mxlab - all about anti virus and anti spam » Search Results » UPS+Tracking

“United Parcel Service notification 48161” from UPS contains trojan

mxlab — Sun, 27 Mar 2011 19:39:01 +0000

MX Lab, http://www.mxlab.eu, started to intercept a new trojan variant distribution campaign by email with the subject “United Parcel Service notification 48161”, where the number in the subject may vary, with more or less the same email characteristics of the previous campaign MX Lab posted earlier this week but with with a very low detection rate at the time of writing: only 5 of the 43 AV engines did detect the trojan at Virus Total!

The email is send from the spoofed addresses “United Parcel Service <****@ups.com>” where *** is filled in with various combinations like:

infoads@ups.com
infoad111@ups.com
infoad@ups.com
infosec@ups.com
infosec1@ups.com
infosec3@ups.com
infosec4@ups.com
infoser@ups.com
infoser1@ups.com
infoser2@ups.com
infoser3@ups.com
infoser4@ups.com
infosec8@ups.com
…

The message has the following body:

Dear customer.

The parcel was sent your home address.
And it will arrive within 3 business day.

More information and the tracking number are attached in document below.

Thank you.
© 1994-2011 United Parcel Service of America, Inc.

The attached ZIP file has the name UPS-document.zip and contains the 20 kB large file UPS-document.exe.

The trojan is known as Artemis!08BA3C182674 (MacAfee), Trj/CI.A (Panda).

Virus Total permalink and MD5: 08ba3c182674398cd2190cad5dc327ef.

The trojan will install itself on an infected computer and will obtain data from the following URLs:

http://109.94.220.52/lol2.exe
http://109.94.220.52/pod.exe
http://109.94.220.52/spm.exe
http://91.213.29.175/lol2.exe
http://91.213.29.175/pod.exe
http://91.213.29.175/spm.exe

For each of the files we have the following report:

lol2.exe:

FakeAlert-CN.gen.h (MacAfee), FraudTool.Win32.FakeRean.b (Vipree)
Virus Total permalink – MD5: 43b84209a37ebdee99996b073562203e

Will install the file %AppData%\pux.exe, modify registry, connects to IP 69.50.209.138 on port 80 and will request URL hxxp://vogunemymyko.com/1017000412

pod.exe:

Worm/Rorpian.A (AntiVir), W32/Worm-FAO!1B984534DCC8 (McAfee)
Virus Total permalink – MD5: 1b984534dcc8d761703437f10a9cf179

Will install the file %Temp%\srvB8.tmp, connects to IP 188.138.48.178 on port 80 and will request URL hxxp://188.138.48.178/service/listener.php?affid=50039

spm.exe:

Artemis!CCB935935C60 (MacAfee), W32/Spammer.AQZ.worm (Panda)
Virus Total permalink – MD5: ccb935935c60b7c931201daa9efd6af4

Will install the files %System%\mhmhbrog.dll and %System%\tmp.tmp, modify the registry, and make connections to the following IPs:

124.108.116.109, on port 25
67.195.168.31, on port 25
98.137.54.237, on port 25
98.139.54.60, on port 25
46.4.10.7, on port 8000 and 8001

This malware will also generate SMTP traffic from the spoofed email addresses:

This malicious payload will create the following files:

%CommonAppData%\472v34rbtx7a80t655b4m22u3yx11w233mh156g3
%AppData%\472v34rbtx7a80t655b4m22u3yx11w233mh156g3
%Temp%\472v34rbtx7a80t655b4m22u3yx11w233mh156g3
%Templates%\472v34rbtx7a80t655b4m22u3yx11w233mh156g3
%AppData%\Microsoft\conhost.exe
%AppData%\xbr.exe
%Temp%\srvC8.tmp
%System%\mtcaqnbx.dll
%System%\musawolc.dll

