Possible subject are:

Look my CV. Thank you! MyID NR4557547.
Please look my CV. Thank you! MyID NR0663460.

The number at the end of the subject is choosen randomly and the from email address is spoofed.

The body of the email:

Good day.

I have figured out that you have an available job.
I am quiet intrested in it. So I send you my resume,

Looking forward to your reply.
Thank you.

The email contains the attachment resume098.zip. The extracted file resume.exe is 36 kB large.

The trojan is known as W32/Heuristic-210!Eldorado (Authentium, F-Prot) or Backdoor.Bredolab (PCTools).

The following files are created:

%Temp%\1.tmp
%System%\fjof.sto
%Temp%\2.tmp
%Windir%\atapsrb.dll

The following modules are loaded into the address space of other processes:

%Windir%\atapsrb.dll:

Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E70000 – 0x1E82000

%Windir%\atapsrb.dll::

Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0×1940000 – 0×1952000

%Windir%\atapsrb.dll::

Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0×10000000 – 0×10012000

Several Windows registry modifications are created and the trojan attempts to establish a connection with the following IPs on port 80:

195.78.109.6
212.78.71.81
95.211.98.246

Data is downloaded from the following hosts:

• hxxp://olgashelest.ru/babun/bb.php?v=200&id=603225387&b=6165430227&tm=1
• hxxp://olgashelest.ru/babun/bb.php?v=200&id=603225387&tid=4&b=6165430227&r=1&tm=1
• hxxp://www.scottishchefs.com/photogallery/Slideshows/SLteam2008/p7hg_img_1/fullsize/sepod.exe

At this time of writing, only 6 of the 41 AV engines at Virus Total detect this threat. Virus Total permlink and MD5: 0ae6a2d53e86b8784d45dd56afc5c6d7.

The downloaded file sepod.exe, which is 60 kB large, is malware known as W32/Hiloti.I.gen!Eldorado (F-Prot),  Trojan.Win32.Hiloti (Ikarus) or Mal/Hiloti-D (Sophos).

The following files are created:

%Windir%\dsmd32.dll

The following modules are loaded into the address space of other processes:

%Windir%\dsmd32.dll:

Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E70000 – 0x1E82000

%Windir%\dsmd32.dll:

Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0×10000000 – 0×10012000

Several Windows registry modifications are created and the trojan attempts to establish a connection with the IP 95.211.98.246 on port 80.

13 of the 41 AV engine at Virus Total detect this threat. Virus Total permlink and MD5: 7a10c1118307e7cb4ecf97b40524a89c.

The possible subjects are (numbers are random):

UPS INVOICE NR9094991
Delivery Problem NR2204780

The body of the email:

Hello!
Unfortunately we were not able to deliver your postal you have sent on the 11th of March in time because the addressee’s is inexact.
Please print out the invoice copy attached and collect the package at our department.
UPS Global Services.

Hello!
We failed to deliver the postal you have sent on the 24th of March in time because the addressee’s is wrong.
Please print out the invoice copy attached and collect the package at our department.
UPS Express Services.

The email contains the zip archive upsinvoice3325037.zip, once extracted the 36 kB large file UPSINVOICE.exe is available.

The trojan is known as W32/FakeAlert.NW (F-Prot), Trojan.Win32.VBKrypt.yj (Kaspersky), Win32/Oficla.EU (NOD32), Troj/Bredo-CX (Sophos) or Trojan.Sasfis (Symantec).

The following files are created:

%Temp%\1.tmp
%System%\nnfj.tqo
%Temp%\2.tmp
%Windir%\scindl.dll

The following modules will be loaded into the address space of other process(es):

%Windir%\scindl.dll —>
Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E90000 – 0x1EA1000

%Windir%\scindl.dll —>
Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0×1940000 – 0×1951000

%Windir%\scindl.dll —>
Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0×10000000 – 0×10011000

The trojan can establish a remote connection with the following hosts on port 80:

85.87.17.230
89.149.202.142
95.211.27.238

Data will be requested fromt he following web sites:

* hxxp://funnylive2010.ru/ms/bb.php?v=200&id=653227819&b=newsp&tm=2
* hxxp://funnylive2010.ru/ms/bb.php?v=200&id=653227819&tid=5&b=newsp&r=1&tm=2
* hxxp://www.yunusemre.net/trpanel/fckeditor/editor/
_source/classes/sistempod.exe

Virus Total permlink and MD5: 493c929efe366812cd6fc921c2b549fc.

