New trojan variant in emails with subject “DHL Delivery Notification Message”


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “DHL Delivery Notification Message  5SE1M4FDO07A6DKVL” – the combination of letters and numbers may change.

The email is sent from the spoofed address “DHL Express <noreply@dhl.com>” and has the following body:

DHL Express Tracking Notification: Wed, 30 Nov 2011 01:16:39 +0200

Custom. Reference: TF2APLTEGGQAN 65290
P. Tracking Number: 4830615 NM7WEPS48CR5L
Pickup Date: Wed, 30 Nov 2011 01:16:39 +0200
Service: SEA
Pieces: 2

Wed, 30 Nov 2011 01:16:39 +0200 – Processing complete
PLEASE REFER TO ATTACHED FILE FOR DETAILED INFORMATION.

Shipment status may also be obtained from our Internet site in USA under http://track.dhl-usa.com or Globally under http://www.dhl.com/track

Please do not reply to this email. This is an automated application used only for sending proactive notifications

Thanks,
DHL Express International.

The attached ZIP file has the name Delivery–Tracking–Notification–DHL–EXPRESS–0ZZICVEE.zip and contains the 203 kB file Delivery_Tracking_Notification-nov2011_DHL-EXPRESS-INTERNATIONAL.exe.

The trojan is known as W32/Trojan3.DBV (F-Prot), PWS-Zbot.gen.hb (McAfee), Troj/Bredo-MM (Sophos).

At the time of writing, only 6 of the 43 AV engines at Virus Total detected the trojan.

Virus Total permalink and MD5: 81cdcd438efe2bad7d4c91d53b64c3a0.

Rabobank phishing emails with attachment


MX Lab, http://www.mxlab.eu, intercepted a phishing campaign with the subject “ACCOUNT ACTIVEREN” that targets Rabobank users. The emails are sent from the spoofed email address “Rabobank <service@aupairconnect.com>” and have the following body, written in Dutch (translated here):

Amsterdam Code:

007498.

Dear Rabobank. customer,

Rabobank is unable to verify your account.

Your account must be checked as soon as possible.

You can do this by downloading the link below with your system.

Note: You will be contacted by one of our Rabobank employees for more information about this new system.

Yours sincerely,

Customer Service,

Rabobank.

*Important*

Update your records on or before 48 hours; failing to update your records will result in a temporary hold on your money.

© 2011 Rabobank. N.V. Nederland? . All rights reserved.

The email comes with an attachment named Activeren.html; this HTML file contains a web form that submits the entered details to the host hxxp://www.paminklaita.lt/images/go.php.

As always, MX Lab advises not to fill in any details when receiving emails from your bank with HTML attachments included.
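The tell-tale property of such an attachment is that its form posts to a host that is not the bank's own. The following added example (not MX Lab's code) collects every form action in an HTML attachment and reports those that do not target the bank's domain; the sample attachment is constructed here, using the host named above in defanged form, and the bank domain rabobank.nl is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormActionCollector(HTMLParser):
    """Collects the action attribute of every <form> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # attrs is a list of (name, value) pairs; value may be None
            self.actions.append(dict(attrs).get("action") or "")


def foreign_form_targets(html_text: str, bank_domains: set) -> list:
    """Return form action URLs that do not post to the bank's own domain.

    A form with no host at all (relative action) is reported too: an attachment
    opened from disk has no bank origin for a relative action to resolve against.
    """
    parser = FormActionCollector()
    parser.feed(html_text)
    suspicious = []
    for action in parser.actions:
        host = (urlparse(action).hostname or "").lower()
        owned = any(host == d or host.endswith("." + d) for d in bank_domains)
        if not owned:
            suspicious.append(action)
    return suspicious


# Constructed lookalike of the Activeren.html attachment; the target host is the
# one named in the write-up, kept in defanged "hxxp" form.
SAMPLE_ATTACHMENT = """
<html><body>
<h2>Rabobank</h2>
<form method="post" action="hxxp://www.paminklaita.lt/images/go.php">
  Account number: <input name="account">
  Code: <input name="code">
  <input type="submit" value="Activeren">
</form>
</body></html>
"""
# Constructed benign page whose form stays on the bank's own domain (assumed).
BENIGN_PAGE = '<form action="https://www.rabobank.nl/login"></form>'

if __name__ == "__main__":
    print(foreign_form_targets(SAMPLE_ATTACHMENT, {"rabobank.nl"}))
```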

Order confirmation by email contains download URL that leads to malware


MX Lab, http://www.mxlab.eu, reported yesterday on emails about a new price list that contain an embedded URL leading to malware.

Today, we are intercepting a new variant of this campaign, but instead of a price list the content concerns an order confirmation. The messages are sent in English or in Dutch. Each URL leads to the file /downloads/Document.zip.

Possible subjects are:

Re: adviser  id: 7356847
Request id: 71066294.
Bestel id 170-6513
Bestel N 841-5282

The emails are sent from spoofed addresses and have bodies like the following:

Gruss Gott, carmen.

Your order has been accepted.

Order id: 83435991.

Terms of delivery and the date can be found with the auto-generated msword file
located at:
hxxp://www.radixweb.eu/downloads/Document.zip?Hashcliente=carmen@robpeetoom.nl

==
Tel./Fax.: +31 (0)346 529 64 40

Gruss Gott, ****@****.nl.

Thank you for the order,
id: 862446.

Your credit card will be charged for 638 dollars.

Information about the order and delivery located at:

hxxp://www.shancommunity.org/downloads/Document.zip?Hashcliente=contact@robpeetoom.nl

____________________________
Best regards, ticket service.
Tel./Fax.: +31 (0)346 542 41 05

The Dutch bodies, translated:

Your order has been accepted.
Order id 170-6513.
Terms of delivery and the date can be found with a self-generated PDF file
to be found at: hxxp://www.dfrmontaggi.it/downloads/Document.zip?n=170-6513
With best wishes.

Your order has been accepted.
Order id 841-5282.
Terms of delivery and the date can be found with a self-generated PDF file
to be found at: hxxp://www.virgendeflores.es/downloads/Document.zip?n=841-5282
With best wishes.

The trojan is known as W32/Yakes.B!tr (Fortinet), Generic FakeAlert.fz (McAfee), Worm:Win32/Gamarue.B (Microsoft), W32/Kryptik.ATI (Norman), Trojan/Win32.Yakes (AhnLab-V3) or as a variant of Win32/Kryptik.VYH (NOD32).

The following files will be created:

%AllUsersProfile%\Local Settings\Temp\d928fffd000226d7.exe

The following directories are created:

%AllUsersProfile%\Local Settings
%AllUsersProfile%\Local Settings\Temp

New processes are created on the system:

Several Windows registry changes are executed and the trojan can establish connections with the following IPs on port 80:

195.214.238.241
88.222.0.5

The trojan retrieves data from the following URLs:

hxxp://heppishopdrm.ru/ice1/image.php
hxxp://www.sta.lt/smile023666.exe

At the time of writing, only 6 of the 42 AV engines at Virus Total detected the trojan.

Virus Total permalink and MD5: 602f9f68c5c1823fddd45226ed05c742.

[UPDATE]

The campaign already changed and is now sent with the following possible subjects:

Mistaken admission of money.
Refund. 392 euros.
Statement cash flow in your account.
Enrollment of money.

Some examples of the body:

Hello!
Your account has received two transaction by 392 euros.
Second transaction was accepted by mistake.

Please read this information carefully:
hxxp://www.miteaspa.it/downloads/Document.zip?i=994-43826

Hello!

Your account has received two transaction by 90 euros.
Second transaction was accepted by mistake.

Please read this information carefully:

hxxp://www.grafichelb.it/downloads/Document.zip?a=55365

We hope to collaborate in the future.

Greetings!

Your account has received two transaction by 342 euros.
Second transaction was accepted by mistake.
Please read this information carefully:
hxxp://www.thegrassisgreener.net/downloads/Document.zip?n=7660491

With best wishes.

Hello!
Your account has received two transaction by 59 euros.
Second transaction was accepted by mistake.

Please read this information carefully:
hxxp://www.kellylarsonsales.com/downloads/Document.zip?n=9790108

We hope to collaborate in the future.
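Across both waves of this campaign the download link keeps the path /downloads/Document.zip while the host changes each time, and in the first wave the query string carries the recipient's own address. The following added example (not MX Lab's code) pulls such links out of a message body and reports the host, the query parameter names and whether a parameter carries an email address; the two sample bodies are copied from the messages quoted above.

```python
import re
from urllib.parse import parse_qs, urlparse

# Matches http(s) URLs and the defanged "hxxp" form used in this write-up.
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://[^\s<>\"']+", re.IGNORECASE)
# Path shared by every download link in this campaign, host and query aside.
CAMPAIGN_PATH = "/downloads/document.zip"


def find_campaign_links(body: str) -> list:
    """Return links in an email body that match the campaign's download pattern.

    Each hit records the host, the query parameter names and whether a parameter
    carries an email address, i.e. a per-recipient token that lets the sender
    see which address followed the link.
    """
    hits = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        if parsed.path.lower() != CAMPAIGN_PATH:
            continue
        params = parse_qs(parsed.query)
        tracks_recipient = any("@" in v for values in params.values() for v in values)
        hits.append({"url": url, "host": parsed.hostname,
                     "params": sorted(params), "tracks_recipient": tracks_recipient})
    return hits


# Sample bodies copied from the messages quoted above (constructed test input).
ORDER_BODY = """Your order has been accepted.
Order id: 83435991.
Terms of delivery and the date can be found with the auto-generated msword file
located at:
hxxp://www.radixweb.eu/downloads/Document.zip?Hashcliente=carmen@robpeetoom.nl
"""
REFUND_BODY = """Your account has received two transaction by 392 euros.
Please read this information carefully:
hxxp://www.miteaspa.it/downloads/Document.zip?i=994-43826
"""

if __name__ == "__main__":
    for body in (ORDER_BODY, REFUND_BODY):
        print(find_campaign_links(body))
```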

Email with new price list contains a URL that downloads a trojan


MX Lab, http://www.mxlab.eu, has intercepted a sample of a new trojan that is downloaded through email.

The email is sent from a spoofed address, comes with the subject “Bericht” (Dutch for “Message”) and has the following body, written in Dutch (translated here):

Forced, you change the level of the rates for the services of our company,
caused by the general economic situation and the fall of the euro *.
Please treat this with understanding and remain to cooperate with us in the same volume.
Price with new prices you can download here:
hxxp://www.miteaspa.it/downloads/Document.zip

* In accordance with paragraph 6.7.2 of the contract, our company has the right to change
fees for services unilaterally, followed by notification to the customer.

The email is poorly written in Dutch and includes a URL to download a ZIP file which, once extracted, contains the 46 kB file Document.Doc____(more underscores)___.exe.
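The inner file name, a document extension followed by a run of underscores so that the real .exe extension is pushed out of view, is something a mail gateway can check before anyone opens the archive. The following added example (not MX Lab's code) inspects a ZIP attachment in memory and flags both plain executables, as in the DHL, FedEx and Adobe campaigns on this page, and this padded double-extension trick; the sample archives are constructed here with dummy contents and carry the file names from this post and the DHL post.

```python
import io
import re
import zipfile

# Extensions that should never arrive inside a "document" archive.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
# The trick used here: a document extension, then a run of underscores or
# spaces that pushes the real ".exe" out of view in a file dialog.
PADDED_DOUBLE_EXTENSION = re.compile(
    r"\.(doc|docx|pdf|xls|txt)[ _]{3,}\.exe$", re.IGNORECASE)


def assess_zip_attachment(zip_bytes: bytes) -> list:
    """Return one finding per suspicious entry, without extracting anything."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            reasons = []
            if info.filename.lower().endswith(EXECUTABLE_EXTENSIONS):
                reasons.append("executable inside archive")
            if PADDED_DOUBLE_EXTENSION.search(info.filename):
                reasons.append("padded double extension hides .exe")
            if reasons:
                findings.append({"name": info.filename,
                                 "size": info.file_size,
                                 "reasons": reasons})
    return findings


def build_sample_zip(entries: dict) -> bytes:
    """Build a small in-memory ZIP; used only to construct test input here."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buffer.getvalue()


# Constructed samples: names taken from this page, contents are dummy bytes.
PRICE_LIST_ZIP = build_sample_zip(
    {"Document.Doc______________________.exe": b"dummy"})
DHL_ZIP = build_sample_zip(
    {"Delivery_Tracking_Notification-nov2011_DHL-EXPRESS-INTERNATIONAL.exe": b"dummy"})
BENIGN_ZIP = build_sample_zip({"pricelist.pdf": b"%PDF-1.4 dummy"})

if __name__ == "__main__":
    for finding in assess_zip_attachment(PRICE_LIST_ZIP) + assess_zip_attachment(DHL_ZIP):
        print(finding)
```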

The trojan is known as W32/Yakes.B!tr (Fortinet), Generic FakeAlert.fz (McAfee), Worm:Win32/Gamarue.B (Microsoft) or as a variant of Win32/Kryptik.VYH (NOD32).

The following files will be created:

%AllUsersProfile%\Local Settings\Temp\5fbdfffe0001a042.exe

The following directories are created:

  • %AllUsersProfile%\Local Settings
  • %AllUsersProfile%\Local Settings\Temp

Several Windows registry changes are executed and the trojan can establish a connection with the IP 60.19.30.135 on port 80.

The trojan retrieves data from the following URL: hxxp://heppishopdrm.ru/ice1/image.php

At the time of writing, only 4 of the 43 AV engines at Virus Total detected the trojan.

Virus Total permalink and MD5: 172e583905950da35a194fadf728ac6a.

Different versions of ABN AMRO phishing email in circulation


MX Lab, http://www.mxlab.eu, detected different versions of ABN AMRO phishing emails that are in circulation on a daily basis, targeting Dutch ABN AMRO bank account holders.

ABN AMRO Systeembeveiliging

The first variant, with a very good layout and style, comes with the subject “ABN AMRO Systeembeveiliging” or “ABN AMRO Systeembeveiling” and is sent from the spoofed email address “ABN AMRO NV <customercare@abnamro.nl>”.

This will redirect you to hxxp://www.clumber.net/abnamro/abn.html.

After filling in all the details, a redirect to the real ABN AMRO site is executed.

Belangrijk bericht van ABN AMRO Bank

The second variant comes with the subject “Belangrijk bericht van ABN AMRO Bank” and is sent from the spoofed email address “ABN AMRO Bank <klant.services@abnamro.nl>”.

Beveiliging Message Alert van ABN AMRO Bank

Another variant comes with the subject “Beveiliging Message Alert van ABN AMRO Bank” and is sent from the spoofed email address “ABN AMRO BANK <customer.services@abnamro.nl>”.

Installatie mijn ABN AMRO Bank

This one comes with the subject “Installatie mijn ABN AMRO Bank” and is sent from a random spoofed email address.

This one will redirect you to hxxp://70.38.120.162/~abnsecbk/secure/.

ABN-AMRO BANK

This last one comes with the subject “Belangrijk Nieuws Mijn ABN-AMRO Bank” and is sent from a random spoofed email address.

Trojan masked as a FedEx Agent File Form


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects like:

FedEx: AGENT FILE FORM, Fri, 18 Nov 2011 08:55:14 +0900
FedEx: New Agent File Form, trackid: DFP0W0G3ETL62005

The email is sent from the spoofed address “FedEx Express <noreply@fedex.com>” and has the following body:

The FedEx Export AgentFile form replaces the paper SED which is no longer required by the US government. All EEI shipments must be filed electronically with the government prior to tendering the shipments to FedEx. For all future shipments that require an EEI, please complete and sign the attached form and fax it to (866) 879-9037 or you may email your request to mem-agentsed@mail.fedex.com. An ITN (internal transaction number) provided by the government will be communicated to you via your choice of: phone, email or fax. The ITN must be written on your AWB or label. The ITN indicates that the shipment has been submitted to the government and approved to export.

Also, listed below for your convenience is the US government website for Schedule B numbers. Should there be any doubt of the commodity number being provided on the SED Agent File form, please taken advantage of this valuable resource.

Thank you for choosing FedEx,

Manifesting Ops Asst.
FedEx Express
EEI Department/AES Processing
2927 Southwide Bldg B
Memphis, Tennessee 38118
Tel: 866 352-3252 (Opt. 2)
Fax: 866 879-9037

The attached ZIP file has the name FedEx-AgentFile-Form-nov-2011-8447.zip and contains the 190 kB file FedEx-AgentFileForm.exe.

The trojan is known as Spyware/Win32.Zbot (AhnLab-V3), Artemis!01CD13A561FF (McAfee), WS.Reputation.1 (Symantec).

At the time of writing, only 5 of the 42 AV engines at Virus Total detected the trojan.

Virus Total permalink and MD5: 01cd13a561ff5396604b8718e911b49f.

Email with information about an ACH debit transfer created on your behalf leads to malware


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subjects:

ACH debit transfer was hold by Yolo Community Bank
ACH payroll payment was not accepted by Central Trust and Savings Bank
ACH Transfer was not accepted by Eldorado Bank
ACH debit transfer was hold by The Mechanics Bank
Funds transfer was hold by our bank

The emails are sent from different spoofed addresses and have bodies like the following:

Dear Madam / Sir,

I regret to inform you that ACH payroll payment initiated by you or on your behalf was not accepted by Central Trust and Savings Bank.

Transaction ID: 17036653478735
Current status of transaction: on hold

Please review transaction details as soon as possible.

Theodore Parham
Payments Administration
Central Trust and Savings Bank

Dear Sir or Madam,

ACH debit transfer created by you or on your behalf was hold by Yolo Community Bank.

Transaction ID: 170038559047
Current status of transaction: on hold

Please review transaction details as soon as possible.

J. J. Shapiro
Payments Administration
Yolo Community Bank

Following the URL behind ‘review transaction details’ leads to sites like:

hxxp://openmindcomputech.com/zfin.html
hxxp://www.ebappcc.com/zfin.html

These pages merely redirect to the host where the malware is hosted, which shows a page prompting you to download and install the Adobe Flash Player.

The downloaded file is named update flash.exe and is 233 kB in size.

The trojan is known as ***

The following files will be created:

%AppData%\Efoxq\ozabp.ugu
%AppData%\Efoxq\ozabp.ugu.0
%AppData%\Igobig\ziywe.exe
%Temp%\tmp7f99c3f9.bat

The following directories are created:

%AppData%\Efoxq
%AppData%\Igobig

Several Windows registry changes are executed and the trojan can establish a connection with the IP 64.252.17.231 on port 11760.

At the time of writing, only 12 of the 43 AV engines at Virus Total detected the trojan.

Virus Total permalink and MD5: c5d161117328f8101f92442f19dbc96e.

Increase your security with the MX Lab services at a special promotion price!


Increase your security with the MX Lab services at a special promotion price until 31 December 2011!

MX Lab offers its zero hour anti virus, managed anti spam and email archiving services at a lower price of € 7 per user per year*, a huge € 2 per user discount, and the great news is that you only need to request a 15 day trial and change your MX records to make use of our service.

Our special promotion price also affects our other services like Email Archiving or the Hosted solutions. Visit our web site for a full pricing overview.

Request your 15 day trial today!

Are you active as an IT solutions provider and want to offer the MX Lab services to your clients? Do not hesitate to contact us and join the MX Lab Partner Program to benefit from the special pricing as well!

* MX Lab offers its services at a special promotion price until 31 December 2011. In order to obtain the promotion you will need to request a 15 day trial and use the trial account by modifying your MX records in order to use the MX Lab service. Each trial that is converted into a subscription at the end of the trial will benefit from the special lower price for one year.

Email with Adobe license key attached contains a trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Your InDesign CS4 License key”.

The email is sent from the spoofed address “Adobe <help-no.146@adobe.com>” and has the following body:

Hello,

Your Adobe CS4 License key is in attached document below.
We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
Thank you for buying Adobe InDesign CS4 software.

Adobe Systems Incorporated

The attached ZIP file has the name License_key_N7853.zip and contains the 47 kB file License_key.exe.

Please note that the sender address, the subject, the content and the name of the attached file may change from message to message.

The trojan is known as Troj/Bredo-LK (Sophos), W32/Yakes.F.gen!Eldorado (F-Prot), Downloader.Chepvil (Symantec).

At the time of writing, only 7 of the 43 AV engines at Virus Total detected the trojan.

Virus Total permalink and MD5: 09ecaf9fd2f4d7d42b0b4fde0f53b21e.