The following processes will be created:

conhost.exe: %AppData%\Microsoft\conhost.exe
xbr.exe: %AppData%\xbr.exe

The following hostnames are requested from the host database:

ponel.biz
itisformebaby.biz
zuzosahule.com
dafatesomyz.com
jumonevetode.com
gokuzajylot.com
lukofymela.com
jebuponip.com
quxovasuced.com
laqoduhisegu.com
xyseditacif.com
dihemehypuq.com
wylyxaqunowy.com
qepovexidysopy.com
bebecebyt.com
rumesexyzobuz.com
kyxiteruk.com
kexigulat.com
jarynokab.com
lefurasacaveta.com
cicabijyni.com
ridibasofetevi.com
sihorarofiqiha.com
ropunonic.com
xyxukinasacujo.com
tapahagupaji.com
zonotunev.com
raxukakudumow.com
vogunemymyko.com
zufonabubi.com
bynoripuqoxyl.com
kytelaticik.com
qyvexyhun.com
myhofociv.com
dalebihyku.com
kijyjajutava.com
decufysohyh.com
sezixalekur.com
lolypositole.com
hohimedag.com
hikiniribep.com
fyxinolydima.com
gonifyzadiby.com
wavupinycom.com
xykecolun.com
hisepelihyzex.com
xixeriwihat.com
vetidicawisos.com
dijipabamefuw.com
naxucerybaqecy.com
hegylocimemyja.com
roboralipijago.com
samykacagatet.com
fusipemura.com
sazulipum.com
fuxawekugygil.com

A connection attempt to itisformebaby.biz on port 8000 is executed and a connection is established to the IP 188.138.48.178 on port 80 with the request service/listener.php?affid=50039.

The following HTTP URLs were started reading:

hxxp://vogunemymyko.com/1017000412
hxxp://zufonabubi.com/1017000412
hxxp://bynoripuqoxyl.com/1017000412
hxxp://kytelaticik.com/1017000412
hxxp://qyvexyhun.com/1017000412
hxxp://myhofociv.com/1017000412
hxxp://dalebihyku.com/1017000412
hxxp://kijyjajutava.com/1017000412
hxxp://decufysohyh.com/1017000412
hxxp://sezixalekur.com/1017000412
hxxp://lolypositole.com/1017000412
hxxp://hohimedag.com/1017000412
hxxp://hikiniribep.com/1017000412
hxxp://fyxinolydima.com/1017000412
hxxp://gonifyzadiby.com/1017000412
hxxp://wavupinycom.com/1017000412
hxxp://xykecolun.com/1017000412
hxxp://hisepelihyzex.com/1017000412
hxxp://xixeriwihat.com/1017000412
hxxp://vetidicawisos.com/1017000412
hxxp://dijipabamefuw.com/1017000412
hxxp://naxucerybaqecy.com/1017000412
hxxp://hegylocimemyja.com/1017000412
hxxp://roboralipijago.com/1017000412
hxxp://samykacagatet.com/1017000412
hxxp://fusipemura.com/1017000412
hxxp://sazulipum.com/1017000412
hxxp://fuxawekugygil.com/1017000412

“United Parcel Service notification” from UPS contains trojan

mxlab — Wed, 23 Mar 2011 16:38:28 +0000

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “United Parcel Service notification

The email is send from the spoofed address “United Parcel Service <****@ups.com>” where *** is filled in with various combinations like:

infojs@
joiner2@
joiner22@
joisupport@ups.com
supportadm@ups.com
….

The message has the following body:

Dear customer.

The parcel was sent your home address.
And it will arrive within 7 business day.

More information and the tracking number are attached in document below.

Thank you.
© 1994-2011 United Parcel Service of America, Inc.

The attachedZIP file has the name UPSnotice.rar and contains the 16 kB large file UPS notify.exe.

The trojan is known as BDS/Hostil.F.9 (Antivir), TrojanDownloader:Win32/Chepvil.I (Microsoft), Mal/Bredo-K (Sophos), Backdoor.Cycbot (Symantec).

The following files will be created:

%Temp%\lol2.exe

The trojan can establish connection with the IP 193.105.121.33 on port 80 and data will be obtained from following URL hxxp://193.105.121.33/lol2.exe.

At the time of writing, only 20 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5: cc040e69121bc19f23ef4a32dbb8a80e.

