New Bredolab variant in email regarding DHL parcel delivery problems

December 7, 2009 by mxlab 1 Comment

MX Lab started to intercept new variants of Bredolab in emails regarding DHL parcel delivery problems. The emails comes from the spoofed address Manager Youg Steward <parcel@dhl-usa.com> (name is choosen randomly).

The body of the email:

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Delivery Services.

The email has the ZIP attachment named DHL_Label_da882.zip (charachters after DHL_Label_ are choosen randomly) that contains 32 kB big file DHL_Label_da882.exe.

At the time of writing only 14 of the 40 AV engines detect the virus at Virus Total. Virus Total permlink and MD5: 2ddd08612873d8217555f6c40ae32f51.

Filed under Viruses Tagged with , , , ,

DHL Tracking Number 3YMH6JJY contains trojan

November 10, 2009 by mxlab 22 Comments

MX Lab intercepted a large amount of emails with the subject “DHL Tracking Number 3YMH6JJY” containing the trojan TrojanDownloader:Win32/Cutwail.gen!C (Microsoft), Trojan.Kobka.E (GData), AVG (SHeur2.BQSN() or Troj/Agent-LQA (Sophos).

The contents of the email:

Dear customer!

The courier company was not able to deliver your parcel by your address.

You may pickup the parcel at our post office personaly.

The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.

Thank you for attention.
DHL Express Services.

The attachment is named 3YMH6JJY.zip and contains the file 3YMH6JJY.exe, 56 kB big. The threat has the characteristics of ZBot, a trojan that disables firewall, steals sensitive financial data makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system. The trojan can communicate with a remote SMTP server for sending out emails.

The following files are being created:

c:\2.tmp
c:\6.tmp
%AppData%\wiaservg.log
%Temp%\2515696084.exe
%Temp%\b2jp5k.exe
%Temp%\debug.exe
%Temp%\services.exe
%Temp%\svchost.exe
%Temp%\taskmgr.exe
%Temp%\win32.exe
%Temp%\winamp.exe
%Temp%\g260h.exe
%Temp%\habnf88jkefh87ifiks.tmp
%Temp%\jisfije9fjoiee.tmp
%Temp%\ogxyx.exe
%Temp%\pskfo83wijf89uwuhal8.tmp
%UserProfile%\reader_s.exe
%System%\reader_s.exe
%System%\dllcache\ndis.sys
%System%\ntos.exe
%System%\p2hhr.bat
%System%\wbem\grpconv.exe
%System%\wbem\Performance\WmiApRpl_new.ini
%System%\wsnpoem\audio.dll
%System%\wsnpoem\video.dll
%System%\z7v89qurrt.dll

The following file was deleted: %System%\grpconv.exe.
The following file was modified: %System%\drivers\ndis.sys.
The following directory was created: %System%\wsnpoem.

Following processes are created:

%System%\reader_s.exe
%UserProfile%\reader_s.exe
%Temp%\g260h.exe
%Temp%\winamp.exe
%Temp%\services.exe
%Temp%\svchost.exe
%Temp%\ogxyx.exe

A new memory page created in the address space of the system process(es): %System%\svchost.exe.
The following module was loaded into the address space of other process(es): %System%\z7v89qurrt.dll with process name: IEXPLORE.EXE.

Connections to remore hosts:

12.191.105.50 port 25
12.49.129.230 port 25
207.58.165.84 port 25
209.128.32.160 port 25
209.181.247.105 port 25
209.85.135.27 port 25
216.130.106.200 port 25
24.106.49.86 port 25
62.72.96.41 port 25
64.183.119.211 port 25
72.9.145.85 port 80
94.75.207.170 port 80
94.75.228.136 port 80
78.159.121.41 port 38811

The following URLs are requested from the remote web server:

* hxxp://www.panel911.com/traffic/in.cgi?google2
* hxxp://virtualmits.com/ndw/vp1.php?id=1CA619795E68E12&ver=v10&er=S_wd_rd_we_re_
* hxxp://virtualmits.com/ndw/ndw.php?id=1CA619795E68E12&ver=v10&er=S_wd_rd_we_re_
* hxxp://virtualmits.com/ndw/ndw.php?id=1CA619795E68E12&ver=v12
* hxxp://virtualmits.com/ndw/ndw.php?id=1-1CA6197986CAB58&ver=v12
* hxxp://1job1.cn/us4/error
* hxxp://1job1.cn/us4/us4.php?1=computername_0001e9af&i=
* hxxp://1job1.cn/l/controller.php?action=bot&entity_list=&uid=3&first=1&guid=13441600&v=15&rnd=6293712
* hxxp://1job1.cn/us4/us4.php?2=computername_0001e9af&n=1&v=16778496&i=&s=0&sp=0&lcp=0&pr=0
* hxxp://1job1.cn/l/controller.php?action=report&guid=0&rnd=6293712&uid=3&entity=1257509694:unique_start
* hxxp://1job1.cn/l2/2.php
* hxxp://1job1.cn/l2/1.php
* hxxp://1job1.cn/us4/us4.exe
* hxxp://1job1.cn/x.exe
* hxxp://1job1.cn/l2/stat.php

SMTP traffic will be generated from following email addresses:

  • <undersellsgq0@royaldevice.com>
  • <blackballedvm6@rotaerota.com>
  • <reciprocallydo@roispy.com>
  • <frankingoc6485@rmservicing.com>
  • <rackn84@rmanet.com>
  • <wrongdoinglq@rhgmarketing.com>
  • <kazooo@roxcel-usa.com>
  • <ladybirdwtz01@restaurantesol.com>
  • <pleadyl76@rotodiff.com>
  • <deflectorsoj@ramcaterers.com>
  • <demolishedlx@robinson-pilaw.com>
  • <foreordainingg7@rcalum.com>
  • <dismisseseic2@rosenfeldlaw.com>
  • <epitomizezm2@roldeco.com>
  • <dashinglyl8@regenesis-rehab.com>
  • <tattyttg74@rocorpn.com>

Virus Total permlink and MD5:  08ba612f05b0433a4a5ca2df4da38deb.

