New Bredolab variants in the wild

MX Lab intercepted some new Bredolab variants in different messages.

“Report” emails

The first message has the subject “report” and is sent from a spoofed email address. The body of the email is very short:

see my report in attach

The email contains the file report.zip, a ZIP archive holding the 16 kB file report.exe.

The trojan is known as W32/Bredolab.FZ (Authentium), Email-Worm:W32/Waledac.HZ (F-Secure), W32/Bredolab.B!genr (Norman).

At the time of writing, only 9 of the 41 AV engines at VirusTotal detect the trojan. VirusTotal permalink and MD5: 98f75f039cf618a72ec5074481c0a9a2.

“Review your annual Social Security statement” emails

These messages have the subject “Review your annual Social Security statement” and also come from spoofed email addresses.

The body of the email:

Due to possible calculation errors, your annual Social Security statement may contain errors.

Open attached file to review your annual Social Security statement.

The email contains the file statement.zip, a ZIP archive holding the 16 kB file statement.exe.

The trojan is known as W32/Bredolab.FX (Authentium), Gen:Trojan.Heur.FU.amW@aWPlGEii (F-Secure), W32/Bredolab.B!genr (Norman), Trojan.Win32.FakeAV (Ikarus), Mal/FakeAV-EE (Sophos).

At the time of writing, only 15 of the 41 AV engines at VirusTotal detect the trojan. VirusTotal permalink and MD5: 5b2ad2b93e88b4743221e28ead12475d.
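
Both campaigns share one shape: a ZIP attachment wrapping a single small .exe that few AV engines detect by signature. The following mail-gateway style check for that shape is an added example, not part of the original post. The extension list, the 1 MiB read cap and the sample message are assumptions constructed here; the two MD5 values are the ones quoted above.

```python
import hashlib
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# MD5 values quoted in the post for report.exe and statement.exe.
KNOWN_MD5 = {"98f75f039cf618a72ec5074481c0a9a2",
             "5b2ad2b93e88b4743221e28ead12475d"}
EXEC_EXT = (".exe", ".scr", ".pif", ".com")  # assumption: blocked extensions
MAX_READ = 1024 * 1024  # assumption: hash at most 1 MiB per archive member


def scan_message(raw: bytes) -> list:
    """Return one finding per executable inside a ZIP attachment."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # Decide by content, not by the attachment's name or MIME type.
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.filename.lower().endswith(EXEC_EXT):
                    continue
                md5 = None
                if not info.flag_bits & 0x1:  # member is not encrypted
                    with zf.open(info) as fh:
                        md5 = hashlib.md5(fh.read(MAX_READ)).hexdigest()
                findings.append({
                    "attachment": part.get_filename(),
                    "member": info.filename,
                    "size": info.file_size,
                    "md5": md5,
                    "known": md5 in KNOWN_MD5,
                })
    return findings


def build_sample(member: str = "report.exe") -> bytes:
    """Constructed test message: harmless filler bytes, not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, b"MZ" + b"\x00" * (16 * 1024 - 2))
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg["Subject"] = "report"
    msg.set_content("see my report in attach")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="report.zip")
    return msg.as_bytes()
```

A finding with `known` set to False still matters: with detection rates as low as those reported above, the executable-inside-ZIP structure is a more durable signal than the hash.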
