Fwd: Vertel de fiscus
Fwd: Niet in het derde kwartaal van dit jaar!
Informeer de belastingsdienst!
Order
Order #98314389
Re: adviser id: 586452.
Re: profile consultation id: 90616
The answer id: 79858
Your request id: 52018110.
…

The email is send from different spoofed addresses and has the following body:

Hallo
U moet de rekening betalen voor het einde van de week.
Details in de bijgevoegde documenten…

The attached ZIP file has the name Report.zip and contains the 41 kB large file Report.Docx____**____.exe (the filename contains many underscores to hide the .exe file type extension at the end).

The trojan is known as W32/Yakes.B!tr (Fortinet), UDS:DangerousObject.Multi.Generic (Kaspersky), Posible_Worm32 (TheHacker).

At the time of writing, only 4 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: 5037236777f3d320482de732688243faa192ade3bcbbda57472407d7b1219cfe.

The email has the following body:

Good day,
We are to inform you that someone just sent you a gift from amazon.com,
below is the recipt kindly open and track the order. Wishing you a lovely year ahead.
Best regards,
Amazon.com

The malware  is approx. 221 kB large and listens to the name file4402_fdp.exe.

The trojan is known as Win32:Malware-gen (Avast), Trojan.Win32.VBKrypt.imoz (Kaspersky), Artemis!798A4ABB09D7 (McAfee), Mal/Generic-L (Sophos).

At the time of writing, 24 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: 40bbaa3e93e50dbdc2b615ae383c3c36c0ab358c311a39efaf6c1246b71ef903.

The messages come the spoofed email address <member@linkedin.com> with the authors like:

Fenella  Macdonald via LinkedIn <member@linkedin.com>
Catriona  Bailey via LinkedIn <member@linkedin.com>
Susan  Jones via LinkedIn <member@linkedin.com>
....

Subjects in use:

Can i place your photo on my site?
Can i place your photo on our facebook page?
Can i place your information on our web page?
Can i place your video on our web site?
Can i place your video on my facebook page?
Can i place your contacts on our twitter page?
…..

Example of the email:

The URL in the message point to different web hosts and pages with an redirect HTML:

<html><head><title>Buy Viagra Online – Online Pharmacy</title><style type=”text/css”> a { font-size: 24pt; } </style><script type=”text/javascript”>var a = “hxxp://viagralevitratestosterone.com”;window.location = a;</script></head><body><center><h1>#1 Online Pharmacy</h1><br>Online DrugStore<br><a href=”hxxp://viagralevitratestosterone.com”>Buy Viagra Online</a></center></body></html>

In return, the redirect points to hxxp://viagralevitratestosterone.com.

The email is send from the spoofed address “Federal Deposit Insurance Company <convened@fdic.gov>” and has the following body:

Dear Business Customer,
We have important information about your bank.
Please refer to attached file to view information.
This includes information on the acquiring bank (if applicable), how your accounts and loans are affected, and how vendors can file claims against the receivership
Tue, 9 Jan 2012 12:11:34 +0100

---

FDIC USA Questions for FDIC?
Contact Us
Federal Insurance Company
3501 Fairfax Drive
Arlington VA 22226
877-275-3342

The attached ZIP file has the name FDIC_Information_About-your-business-account-JAN2012-223588.zip and contains the *** kB large file FDIC_Information_About-your-business-account-Jan-2012.exe (numbers will change)

The trojan is known as PWS-Zbot.gen.ma (McAfee), Trj/Zbot.L (Panda), Mal/Zbot-EZ (Sophos) and UDS:DangerousObject.Multi.Generic (Kaspersky).

At the time of writing, only 6 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5:4d9e26f544458084261d715a44d13e03.

The email is send from various spoofed addresses and has the following body:

I was at a party, got drunk, couldn’t drive the car, somebody gave me a lift on my car, and crossed on the red light!
I’ve just got the pictures, maybe you know him???
Here is the photo

I need to find him urgently!

Thank you
Asmita

Fingerprint: c72d5b3c-af1af1a5

At the end of the message there is a fingerprint code but don’t be filled by that. This is not a real proof that this message is secure and safe to use.

The URL behind ‘Here is the photo’ will lead to a site where a redirect is a place to the malware payload. The URL can be identified quite easily because they are fairly long, will point to servers where blogs are hosted and quite often have what appears random characters and variables inside.

An example:

hxxp://newflight.info/wp-content/themes/twentyten/wvfou.htm?
GAJLZP=Y73TY9V&SS4C24F=1H9F0COJCVB2P8FAVJL&Z208W=116AEU0Z&XC8C
=3I1MPP6A2K42K&BO77Z=67QUD1YRE9QF11FV&04T9Z=4942YY7N&KMLD=HUKYAXRX7AUD5R4UK&"

These pages will continue with a redirect, embedded in an iframe HTML tag, to for example hxxp://cgredret.ru/main.php.

