New Bredolab trojan in the wild

MX Lab intercepted a new Bredolab trojan attached to emails with changing subjects and body content.

The following email subjects are being used:

Beauty and the Geek 2
First Birthday Invitation
fill this Passport form
In USA on August 15 and 16
Resume & Coverletter – Feedback
Status
Your reservation is confirmed – Ref: 12801/267373

The email body also changes with every new email version. Here are some examples:

Hi Joe,

I will be in USA on August 15, 16 and 17. I have a job interview on August 15 and available on August 16. I wonder if you and your partners will be available to catch up on any job prospect at your company.

I have attached my resume again with few changes.

Please let me know your availability. Thank you.

Best Regards,
Salvatore

Hello,

Thank you for making a booking through Allhotels

This voucher confirms that you have paid $ 1,100.00 as a deposit for the cost of the rooms and services detailed below. The guest must present this voucher, along with photo identification matching the guest name on this voucher, to the hotel on check-in.

The hotel will also ask for a valid credit card on check-in. This is to cover incidental expenses like meals, drinks, laundry, etc. Guests are responsible for payment of all extra charges direct to the hotel.

Please find the details in the attachment.

Hello All,

Please treat this as my personal invitation , Grace the occasion with your presence and bless my elder brother’s daughter on her first birthday.

Date: Sunday, August 15

Please find the venue details in the attachment.

Thanks,
Jordan Fish

Along with the subject and body content changes, the attached ZIP file also has different file names:

Resume.zip
invitation.zip

The attached ZIP archive is around 120 kB; once extracted, an .exe file with the same name as the ZIP archive is unpacked.

The trojan is known as Gen:Variant.Bredo.6 (Bitdefender), W32/Zbot.AN.test!Eldorado (F-Prot), W32/Trojan3.BXW (Authentium).

The following files will be created:

%Windir%\host32.exe
%Windir%\jh87uhnoe3\ewf32.nls
%Windir%\jh87uhnoe3\ewfrvbb.nls

The following directory will be created:

%Windir%\jh87uhnoe3

Several Windows registry modifications are made on the infected system.

At the time of writing, only 6 of the 42 AV engines at VirusTotal detected the threat. VirusTotal permalink and MD5: 4150a1deee2bb6852095627df34defb3.

New Bredolab trojan variant present in emails from Apple Store Fifth Avenue, NYCEDC Employment Application and more

MX Lab intercepts new Bredolab trojan variants in several email formats, ranging from a receipt from the Apple Store on Fifth Avenue to an NYCEDC Employment Application, among others.

Please note that the from address is spoofed in all cases and that the subject, the email body and the attachment filename may change. We also do not list every email format in which this trojan is present, so new formats may emerge as you read this.

Your receipt from Apple Store, Fifth Avenue

The first example contains the subject “Your receipt from Apple Store, Fifth Avenue”, is from a spoofed address and has the following very short email body:

Thank you for shopping at the Apple Store.

The email has the attachment emailreceipt_20100116R0951092283.zip.

NYCEDC Employment Application

This email has the subject “NYCEDC Employment Application” and has the following email body:

Hello,

It was nice talking with you yesterday. Attached is the NYCEDC Employment Application. It’s an interactive PDF form so you should be able to type directly into it. If you could bring a completed copy with you to the interview, that would be great.  Please let me know if you have any questions.

Best,
Best,
Courtney Sewell

The email has the attachment file_13671.zip.

Final_moments_of_Air_France

This email has the subject “Final_moments_of_Air_France” and has the following email body:

HI

Please have a look at these photos from Air france crash.

Avnish

34962879433

Antony

The email has the attachment Final_moments_of_Air_France_-_Incredible_Photos.zip.

0462

This email has the subject “0462” and the following body of the email:

Hi

I hope that this message finds you well. What do you think of the attached role?

Thanks!

Chadwick

The email has the attachment Code 9664 – for email.zip.

Your Quote from AA Getaway Coaches

This email has the subject “Your Quote from AA Getaway Coaches” and has the following body:

Hello
Thank you for choosing AA Getaway Coaches. Your Quote is attached. If you decide to travel with us, please sign and fax back to our offices the Reservation Request Form as soon as possible to reserve your vehicles.
Thank You,
Jane Burkett

Pay Online with PayPal. Fax your signed Reservation Request From back to our offices at 718.982.5274, we will reserve your vehicles and send you an email containing instructions to make your payment online using PayPal – safely and securely.

The attached documents are in PDF format and require a compatible PDF viewer such as Adobe Reader.

The email has the attachment reservationRequestForm0000043643.zip.

Proposal

This email has the subject “Proposal” and the following body:

Hi ,

It was a pleasure to meet you last night, and thank you ! As per our conversation, please find attached a preliminary proposal, including various prix fixe menus and a credit card authorization form. Also attached is our current wine list, in case you would like to pre-select any wine for this event. Please let me know if you have any questions, as it would be my pleasure to assist you.

Thanks and best,
Cynthia

Shauna Fritz
Event Coordinator
Benjamin Steakhouse
52 E 41st Street
New York, NY 10017
T: 212-297-9177
F: 212-297-9146
innkeeperxr29@rapit.com

This email has the attachment CURRENT_WINE_LIST_04-02-10(c)_(2)1.zip.

Resume

This email has the subject “Resume” and the following body:

I cleaned up the formatting of the resume and will review the content at some point today.  Save this as your latest version and I’ll talk to you later.

:)

Thanks

This email has the attachment Marcelino Estrada Resume.zip.

acceptance letter & benefit summary

This email has the subject “acceptance letter & benefit summary” and the following body:

Hi

As discussed, attached is a copy of your acceptance letter and a copy of the ASPCA benefit summary for review. We will have the original acceptance letter here for you in the morning. Please ask for me at the front  reception desk at around 9:15 a.m.

We are so excited to have you joining the HR team and the ‘A’

See you tomorrow!

This email has the attachment Summary of Benefits – New York.zip.

Analysis of the threat:

The trojan is known as W32/Bredolab.GE (Authentium), Trojan.Bredolab-987 (Clam AV), W32/Bredolab.B!genr (Norman), Troj/Bredo-DV (Sophos).

The trojan will create the following files:

%AppData%\16887.exe
%Programs%\Security Tool.lnk
%Windir%\Temp\_ex-08.exe

The following processes are created:

Process Name: 16887.exe
Process Filename: %AppData%\16887.exe

Process Name: _ex-08.exe
Process Filename: %Windir%\temp\_ex-08.exe

Several Windows registry modifications will be performed on the system and the trojan can establish a connection to the IPs 194.28.112.3 and 77.78.249.2 on port 80.

The trojan will download data from the remote web host at hxxp://77.78.249.2/cb_soft.php?q=7a76b969b50d772dfcffc81e3205c1d9

VirusTotal permalink and MD5: e59e39cff3bc611d3bd50287c94deb66.

Messages with the YouSendIt Reader contain the Bredolab trojan

After our first report earlier today of the YouSendIt abuse that leads to a malicious payload and spam web site, MX Lab now intercepted messages with the subject “You have received a file from fudgeupte7@randoripartners.com via YouSendIt.” and the attachment YouSendIt_reader.zip.

The email address is spoofed and the email address in the subject line will change according to the from address.

The body of the email:

Maryellen Meier has sent you the following via YouSendIt

File attached to this letter.

YouSendIt, Inc. | Privacy Policy

1919 S. Bascom Ave., Campbell, CA 95008

The message has the attachment YouSendIt_reader.zip. Once extracted, the 20 kB large file YouSendIt_reader.exe is available.

The trojan is known as Gen:Variant.Bredo.2 (BitDefender, F-Secure, GData), TrojanDownloader:Win32/Waledac.C (Microsoft).

The following files are created:

%AppData%\1410506.exe
%Programs%\Security Tool.lnk
%Windir%\Temp\_ex-08.exe

New processes are created:

Process Name: 1410506.exe
Process Filename: %AppData%\1410506.exe

Process Name: _ex-08.exe
Process Filename: %Windir%\temp\_ex-08.exe

Process Name: 1410506.exe
Process Filename: %UserProfile%\LOCALS~1\APPLIC~1\1410506.exe

Several Windows registry modifications are made to the infected system and the trojan can establish a connection to the IPs 77.78.249.2 and 85.234.191.111 on port 80.

The trojan will also connect to the URL hxxp://77.78.249.2/cb_soft.php?q=a4867e4e00d394bf25ae3835341f22e3

At the time of writing, only 8 of the 42 AV engines at VirusTotal detected the threat. VirusTotal permalink and MD5: 79be5ebc9659f2c4e2e85cdd3464720d.

New Bredolab variants in the wild

MX Lab intercepted some new Bredolab variants in different messages.

“Report” emails

The first message has the subject “report” and is sent from a spoofed email address. The body of the email is very short:

see my report in attach

The email contains the file report.zip, a ZIP archive holding the 16 kB file report.exe.

The trojan is known as W32/Bredolab.FZ (Authentium), Email-Worm:W32/Waledac.HZ (F-Secure), W32/Bredolab.B!genr (Norman).

At the time of writing, only 9 of the 41 AV engines at VirusTotal detect the trojan. VirusTotal permalink and MD5: 98f75f039cf618a72ec5074481c0a9a2.

“Review your annual Social Security statement” emails

The messages have the subject “Review your annual Social Security statement” and also come from spoofed email addresses.

The body of the email:

Due to possible calculation errors, your annual Social Security statement may contain errors.

Open attached file to review your annual Social Security statement.

The email contains the file statement.zip, a ZIP archive holding the 16 kB file statement.exe.

The trojan is known as W32/Bredolab.FX (Authentium), Gen:Trojan.Heur.FU.amW@aWPlGEii (F-Secure), W32/Bredolab.B!genr (Norman), Trojan.Win32.FakeAV (Ikarus) or Mal/FakeAV-EE (Sophos).

At the time of writing, only 15 of the 41 AV engines at VirusTotal detect the trojan. VirusTotal permalink and MD5: 5b2ad2b93e88b4743221e28ead12475d.

New trojan variant in mails with “Look my CV. Thank you!”

MX Lab intercepts a new trojan variant in emails with the subject “Look my CV. Thank you! MyID NR4557547.”.

Possible subjects are:

Look my CV. Thank you! MyID NR4557547.
Please look my CV. Thank you! MyID NR0663460.

The number at the end of the subject is chosen randomly and the from email address is spoofed.

The body of the email:

Good day.

I have figured out that you have an available job.
I am quiet intrested in it. So I send you my resume,

Looking forward to your reply.
Thank you.

The email contains the attachment resume098.zip. The extracted file resume.exe is 36 kB large.

The trojan is known as W32/Heuristic-210!Eldorado (Authentium, F-Prot) or Backdoor.Bredolab (PCTools).

The following files are created:

%Temp%\1.tmp
%System%\fjof.sto
%Temp%\2.tmp
%Windir%\atapsrb.dll

The following modules are loaded into the address space of other processes:

%Windir%\atapsrb.dll:

Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E70000 – 0x1E82000

%Windir%\atapsrb.dll:

Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0x1940000 – 0x1952000

%Windir%\atapsrb.dll:

Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0x10000000 – 0x10012000

Several Windows registry modifications are made and the trojan attempts to establish a connection with the following IPs on port 80:

195.78.109.6
212.78.71.81
95.211.98.246

Data is downloaded from the following hosts:

  • hxxp://olgashelest.ru/babun/bb.php?v=200&id=603225387&b=6165430227&tm=1
  • hxxp://olgashelest.ru/babun/bb.php?v=200&id=603225387&tid=4&b=6165430227&r=1&tm=1
  • hxxp://www.scottishchefs.com/photogallery/Slideshows/SLteam2008/p7hg_img_1/fullsize/sepod.exe

At the time of writing, only 6 of the 41 AV engines at VirusTotal detect this threat. VirusTotal permalink and MD5: 0ae6a2d53e86b8784d45dd56afc5c6d7.

The downloaded file sepod.exe, which is 60 kB large, is malware known as W32/Hiloti.I.gen!Eldorado (F-Prot), Trojan.Win32.Hiloti (Ikarus) or Mal/Hiloti-D (Sophos).

The following files are created:

%Windir%\dsmd32.dll

The following modules are loaded into the address space of other processes:

%Windir%\dsmd32.dll:

Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E70000 – 0x1E82000

%Windir%\dsmd32.dll:

Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0x10000000 – 0x10012000

Several Windows registry modifications are made and the trojan attempts to establish a connection with the IP 95.211.98.246 on port 80.

13 of the 41 AV engines at VirusTotal detect this threat. VirusTotal permalink and MD5: 7a10c1118307e7cb4ecf97b40524a89c.

Emails with the subject “UPS INVOICE NR9094991” and “Delivery Problem NR2204780” contain a trojan

A combination of the “Thank you for buying iTunes Gift Certificate!” emails and the latest UPS-related emails with subjects like “UPS INVOICE NR9094991” or “Delivery Problem NR2204780” has led MX Lab to record its highest virus detection rate in months.

The possible subjects are (numbers are random):

UPS INVOICE NR9094991
Delivery Problem NR2204780

The body of the email:

Hello!
Unfortunately we were not able to deliver your postal you have sent on the 11th of March in time because the addressee’s is inexact.
Please print out the invoice copy attached and collect the package at our department.
UPS Global Services.

Hello!
We failed to deliver the postal you have sent on the 24th of March in time because the addressee’s is wrong.
Please print out the invoice copy attached and collect the package at our department.
UPS Express Services.

The email contains the ZIP archive upsinvoice3325037.zip; once extracted, the 36 kB file UPSINVOICE.exe is available.

The trojan is known as W32/FakeAlert.NW (F-Prot), Trojan.Win32.VBKrypt.yj (Kaspersky), Win32/Oficla.EU (NOD32), Troj/Bredo-CX (Sophos) or Trojan.Sasfis (Symantec).

The following files are created:

%Temp%\1.tmp
%System%\nnfj.tqo
%Temp%\2.tmp
%Windir%\scindl.dll

The following modules will be loaded into the address space of other process(es):

%Windir%\scindl.dll:

Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E90000 – 0x1EA1000

%Windir%\scindl.dll:

Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0x1940000 – 0x1951000

%Windir%\scindl.dll:

Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0x10000000 – 0x10011000

The trojan can establish a remote connection with the following hosts on port 80:

85.87.17.230
89.149.202.142
95.211.27.238

Data will be requested from the following web sites:

* hxxp://funnylive2010.ru/ms/bb.php?v=200&id=653227819&b=newsp&tm=2
* hxxp://funnylive2010.ru/ms/bb.php?v=200&id=653227819&tid=5&b=newsp&r=1&tm=2
* hxxp://www.yunusemre.net/trpanel/fckeditor/editor/_source/classes/sistempod.exe

VirusTotal permalink and MD5: 493c929efe366812cd6fc921c2b549fc.

New malspam regarding your Amazon order: Your order has been paid! Parcel NR:58588-691

MX Lab detected a new malware spam outbreak with the subject “Your order has been paid! Parcel NR:58588-691” regarding a payment towards Amazon. The malware is sent from a spoofed email address of the form Amazon Manager Vaughn Montes <refrigeratorser22@rokulabs.com>.

The trojan is known as Trojan.Generic.Bredolab.3232 (ClamAV), W32/VBcrypt.E.gen!Eldorado (Eldorado), W32/VBcrypt.E.gen!Eldorado (F-Prot) or Heuristic.BehavesLike.Win32.Downloader.H (McAfee-GW-Edition).

The body of the email:

Dear Sirs,

Thank you for shopping at Amazon.com!

We have successfully received your payment.

Your order has been shipped to your billing address.

You have ordered ” Sony Bravia S1452 ”

You can find your tracking number in attached to the e-mail document.

Print the postal label to get your package.

We hope you enjoy your order!

Vaughn Montes, Amazon

The email has the ZIP archive Amazon_label_N-322-552.zip attached, which contains the 36 kB file Amazon_label_N-322-552.DOC.exe.
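Every campaign on this page delivers a ZIP archive holding a single executable, often named after the archive itself (Resume.zip → Resume.exe) or disguised with a double extension (Amazon_label_N-322-552.DOC.exe). The triage routine below, written for this page and not part of MX Lab's tooling, checks an attachment for exactly those traits; the sample archives are constructed in memory with harmless placeholder bytes.

```python
"""Triage a ZIP attachment for the traits of the Bredolab lures described on this page."""
import io
import zipfile

EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
DOC_EXT = {".doc", ".docx", ".pdf", ".xls", ".txt", ".rtf", ".jpg"}


def _split_ext(name):
    """'dir/Amazon_label.DOC.exe' -> ('Amazon_label.DOC', '.exe'); lowercase extension."""
    base = name.rsplit("/", 1)[-1]
    if "." not in base:
        return base, ""
    stem, ext = base.rsplit(".", 1)
    return stem, "." + ext.lower()


def inspect_zip_attachment(zip_bytes, attachment_name):
    """Return a list of finding strings; an empty list means nothing suspicious was seen."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["attachment is not a valid ZIP archive"]
    archive_stem, _ = _split_ext(attachment_name)
    members = [m for m in zf.infolist() if not m.is_dir()]
    for m in members:
        stem, ext = _split_ext(m.filename)
        if ext not in EXEC_EXT:
            continue
        findings.append(f"executable inside archive: {m.filename}")
        # Resume.zip -> Resume.exe: compare the part before the first dot
        if stem.split(".")[0].lower() == archive_stem.split(".")[0].lower():
            findings.append(f"executable name matches archive name: {m.filename}")
        # Amazon_label.DOC.exe: a document extension hidden in front of .exe
        _, inner_ext = _split_ext(stem)
        if inner_ext in DOC_EXT:
            findings.append(f"double extension disguises executable as document: {m.filename}")
    if len(members) == 1 and findings:
        findings.append("archive holds a single file and it is executable")
    return findings


def _make_zip(member_name, payload):
    """Build a one-file ZIP in memory (constructed sample, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed samples modelled on the attachment names quoted on this page.
SAMPLE_AMAZON = _make_zip("Amazon_label_N-322-552.DOC.exe", b"MZ placeholder")
SAMPLE_RESUME = _make_zip("Resume.exe", b"MZ placeholder")
SAMPLE_BENIGN = _make_zip("quote.pdf", b"%PDF-1.4 placeholder")

if __name__ == "__main__":
    for name, data in [("Amazon_label_N-322-552.zip", SAMPLE_AMAZON),
                       ("Resume.zip", SAMPLE_RESUME),
                       ("quote.zip", SAMPLE_BENIGN)]:
        print(name, inspect_zip_attachment(data, name))
```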

The following files are created:

C:\Documents and Settings\User\Local Settings\Temp\1.tmp
C:\WINDOWS\system32\thxr.wgo

HTTP requests will be made to:

hxxp://hulejsoops.ru/images/bb.php?v=200&id=636608811&b=build_9&tm=1
hxxp://hulejsoops.ru/images/bb.php?v=200&id=636608811&b=build_9&tm=2
hxxp://hulejsoops.ru/images/bb.php?v=200&id=636608811&b=build_9&tm=3

At the time of writing, only 5 of the 41 AV engines at VirusTotal detected the threat. VirusTotal permalink and MD5: b31628758d2557315403f59cc65bc33d.

“Thank you for buying iTunes Gift Certificate!” email contains trojan

[UPDATE] A new article regarding a new trojan variant was posted on the MX Lab blog on 26 May 2010: New trojan variant in “Thank you for buying iTunes Gift Certificate!” email.

MX Lab started to intercept emails with the subject “Thank you for buying iTunes Gift Certificate!” carrying the trojan Gen:Variant.Bredo.4 (Bitdefender, F-Secure), Win32/Oficla.GQ (NOD32), Trojan.Sasfis (Symantec) or Mal/EncPk-NS (Sophos).

It is clear that with this campaign, the virus authors are using a subtle way to lure potential victims. Getting a $50 iTunes Gift Certificate is more tempting than anything else.

This distribution is sent from the spoofed email address iTunes Products <customer.service@itunes.com>.

The body of the email:

Hello!

You have received an iTunes Gift Certificate in the amount of $50.00
You can find your certificate code in attachment below.

Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.

iTunes Store.

The email contains the ZIP archive iTunes_certificate_247.zip, which holds the 52 kB executable iTunes_certificate_247.exe.

The following files are created:

%Temp%\1.tmp
%System%\pgsb.lto

The registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid” is created.
The registry key “[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]” will be modified.

The trojan can establish a remote connection with the IP 195.78.108.201 on port 80 and retrieve data from:

* hxxp://davidopolko.ru/migel/bb.php?v=200&id=743908139&b=6may&tm=2
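The check-in URLs quoted in this and the preceding posts share one shape: a path ending in bb.php with v=200, a numeric bot id, a build tag b= and a tm= counter, while the host rotates. The detector below, added here and not part of the original post, keys on that parameter set instead of the hostname and runs over constructed Squid-style access log lines (hosts use the reserved .invalid TLD; the id and b values are the ones quoted above).

```python
"""Flag Bredolab/Oficla-style bb.php check-ins in proxy logs by query shape, not by host."""
import re
from urllib.parse import parse_qs, urlsplit

# Squid native access.log layout: time elapsed client result bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
REQUIRED_PARAMS = {"v", "id", "b", "tm"}


def is_bredolab_checkin(url):
    """True when the URL matches the bb.php?v=200&id=<digits>&b=<tag>&tm=<digits> pattern."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/bb.php"):
        return False
    qs = parse_qs(parts.query)
    if not REQUIRED_PARAMS.issubset(qs):
        return False
    # Every sample on this page carries v=200 and purely numeric id/tm values.
    return qs["v"] == ["200"] and qs["id"][0].isdigit() and qs["tm"][0].isdigit()


def scan_proxy_log(lines):
    """Return one dict per matching GET: client, contacted host, bot id and build tag."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        url = m.group("url")
        if is_bredolab_checkin(url):
            qs = parse_qs(urlsplit(url).query)
            hits.append({
                "client": m.group("client"),
                "host": urlsplit(url).hostname,
                "bot_id": qs["id"][0],
                "build": qs["b"][0],
            })
    return hits


# Constructed log lines; hosts are placeholders, query strings follow the page's samples.
SAMPLE_LOG = [
    "1273400000.123 45 10.0.0.15 TCP_MISS/200 512 GET "
    "http://c2-a.invalid/migel/bb.php?v=200&id=743908139&b=6may&tm=2 - DIRECT/203.0.113.9 text/html",
    "1273400001.001 12 10.0.0.15 TCP_HIT/200 2048 GET "
    "http://www.example.com/bb.php?v=1&page=2 - NONE/- text/html",
    "1273400002.550 60 10.0.0.22 TCP_MISS/200 498 GET "
    "http://c2-b.invalid/babun/bb.php?v=200&id=603225387&tid=4&b=6165430227&r=1&tm=1 - DIRECT/203.0.113.10 text/html",
    "1273400003.200 30 10.0.0.22 TCP_MISS/200 300 POST "
    "http://c2-b.invalid/babun/bb.php?v=200&id=603225387&b=6165430227&tm=1 - DIRECT/203.0.113.10 text/html",
    "1273400004.900 20 10.0.0.31 TCP_MISS/200 9000 GET "
    "http://shop.example.com/index.php?id=200&tm=1 - DIRECT/203.0.113.11 text/html",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Only GETs are matched because that is all the quoted samples show; widen the method check if your own captures include POST check-ins.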

At the time of writing, 15 of the 41 AV engines detected the trojan. VirusTotal permalink and MD5: 0e50c0085bc6d75226a5c06ac1637df1

MX Lab customers are protected against this email based threat.

Email regarding Conflicker.B Infection Alert contains a trojan

MX Lab started to intercept emails with the subject “Conflicker.B Infection Alert”. The trojan is named Win32:Bredolab-CC (Avast), Generic Dropper.lr (McAfee) or Trojan.Win32.Bredolab.Gen.2 (Sunbelt).

The from address is spoofed and can contain “Microsoft Team”. The email is signed by “Microsoft Windows Computer Safety Division” to make it appear that it comes from Microsoft itself.

The email has the attachment open.zip and inside the ZIP archive the executable open.exe (16 kB).

As the text below shows, the email instructs the recipient to use the attached file to scan their network after a supposedly detected infection by the Conficker worm.

Dear Microsoft Customer,

Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

At the time of writing, 21 of the 40 AV engines at VirusTotal detected the threat correctly. Our recommendation is that you never follow instructions like these sent by email. Microsoft, or any other company, will never distribute security tools by email.

This trojan is a serious security risk because it displays fake alerts about a virus infection in order to lead you to buy rogue anti-virus/anti-spyware products. The trojan also has a built-in SMTP engine that lets it send out emails.

A new window is displayed after executing the file open.exe.

The following files are created:

%CommonAppData%\28701826\28701826.exe
%DesktopDir%\Security Tool.lnk
%Programs%\Security Tool.lnk
%Windir%\Temp\_ex-08.exe

The following directory is created:

%CommonAppData%\28701826

New processes are created:

_ex-08.exe in %Windir%\temp\_ex-08.exe
28701826.exe in C:\DOCUME~1\ALLUSE~1\APPLIC~1\28701826\28701826.exe

The Windows registry will be modified and the malware can open TCP ports 1066 and 1067 on an infected system.

Connection to remote hosts (port 80):

221.150.130.37
94.102.50.131
95.143.192.40

Remote downloads:

* hxxp://221.150.130.37/qmbzxqbitqs.htm
* hxxp://221.150.130.37/gyxk.htm
* hxxp://221.150.130.37/xwxwkg.htm
* hxxp://94.102.50.131/in.php?affid=43400&url=5&win=Windows%20XP+2.0&sts=
* hxxp://95.143.192.40/pr/pic/sys.exe

VirusTotal permalink and MD5: 76cf8a523c11f4d2ab86a7b99c89c9e0.

“updated account agreement” email contains Bredolab trojan

MX Lab started to intercept emails with the subject “updated account agreement” that contain the Bredolab trojan. Judging by the content, the campaign targets Facebook users. The email comes from a spoofed address whose sender name contains “Facebook Team”.

The body of the email:

Dear Facebook user,

Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement, regardless of their original account start date.

Accounts that do not submit the updated account agreement by the deadline will have restricted.

Please unzip the attached file and run “agreement.exe” by double-clicking it.

Thanks,
The Facebook Team

The email has the ZIP archive agreement.zip attached; once unpacked, the 28 kB file agreement.exe is available.

Facebook, or any other company, will never distribute agreements, software updates and patches or anything else by email. Our recommendation is to delete the email immediately, because many AV engines do not detect this variant well at the moment.

VirusTotal permalink and MD5: cc632e1dad8775e2bb558a6cd247b94b.