The trojan is known as Trojan.Generic.Bredolab.3232 (ClamAV), W32/VBcrypt.E.gen!Eldorado (Eldorado), W32/VBcrypt.E.gen!Eldorado (F-Prot) or Heuristic.BehavesLike.Win32.Downloader.H (McAfee-GW-Edition).

The body of the email:

Dear Sirs,

Thank you for shopping at Amazon.com!

We have successfully received your payment.

Your order has been shipped to your billing address.

You have ordered ” Sony Bravia S1452 ”

You can find your tracking number in attached to the e-mail document.

Print the postal label to get your package.

We hope you enjoy your order!

Vaughn Montes, Amazon

The email has the ZIP archive Amazon_label_N-322-552.zip attached and contains the 36 kB large file Amazon_label_N-322-552.DOC.exe.

The following files are created:

C:\Documents and Settings\User\Local Settings\Temp\1.tmp
C:\WINDOWS\system32\thxr.wgo

An HTTP request will be done to:

hxxp://hulejsoops.ru/images/bb.php?v=200&id=636608811&b=build_9&tm=1
hxxp://hulejsoops.ru/images/bb.php?v=200&id=636608811&b=build_9&tm=2
hxxp://hulejsoops.ru/images/bb.php?v=200&id=636608811&b=build_9&tm=3

At the time of writing, only 5 of the 41 AV engines at Virus Total did detect the threat. Virus Total permlink and MD5: b31628758d2557315403f59cc65bc33d.

MX Lab started to intercept emails with the subject “Thank you for buying iTunes Gift Certificate!” with the trojan Gen:Variant.Bredo.4 (Bitdefender, F-Secure), Win32/Oficla.GQ (NDO32), Trojan.Sasfis (Symantec) or Mal/EncPk-NS (Sophos).

It is clear that with this campaign, the virus authors are using a subtle way to lure potential victims. Getting a $50 iTunes Gift Certificate is more tempting than anything else.

This distribution is sent from the spoofed email address iTunes Products <customer.service@itunes.com>.

The body of the email:

Hello!

You have received an iTunes Gift Certificate in the amount of $50.00
You can find your certificate code in attachment below.

Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.

iTunes Store.

The email contains the file ZIP archive iTunes_certificate_247.zip containing the 52 kB large executable iTunes_certificate_247.exe.

The following files are created:

%Temp%\1.tmp
%System%\pgsb.lto

The registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid” is created.
The registry key “[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]” will be modified.

The trojan can establish a remote connection with the IP 195.78.108.201 on port 80 and retrieve data from:

* hxxp://davidopolko.ru/migel/bb.php?v=200&id=743908139&b=6may&tm=2

At the time of writing, 15 of the 41 AV engines did detect the trojan. Virus Total permlink and MD5: 0e50c0085bc6d75226a5c06ac1637df1

MX Lab customers are protected against this email based threat.

The from address is spoofed and can contain “Microsoft Team”. The emails is signed by “Microsoft Windows Computer Safety Division” to make it appears that it is from Microsoft itself.

The email has the attachment open.zip and inside the ZIP archive the executable open.exe (16 kB).

As you can read, the email contains instructions to use the attached file to scan your network after an detected virus infection by the Conflicker worm.

Dear Microsoft Customer,

Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

At the time of writing, 21 of the 40 AV engines at Virus Total did detect the threat correctly. Our recommendation is that you never following instructions, send by email, like this one. Microsoft, or any other company, will spread security tools by email.

