mxlab - all about anti virus and anti spam

Emails regarding rejected ACH payment contains security risk

mxlab — Tue, 31 Jan 2012 19:08:02 +0000

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subjects like:

Rejected ACH transaction
Rejected ACH payment
Your ACH transfer
…

The email is send from the spoofed addresses like:

“\”The Electronic Payments Association\” risk.manager”@nacha.org
“\”The Electronic Payments Association\” alerts”@nacha.org
“\”The Electronic Payments Association\” risk”@nacha.org
“\”The Electronic Payments Association\” transfers”@nacha.org
“\”The Electronic Payments Association\” ach”@nacha.org
“\”The Electronic Payments Association\” payment”@nacha.org
…

The email has the following body:

The ACH transaction (ID: 02710822288793), recently sent from your checking account (by you or any other person), was rejected by the Electronic Payments Association.

Canceled transaction
Transaction ID: 02710822288793
Reason for rejection See details in the report below
Transaction Report report_02710822288793.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171

2011 NACHA – The Electronic Payments Association

A sample of the email:

The URLs for the transaction report are different and in some cases no longer valid. Some examples:

hxxp://minalimo.com/f9oYYmiY/index.html
hxxp://maerlipinte.ch/LaV4inWa/index.html
hxxp://hotel-sicily.it/aRpcdCjd/index.html
…

One of the URLs did give us a result: hxxp://ftp.samisalami.com/8KQZuSAy/index.html.

When investigating the HTML code of this web page we got the following:

WAIT PLEASE

Loading…

As you can see, some Javascripts are loaded when opening this web page. Some URLs to the javascripts are also obsolete but some of them returns the code: “document.location=’hxxp://sulusate.com/forum/index.php?showtopic=997439′;”.

The above URL gives us the web page with the following code:

33wypywexi2gsq3jsvyq3pseh2tltCwls{jsvyqAvlmrs”>

33wypywexi2gsq3jsvyq3pseh2tltCwls{jsvyqAsfi”>

When opening the URLs in a web browser – something we do not recommend to even try – you will get redirected to bing.com or another web site so you won’t see this code.

It seems that some javascript is obfuscated and that .jar files are involved here inside an applet. The risk is that these applets in java could contain malicious code. Ooo.jar is however related to OpenOffice but in this case it can also be used for phishing.

This email is a security risk – a virus or a phishing attempt – for sure so do not follow any URLs or open files.

Email “FedEx, Shipment Notification” with trojan in zip attachement

mxlab — Mon, 30 Jan 2012 21:56:31 +0000

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “FedEx, Shipment Notification”.

The email is send from the spoofed address “FedEx ” and has the following body:

The attached ZIP file has the name FedEx-Shipment-Notification_GX3553U8-Jan2012.zip and contains the 200 kB large file FedEx-Shipment-Notification.exe.

The trojan is known as W32/Trojan3.DEC (F-Prot), Trojan-Spy:W32/Zbot.AVRN (F-Secure), Trojan-Dropper.Win32.Injector.clrk (Kaspersky), Trojan.Zbot (Sophos).

At the time of writing, only 11 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: 28aba7221fe47882164fa45d9d63c58110b96b94d9b2291b692afaa7406c2e46.

Dutch emails with Report.zip attached contains trojan

mxlab — Fri, 20 Jan 2012 05:48:47 +0000

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the following possible subjects:

Fwd: Vertel de fiscus
Fwd: Niet in het derde kwartaal van dit jaar!
Informeer de belastingsdienst!
Order
Order #98314389
Re: adviser id: 586452.
Re: profile consultation id: 90616
The answer id: 79858
Your request id: 52018110.
…

The email is send from different spoofed addresses and has the following body:

Hallo
U moet de rekening betalen voor het einde van de week.
Details in de bijgevoegde documenten…

The attached ZIP file has the name Report.zip and contains the 41 kB large file Report.Docx____**____.exe (the filename contains many underscores to hide the .exe file type extension at the end).

The trojan is known as W32/Yakes.B!tr (Fortinet), UDS:DangerousObject.Multi.Generic (Kaspersky), Posible_Worm32 (TheHacker).

At the time of writing, only 4 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: 5037236777f3d320482de732688243faa192ade3bcbbda57472407d7b1219cfe.

New year gift from Amazon sent by a friend contains malware

mxlab — Thu, 19 Jan 2012 16:48:07 +0000

MX Lab, http://www.mxlab.eu, intercept a few samples of a new trojan found in emails with the subject ”A friend just sent you a new year gift from amazon” sent from the spoofed address “amazon seller ”.

The email has the following body:

Good day,
We are to inform you that someone just sent you a gift from amazon.com,
below is the recipt kindly open and track the order. Wishing you a lovely year ahead.
Best regards,
Amazon.com

The malware is approx. 221 kB large and listens to the name file4402_fdp.exe.

The trojan is known as Win32:Malware-gen (Avast), Trojan.Win32.VBKrypt.imoz (Kaspersky), Artemis!798A4ABB09D7 (McAfee), Mal/Generic-L (Sophos).

At the time of writing, 24 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: 40bbaa3e93e50dbdc2b615ae383c3c36c0ab358c311a39efaf6c1246b71ef903.

Spam in fake LinkedIn messages

mxlab — Thu, 19 Jan 2012 16:30:24 +0000

MX Lab, http://www.mxlab.eu, has noticed a large spam campaign on behalf of the Canadian Family Pharmacy in fake LinkedIn messages.

The messages come the spoofed email address with the authors like:

Fenella  Macdonald via LinkedIn 
Catriona  Bailey via LinkedIn 
Susan  Jones via LinkedIn 
....

Subjects in use:

Can i place your photo on my site?
Can i place your photo on our facebook page?
Can i place your information on our web page?
Can i place your video on our web site?
Can i place your video on my facebook page?
Can i place your contacts on our twitter page?
…..