New Bredolab trojan variants in DHL and UPS tracking emails

mxlab — Tue, 19 Jan 2010 20:49:51 +0000

MX Lab intercepted several email messages with new Bredolab trojan variants in the traditional style: emails regarding the tracking of a parcel. We noticed new campaigns using the DHL and UPS tracking style. We will cover them both in this article at the same time.

The trojan is known as Trojan.Win32.Bredolab, Trojan-Downloader:W32/Bredolab.WI or TrojanDownloader:Win32/Bredolab.AB.

UPS Tracking Number

The message comes from the spoofed address UPS Manager *** (*** stands for a random firstname lastname format). The subject is UPS Tracking Number 42163829 (number may vary with each email). The body of the email:

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
United Parcel Service.

The email contains the archive file UPS_invoice _Nr4593.zip, where the number matches the number in the subject. Extracted the executable UPS_invoice _Nr4593.exe is present with a file size of 68kB.

The trojan will create the following files on the system:

%Profiles%\LocalService\Application Data\mvhgkr.dat
%AppData%\avdrn.dat
%DesktopDir%\Internet Security 2010.lnk
%StartMenu%\Internet Security 2010.lnk
%Programs%\Startup\rarype32.exe
%ProgramFiles%\InternetSecurity2010\IS2010.exe
%System%\41.exe
%System%\helper32.dll
%System%\smss32.exe
%System%\winlogon32.exe
%System%\warning.html

There were new processes created in the system:

%System%\smss32.exe
%ProgramFiles%\internetsecurity2010\is2010.exe

Various registry settings will be changed while the port 1054 on TCP is open for the service smss32.exe (%System%\smss32.exe). Connections to remote host are established: 193.104.153.30 on port 80 and to 193.104.94.5 op port 4455.

The data identified by the following URLs was then requested from the remote web server:

* http://downloadavr40.com/loads.php?code=0001384
* http://downloadavr40.com/dfghfghgfj.dll
* http://downloadavr40.com/cgi-bin/download.pl?code=0001384
* http://testavrdown.com/cgi-bin/get.pl?l=0001384

Virus Total permlink and MD5: 28d798d6021e600101ba68ea87345656. At the time of writing this article, only 10 of the 41 AV engines did detect the trojan variant.

DHL Tracking Number

The email comes from the spoofed address Support *** (*** stands for a random firstname lastname format).

Possible subject formats are:

DHL Delivery Problem NR 98545
DHL International. Get your parcel NR.5269
DHL Customer Services. Get your parcel NR.0961
DHL Express Services. Get your parcel NR.6493
DHL Office. Get your parcel NR.6366
DHL Tracking Number 40834372048

The body of the email:

Hello!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Express Services.

The email contains the archive file DHL_label_Nr2387.zip. Extracted the executable DHL_label_Nr2387.exe is present with a file size of 68kB. The numbers in the filename may vary.

Following files are created on the system:

%AppData%\avdrn.dat
%Programs%\Startup\rarype32.exe

Virus Total permlink and MD5: 7c874b52eee7196ef96dc8710b957033.

New ZBot trojan detected in UPS tracking emails

mxlab — Wed, 27 May 2009 22:40:56 +0000

Email messages coming from UPS with the subject “Postal Tracking #FDD4Q22514LDU4N” and the attached file UPS_DOC_986001.zip are part of a new malware distribution by email. MX Lab intercepted the first samples of a new variant that is only detected by 5 of the 40 AV engines of Virus Total.

The body of the email:

Hello!

We were not able to deliver postal package you sent on the 14th of March in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.

Your United Parcel Service of America

The trojan will create the following files:

%AppData%\wiaserva.log
%Temp%\WER699f.dir00\appcompat.txt
%Temp%\WER699f.dir00\explorer.exe.hdmp
%Temp%\WER699f.dir00\explorer.exe.mdmp
%Temp%\WER699f.dir00\manifest.txt
%System%\wbem\grpconv.exe

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

The following directy is created: %Temp%\WER699f.dir00.
A new process is created in the system: %System%\wbem\grpconv.exe along with some Windows registry modifications.