Filed under Viruses Tagged with , , ,

New DHL trojan variant in the wild

August 17, 2009 by mxlab Leave a Comment

MX Lab has intercepted messages with the subject line “DHL Delivery problem NR ****”, where **** stands for random generated characters, probably to give the idea that these are tracking numbers of the package. The From address contains randomly choosen spoofed email addresses but no direct track to DHL.

The body of the email:

Dear customer!

We failed to deliver the postal package sent on the 28th of June in time
because the recipient’s address is erroneous.
Please print out the invoice copy attached and collect the package at our office.

Your DHL Delivery Services.

The email has a ZIP file attached that starts with the letter “D” followed by random generated characters, for ex. D1c8020fd.zip, and contains the trojan W32/Troj_Obfusc.J.gen!Eldorado (F-Prot), TrojanDownloader:Win32/Bredolab.X (Microsoft), Mal/Behav-340 (Sophos).

Only  8 of the 41 AV engines at Virus Total detected the trojan at the time of investigating this new threat so be carefull because it is likely that your AV engine isn’t up to date yet.

VirusTotal permlink and MD5: e9a23f7e7850257398b2021b927f706b.

Filed under Viruses Tagged with , , , ,

New variant W32/Trojan3.AKD attached with the DHL tracking email message

March 27, 2009 by mxlab 7 Comments

A new trojan variant is attached to the malicious DHL tracking emails. The trojan is known as W32/Trojan3.AKD and the attached zip file name is changed to dhl_n756512.zip.

The content of the email remains mostly unchanged:

Hello!

We were not able to deliver postal package you sent on the 14th of March in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office.

Your personal manager: Shawn Pina,

Customer Service: 1-800-CALL-DHL
Fax: 888-221-6211
DHL International, Ltd. All Rights Reserved

the trojan has the threat characteristics of ZBot – a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.

The following directories are created:

  • %System%\lowsec
  • %Windir%\Temp\Cookies
  • %Windir%\Temp\History
  • %Windir%\Temp\History\History.IE5
  •  %Windir%\Temp\Temporary Internet Files
  • %Windir%\Temp\Temporary Internet Files\Content.IE5
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\APS9AFKV
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\AZQ50B2L
  •  %Windir%\Temp\Temporary Internet Files\Content.IE5\IT4VWXQ5
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\M5U5URM5

Created files in the infected system:

  • %Windir%\9g234sdff3d23dfgjf23 
  •  %Windir%\ld03.exe 
  • %Windir%\pp05.exe 
  • %System%\dll32.dll
  • %System%\lowsec\local.ds 
  • %System%\lowsec\user.ds 
  • %System%\nfr.assembly
  • %System%\nfr.gpref 
  • %System%\sdra64.exe
  • %Windir%\t55ft2809f44.dat 
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\APS9AFKV\desktop.ini
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\AZQ50B2L\desktop.ini
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\desktop.ini
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\IT4VWXQ5\desktop.ini
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\M5U5URM5\desktop.ini 
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\index.dat 
  • %Windir%\tt_1238184223.exe  (known as Trojan.Fakeavalert [Symantec] packed with PE_Patch.UPX [Kaspersky Lab])

New processed are created:

  • pp05.exe (%Windir%\pp05.exe)
  • tt_1238184236.exe (%Windir%\tt_1238184236.exe)

Windows registry changes are being made and connections to remote hosts are established on port 80:

  • 119.110.107.136
  • 207.36.57.81
  • 212.36.9.1
  • 66.102.11.147
  • 85.13.236.154
  • 91.212.65.5
  • 92.62.101.17

Following URLs can be requested that host malicious content:

* hxxp://wnames0603.com/achcheck.php
* hxxp://wnames0603.com/ld/gen.php
* hxxp://nettresults.com/vtb.exe
—> W32/Trojan-Sml-SDCW!Eldorado, W32.Koobface.A
* hxxp://intelfarm.com/1/nfr.exe
—> Trojan.Dropper.Gen, Trojan.Fakeavalert
* hxxp://intelfarm.com/1/pp.05.exe
—> W32/Trojan-Sml-IWW!Eldorado, W32.Koobface.A
* hxxp://85.13.236.154/v50/search.php?p=11180&s=I&v=56&uid=13441600&q=
* hxxp://mn-room.ru/phpbb/dir.cfg
* hxxp://92.62.101.17/phpbb2/dir.php

Virus Total permlink and MD5: 4b00c328a526f20acc801f46b69f2e78.

Filed under Viruses Tagged with , ,

Email with DHL tracking number contains W32/Trojan3.AKC trojan

March 26, 2009 by mxlab 28 Comments

MX Lab intercepted a  few messages that claim that the delivery of the postal package that is handled by DHL has failed due to an incorrect recipient address.

The subject contains “DHL Tracking number #05CME637072VHBD”, the attachment is named DHL_HELP.zip and the body of the email contains the following message:

Hello!

We were not able to deliver postal package you sent on the 14th of March in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office.

Your personal manager: Christy Block,

Customer Service: 1-800-CALL-DHL
Fax: 888-221-6211
DHL International, Ltd. All Rights Reserved.

Virus Total permlink and MD5: 469585cf90d45d43566aed92c21807ed.

Filed under Viruses Tagged with , , , ,