New year gift from Amazon sent by a friend contains malware

MX Lab, http://www.mxlab.eu, intercepted a few samples of a new trojan found in emails with the subject "A friend just sent you a new year gift from amazon", sent from the spoofed address "amazon seller <customer_amzon.com@correo.rgm.com.co>".

The email has the following body:

Good day,
We are to inform you that someone just sent you a gift from amazon.com,
below is the recipt kindly open and track the order. Wishing you a lovely year ahead.
Best regards,
Amazon.com

The malware is approximately 221 kB in size and is named file4402_fdp.exe. Although the lure promises a receipt to open, the attachment is a Windows executable.

The trojan is detected as Win32:Malware-gen (Avast), Trojan.Win32.VBKrypt.imoz (Kaspersky), Artemis!798A4ABB09D7 (McAfee) and Mal/Generic-L (Sophos).

At the time of writing, 24 of the 43 AV engines at VirusTotal detected the trojan.

VirusTotal SHA256 of the sample: 40bbaa3e93e50dbdc2b615ae383c3c36c0ab358c311a39efaf6c1246b71ef903.

Amazon orders and email confirmation leads to PDF malware

Since last week, MX Lab has been intercepting emails asking the recipient to confirm their email address or an order processed by Amazon. This campaign has been arriving in quite large quantities, and we have been investigating what it is about.

At first we thought they were phishing emails, but so far we have not been able to reach the sites mentioned in the URLs included in the message.

This is the latest screenshot of an email requesting confirmation of the email address. The layout is very well done, as you can see. The Amazon images are embedded in the message through image tags and are loaded directly from Amazon's own servers, which is why the message looks genuine.

But the links in the email are obfuscated and point to web sites like:

hxxp://busnwsonline.com/index.php?pid=14

which in this case redirects to:

hxxp://lunchstroke.ru:8080/index.php?pid=14

Following the URL leads to short-lived web sites hosting malicious PDF files. The PDF appears to be served inside an HTML iframe so that it is loaded without any user interaction. The combination is what to key on when triaging such messages: branding images fetched from Amazon, links that go to an unrelated first-hop domain, a redirect to a host on a non-standard port, and a landing page that embeds a PDF in an iframe.
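The two checks described above, written out as an added example (this is not MX Lab's code or tooling). The lure HTML and the landing page are constructed to resemble the campaign; the PDF path on the landing page and the Amazon image hosts are assumptions, since the report does not give them.

```python
"""Triage an Amazon-themed HTML lure and the landing page it redirects to.

Two checks follow from the campaign described above:
1. branding images are loaded from Amazon hosts while the links go elsewhere;
2. the landing page loads a PDF inside an (often hidden) iframe, possibly on
   a non-standard port.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts treated as legitimate Amazon branding sources (assumption for this check).
BRAND_SUFFIXES = ("amazon.com", "images-amazon.com")

# Constructed lure resembling the e-mail described above; not a captured message.
LURE_HTML = """
<html><body>
<img src="http://g-ecx.images-amazon.com/images/G/01/gno/logo.gif">
<p>Please <a href="http://busnwsonline.com/index.php?pid=14">confirm your e-mail address</a>
to keep your account active.</p>
<a href="http://busnwsonline.com/index.php?pid=14"><img src="http://images-amazon.com/btn.gif"></a>
</body></html>
"""

# Constructed landing page; the real page's PDF path is not known from the report.
LANDING_HTML = """
<html><body>
<p>Loading your order confirmation...</p>
<iframe src="http://lunchstroke.ru:8080/order.pdf" width="0" height="0" frameborder="0"></iframe>
</body></html>
"""


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_brand_host(host):
    """True when the host is one of the brand suffixes or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in BRAND_SUFFIXES)


class TagCollector(HTMLParser):
    """Collect link targets, image sources and iframe attributes from HTML."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.iframes = [], [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a)


def analyze_lure(html):
    """Flag a message whose branding comes from Amazon but whose links do not."""
    c = TagCollector()
    c.feed(html)
    brand_images = sorted({host_of(u) for u in c.images if is_brand_host(host_of(u))})
    off_brand_links = sorted({host_of(u) for u in c.links if not is_brand_host(host_of(u))})
    return {
        "brand_image_hosts": brand_images,
        "off_brand_link_hosts": off_brand_links,
        "suspicious": bool(brand_images) and bool(off_brand_links),
    }


def analyze_landing(html):
    """Report every iframe: does it pull a PDF, is it hidden, is the port unusual?"""
    c = TagCollector()
    c.feed(html)
    findings = []
    for f in c.iframes:
        u = urlparse(f["src"])
        findings.append({
            "src": f["src"],
            "pdf": u.path.lower().endswith(".pdf"),
            "hidden": f.get("width") == "0" or f.get("height") == "0",
            "nonstandard_port": u.port not in (None, 80, 443),
        })
    return findings


if __name__ == "__main__":
    print(analyze_lure(LURE_HTML))
    print(analyze_landing(LANDING_HTML))
```

The first check deliberately compares hosts rather than matching on the Amazon logo, because the attacker hotlinks the genuine images; it is the mismatch between where the look comes from and where the clicks go that gives the lure away. Fetching the redirect chain itself is left out on purpose: follow such links only from an isolated analysis host.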

New malspam regarding your Amazon order: Your order has been paid! Parcel NR:58588-691

MX Lab detected a new malware spam outbreak with the subject "Your order has been paid! Parcel NR:58588-691" regarding a payment to Amazon. The malware is sent from a spoofed email address of the form Amazon Manager Vaughn Montes <refrigeratorser22@rokulabs.com>.

The trojan is detected as Trojan.Generic.Bredolab.3232 (ClamAV), W32/VBcrypt.E.gen!Eldorado (Eldorado and F-Prot) and Heuristic.BehavesLike.Win32.Downloader.H (McAfee-GW-Edition).

The body of the email:

Dear Sirs,

Thank you for shopping at Amazon.com!

We have successfully received your payment.

Your order has been shipped to your billing address.

You have ordered ” Sony Bravia S1452 ”

You can find your tracking number in attached to the e-mail document.

Print the postal label to get your package.

We hope you enjoy your order!

Vaughn Montes, Amazon

The email has the ZIP archive Amazon_label_N-322-552.zip attached, which contains the 36 kB file Amazon_label_N-322-552.DOC.exe. The double extension is meant to pass the executable off as a Word document: Windows hides known file extensions by default, so the file shows up as Amazon_label_N-322-552.DOC.

When executed, the following files are created:

C:\Documents and Settings\User\Local Settings\Temp\1.tmp
C:\WINDOWS\system32\thxr.wgo

The malware then makes HTTP requests to the following URLs (note the tm= counter incrementing across the three requests, while v=, id= and b= stay constant):

hxxp://hulejsoops.ru/images/bb.php?v=200&id=636608811&b=build_9&tm=1
hxxp://hulejsoops.ru/images/bb.php?v=200&id=636608811&b=build_9&tm=2
hxxp://hulejsoops.ru/images/bb.php?v=200&id=636608811&b=build_9&tm=3

At the time of writing, only 5 of the 41 AV engines at VirusTotal detected the threat. VirusTotal MD5 of the sample: b31628758d2557315403f59cc65bc33d.
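An added example (not MX Lab code) that covers both the attachment and the network side of this campaign: it unpacks a ZIP in memory and flags members that hide an executable behind a document extension, hashing each member so it can be compared with the MD5 above, and it matches the bb.php beacon pattern against proxy log lines. The archive content is a constructed stand-in (an MZ header followed by padding, not the real sample), and the log lines are constructed in Squid access-log format with documentation IP addresses.

```python
"""Attachment triage and beacon hunting for the Amazon_label campaign.

The ZIP built here is a stand-in with a fake MZ header; the proxy log lines
are constructed to match the bb.php request pattern seen in the report.
"""
import hashlib
import io
import re
import zipfile

# Extensions that run as code on Windows, and the document extensions that
# attackers put in front of them (assumption: a reasonable short list).
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
DOC_EXT = {".doc", ".docx", ".pdf", ".txt", ".xls", ".jpg", ".htm", ".html"}


def build_sample_zip():
    """Constructed archive: same member name as the campaign, dummy payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Amazon_label_N-322-552.DOC.exe", b"MZ" + b"\x00" * 1000)
    return buf.getvalue()


def triage_zip(data):
    """For every member: is it executable, is the extension doubled, and its hashes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            base = info.filename.lower().rsplit("/", 1)[-1]
            exts = ["." + p for p in base.split(".")[1:]]
            payload = zf.read(info)
            findings.append({
                "name": info.filename,
                "executable": bool(exts) and exts[-1] in EXEC_EXT,
                "double_extension": len(exts) >= 2
                and exts[-2] in DOC_EXT and exts[-1] in EXEC_EXT,
                "size": len(payload),
                "md5": hashlib.md5(payload).hexdigest(),
                "sha256": hashlib.sha256(payload).hexdigest(),
            })
    return findings


# Beacon shape from the report: /images/bb.php?v=<n>&id=<n>&b=build_<n>&tm=<n>
BEACON_RE = re.compile(r"/images/bb\.php\?v=(\d+)&id=(\d+)&b=(build_\d+)&tm=(\d+)")

# Constructed Squid-style access log; 198.51.100.0/24 is a documentation range.
SAMPLE_LOG = [
    "1262304000.101     87 10.0.0.23 TCP_MISS/200 418 GET "
    "http://hulejsoops.ru/images/bb.php?v=200&id=636608811&b=build_9&tm=1 "
    "- DIRECT/198.51.100.7 text/html",
    "1262304000.230    120 10.0.0.23 TCP_MISS/200 1203 GET "
    "http://www.amazon.com/gp/css/order-history - DIRECT/198.51.100.8 text/html",
    "1262304030.105     90 10.0.0.23 TCP_MISS/200 418 GET "
    "http://hulejsoops.ru/images/bb.php?v=200&id=636608811&b=build_9&tm=2 "
    "- DIRECT/198.51.100.7 text/html",
    "1262304060.110     88 10.0.0.23 TCP_MISS/200 418 GET "
    "http://hulejsoops.ru/images/bb.php?v=200&id=636608811&b=build_9&tm=3 "
    "- DIRECT/198.51.100.7 text/html",
]


def find_beacons(log_lines):
    """Return the parsed beacon fields for every log line matching BEACON_RE."""
    hits = []
    for line in log_lines:
        m = BEACON_RE.search(line)
        if m:
            hits.append({
                "line": line,
                "version": m.group(1),
                "bot_id": m.group(2),
                "build": m.group(3),
                "tm": int(m.group(4)),
            })
    return hits


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f)
    for h in find_beacons(SAMPLE_LOG):
        print(h["bot_id"], h["build"], h["tm"])
```

The beacon regex keys on the path and parameter names rather than on the hulejsoops.ru host, so the same rule still fires when the downloader is pointed at a new domain; the parsed id= value lets you tie repeated requests back to one infected host even when several machines beacon through the same proxy.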