The following URL is being used: hxxp://dollarpoint.ru/abc/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&rnd=8520045

Virus Total link and MD5: de90a24f3dfb5c1c8d4a0a3104f3dd4a.

New UPS trojan detected: TrojanSpy.ZBot.DGI

mxlab — Mon, 02 Mar 2009 23:45:22 +0000

Posting updated on 10 March 2009. Read the new information at the end of this posting.

MX Lab intercepted a few messages, with the zero hour anti virus system, that claim that the delivery of the postal package that is handled by UPS has failed due to an incorrect address. At the time of writing, 03.02.2009 22:55:45 (CET), only 7 of the 38 anti virus engines detect this new variant.

The trojan is named TrojanSpy.ZBot.DGI (VirusBuster), Trojan-Dropper.Delf (Ikarus) or VirTool:Win32/DelfInject.gen!J (Microsoft).

The from address is spoofed and contains “United Postal Service ”.

The message contains the following body content:

Hello!

Sorry, we were not able to deliver postal package you sent on February the 23th in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office.

Your UPS Support Team

The trojan hides itself inside the file Invoice_8612112.exe once you have extracted the ZIP archive Invoice_8612112.zip. Names and numbers may vary.

It has the same characteristics as in one of our previous blog posts with the difference that the connection to the remote host 91.211.65.33 now tries to get /ejik/admin.bin and /ejik/hot.php.

Virus Total permlink and MD5: a3d1a160e6ce8ca4c2b4421731e549c2.

Update 10 March 2009: A new variant is being distributed. The attached file is named UPS_ID.zip and contains the trojan UPS_ID.exe.

Virus Total permlink and MD5: b5e44647bc1f08c4d7f32fc933db1ac6.

New UPS trojan variant: Delivery problems

mxlab — Sun, 11 Jan 2009 14:02:54 +0000

A new UPS trojan variant is being detected called Mal/Zbot-G by Sophos and VirTool:Win32/Obfuscator.CT by Microsoft.

MX Lab was the first to send and analyse the file by Total Virus. Only 2 of the 36 AV engines at Virus Total did detect the trojan at the time of writing. So be aware that this email contains malware so don’t open the attachment.

The senders email addres is: United Postal Service .

The subject is: Delivery problems

The content of the body:

Hello!

Sorry, we were not able to deliver postal package you sent on December the 25th in time because the recipients address is not correct. Please print out the invoice copy attached and collect the package at our office.

Your UPS Support Team

The file attached is names UPSInv.zip and the ZIP archive contains UPSInv.exe.

Please note that the senders email address, the subject, body and attached file names can change.

This is the Trojan-Spy.Zbot.YETH, which is a rootkit trojan which steals online banking information and downloads other malware as well. The origin is possibly the Russian Federation.

Local files created:

%System%\twain32\local.ds
%System%\twain32\user.ds
%System%\twain32\user.ds.lll
%System%\twex.exe

Several Windows registry changes are being made, one registry change makes ure that twex.exe is run every thime Windows starts, and the trojan makes connection with the host 91.211.65.33 on port 80 and a GET command is executed to ferrari/admin.bin.

Virus Total permlink and MD5 hash: 61a1617ddb5c5bdb495b29bd1719e965.

UPS Postal Service trojan still active

mxlab — Tue, 25 Nov 2008 16:30:29 +0000

In the past we’ve seen many variants of the UPS email containing an attached trojan in a zip file known now as Win32/Kollah.RT, 32/Zbot.GXN!tr.spy or TrojanSpy:Win32/Zbot.gen!C according to the virus engine. Since yesterday we’ve seen a new variant and it is quite active and being distributed because MX Lab has intercepted quite some samples of this emails.

The emails hasn’t changed much, the subject is “Your Tracking # 877874077711″ (where the number is dyanimc and changes often) and the content of the body:

Sorry, we were not able to deliver postal package you sent on November the 1st in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office. If you do not receive package in ten days you will have to pay 36$ per day.

Your UPS

The email has the zip file Invoice_UPS.zip attached with the Invoice_UPS.exe inside.

VirusTotal Permalink and MD5: 68ab2a6801bbc18e727d8ac093c8087f.

