“Voice Message from Unknown” contains trojan Kazy


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Voice Message from Unknown (785-553-4447)”

This email is sent from the spoofed address “Administrator <voice7@xxx.co.uk>” and has the following body:

-----Original Message-----

From: 785-553-4447

Sent: Wed, 23 Oct 2013 07:25:07 -0700

To: <caroline@xxx.co.uk>

Subject: Important: to all Employees

Note that the cell phone number in the subject and body of the message may vary. The xxx is replaced by the recipient domain in the message.

The attached ZIP file has the name VoiceMessage.zip and contains the 27 kB large file VoiceMessage.exe.

The trojan is known as Gen:Variant.Kazy.254763 (B), Trojan-Downloader, Artemis!535109E4902D or UDS:DangerousObject.Multi.Generic.

This trojan generates outbound traffic and can download further files from the internet. A new process, hhcbrnaff.exe, is created, and a connection is opened on port 443 to the host glyphs-design.com.
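The process name and the outbound host/port above are the behavioural indicators a defender can hunt for in endpoint and proxy telemetry. The following is an added example, not code from MX Lab or from the original post: it parses a handful of constructed key=value log lines (the format and the hostnames WS-17, WS-22 and www.example.org are assumptions for the demo) and flags the lines that match the indicators stated on this page.

```python
import re
from typing import Dict, List

# Indicators taken from the page: the dropped process name and the C2 host/port.
SUSPICIOUS_PROCESSES = {"hhcbrnaff.exe"}
C2_HOSTS = {"glyphs-design.com"}
C2_PORT = 443

# Constructed sample telemetry (not real logs). The key=value layout is an
# assumption chosen for the example; adapt parse_line() to your own format.
SAMPLE_LOGS = [
    "2013-10-23T14:31:02Z host=WS-17 event=process_create image=C:\\Users\\caroline\\AppData\\Local\\Temp\\hhcbrnaff.exe parent=VoiceMessage.exe",
    "2013-10-23T14:31:05Z host=WS-17 event=net_connect proc=hhcbrnaff.exe dst=glyphs-design.com dport=443",
    "2013-10-23T14:31:09Z host=WS-17 event=net_connect proc=chrome.exe dst=www.example.org dport=443",
    "2013-10-23T14:32:40Z host=WS-22 event=process_create image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split 'timestamp key=value key=value ...' into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_indicators(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per line that matches a process or network indicator."""
    hits = []
    for line in lines:
        f = parse_line(line)
        event = f.get("event")
        if event == "process_create" and basename(f.get("image", "")) in SUSPICIOUS_PROCESSES:
            hits.append({"ts": f["ts"], "host": f.get("host", ""),
                         "kind": "suspicious_process", "detail": f.get("image", "")})
        elif (event == "net_connect"
              and f.get("dst", "").lower() in C2_HOSTS
              and f.get("dport") == str(C2_PORT)):
            hits.append({"ts": f["ts"], "host": f.get("host", ""),
                         "kind": "c2_connection",
                         "detail": f"{f.get('proc', '?')} -> {f['dst']}:{f['dport']}"})
    return hits


if __name__ == "__main__":
    for hit in match_indicators(SAMPLE_LOGS):
        print(hit)
```

Matching on the bare process name is deliberately loose: the sample is a downloader, so the dropped file name may change between variants (one commenter below reports a different random-looking name), and the C2 host and port are the more durable indicator in this set.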

At the time of writing, 9 of the 46 AV engines on VirusTotal detected the trojan.

Virus Total permalink and SHA256: 4d1f10d965fb352617ed1e33491f74d2519304bbc97916e18a014d4481c29f65.
Malwr permalink and SHA256:
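At the mail gateway the cheapest check is structural: a ZIP attachment that unpacks to an executable, optionally cross-checked against the SHA256 published above. The following is an added example, not code from MX Lab: it builds a constructed MIME message that mimics the campaign layout (with a harmless placeholder file named VoiceMessage.exe, not the real sample, and example.co.uk addresses as assumptions), then triages it with the standard library's email and zipfile modules.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# SHA256 of VoiceMessage.exe as given on the page (VirusTotal permalink).
KNOWN_BAD_SHA256 = {
    "4d1f10d965fb352617ed1e33491f74d2519304bbc97916e18a014d4481c29f65",
}

# File types that should never arrive inside a "voice message" archive.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def build_sample_message() -> bytes:
    """Constructed sample mimicking the campaign's layout.

    The ZIP holds a few ASCII placeholder bytes named VoiceMessage.exe,
    NOT the trojan; addresses use example.co.uk (assumption).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("VoiceMessage.exe", b"MZ placeholder - constructed, not malware")
    msg = EmailMessage()
    msg["From"] = "Administrator <voice7@example.co.uk>"   # spoofed sender, constructed
    msg["To"] = "caroline@example.co.uk"
    msg["Subject"] = "Voice Message from Unknown (785-553-4447)"
    msg.set_content("-----Original Message-----\nFrom: 785-553-4447\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="VoiceMessage.zip")
    return msg.as_bytes()


def triage_message(raw: bytes) -> List[Dict]:
    """Return one finding per suspicious member of any ZIP attachment."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if not name.lower().endswith(".zip"):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(payload))
        except zipfile.BadZipFile:
            findings.append({"archive": name, "member": None, "reason": "corrupt zip"})
            continue
        with zf:
            for member in zf.infolist():
                if member.is_dir():
                    continue
                digest = hashlib.sha256(zf.read(member)).hexdigest()
                reasons = []
                if member.filename.lower().endswith(EXECUTABLE_EXTENSIONS):
                    reasons.append("executable inside archive")
                if digest in KNOWN_BAD_SHA256:
                    reasons.append("sha256 matches known sample")
                if reasons:
                    findings.append({"archive": name, "member": member.filename,
                                     "size": member.file_size, "sha256": digest,
                                     "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding)
```

On the constructed message the executable-in-archive rule fires while the hash rule does not, which is the expected split: the hash catches this exact build, the structural rule catches the next repack of the same lure with a different binary.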

4 Responses to “Voice Message from Unknown” contains trojan Kazy

  1. Jeremy says:

    We received the same email, but the interesting thing is the information in the message header, where they made it look as if it traversed our internal network utilizing FQDNs of our internal network and private addresses which were known to be legitimate. Anyone else seeing the same?

    • Joseph Wilker says:

      We saw the same thing on our campus. The relay mail server was different on each message but the originating server showed our domain name. The virus extracted the CryptoLocker variant. We received a few different variants today. I’ve submitted each to McAfee’s virus labs.

  2. R. Brown says:

    Received the same trojan also. Interestingly enough, Symantec anti-virus was unable to detect it. However, Malwarebytes did detect it. Noticed it has a process similar to Ajvsdbsseeyw.exe running in memory as a process in Windows Task Manager.

