New Bredolab trojan variants in DHL and UPS tracking emails

January 19, 2010 by mxlab 9 Comments

MX Lab intercepted several email messages with new Bredolab trojan variants in the traditional style: emails regarding the tracking of a parcel. We noticed new campaigns using the DHL and UPS tracking style. We will cover them both in this article at the same time.

The trojan is known as Trojan.Win32.Bredolab, Trojan-Downloader:W32/Bredolab.WI or TrojanDownloader:Win32/Bredolab.AB.

UPS Tracking Number

The message comes from the spoofed address UPS Manager *** <services@ups.com> (*** stands for a random firstname lastname format). The subject is UPS Tracking Number 42163829 (number may vary with each email). The body of the email:

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
United Parcel Service.

The email contains the archive file UPS_invoice _Nr4593.zip, where the number matches the number in the subject. Extracted the executable UPS_invoice _Nr4593.exe is present with a file size of 68kB.

The trojan will create the following files on the system:

%Profiles%\LocalService\Application Data\mvhgkr.dat
%AppData%\avdrn.dat
%DesktopDir%\Internet Security 2010.lnk
%StartMenu%\Internet Security 2010.lnk
%Programs%\Startup\rarype32.exe
%ProgramFiles%\InternetSecurity2010\IS2010.exe
%System%\41.exe
%System%\helper32.dll
%System%\smss32.exe
%System%\winlogon32.exe
%System%\warning.html

There were new processes created in the system:

%System%\smss32.exe
%ProgramFiles%\internetsecurity2010\is2010.exe

Various registry settings will be changed while the port 1054 on TCP is open for the service smss32.exe (%System%\smss32.exe). Connections to remote host are established: 193.104.153.30 on port 80 and to 193.104.94.5 op port 4455.

The data identified by the following URLs was then requested from the remote web server:

* http://downloadavr40.com/loads.php?code=0001384
* http://downloadavr40.com/dfghfghgfj.dll
* http://downloadavr40.com/cgi-bin/download.pl?code=0001384
* http://testavrdown.com/cgi-bin/get.pl?l=0001384

Virus Total permlink and MD5: 28d798d6021e600101ba68ea87345656. At the time of writing this article, only 10 of the 41 AV engines did detect the trojan variant.

DHL Tracking Number

The email comes from the spoofed address Support *** <services@dhl.com> (*** stands for a random firstname lastname format).

Possible subject formats are:

DHL Delivery Problem NR 98545
DHL International. Get your parcel NR.5269
DHL Customer Services. Get your parcel NR.0961
DHL Express Services. Get your parcel NR.6493
DHL Office. Get your parcel NR.6366
DHL Tracking Number 40834372048

The body of the email:

Hello!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Express Services.

The email contains the archive file DHL_label_Nr2387.zip. Extracted the executable DHL_label_Nr2387.exe is present with a file size of 68kB. The numbers in the filename may vary.

Following files are created on the system:

%AppData%\avdrn.dat
%Programs%\Startup\rarype32.exe

Virus Total permlink and MD5: 7c874b52eee7196ef96dc8710b957033.

Filed under Viruses Tagged with , , , , ,

New ZBot trojan detected in UPS tracking emails

May 27, 2009 by mxlab 1 Comment

Email messages coming from UPS with the subject “Postal Tracking #FDD4Q22514LDU4N” and the attached file UPS_DOC_986001.zip are part of a new malware distribution by email. MX Lab intercepted the first samples of a new variant that is only detected by 5 of the 40 AV engines of Virus Total.

The body of the email:

Hello!

We were not able to deliver postal package you sent on the 14th of March in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.

Your United Parcel Service of America

The trojan will create the following files:

%AppData%\wiaserva.log
%Temp%\WER699f.dir00\appcompat.txt
%Temp%\WER699f.dir00\explorer.exe.hdmp
%Temp%\WER699f.dir00\explorer.exe.mdmp
%Temp%\WER699f.dir00\manifest.txt
%System%\wbem\grpconv.exe

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

The following directy is created: %Temp%\WER699f.dir00.
A new process is created in the system: %System%\wbem\grpconv.exe along with some Windows registry modifications.

The following URL is being used: hxxp://dollarpoint.ru/abc/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&rnd=8520045

Virus Total link and MD5: de90a24f3dfb5c1c8d4a0a3104f3dd4a.

