New trojan variant with Adobe Software Critical Upgrade Notification emails

December 6, 2011 2 Comments


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects similar to:

Adobe Software Critical Upgrade Notification ID: M29MGJW7CN3
Adobe Systems Software Critical Upgrade Notification ID: 6974438831048
Adobe Acrobat: Upgrade Needed, Tue, 6 Dec 2011 15:08:48 +0100

The email is send from the spoofed address “Adobe Update Notification <no-reply@adobe.com>”  and has the following body:

Hello Dear,

Adobe is pleased to announce new version upgrades for Adobe Acrobat Reader and Adobe X Suite
Advanced features include:

- Collaborate across borders
- Create rich, polished PDF files from any application that prints
- Ensure visual fidelity
- Encrypt and share PDF files more securely
- Use the standard for document archival and exchange

To upgrade and enhance your work productivity today please open attached file.

Copyright 2011 Adobe Systems Incorporated. All rights reserved.
TrackNum: C0RCKD-7363931

Adobe Systems Incorporated,
Tue, 6 Dec 2011 13:21:16 -0300

The attached ZIP file has the name AdobeSystems-Software_Critica Update_Dec_2011-ELA6L7G9D.zip and contains the 200 kB large file Adobe Systems Software Critical Update Dec 2011.exe.

The trojan is known as PWS-Zbot.gen.hb (McAfee), PWS:Win32/Zbot.gen!Y (Microsoft), W32/Zbot.YFP (Norman).

At the time of writing, only 5 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5: 2cf8db09963b2077e42aeb1d644b160f.

Filed under Malware, Viruses Tagged with , , ,

Adobe Acrobat Reader update notification comes with malware

December 1, 2011 1 Comment


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Adobe Acrobat: Upgrade Needed”.

The email is send from the spoofed address “Adobe Update Notification <no-reply@adobe.com>” and has the following body:

Hello Dear,

Adobe is pleased to announce new version upgrades for Adobe Acrobat Reader
Advanced features include:

- Collaborate across borders
- Create rich, polished PDF files from any application that prints
- Ensure visual fidelity
- Encrypt and share PDF files more securely
- Use the standard for document archival and exchange

To upgrade and enhance your work productivity today please open attached file.

Copyright 2011 Adobe Systems Incorporated. All rights reserved.
TrackNum: YPK7XJ-5955527

Adobe Systems Incorporated,
Wed, 30 Nov 2011 16:45:33 +0100

The attached ZIP file has the name Adobe-Software-Update-VUREU328263.zip and contains the 203 kB large file AdobeSoftwareUpdate-20111130.exe. Note that the filenames can be different.

The trojan is known as Trojan.Generic.KDV.442070 (BitDefender), W32/Zbot.DD.gen!Eldorado (F-Prot), PWS-Zbot.gen.oe (McAfee), Troj/Kirje-B (Sophos)

At the time of writing, only 22 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5: 22728244953af82281b37265060384c4.

Filed under Malware, Viruses Tagged with , , , ,

Email with Adobe license key attached contains a trojan

November 2, 2011 11 Comments


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Your InDesign CS4 License key”.

The email is send from the spoofed address “Adobe <help-no.146@adobe.com>” and has the following body:

Hello,

Your Adobe CS4 License key is in attached document below.
We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
Thank you for buying Adobe InDesign CS4 software.

Adobe Systems Incorporated

The attached ZIP file has the name License_key_N7853.zip and contains the 47 kB large file License_key.exe.

Please note that the from email address, the subject, content and name of the attached file can change accordingly.

The trojan is known as Troj/Bredo-LK (Sophos), W32/Yakes.F.gen!Eldorado (F-Prot), Downloader.Chepvil (Symantec).

At the time of writing, only 7 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5: 09ecaf9fd2f4d7d42b0b4fde0f53b21e.

Filed under Malware, Viruses Tagged with , , ,

Follow

Get every new post delivered to your Inbox.

Join 165 other followers