This trojan is a serious security risk because it will display fake alerts regarding a virus infection in order to lead you to buy rogue anti virus/anti spyware products. The trojan also has the capabilities to send out emails with a build-in SMTP engine.

A new windows will be created after executing the file open.exe:

The following files are created:

%CommonAppData%\28701826\28701826.exe
%DesktopDir%\Security Tool.lnk
%Programs%\Security Tool.lnk
%Windir%\Temp\_ex-08.exe

The following directory is created:

%CommonAppData%\28701826

New processes are created:

_ex-08.exe in %Windir%\temp\_ex-08.exe
28701826.exe in C:\DOCUME~1\ALLUSE~1\APPLIC~1\28701826\28701826.exe

The Windows registry will be modified and the malware can open the TCP ports 1066 and 1067 ports on an infected system.

Connection to remote hosts (port 80):

221.150.130.37
94.102.50.131
95.143.192.40

Remote downloands:

* hxxp://221.150.130.37/qmbzxqbitqs.htm
* hxxp://221.150.130.37/gyxk.htm
* hxxp://221.150.130.37/xwxwkg.htm
* hxxp://94.102.50.131/in.php?affid=43400&url=5&win=Windows%20XP+2.0&sts=
* hxxp://95.143.192.40/pr/pic/sys.exe

Virus Total permlink and MD5: 76cf8a523c11f4d2ab86a7b99c89c9e0.

The body of the email:

Dear Facebook user,

Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement, regardless of their original account start date.

Accounts that do not submit the updated account agreement by the deadline will have restricted.

Please unzip the attached file and run “agreement.exe” by double-clicking it.

Thanks,
The Facebook Team

The email has the ZIP archive agreement.zip attached, once unpacked the file 28 kB big file agreement.exe is available.

Facebook, or any other company, will never distribute agreements,  software updates and patches or anything else in emails. Our recommendation is to delete the email immediatly because a lot of AV engines do not detect this variant very well at the moment.

Virus Total permlink and MD5: cc632e1dad8775e2bb558a6cd247b94b.

Do you like to find a girlfriend like me ?

One campaign has the subject “Do you like to find a girlfriend like me ?” and targets female singles in a certain way:

Wish to have a boyfriend
Be able to protect me, take care of me
Intolerable lonely night and would like to have your care.
do you Willing ?

This is my photos.

The email includes a ZIP archive named myphotos.zip which indicated that you will see some pictures. Instead the archive includes the file myphoto.exe which is the Bredolab trojan.

Virus Total permlink and MD5: 63936bfd3c1207ef3d2cce7b52d508da.

DHL Office. Please get your parcel NR.6161

The second campaign is the tradional failed package delivery style, in this case DHL coming from the spoofed email address <support@dhl.com>. Following subject are used:

DHL Office. Please get your parcel NR.6161
DHL Express. Please get your parcel NR.6161
DHL Express Services. You need to get a parcel NR. 3050
DHL International. You need to get a parcel NR. 3050
DHL Services. Please get your parcel NR. 1608
DHL Customer Services.  Please get your parcel NR. 3528

Body of the email:

Hello!

The courier service was not able to deliver your parcel at your address.

Cause: Mistake in address

You may pickup the parcel at our post office personally.

The delivery advice is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Services.

There is also a Spanish version of the campaign with the spoofed email address <support@dhl.es> with the subject “DHL servicios. Recibir parcela NR.82140″ and the email body:

Estimado Cliente

El mensajero de nuestra Compañía no pudo entregarle el envío en su domicilio.
Causa: Error en la indicación del domicilio de entrega.
Puede recibir su envío personalmente en la oficina de correos cercana a su domicilio.

Atención!
A esta carta se le adjunta una etiqueta postal. Usted debe imprimir la etiqueta para poder recibir el envío en la oficina de correos.

Gracias.
DHL servicios.

UPS Delivery Problem NR 66466.

The third campaign in also failed package delivery style but with UPS ‘branding’ from the spoofed from address <service@ups.com>. Subject is UPS Delivery Problem NR 66466 and and example of the body of the email:

Dear customer!

