Messages with the YouSendIt Reader contain the Bredolab trojan


Following our first report earlier today on the YouSendIt abuse that leads to a malicious payload and a spam web site, MX Lab has now intercepted messages with the subject “You have received a file from fudgeupte7@randoripartners.com via YouSendIt.” and the attachment YouSendIt_reader.zip.

The sender address is spoofed, and the address quoted in the subject line changes to match the From address.

The body of the email:

Maryellen Meier has sent you the following via YouSendIt

File attached to this letter.

YouSendIt, Inc. | Privacy Policy

1919 S. Bascom Ave., Campbell, CA 95008

The message carries the attachment YouSendIt_reader.zip. Once extracted, it yields the 20 kB file YouSendIt_reader.exe.

The trojan is known as Gen:Variant.Bredo.2 (BitDefender, F-Secure, GData), TrojanDownloader:Win32/Waledac.C (Microsoft).

The following files are created:

%AppData%\1410506.exe
%Programs%\Security Tool.lnk
%Windir%\Temp\_ex-08.exe

New processes are created:

Process Name: 1410506.exe
Process Filename: %AppData%\1410506.exe

Process Name: _ex-08.exe
Process Filename: %Windir%\temp\_ex-08.exe

Process Name: 1410506.exe
Process Filename: %UserProfile%\LOCALS~1\APPLIC~1\1410506.exe

Several Windows registry modifications are made to the infected system, and the trojan can establish a connection to the IPs 77.78.249.2 and 85.234.191.111 on port 80.

The trojan will also connect to the URL hxxp://77.78.249.2/cb_soft.php?q=a4867e4e00d394bf25ae3835341f22e3

At the time of writing, only 8 of the 42 AV engines at VirusTotal detected the threat. VirusTotal permalink and MD5: 79be5ebc9659f2c4e2e85cdd3464720d.
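As an added example (not part of the MX Lab post), a small Python triage script that checks proxy log lines against the C2 addresses and port named above, and an extracted attachment against the published MD5 and the YouSendIt_reader naming. The Squid-style log format and the sample lines are constructed for the example.

```python
import hashlib
import re

# Indicators as published in the write-up above.
BREDOLAB_C2_IPS = {"77.78.249.2", "85.234.191.111"}
BREDOLAB_C2_PORT = "80"
BREDOLAB_MD5 = "79be5ebc9659f2c4e2e85cdd3464720d"

# Squid native access-log layout, assumed for this example:
# timestamp elapsed client action/code size method url ident hierarchy type
LOG_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
HOST_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::(?P<port>\d+))?")

# Constructed sample log lines: one hit per C2 IP, one benign, one wrong port.
SAMPLE_LOG = [
    "1266500000.123 45 10.0.0.12 TCP_MISS/200 512 GET "
    "http://77.78.249.2/cb_soft.php?q=a4867e4e00d394bf25ae3835341f22e3 - DIRECT/77.78.249.2 text/html",
    "1266500050.000 30 10.0.0.13 TCP_MISS/200 2048 GET "
    "http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    "1266500060.500 12 10.0.0.14 TCP_MISS/200 300 GET "
    "http://85.234.191.111/ - DIRECT/85.234.191.111 text/html",
    "1266500070.200 20 10.0.0.15 TCP_MISS/200 300 GET "
    "http://85.234.191.111:8443/x - DIRECT/85.234.191.111 text/html",
]


def flag_c2_requests(lines):
    """Return (client, url) pairs for requests to a listed C2 IP on port 80."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log layout; skip rather than guess
        h = HOST_RE.match(m.group("url"))
        if h and h.group("host") in BREDOLAB_C2_IPS:
            if (h.group("port") or "80") == BREDOLAB_C2_PORT:
                hits.append((m.group("client"), m.group("url")))
    return hits


def triage_attachment(filename, data):
    """Classify an extracted attachment: exact hash match, name heuristic, or no match."""
    if hashlib.md5(data).hexdigest() == BREDOLAB_MD5:
        return "known-bredolab-sample"
    name = filename.lower()
    # A real YouSendIt notification never carries the file itself as an attachment.
    if name.startswith("yousendit") and name.endswith(".exe"):
        return "suspicious-yousendit-exe"
    return "no-match"
```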

2 Responses to Messages with the YouSendIt Reader contain the Bredolab trojan

  1. Kenneth says:

    I got 2 of those e-mails today. I was told to open it and now I am working off a different computer. The virus does not allow you to open task manager or online options. A very dangerous virus. It just keeps on running and adding and cannot delete it when it's running.

  2. Harry says:

    I’ve had a lot of these, starting about 18:00GMT yesterday and to more than one username.

    They’re recognisable as suspicious by the fact that they contain the file in an attachment to the email. This is not how yousendit works — the whole point of yousendit is to deliver files without them going via email. A proper yousendit message would contain only a notification of file arrival and the recipient would have to visit yousendit to collect the file.