Filed under Viruses Tagged with , , , ,

New UPS trojan detected: TrojanSpy.ZBot.DGI

March 2, 2009 by mxlab 2 Comments

Posting updated on 10 March 2009. Read the new information at the end of this posting.

MX Lab intercepted a  few messages, with the zero hour anti virus system, that claim that the delivery of the postal package that is handled by UPS has failed due to an incorrect address. At the time of writing, 03.02.2009 22:55:45 (CET), only 7 of the 38 anti virus engines detect this new variant.

The trojan is named TrojanSpy.ZBot.DGI (VirusBuster), Trojan-Dropper.Delf (Ikarus) or VirTool:Win32/DelfInject.gen!J (Microsoft).

The from address is spoofed and contains “United Postal Service <tracking@ups.com>”.

The message contains the following body content:

Hello!

Sorry, we were not able to deliver postal package you sent on February the 23th in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office.

Your UPS Support Team

The trojan hides itself inside the file Invoice_8612112.exe once you have extracted the ZIP archive Invoice_8612112.zip. Names and numbers may vary.

It has the same characteristics as in one of our previous blog posts with the difference that the connection to the remote host 91.211.65.33 now tries to get /ejik/admin.bin and /ejik/hot.php.

Virus Total permlink and MD5: a3d1a160e6ce8ca4c2b4421731e549c2.

Update 10 March 2009: A new variant is being distributed. The attached file is named UPS_ID.zip and contains the trojan UPS_ID.exe.

Virus Total permlink and MD5: b5e44647bc1f08c4d7f32fc933db1ac6.

Filed under Viruses Tagged with , , , ,

New UPS trojan variant: Delivery problems

January 11, 2009 by mxlab 8 Comments

A new UPS trojan variant is being detected called Mal/Zbot-G by Sophos and VirTool:Win32/Obfuscator.CT by Microsoft.

MX Lab was the first to send and analyse the file by Total Virus. Only 2 of the 36 AV engines at Virus Total did detect the trojan at the time of writing. So be aware that this email contains malware so don’t open the attachment.

The senders email addres is: United Postal Service <tracking@ups.com>.

The subject is: Delivery problems

The content of the body:

Hello!

Sorry, we were not able to deliver postal package you sent on December the 25th in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office.

Your UPS Support Team

The file attached is names UPSInv.zip and the ZIP archive contains UPSInv.exe.

Please note that the senders email address, the subject, body and attached file names can change.

This is the Trojan-Spy.Zbot.YETH, which is a rootkit trojan which steals online banking information and downloads other malware as well. The origin is possibly the Russian Federation.

Local files created:

%System%\twain32\local.ds
%System%\twain32\user.ds
%System%\twain32\user.ds.lll 
%System%\twex.exe 

Several Windows registry changes are being made, one registry change makes ure that twex.exe is run every thime Windows starts, and the trojan makes connection with the host 91.211.65.33 on port 80 and a GET command is executed to ferrari/admin.bin.

Virus Total permlink and MD5 hash: 61a1617ddb5c5bdb495b29bd1719e965.

Filed under Viruses Tagged with , , ,

UPS Postal Service trojan still active

November 25, 2008 by mxlab 1 Comment

In the past we’ve seen many variants of the UPS email containing an attached trojan in a zip file known now as Win32/Kollah.RT, 32/Zbot.GXN!tr.spy or TrojanSpy:Win32/Zbot.gen!C according to the virus engine. Since yesterday we’ve seen a new variant and it is quite active and being distributed because MX Lab has intercepted quite some samples of this emails.

The emails hasn’t changed much, the subject is “Your Tracking # 877874077711″ (where the number is dyanimc and changes often) and the content of the body:

Sorry, we were not able to deliver postal package you sent on November the 1st in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office. If you do not receive package in ten days you will have to pay 36$ per day.

Your UPS

The email has the zip file Invoice_UPS.zip attached with the Invoice_UPS.exe inside.

VirusTotal Permalink and MD5: 68ab2a6801bbc18e727d8ac093c8087f.

Filed under Viruses Tagged with , , ,

FedEx Tracking number trojan

August 9, 2008 by mxlab 19 Comments

MX Lab has intercepted a few messages with the subject “[NO-REPLY] FedEx Tracking Number 26901603″ with an attached trojan. After the UPS Tracking trojan campaign it’s now time to use FedEx.