FedEx Tracking number trojan

mxlab — Sat, 09 Aug 2008 16:48:25 +0000

MX Lab has intercepted a few messages with the subject “[NO-REPLY] FedEx Tracking Number 26901603″ with an attached trojan. After the UPS Tracking trojan campaign it’s now time to use FedEx.

The content of the email has the same characteristics as the UPS trojan:

Unfortunately we were not able to deliver postal package you sent on July the 31 in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office

Your FedEx

The email has attached the zip archive named FedEx_Invoice.zip with the executable FedEx_Invoice_N882874421.exe. The “tracking number” in the subject and file can change of course.

Virus Total results and MD5: da90a0c3000eb90ebc9394e5568c5c9a. 7 of the 36 anti virus engines detect the trojan so be carefull when you receive the message.

UPS Tracking number trojan – another variant and Hallmark e-card

mxlab — Wed, 23 Jul 2008 18:59:56 +0000

There is a new variant of the UPS Tracking number trojan on route. The subject is now “[RE] UPS Tracking Number 7056968807″ but the contents remains the same. The URL that is used by the trojan is slightly different, the host remails the same, the folder structure and the .bin file on the site is different: http://***********.ru/offshore/denis.bin. The number in the subject and file can be random.

The new variant is detected by 13 of the 35 anti virus engines at Virus Total. The MD5 hash is 488d34cd86e252abca560416413a595d.

Also, if you receive an Hallmark E-Card as attachment it’s also another variant of a Trojan-Dropper.Win32 also known as W32/P2Pworm.E.worm or Trojan.Delf.Inject.F. The chances for infection are much less, 24 of the 35 engines provide protection, so there’s a good chance that it’s captured.

When reading the comments on this blog and also on other resources and web site, I am amazed how many people have double clicked the attachment and have indeed infected their computer.

Now, a very simple tip for the future that is also mentioned on some other web sites as well is don’t open attachments without checking the content and senders first. Handle each email with attachments carefully and don’t start to extract them and click on executables and files with exotic extensions.

Large companies like UPS, Hallmark and others don’t send you an executable in a zip file. So this is something that you should be aware of. This is the first “red light”.

UPS tracking is done online on their web site and after all, think about it, a message stating that a delivery from July the 1st can’t be delivered while we are in fact July 23 is not a very good UPS service, right?

For Hallmark e-cards you also need to visit their web site to get your lovely e-card.

Following this simple guideline can avoid troubles of getting an infected computer. This applies for everyone. If you work from home, you are an individual, you are in a business environment, it’s a good tip for everyone.

Now, if you have a business with employees and multiple workstations, servers and computers and you have an infection on your network then you might ask yourself if your anti virus protection is up to the task of providing protection after all. It appears that it is not.

You are missing a good protection on the internet perimeter that is capable of responding faster to email based threats like viruses and trojans.

In that case, let me promote my company for once, contact MX Lab, get a 15 day trial of our zero hour anti virus and anti spam security services and notice the difference.

UPS Tracking number trojan – new variant

mxlab — Mon, 21 Jul 2008 23:05:55 +0000

Around 00:02 AM, local Belgian time, MX Lab detected an outbreak of a new UPS tracking number trojan.

The email itself remains the same but the attachment name contains now a tracking number like UPS_INVOICE_978172.exe.

The .exe is a new variant and when submitting an example to Virus Total only 3 of the 34 anti virus engines detected this new variant. More details below in the table.

