225387&b=6165430227&tm=1
- hxxp://olgashelest.ru/babun/bb.php?v=200&id=603225387&tid=4&b=6165430227&r=1&tm=1
- hxxp://www.scottishchefs.com/photogallery/Slideshows/SLteam2008/p7hg_img_1/fullsize/sepod.exe
At the time of writing, only 6 of the 41 AV engines at Virus Total detect this threat. Virus Total permalink and MD5: 0ae6a2d53e86b8784d45dd56afc5c6d7.
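The subject pattern, the attachment name and the MD5 above are enough to build a gateway-side triage check. The following is an added example written for this post, not MX Lab's own filter: the regexes and the two MD5 values (resume.exe and the second-stage sepod.exe, both quoted in this post) are taken from the text, while the sample message, the sender addresses and the bytes placed inside resume.exe are constructed here and are not the real malware. The assumption that the digits in resume098.zip vary between mails is mine.

```python
"""Mail-gateway triage for the "Look my CV" campaign.

Added example; this is not MX Lab's filter. The subject and attachment
patterns and the two MD5s come from the post above. The sample message and
the bytes placed inside resume.exe are constructed here and are not the
real malware.
"""
import hashlib
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject pattern from the post: optional "Please ", random 7-digit MyID.
SUBJECT_RE = re.compile(r"^(?:Please )?[Ll]ook my CV\. Thank you! MyID NR\d{7}\.$")
# Attachment seen in the campaign: resume098.zip (varying digits assumed).
ATTACHMENT_RE = re.compile(r"^resume\d*\.zip$", re.IGNORECASE)
# MD5s quoted in the post for resume.exe and sepod.exe.
KNOWN_MD5 = {
    "0ae6a2d53e86b8784d45dd56afc5c6d7",
    "7a10c1118307e7cb4ecf97b40524a89c",
}
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
MAX_INSPECT = 10 * 1024 * 1024  # never inflate more than 10 MB per member


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def triage(raw: bytes, known_md5=KNOWN_MD5) -> dict:
    """Return the quarantine reasons for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    reasons = []
    if SUBJECT_RE.match(subject):
        reasons.append("subject matches campaign pattern")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if ATTACHMENT_RE.match(name):
            reasons.append(f"attachment name {name!r} matches campaign pattern")
        if not name.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner = info.filename
                    if inner.lower().endswith(EXECUTABLE_EXT):
                        reasons.append(f"executable {inner!r} inside {name!r}")
                    if info.file_size > MAX_INSPECT:
                        # Declared size is attacker-controlled; refuse to inflate.
                        reasons.append(f"{inner!r} exceeds inspection limit")
                        continue
                    digest = md5_hex(zf.read(info))
                    if digest in known_md5:
                        reasons.append(f"{inner!r} MD5 {digest} is a known sample")
        except zipfile.BadZipFile:
            reasons.append(f"{name!r} is not a valid zip archive")
    return {"subject": subject, "reasons": reasons, "quarantine": bool(reasons)}


def build_sample(subject: str, zip_name: str, inner_name: str, inner_bytes: bytes) -> bytes:
    """Construct a message shaped like the campaign mail (harmless payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, inner_bytes)
    msg = EmailMessage()
    msg["From"] = "applicant@example.invalid"  # spoofed sender, as in the campaign
    msg["To"] = "jobs@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Good day.\nI have figured out that you have an available job.\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample("Look my CV. Thank you! MyID NR4557547.",
                          "resume098.zip", "resume.exe", b"MZ-not-malware")
    print(triage(sample))
```

The hash check is the weakest of the three tests, since a repacked resume.exe changes its MD5 while the subject and the executable-inside-zip checks still fire; the size cap before decompression is there so that an archive with a large declared member cannot exhaust the gateway.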
The downloaded file sepod.exe, which is 60 kB in size, is malware known as W32/Hiloti.I.gen!Eldorado (F-Prot), Trojan.Win32.Hiloti (Ikarus) or Mal/Hiloti-D (Sophos).
The following files are created:
%Windir%\dsmd32.dll
The following modules are loaded into the address space of other processes:
%Windir%\dsmd32.dll:
Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E70000 – 0x1E82000
%Windir%\dsmd32.dll:
Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0x10000000 – 0x10012000
Several Windows registry modifications are created and the trojan attempts to establish a connection with the IP 95.211.98.246 on port 80.
13 of the 41 AV engines at Virus Total detect this threat. Virus Total permalink and MD5: 7a10c1118307e7cb4ecf97b40524a89c.
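With low AV coverage on both stages, the network indicators listed for them (the three callback IPs on port 80 and the two download hosts) are the more reliable way to find already-infected machines. The script below is an added example, not MX Lab's code: it hunts those indicators in a web-proxy access log. The IPs, hosts and URL paths come from this post; the log lines are constructed for the example, and the Squid native log format is an assumption about the reader's proxy. It also goes one step beyond the post by matching the download paths on any host, since droppers tend to be re-hosted faster than domains are blocked.

```python
"""Hunt the post's network IOCs in a web-proxy access log.

Added example; this is not MX Lab's code. The callback IPs and the download
hosts and paths come from the post above. The log lines are constructed for
this example, and the Squid native log format is an assumption about the
reader's proxy.
"""
from urllib.parse import urlsplit

# Callback IPs (port 80) reported for both stages.
IOC_IPS = {"195.78.109.6", "212.78.71.81", "95.211.98.246"}
# Hosts the two stages download from.
IOC_HOSTS = {"olgashelest.ru", "www.scottishchefs.com"}
# Path fragments of the download URLs, flagged on any host.
IOC_PATHS = ("/babun/bb.php", "/sepod.exe")

# Constructed lines in Squid native format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1276500001.123 250 10.0.0.15 TCP_MISS/200 512 GET http://olgashelest.ru/babun/bb.php?v=200&id=603225387&b=6165430227&tm=1 - DIRECT/195.78.109.6 text/html
1276500002.456 40 10.0.0.15 TCP_MISS/200 61440 GET http://www.scottishchefs.com/photogallery/Slideshows/SLteam2008/p7hg_img_1/fullsize/sepod.exe - DIRECT/212.78.71.81 application/octet-stream
1276500003.789 12 10.0.0.22 TCP_HIT/200 2048 GET http://www.example.com/index.html - NONE/- text/html
1276500004.000 90 10.0.0.31 TCP_MISS/200 1024 GET http://95.211.98.246/ - DIRECT/95.211.98.246 text/html
1276500005.000 30 10.0.0.40 TCP_MISS/404 300 GET http://cdn.example.net/babun/bb.php?v=200 - DIRECT/203.0.113.9 text/html
"""


def indicators(url: str, peer: str) -> list:
    """Return the IOC types a single request matches (host, ip, path)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    hits = []
    if host in IOC_HOSTS:
        hits.append("host")
    # The URL host may itself be one of the IPs, or the proxy's peer may be.
    if host in IOC_IPS or peer in IOC_IPS:
        hits.append("ip")
    if any(p in parts.path for p in IOC_PATHS):
        hits.append("path")
    return hits


def scan_proxy_log(text: str) -> list:
    """Parse Squid native log lines; return one record per matching request."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue  # malformed line: skip it rather than abort the hunt
        ts, _elapsed, client, _code, _size, method, url, _user, hier = fields[:9]
        peer = hier.split("/", 1)[1] if "/" in hier else ""
        hits = indicators(url, peer)
        if hits:
            records.append({"time": ts, "client": client, "method": method,
                            "url": url, "indicators": hits})
    return records


if __name__ == "__main__":
    for rec in scan_proxy_log(SAMPLE_LOG):
        print(rec["client"], rec["indicators"], rec["url"])
```

Each record names the internal client, which is what an incident responder needs next: the host that fetched bb.php or sepod.exe is the one to pull from the network and image. A path-only hit, as on the last sample line, is weaker evidence and worth a look before blocking.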

I have had this email so many times. Is there good spam software for Outlook that will stop these?
GAWH! I hate this e-mail! I’ve received this so many times it’s getting frustrating!
Have had this email as well.
I had this show up from a drive-by download on an innocuous website, not from an email.
This one is very common, from the Far East, look out.
This has been hitting our corporate network, but it is easier to spam this one out.
How to filter these types of emails?
Being a bit commercial now, but you can use MX Lab – for more information http://www.mxlab.eu/ – with the zero-hour anti-virus technology.
Get a good anti-virus software package with very fast detection rates for new viruses and, also important, virus definition updates. If your current anti-virus software does not intercept the trojan, then you could try an anti-virus product from a different vendor. But unfortunately, in some cases, it won't help, as we often notice when sending virus samples to Virus Total.
You can of course filter on the subject, the spoofed address or the names of the attachments. Very simple and very effective, until a new email format comes out with different subjects or attachment names.
More important, and it will not cost you anything: if you receive a suspicious looking email with attachments, whether it's a zip file, HTML file or anything else, do not open it. It's that simple to avoid virus infections.