Unfortunately we were not able to deliver the package sent on the 24th of January in time
because the addressee’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.

United Parcel Service of America.

The UPS and DHL trojans have the same MD5 are are the same variant. At the time of writting this article only 14 of the 40 AV engines pick up the trojan well.

Virus Total permlink and MD5:574f07d83aeae631834ff8279af8c1ed.

The trojan is known as Trojan.Win32.Bredolab, Trojan-Downloader:W32/Bredolab.WI or TrojanDownloader:Win32/Bredolab.AB.

UPS Tracking Number

The message comes from the spoofed address UPS Manager *** <services@ups.com> (*** stands for a random firstname lastname format). The subject is UPS Tracking Number 42163829 (number may vary with each email). The body of the email:

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
United Parcel Service.

The email contains the archive file UPS_invoice _Nr4593.zip, where the number matches the number in the subject. Extracted the executable UPS_invoice _Nr4593.exe is present with a file size of 68kB.

The trojan will create the following files on the system:

%Profiles%\LocalService\Application Data\mvhgkr.dat
%AppData%\avdrn.dat
%DesktopDir%\Internet Security 2010.lnk
%StartMenu%\Internet Security 2010.lnk
%Programs%\Startup\rarype32.exe
%ProgramFiles%\InternetSecurity2010\IS2010.exe
%System%\41.exe
%System%\helper32.dll
%System%\smss32.exe
%System%\winlogon32.exe
%System%\warning.html

There were new processes created in the system:

%System%\smss32.exe
%ProgramFiles%\internetsecurity2010\is2010.exe

Various registry settings will be changed while the port 1054 on TCP is open for the service smss32.exe (%System%\smss32.exe). Connections to remote host are established: 193.104.153.30 on port 80 and to 193.104.94.5 op port 4455.

The data identified by the following URLs was then requested from the remote web server:

* http://downloadavr40.com/loads.php?code=0001384
* http://downloadavr40.com/dfghfghgfj.dll
* http://downloadavr40.com/cgi-bin/download.pl?code=0001384
* http://testavrdown.com/cgi-bin/get.pl?l=0001384

Virus Total permlink and MD5: 28d798d6021e600101ba68ea87345656. At the time of writing this article, only 10 of the 41 AV engines did detect the trojan variant.

DHL Tracking Number

The email comes from the spoofed address Support *** <services@dhl.com> (*** stands for a random firstname lastname format).

Possible subject formats are:

DHL Delivery Problem NR 98545
DHL International. Get your parcel NR.5269
DHL Customer Services. Get your parcel NR.0961
DHL Express Services. Get your parcel NR.6493
DHL Office. Get your parcel NR.6366
DHL Tracking Number 40834372048

The body of the email:

Hello!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Express Services.

The email contains the archive file DHL_label_Nr2387.zip. Extracted the executable DHL_label_Nr2387.exe is present with a file size of 68kB. The numbers in the filename may vary.

Following files are created on the system:

%AppData%\avdrn.dat
%Programs%\Startup\rarype32.exe

Virus Total permlink and MD5: 7c874b52eee7196ef96dc8710b957033.

The email is send from the spoofed address <confirmation@myspace.com> and has the subjects:

MySpace Password Reset Confirmation!
MySpace Password Reset Confirmation! Order NR.4648.

The number at the end of the subject is choosen randomly and can change in case the subject contains an Order NR.

Body of the email:

Hey a ,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your MySpace.

The attached document is named MySpace_document_10081.zip and contains the 36 kB big MySpace_document_10081.exe executable.

Virus Total permlink and MD5: cfd05a493ccab7d5928ba9bf7dec3d16.

The body of the email:

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Delivery Services.

The email has the ZIP attachment named DHL_Label_da882.zip (charachters after DHL_Label_ are choosen randomly) that contains 32 kB big file DHL_Label_da882.exe.

At the time of writing only 14 of the 40 AV engines detect the virus at Virus Total. Virus Total permlink and MD5: 2ddd08612873d8217555f6c40ae32f51.