The content of the email has the same characteristics as the UPS trojan:

Unfortunately we were not able to deliver postal package you sent on July the 31 in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office

Your FedEx

The email has attached the zip archive named FedEx_Invoice.zip with the executable FedEx_Invoice_N882874421.exe. The “tracking number” in the subject and file can change of course.

Virus Total results and MD5: da90a0c3000eb90ebc9394e5568c5c9a. 7 of the 36 anti virus engines detect the trojan so be carefull when you receive the message.

Filed under Viruses Tagged with , , , ,

UPS Tracking number trojan – another variant and Hallmark e-card

July 23, 2008 by mxlab 5 Comments

There is a new variant of the UPS Tracking number trojan on route. The subject is now “[RE] UPS Tracking Number 7056968807″ but the contents remains the same. The URL that is used by the trojan is slightly different, the host remails the same, the folder structure and the .bin file on the site is different: http://***********.ru/offshore/denis.bin. The number in the subject and file can be random.

The new variant is detected by 13 of the 35 anti virus engines at Virus Total. The MD5 hash is 488d34cd86e252abca560416413a595d.

Also, if you receive an Hallmark E-Card as attachment it’s also another variant of a Trojan-Dropper.Win32 also known as W32/P2Pworm.E.worm or Trojan.Delf.Inject.F. The chances for infection are much less, 24 of the 35 engines provide protection, so there’s a good chance that it’s captured.

When reading the comments on this blog and also on other resources and web site, I am amazed how many people have double clicked the attachment and have indeed infected their computer.

Now, a very simple tip for the future that is also mentioned on some other web sites as well is don’t open attachments without checking the content and senders first. Handle each email with attachments carefully and don’t start to extract them and click on executables and files with exotic extensions.

Large companies like UPS, Hallmark and others don’t send you an executable in a zip file. So this is something that you should be aware of. This is the first “red light”.

UPS tracking is done online on their web site and after all, think about it, a message stating that a delivery from July the 1st can’t be delivered while we are in fact July 23 is not a very good UPS service, right?

For Hallmark e-cards you also need to visit their web site to get your lovely e-card.

Following this simple guideline can avoid troubles of getting an infected computer. This applies for everyone. If you work from home, you are an individual, you are in a business environment, it’s a good tip for everyone.

Now, if you have a business with employees and multiple workstations, servers and computers and you have an infection on your network then you might ask yourself if your anti virus protection is up to the task of providing protection after all. It appears that it is not.

You are missing a good protection on the internet perimeter that is capable of responding faster to email based threats like viruses and trojans.

In that case, let me promote my company for once, contact MX Lab, get a 15 day trial of our zero hour anti virus and anti spam security services and notice the difference.

Filed under Spam, Viruses Tagged with , , , , , , , , ,

UPS Tracking number trojan – new variant

July 21, 2008 by mxlab 36 Comments

Around 00:02 AM, local Belgian time, MX Lab detected an outbreak of a new UPS tracking number trojan.

The email itself remains the same but the attachment name contains now a tracking number like UPS_INVOICE_978172.exe.

The .exe is a new variant and when submitting an example to Virus Total only 3 of the 34 anti virus engines detected this new variant. More details below in the table.

Antivirus Version Last Update Result
AhnLab-V3 2008.7.21.1 2008.07.21 -
AntiVir 7.8.1.11 2008.07.21 -
Authentium 5.1.0.4 2008.07.21 -
Avast 4.8.1195.0 2008.07.21 -
AVG 8.0.0.130 2008.07.21 -
BitDefender 7.2 2008.07.21 -
CAT-QuickHeal 9.50 2008.07.21 -
ClamAV 0.93.1 2008.07.21 -
DrWeb 4.44.0.09170 2008.07.21 -
eSafe 7.0.17.0 2008.07.21 Suspicious File
eTrust-Vet 31.6.5971 2008.07.21 -
Ewido 4.0 2008.07.21 -
F-Prot 4.4.4.56 2008.07.21 -
F-Secure 7.60.13501.0 2008.07.21 Suspicious:W32/Malware!Gemini
Fortinet 3.14.0.0 2008.07.21 -
GData 2.0.7306.1023 2008.07.21 -
Ikarus T3.1.1.34.0 2008.07.21 -
Kaspersky 7.0.0.125 2008.07.21 -
McAfee 5343 2008.07.21 -
Microsoft 1.3704 2008.07.22 -
NOD32v2 3284 2008.07.21 -
Norman 5.80.02 2008.07.21 -
Panda 9.0.0.4 2008.07.21 -
PCTools 4.4.2.0 2008.07.21 -
Prevx1 V2 2008.07.22 -
Rising 20.54.02.00 2008.07.21 -
Sophos 4.31.0 2008.07.21 -
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.21 -
TheHacker 6.2.96.385 2008.07.20 -
TrendMicro 8.700.0.1004 2008.07.21 -
VBA32 3.12.8.1 2008.07.21 suspected of Malware-Cryptor.Win32.General.2
VirusBuster 4.5.11.0 2008.07.21 -
Webwasher-Gateway 6.6.2 2008.07.21 -