Antivirus Version Last Update Result

AhnLab-V3 2008.7.21.1 2008.07.21 -

AntiVir 7.8.1.11 2008.07.21 -

Authentium 5.1.0.4 2008.07.21 -

Avast 4.8.1195.0 2008.07.21 -

AVG 8.0.0.130 2008.07.21 -

BitDefender 7.2 2008.07.21 -

CAT-QuickHeal 9.50 2008.07.21 -

ClamAV 0.93.1 2008.07.21 -

DrWeb 4.44.0.09170 2008.07.21 -

eSafe 7.0.17.0 2008.07.21 Suspicious File

eTrust-Vet 31.6.5971 2008.07.21 -

Ewido 4.0 2008.07.21 -

F-Prot 4.4.4.56 2008.07.21 -

F-Secure 7.60.13501.0 2008.07.21 Suspicious:W32/Malware!Gemini

Fortinet 3.14.0.0 2008.07.21 -

GData 2.0.7306.1023 2008.07.21 -

Ikarus T3.1.1.34.0 2008.07.21 -

Kaspersky 7.0.0.125 2008.07.21 -

McAfee 5343 2008.07.21 -

Microsoft 1.3704 2008.07.22 -

NOD32v2 3284 2008.07.21 -

Norman 5.80.02 2008.07.21 -

Panda 9.0.0.4 2008.07.21 -

PCTools 4.4.2.0 2008.07.21 -

Prevx1 V2 2008.07.22 -

Rising 20.54.02.00 2008.07.21 -

Sophos 4.31.0 2008.07.21 -

Sunbelt 3.1.1536.1 2008.07.18 -

Symantec 10 2008.07.21 -

TheHacker 6.2.96.385 2008.07.20 -

TrendMicro 8.700.0.1004 2008.07.21 -

VBA32 3.12.8.1 2008.07.21 suspected of Malware-Cryptor.Win32.General.2

VirusBuster 4.5.11.0 2008.07.21 -

Webwasher-Gateway 6.6.2 2008.07.21 -

Antivirus	Version	Last Update	Result
AhnLab-V3	2008.7.21.1	2008.07.21	-
AntiVir	7.8.1.11	2008.07.21	-
Authentium	5.1.0.4	2008.07.21	-
Avast	4.8.1195.0	2008.07.21	-
AVG	8.0.0.130	2008.07.21	-
BitDefender	7.2	2008.07.21	-
CAT-QuickHeal	9.50	2008.07.21	-
ClamAV	0.93.1	2008.07.21	-
DrWeb	4.44.0.09170	2008.07.21	-
eSafe	7.0.17.0	2008.07.21	Suspicious File
eTrust-Vet	31.6.5971	2008.07.21	-
Ewido	4.0	2008.07.21	-
F-Prot	4.4.4.56	2008.07.21	-
F-Secure	7.60.13501.0	2008.07.21	Suspicious:W32/Malware!Gemini
Fortinet	3.14.0.0	2008.07.21	-
GData	2.0.7306.1023	2008.07.21	-
Ikarus	T3.1.1.34.0	2008.07.21	-
Kaspersky	7.0.0.125	2008.07.21	-
McAfee	5343	2008.07.21	-
Microsoft	1.3704	2008.07.22	-
NOD32v2	3284	2008.07.21	-
Norman	5.80.02	2008.07.21	-
Panda	9.0.0.4	2008.07.21	-
PCTools	4.4.2.0	2008.07.21	-
Prevx1	V2	2008.07.22	-
Rising	20.54.02.00	2008.07.21	-
Sophos	4.31.0	2008.07.21	-
Sunbelt	3.1.1536.1	2008.07.18	-
Symantec	10	2008.07.21	-
TheHacker	6.2.96.385	2008.07.20	-
TrendMicro	8.700.0.1004	2008.07.21	-
VBA32	3.12.8.1	2008.07.21	suspected of Malware-Cryptor.Win32.General.2
VirusBuster	4.5.11.0	2008.07.21	-
Webwasher-Gateway	6.6.2	2008.07.21	-

The file contains threat characteristics of ZBot – a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system. It opens backdoors on infected computer to allow malicious attacker unauthorized access.

On an infected computer the trojan will create a new files like %System%\ntos.exe, %System%\wsnpoem\audio.dll, %System%\wsnpoem\video.dll and creates a new directory %System%\wsnpoem.

It also adds and modifies entries in the Windows registry and make connection with a server for http://*********.ru/******/odessa.bin. It opens random TCP ports in order to provide backdoor capabilities.

Update 10:00 AM Belgian time:

The MD5 on Virus Total is da4b7ef93c588ad799f1a1c5afb6cfad and the trojan is now detectedby 12 virus engines. Permalink: http://www.virustotal.com/