MX Lab recommend not to follow any of the embedded URLs.

The email is send from the spoofed address “Account Support” and has the following body:

An Account Activity Notification you created has detected that the
following transaction has posted as of 12/19/11. The detail information
associated with the transaction is as follows:

Account: XXXXXX5693

Transaction Description: Incoming Wire Transfer
Amount: $087,390.45
Type: Credit
Reference Info: 1453328649OS
Availability: Immediate

PLEASE REFER TO ATTACHED FORM FOR MORE DETAILS

CONFIDENTIALITY NOTICE: This electronic mail transmission may contain
legally privileged, confidential information belonging to the sender. The
information is intended only for the use of the individual or entity named
above. If you are not the intended recipient, you are hereby notified that
any disclosure, copying, distribution or taking any action based on the
contents of this electronic mail is strictly prohibited. If you have
received this electronic mail in error, please contact sender and delete
all copies.

The attached ZIP file has the name Account_Update_Notification_12192011-71714.zip and contains the 210 kB large file Account_Update_Notification_12192011.exe. The filenames will vary with each email.

The trojan is known as Trojan.Win32.Heur.Gen (ByteHero) or PWS-Zbot.gen.ma (McAfee).

At the time of writing, only 2 of the 42 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5: 09707085eb9812202ba72a1c6f6c5f4a.

Subjects will vary, the email is send from different spoofed addresses and here we have some samples:

Goeie morgen,

Het antwoord op uw vraag over het profiel op de website van 30.11.2011
hxxp://www.quattro-stagioni.it/docdown/Factuur.zip?idinvoice=1615847338768Firma=ontario583@csk-rijssen.nl

We zijn blij om samen te werken in de toekomst.

Het antwoord op uw vraag over het profiel op de website van 30.11.2011
hxxp://www.sanseverocommunity.com/docdown/Factuur.zip?idinvoice=27043890762Firma=info@bloemex.nl

The trojan is known as Artemis!6287782884ED (McAfee), Downloader.Dromedan (Symantec), Trojan.Win32.Yakes (Ikarus), Trojan.Generic.7001815 (BitDefender).

At the time of writing, 37 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5: 6287782884edba7ca26df03942798739.

The email is send from the spoofed address “Federal Deposit Insurance Company”and has the following body:

Dear Business Customer,
We have important information about your bank.
Please refer to attached file to view information.
This includes information on the acquiring bank (if applicable), how your accounts and loans are affected, and how vendors can file claims against the receivership
FDIC USA Questions for FDIC?
Contact Us
Federal Insurance Company
� 3501 Fairfax Drive
� Arlington VA 22226
� 877-275-3342

The attached ZIP file has the name FDIC_Information_About-your-business-account-07193.zip and contains the 205 kB large file FDIC – Important Information About your business account.exe.

The trojan is known as PWS-Zbot.gen.hb (McAfee), Trojan.Zbot (Symantec), Win32.Outbreak!IK (Emsisoft).

At the time of writing, only 5 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5: c1e121392a4ee3a1822e944367bcd3e6.

MX Lab, http://www.mxlab.eu, intercepted some emails with the subject “How To Beat The S&P500 By 5,420 pc Or MORE?, Wed, 7 Dec 2011 15:26:29 +0100, MAAIGNCPV5″.

The subjects looks very familiar and could be compared to the latest trojan distribution campaigns that we have seen with the account information from Verizon Wireless or the Adobe Critical Upgrade notification. The subjects comes along with a date stamp and a randomly generated letter and number combination.

The email is send from the spoofed addresses, in our case from the domain vzw.com and has the following body:

Hello Dear!

As you probably know, there are over 7,000 stocks to choose from on just the U.S. exchanges alone…
But what you might NOT know is that about 97% of these stocks are PURE POISON for your portfolio, meaning that the odds are stacked AGAINST you before you even place a trade. Recently, one of the most respected trading experts in our community discovered a way to automatically FILTER OUT the ‘poison’ stocks and leave you with:
* The Top 3% that offer the most profit potential every time you trade.

Feel free refer to attach for more detailed information!

Thanks a lot!

The attached ZIP file has the name 97_percents_poison_stocks_overview_report-19560.zip and contains the 200 kB large file 97_percents_poison_stocks_overview_report.exe.

The trojan is known as TR/Spy.ZBot.oke (AntiVir), Trojan.Generic.KDV.461730 (BitDefender), Trojan-Spy.Agent!IK (Emsisoft), Trojan-Spy.Win32.Zbot.crnn (Kaspersky), PWS-Zbot.gen.hb (McAfee), Trojan.Zbot (Symantec).

At the time of writing, 17 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5: 67a24430319bb92f3113d752c84d4a87.