Trojan attached in fake emails regarding license key from Adobe


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the following subjects:

Download your adobe software
Download your license key
Thank you for your order
Your order is processed

This email is sent from the spoofed address “Adobe Software <soft@adobes.com>”, “Adobe Software <support@adobes.com>”, “Adobe <software@adobes.com>”, “Adobe Software <your_order@adobes.com>” or similar, and has one of the following bodies:

Hello.

Thank you for buying Director 11.5 software.
Your Adobe License key is in attached document below.

Adobe Systems Incorporated.

Hello.

Thank you for buying Creative Suite 6 Master Collection software.
Your Adobe License key is in attached document below.

Adobe Systems Incorporated.

Order Notification.

Thank you for buying Adobe Connect software.
Your Adobe License key is in attached document below.

Adobe Systems Incorporated.

The attached ZIP file has the name License_Key_OR8957.zip and contains the 209 kB file License_Key_Document_Adobe_Systems_Incorporated.exe.

The trojan is known as Win32:Malware-gen, W32/Trojan.BDDH-7155, W32/Trojan3.GVP, Trojan-Downloader.Win32.Dofoil.rqh or Artemis!30AAE526F5C4.

At the time of writing, 11 of the 45 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: a6cb6905775a7c4995222b3d91e7513a405d0cd183b7106dd713e720b2a4762a.

New trojan variant with Adobe Software Critical Upgrade Notification emails


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects similar to:

Adobe Software Critical Upgrade Notification ID: M29MGJW7CN3
Adobe Systems Software Critical Upgrade Notification ID: 6974438831048
Adobe Acrobat: Upgrade Needed, Tue, 6 Dec 2011 15:08:48 +0100

The email is sent from the spoofed address “Adobe Update Notification <no-reply@adobe.com>” and has the following body:

Hello Dear,

Adobe is pleased to announce new version upgrades for Adobe Acrobat Reader and Adobe X Suite
Advanced features include:

- Collaborate across borders
– Create rich, polished PDF files from any application that prints
– Ensure visual fidelity
– Encrypt and share PDF files more securely
– Use the standard for document archival and exchange

To upgrade and enhance your work productivity today please open attached file.

Copyright 2011 Adobe Systems Incorporated. All rights reserved.
TrackNum: C0RCKD-7363931

Adobe Systems Incorporated,
Tue, 6 Dec 2011 13:21:16 -0300

The attached ZIP file has the name AdobeSystems-Software_Critica Update_Dec_2011-ELA6L7G9D.zip and contains the 200 kB file Adobe Systems Software Critical Update Dec 2011.exe.

The trojan is known as PWS-Zbot.gen.hb (McAfee), PWS:Win32/Zbot.gen!Y (Microsoft), W32/Zbot.YFP (Norman).

At the time of writing, only 5 of the 43 AV engines at Virus Total detected the trojan.

Virus Total permalink and MD5: 2cf8db09963b2077e42aeb1d644b160f.

Adobe Acrobat Reader update notification comes with malware


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Adobe Acrobat: Upgrade Needed”.

The email is sent from the spoofed address “Adobe Update Notification <no-reply@adobe.com>” and has the following body:

Hello Dear,

Adobe is pleased to announce new version upgrades for Adobe Acrobat Reader
Advanced features include:

- Collaborate across borders
– Create rich, polished PDF files from any application that prints
– Ensure visual fidelity
– Encrypt and share PDF files more securely
– Use the standard for document archival and exchange

To upgrade and enhance your work productivity today please open attached file.

Copyright 2011 Adobe Systems Incorporated. All rights reserved.
TrackNum: YPK7XJ-5955527

Adobe Systems Incorporated,
Wed, 30 Nov 2011 16:45:33 +0100

The attached ZIP file has the name Adobe-Software-Update-VUREU328263.zip and contains the 203 kB file AdobeSoftwareUpdate-20111130.exe. Note that the filenames can be different.

The trojan is known as Trojan.Generic.KDV.442070 (BitDefender), W32/Zbot.DD.gen!Eldorado (F-Prot), PWS-Zbot.gen.oe (McAfee), Troj/Kirje-B (Sophos).

At the time of writing, only 22 of the 43 AV engines at Virus Total detected the trojan.

Virus Total permalink and MD5: 22728244953af82281b37265060384c4.

Email with Adobe license key attached contains a trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Your InDesign CS4 License key”.

The email is sent from the spoofed address “Adobe <help-no.146@adobe.com>” and has the following body:

Hello,

Your Adobe CS4 License key is in attached document below.
We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
Thank you for buying Adobe InDesign CS4 software.

Adobe Systems Incorporated

The attached ZIP file has the name License_key_N7853.zip and contains the 47 kB file License_key.exe.

Please note that the From address, the subject, the content and the name of the attached file can vary.

The trojan is known as Troj/Bredo-LK (Sophos), W32/Yakes.F.gen!Eldorado (F-Prot), Downloader.Chepvil (Symantec).

At the time of writing, only 7 of the 43 AV engines at Virus Total detected the trojan.

Virus Total permalink and MD5: 09ecaf9fd2f4d7d42b0b4fde0f53b21e.
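
All four campaigns above deliver a ZIP attachment whose member is a Windows executable, while the sender, subject and file names vary and AV detection at delivery time is partial. The following Python sketch is an added example, not MX Lab's filtering code: it flags a message on that structural trait instead of on names or signatures. The extension list, the function names and the recipient address are assumptions, and the sample messages are constructed.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions treated as directly executable on Windows (assumed list, extend as needed).
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")

def risky_zip_members(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (attachment name, member name) for each executable inside a ZIP attachment."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        # Identify ZIPs by content: the file name and MIME type are sender-controlled.
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                # Windows ignores trailing dots and spaces, so strip them before matching.
                if info.filename.lower().rstrip(". ").endswith(EXEC_EXT):
                    hits.append((part.get_filename() or "", info.filename))
    return hits

def build_sample(member_name: str, member_bytes: bytes) -> bytes:
    """Constructed test message shaped like the first campaign: one ZIP, one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_bytes)
    msg = EmailMessage()
    msg["From"] = "Adobe Software <soft@adobes.com>"
    msg["To"] = "user@example.com"  # placeholder recipient
    msg["Subject"] = "Download your license key"
    msg.set_content("Your Adobe License key is in attached document below.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="License_Key_OR8957.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    exe_name = "License_Key_Document_Adobe_Systems_Incorporated.exe"
    print(risky_zip_members(build_sample(exe_name, b"MZ placeholder bytes")))
    print(risky_zip_members(build_sample("license.txt", b"plain text")))
```

Member names in an ordinary password-protected ZIP remain readable, so the same check applies when the payload itself cannot be extracted for scanning.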