The file contains threat characteristics of ZBot – a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system. It opens backdoors on infected computer to allow malicious attacker unauthorized access.

On an infected computer the trojan will create a new files like %System%\ntos.exe, %System%\wsnpoem\audio.dll, %System%\wsnpoem\video.dll and creates a new directory %System%\wsnpoem.

It also adds and modifies entries in the Windows registry and make connection with a server for http://*********.ru/******/odessa.bin. It opens random TCP ports in order to provide backdoor capabilities.

Update 10:00 AM Belgian time:

The MD5 on Virus Total is da4b7ef93c588ad799f1a1c5afb6cfad and the trojan is now detectedby 12 virus engines. Permalink: http://www.virustotal.com/

Filed under Viruses Tagged with , , , , , , ,

UPS Tracking number trojan

July 20, 2008 by mxlab 46 Comments

When you receive an email from UPS regarding a package that can’t be delivered due to an incorrect recipients address you better watch out. The chance is very likely that this is a new variant of a trojan trying to get your attention and to infect your computer.

 null

The messages contains the text:

Unfortunately we were not able to deliver postal package you sent on July the 1st in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office

Your UPS

The messages includes an attachment ups_invoice.zip which extracts the ups_invoice.exe file.  This file contains a trojan known as W32/Agent.HFN by F-Prot. We couldn’t resist to submit this file to Virus Total and to see how many signature based anti virus engine will detect this malware. This time there where only 8 of the 34 anti virus engines detecting the trojan.

Here are the complete results from Virus Total:

Antivirus Version Last Update Result
AhnLab-V3 2008.7.17.0 2008.07.18 -
AntiVir 7.8.1.11 2008.07.20 -
Authentium 5.1.0.4 2008.07.20 W32/Agent.HFN
Avast 4.8.1195.0 2008.07.20 -
AVG 8.0.0.130 2008.07.19 Dropper.Generic.VGK
BitDefender 7.2 2008.07.20 -
CAT-QuickHeal 9.50 2008.07.18 -
ClamAV 0.93.1 2008.07.20 -
DrWeb 4.44.0.09170 2008.07.20 -
eSafe 7.0.17.0 2008.07.20 Suspicious File
eTrust-Vet 31.6.5966 2008.07.18 -
Ewido 4.0 2008.07.20 -
F-Prot 4.4.4.56 2008.07.20 W32/Agent.HFN
F-Secure 7.60.13501.0 2008.07.20 Suspicious:W32/Malware!Gemini
Fortinet 3.14.0.0 2008.07.20 -
GData 2.0.7306.1023 2008.07.20 -
Ikarus T3.1.1.34.0 2008.07.20 Trojan-Dropper.Win32.Delf.aef
Kaspersky 7.0.0.125 2008.07.20 -
McAfee 5342 2008.07.18 -
Microsoft 1.3704 2008.07.20 -
NOD32v2 3282 2008.07.19 -
Norman 5.80.02 2008.07.18 -
Panda 9.0.0.4 2008.07.20 -
Prevx1 V2 2008.07.20 -
Rising 20.53.62.00 2008.07.20 -
Sophos 4.31.0 2008.07.20 -
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.20 -
TheHacker 6.2.96.385 2008.07.19 -
TrendMicro 8.700.0.1004 2008.07.18 -
VBA32 3.12.8.1 2008.07.20 -
VirusBuster 4.5.11.0 2008.07.19 Packed/Pohernah
Webwasher-Gateway 6.6.2 2008.07.20 Win32.Malware.gen#ASPack (suspicious)

Again, this is showing the importance of a zero hour anti virus protection like MX Lab is offering.

Filed under Viruses Tagged with , , , , , , ,