MX Lab Black Friday Promotion: special price per user and 60 days extra

MX Lab Black Friday Promotion!

Make use of our special MX Lab Black Friday promotion and benefit from a low price per user and 60 extra days of free email security services added to your 12-month subscription, which includes:

  • Zero hour anti virus to protect against the latest viruses and threats
  • Managed anti spam to get rid of the unwanted emails
  • And email archiving with a 60 day retention policy as a standard

More information can be obtained on our web site or contact us directly with your questions.

Request your free trial today!

Email “Your document” contains trojan Trojan-Spy.Zbot

MX Lab started to intercept a new trojan distribution campaign by email with the subject “Your document”, sent from spoofed addresses and with the following very short body:

To view your document, please open attachment.

The attached ZIP file has the name and contains the 196 kB file c3.exe.

The trojan is known as Trojan-Spy.Zbot, W32/Risk.QSAW-8224, Luhe.Fiha.A or PE:Malware.FakePDF@CV!1.9C3A.

At the time of writing, 5 of the 54 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink for more detailed information.
SHA256: b7e768d540e63e06139dc2dd194dda47b3a2712cb27b1d173127a7801ac88e88

Resume emails with attached file Resume.html leads to rogue AV software

MX Lab intercepts emails with the subject Resume, an attached file Resume.html and a very short email body:

Attached, please find

The attached HTML file contains the following code:

<SCRIPT LANGUAGE="Javascript"><!--//function xhtmldecode(x){document.write(unescape(x))}function runit(){x="%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%

When opening the attached HTML file you are directed to a web site with the following code:

  <meta http-equiv="refresh" content="4;

<iframe src="hxxp://"
style="visibility: hidden;" height="1" width="1"></iframe>

After 4 seconds you will get redirected to hxxp:// On our Mac computer we got the following screen.

It stayed like this for quite a while, so I guess that the scripting of this site doesn’t work too well on a Mac computer. At MX Lab, we believe that this is a new campaign to distribute the rogue anti virus software antivirus_24.exe, as mentioned in earlier blog articles:

Campaign with emails that lead to rogue AV software antivirus_24.exe continues
Malicious emails lead to rogue AV software antivirus_24.exe

Malicious emails lead to rogue AV software antivirus_24.exe

MX Lab intercepted emails that lead to the rogue anti virus software with the executable antivirus_24.exe. The senders make use of well-known brand names like Macy’s, Costco Photo Center and perhaps other brands as well.

The URLs inside the message lead to a web site that hosts a malicious script and later offers you the option to download antivirus_24.exe.

When following this URL on our Mac we got the message “PLEASE WAITING 4 SECOND…”.

The web site has the following HTML code:

  <meta http-equiv="refresh" content="4;

<iframe src="hxxp://"
style="visibility: hidden;" height="1" width="1"></iframe>
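Both the Resume.html attachment above (a percent-encoded page passed to document.write(unescape(x))) and the antivirus_24.exe landing page (a 4-second meta refresh plus a hidden 1x1 iframe) can be flagged by a mail filter before a user opens anything. The following is an added example, not MX Lab's code; the sample attachment and all URLs in it are constructed placeholders.

```python
import re

# Constructed sample modelled on the Resume.html attachment: a percent-encoded page handed to
# document.write(unescape(x)). The .invalid URLs are placeholders, not real campaign addresses.
DECODED_PAGE = (
    '<meta http-equiv="refresh" content="4; url=http://redirect.example.invalid/go">'
    '<iframe src="http://hidden.example.invalid/x" '
    'style="visibility: hidden;" height="1" width="1"></iframe>'
)
SAMPLE_ATTACHMENT = (
    '<SCRIPT LANGUAGE="Javascript"><!--//'
    'function xhtmldecode(x){document.write(unescape(x))}'
    'function runit(){x="' + "".join("%%%02X" % b for b in DECODED_PAGE.encode()) + '";'
    'xhtmldecode(x)}//--></SCRIPT><BODY onload="runit()"></BODY>'
)

# A string literal made mostly of %XX / %uXXXX escapes is the obfuscation signature to look for
ENCODED_LITERAL_RE = re.compile(r'"((?:%[0-9A-Fa-f]{2}|%u[0-9A-Fa-f]{4}){8,}[^"]*)"')
META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']\s*(\d+)\s*;\s*url=([^"\'>\s]+)', re.I)
IFRAME_RE = re.compile(r'<iframe[^>]+src=["\']([^"\']+)["\'][^>]*>', re.I)

def js_unescape(s):
    """Mimic JavaScript unescape(): %uXXXX -> code point first, then %XX -> code point."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

def iframe_is_hidden(tag):
    """True for the visibility:hidden / 1x1 iframe pattern used on the landing page."""
    if re.search(r"visibility:\s*hidden|display:\s*none", tag, re.I):
        return True
    dims = [int(d) for d in re.findall(r'\b(?:width|height)=["\']?(\d+)', tag, re.I)]
    return bool(dims) and max(dims) <= 1

def analyze_attachment(html, max_layers=5):
    """Peel unescape() layers, then report the timed redirect target and hidden iframe sources."""
    findings = {"decoded_layers": 0, "refresh": None, "hidden_iframes": []}
    layer = html  # stays equal to html when the file is not obfuscated
    for _ in range(max_layers):
        literals = ENCODED_LITERAL_RE.findall(layer)
        if not literals:
            break
        layer = "\n".join(js_unescape(lit) for lit in literals)
        findings["decoded_layers"] += 1
    m = META_REFRESH_RE.search(layer)
    if m:
        findings["refresh"] = (int(m.group(1)), m.group(2))  # (delay in seconds, URL)
    for im in IFRAME_RE.finditer(layer):
        if iframe_is_hidden(im.group(0)):
            findings["hidden_iframes"].append(im.group(1))
    return findings
```

A non-zero decoded_layers count combined with a refresh target or a hidden iframe is the combination both campaigns show, and is a reasonable trigger for quarantining the attachment.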
We got the screen shown below, but I’m sure that on Windows it will look slightly different: Windows icons for your hard drives and so on will be included.

You get to see some errors claiming that your system is infected, and the instructions lead you to download the malware. This part is obviously fake, so please do not continue the process.

Virus Total permalink and MD5: 5be4b708a68687cb5490fe2caea49c82

MX Lab Summer Sales, only €8 per mailbox per year!

MX Lab is offering Zero Hour Anti Virus and Managed Anti Spam for your mail server for €8 per mailbox per year. For more information visit and contact us.

Rogue online anti virus scanner Antivirus Plus

Antivirus Plus is a rogue anti virus scanner. When visiting a URL like hxxp:// – something I don’t recommend doing at home – an online virus scanner starts to check your computer system. It won’t take long before the first viruses, malware and trojans are detected.

The online virus scanner warns you that you have several infections, with I-Worm.Sobig, TrojanDropper.JS.Mimail and Backdoor.SdBot.gen among the most critical ones according to Antivirus Plus.
Antivirus Plus will soon warn you that it can’t clean your computer and offers you the option to download additional software to do so.

The file Installer_70137.exe is downloaded and is known as:

Win32:Trojan-gen (Avast)
Trojan.Win32.Agent2.gnf (F-Prot, Kaspersky)
TrojanDownloader:Win32/Renos.BAO (Microsoft)
Troj/FakeAV-NT (Sophos)

Virus Total permalink and MD5: 916e0f7aef7f1ea6308fa886d41ed750.

Rogue anti virus program: Antivirus for Windows – New 2009 Version

MX Lab intercepted a message that caught our attention. Some time ago, a rogue anti virus/anti spyware program known as Antivirus 2009, XP Antivirus Protection, MSAntivirus 2008 and Vista Antivirus 2008 was promoted on the internet and in various spam emails.

It seems that it is now distributed under a new name, “Antivirus for Windows – New 2009 Version”.

The email was sent from PC Protection <> and contains the subject “Update your Antivirus for Windows”.

The email looks like a mailing and contains Unsubscribe, Forward and Update Profile links. However, when looking at all the links in the message, some links are invalid, like the Report Abuse link that contains a URL to – note the double point after ss25. The domains or are giving us an HTTP 404 error and contain no web site. It is very common to work from under a subdomain and pages under that domain without any root HTML pages.

The domain itself appears to be registered at Tucows with the following details:


When following the download links, a landing page is shown:

When filling in your email address and the activation code you are presented with a payment screen.

Recommendation: do not proceed with the payment process and do not download the program.
