New Bredolab trojan in the wild

MX Lab intercepted a new Bredolab trojan attached to emails with changing subjects and body content.

The following email subjects are being used:

Beauty and the Geek 2
First Birthday Invitation
fill this Passport form
In USA on August 15 and 16
Resume & Coverletter – Feedback
Status
Your reservation is confirmed – Ref: 12801/267373

The email body also changes with every new email version. Here are some examples:

Hi Joe,

I will be in USA on August 15, 16 and 17. I have a job interview on August 15 and available on August 16. I wonder if you and your partners will be available to catch up on any job prospect at your company.

I have attached my resume again with few changes.

Please let me know your availability. Thank you.

Best Regards,
Salvatore

Hello,

Thank you for making a booking through Allhotels

This voucher confirms that you have paid $ 1,100.00 as a deposit for the cost of the rooms and services detailed below. The guest must present this voucher, along with photo identification matching the guest name on this voucher, to the hotel on check-in.

The hotel will also ask for a valid credit card on check-in. This is to cover incidental expenses like meals, drinks, laundry, etc. Guests are responsible for payment of all extra charges direct to the hotel.

Please find the details in the attachment.

Hello All,

Please treat this as my personal invitation , Grace the occasion with your presence and bless my elder brother’s daughter on her first birthday.

Date: Sunday, August 15

Please find the venue details in the attachment.

Thanks,
Jordan Fish

Along with the changing subject and body content, the attached ZIP file also appears under different file names:

Resume.zip
invitation.zip

The attached ZIP archive is around 120 kB in size; once extracted, it yields an .exe file with the same name as the ZIP archive.

The trojan is known as Gen:Variant.Bredo.6 (Bitdefender), W32/Zbot.AN.test!Eldorado (F-Prot), W32/Trojan3.BXW (Authentium).

The following files will be created:

%Windir%\host32.exe
%Windir%\jh87uhnoe3\ewf32.nls
%Windir%\jh87uhnoe3\ewfrvbb.nls

The following directory will be created:

%Windir%\jh87uhnoe3

Several Windows registry modifications are made on the infected system.

At the time of writing, only 6 of the 42 AV engines at VirusTotal detected the threat. VirusTotal permalink and MD5: 4150a1deee2bb6852095627df34defb3.
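A mail-gateway check for the attachment pattern described above (a ZIP whose only member is an .exe carrying the archive's own name) combined with a lookup of the MD5 reported for this sample. This is an added example, not MX Lab's code; the ZIP inputs are constructed in memory with a harmless "MZ"-prefixed blob, so their hashes will not match the real sample.

```python
import hashlib
import io
import zipfile
from pathlib import PurePath

# MD5 of the sample reported in the post; the constructed inputs below will not match it.
KNOWN_MD5 = {"4150a1deee2bb6852095627df34defb3"}

def inspect_zip_attachment(filename: str, data: bytes) -> dict:
    """Findings for one ZIP attachment: is it the single-member, same-name .exe
    lure described above, and does the member hash match the known sample?"""
    result = {"is_zip": False, "exe_same_name": False, "pe_header": False,
              "md5": None, "known_sample": False}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result            # not a ZIP at all; report rather than raise
    result["is_zip"] = True
    members = archive.infolist()
    if len(members) != 1:
        return result            # the lure carries exactly one file
    member = PurePath(members[0].filename)
    result["exe_same_name"] = (member.suffix.lower() == ".exe" and
                               member.stem.lower() == PurePath(filename).stem.lower())
    payload = archive.read(members[0])
    result["pe_header"] = payload[:2] == b"MZ"   # DOS/PE executables start with "MZ"
    result["md5"] = hashlib.md5(payload).hexdigest()
    result["known_sample"] = result["md5"] in KNOWN_MD5
    return result

def should_quarantine(finding: dict) -> bool:
    """Quarantine on the known hash, or on the same-name .exe pattern when the
    member really is an executable."""
    return finding["known_sample"] or (finding["exe_same_name"] and finding["pe_header"])

def build_zip(member_name: str, payload: bytes) -> bytes:
    """Build an in-memory ZIP; used only to construct harmless test inputs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()

# Constructed samples: a lure-shaped archive with a harmless blob, and a benign one.
LURE_ZIP = build_zip("Resume.exe", b"MZ" + b"\x00" * 64)
BENIGN_ZIP = build_zip("report.pdf", b"%PDF-1.4 constructed benign content")

if __name__ == "__main__":
    for name, blob in (("Resume.zip", LURE_ZIP), ("report.zip", BENIGN_ZIP)):
        f = inspect_zip_attachment(name, blob)
        print(name, "QUARANTINE" if should_quarantine(f) else "ok", f["md5"])
```

The same-name .exe rule is a heuristic for this campaign's lure shape; the hash lookup is the only exact match, so extend KNOWN_MD5 as further samples are confirmed.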

5 Responses to New Bredolab trojan in the wild

  1. alex says:

    Shit I opened this zip file! What does it do and how do I remove it?

  2. David Clarke says:

    More subjects I think with same “content”

    Another candidate brought to you

    EBOD Meeting MEC Update

    Garages

  3. Mr A says:

    So what removal tools shall we use?