Example of the email:

The URL in the message point to different web hosts and pages with an redirect HTML:

Buy Viagra Online – Online Pharmacy

#1 Online Pharmacy

Online DrugStore
Buy Viagra Online

In return, the redirect points to hxxp://viagralevitratestosterone.com.

Emails with subject “FDIC: About your business account” contains new trojan

mxlab — Tue, 10 Jan 2012 11:23:31 +0000

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “FDIC: About your business account QHOFB1Z84963″ (the combination at the end will change with each email).

The email is send from the spoofed address “Federal Deposit Insurance Company ” and has the following body:

Dear Business Customer,
We have important information about your bank.
Please refer to attached file to view information.
This includes information on the acquiring bank (if applicable), how your accounts and loans are affected, and how vendors can file claims against the receivership
Tue, 9 Jan 2012 12:11:34 +0100

FDIC USA Questions for FDIC?
Contact Us
Federal Insurance Company
3501 Fairfax Drive
Arlington VA 22226
877-275-3342

The attached ZIP file has the name FDIC_Information_About-your-business-account-JAN2012-223588.zip and contains the *** kB large file FDIC_Information_About-your-business-account-Jan-2012.exe (numbers will change)

The trojan is known as PWS-Zbot.gen.ma (McAfee), Trj/Zbot.L (Panda), Mal/Zbot-EZ (Sophos) and UDS:DangerousObject.Multi.Generic (Kaspersky).

At the time of writing, only 6 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5:4d9e26f544458084261d715a44d13e03.

Have a safe 2012!

mxlab — Wed, 28 Dec 2011 23:50:44 +0000

“I’m in trouble!” email malware distribution attempt

mxlab — Thu, 22 Dec 2011 21:17:07 +0000

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Fwd: I’m in trouble!”.

The email is send from various spoofed addresses and has the following body:

I was at a party, got drunk, couldn’t drive the car, somebody gave me a lift on my car, and crossed on the red light!
I’ve just got the pictures, maybe you know him???
Here is the photo

I need to find him urgently!

Thank you
Asmita

Fingerprint: c72d5b3c-af1af1a5

At the end of the message there is a fingerprint code but don’t be filled by that. This is not a real proof that this message is secure and safe to use.

The URL behind ‘Here is the photo’ will lead to a site where a redirect is a place to the malware payload. The URL can be identified quite easily because they are fairly long, will point to servers where blogs are hosted and quite often have what appears random characters and variables inside.

An example:

hxxp://newflight.info/wp-content/themes/twentyten/wvfou.htm?
GAJLZP=Y73TY9V&SS4C24F=1H9F0COJCVB2P8FAVJL&Z208W=116AEU0Z&XC8C
=3I1MPP6A2K42K&BO77Z=67QUD1YRE9QF11FV&04T9Z=4942YY7N&KMLD=HUKYAXRX7AUD5R4UK&"

These pages will continue with a redirect, embedded in an iframe HTML tag, to for example hxxp://cgredret.ru/main.php.

MX Lab recommend not to follow any of the embedded URLs.

Account Activity Notification with attached ZIP file contains a trojan

mxlab — Wed, 21 Dec 2011 16:35:22 +0000

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Account Activity Notification 2419060820NJ” – the number and letters will vary.

The email is send from the spoofed address “Account Support” and has the following body:

An Account Activity Notification you created has detected that the
following transaction has posted as of 12/19/11. The detail information
associated with the transaction is as follows:

Account: XXXXXX5693

Transaction Description: Incoming Wire Transfer
Amount: $087,390.45
Type: Credit
Reference Info: 1453328649OS
Availability: Immediate

PLEASE REFER TO ATTACHED FORM FOR MORE DETAILS

CONFIDENTIALITY NOTICE: This electronic mail transmission may contain
legally privileged, confidential information belonging to the sender. The
information is intended only for the use of the individual or entity named
above. If you are not the intended recipient, you are hereby notified that
any disclosure, copying, distribution or taking any action based on the
contents of this electronic mail is strictly prohibited. If you have
received this electronic mail in error, please contact sender and delete
all copies.

The attached ZIP file has the name Account_Update_Notification_12192011-71714.zip and contains the 210 kB large file Account_Update_Notification_12192011.exe. The filenames will vary with each email.

The trojan is known as Trojan.Win32.Heur.Gen (ByteHero) or PWS-Zbot.gen.ma (McAfee).

At the time of writing, only 2 of the 42 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5: 09707085eb9812202ba72a1c6f6c5f4a.

Emails with URL that contains /docdown/ will download malware

mxlab — Thu, 08 Dec 2011 00:59:22 +0000

MX Lab, http://www.mxlab.eu, is intercepting emails with a potential dangerous URL embedded in the body of the email. The URL includes the part /docdown/ and will refer to an online ZIP file.

Subjects will vary, the email is send from different spoofed addresses and here we have some samples:

Goeie morgen,

Het antwoord op uw vraag over het profiel op de website van 30.11.2011
hxxp://www.quattro-stagioni.it/docdown/Factuur.zip?idinvoice=1615847338768Firma=ontario583@csk-rijssen.nl

We zijn blij om samen te werken in de toekomst.

Het antwoord op uw vraag over het profiel op de website van 30.11.2011
hxxp://www.sanseverocommunity.com/docdown/Factuur.zip?idinvoice=27043890762Firma=info@bloemex.nl

The trojan is known as Artemis!6287782884ED (McAfee), Downloader.Dromedan (Symantec), Trojan.Win32.Yakes (Ikarus), Trojan.Generic.7001815 (BitDefender).

At the time of writing, 37 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5: 6287782884edba7ca26df03942798739.