“DHL Express Services” – another trojan in the wild

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “DHL Express Services”.

The email is sent from the spoofed sender “DHL Global” using one of the following addresses:

supportmop@dhl.com
supportmop1@dhl.com

Based on previous campaigns, we expect more spoofed addresses in the same format, with a number inserted before the @-sign.

The message has the following body:

Dear customer.

The parcel was sent your home address.
And it will arrive within 3 business day.

More information and the tracking number are attached in document below.

Thank you.
© 1994-2011 DHL Express Services, Inc.

The attached ZIP file is named dhl.zip and contains the 20 kB file dhl.exe.

The trojan is known as Gen:Variant.Kazy.17907 (Bitdefender), Backdoor:Win32/Hostil.gen!A (Microsoft) or Trj/Sasfis.A (Panda).

The following files will be created:

%CommonAppData%\lpd2lf503886
%AppData%\lpd2lf503886
%Temp%\lpd2lf503886
%Templates%\lpd2lf503886
%AppData%\fip.exe

A new process is created:

fip.exe —> %AppData%\fip.exe

Several Windows registry changes are executed and the trojan can establish a connection with the following IPs on port 80:

216.155.130.214
46.161.20.66

Data is downloaded from the following URLs:

  • hxxp://tazejutyhyfu.com/1017000312
  • hxxp://puskovayaustanovka.ru/pusk2.exe

At the time of writing, only 4 of the 43 AV engines at Virus Total detected the trojan.

Virus Total permalink and MD5: 87d778169ae14d934b92ce628b5cfde4.

Analysis of the file pusk.exe:

The trojan is known as Gen: Mal/Behav-321 (Sophos), TrojanDropper.Mudrop.ozh (VBA32) or FraudTool.Win32.FakeRean.b (v) (VIPRE).

This malware creates the following files:

%CommonAppData%\lpd2lf503886
%AppData%\lpd2lf503886
%Temp%\lpd2lf503886
%Templates%\lpd2lf503886

A new process will be created:

jfe.exe —> %AppData%\jfe.exe

It modifies the Windows registry and the trojan can establish a connection to 216.155.130.214 on port 80.

It requests data from hxxp://tazejutyhyfu.com/1017000312.

At the time of writing, only 4 of the 43 AV engines at Virus Total detected the trojan.

Virus Total permalink and MD5: 2ac3a5bb8e7eb81cb306f869207eb69b.

New Bredolab variant in email regarding DHL parcel delivery problems

MX Lab started to intercept new variants of Bredolab in emails regarding DHL parcel delivery problems. The emails come from the spoofed address Manager Youg Steward <parcel@dhl-usa.com> (the name is chosen randomly).

The body of the email:

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Delivery Services.

The email has a ZIP attachment named DHL_Label_da882.zip (the characters after DHL_Label_ are chosen randomly) that contains the 32 kB file DHL_Label_da882.exe.

At the time of writing, only 14 of the 40 AV engines at Virus Total detected the virus. Virus Total permalink and MD5: 2ddd08612873d8217555f6c40ae32f51.

DHL Tracking Number 3YMH6JJY contains trojan

MX Lab intercepted a large number of emails with the subject “DHL Tracking Number 3YMH6JJY” containing the trojan detected as TrojanDownloader:Win32/Cutwail.gen!C (Microsoft), Trojan.Kobka.E (GData), SHeur2.BQSN (AVG) or Troj/Agent-LQA (Sophos).

The contents of the email:

Dear customer!

The courier company was not able to deliver your parcel by your address.

You may pickup the parcel at our post office personaly.

The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.

Thank you for attention.
DHL Express Services.

The attachment is named 3YMH6JJY.zip and contains the 56 kB file 3YMH6JJY.exe. The threat has the characteristics of ZBot, a trojan that disables the firewall, steals sensitive financial data, makes screen snapshots, downloads additional components, and provides the attacker with remote access to the compromised system. The trojan can communicate with a remote SMTP server for sending out emails.

The following files are being created:

c:\2.tmp
c:\6.tmp
%AppData%\wiaservg.log
%Temp%\2515696084.exe
%Temp%\b2jp5k.exe
%Temp%\debug.exe
%Temp%\services.exe
%Temp%\svchost.exe
%Temp%\taskmgr.exe
%Temp%\win32.exe
%Temp%\winamp.exe
%Temp%\g260h.exe
%Temp%\habnf88jkefh87ifiks.tmp
%Temp%\jisfije9fjoiee.tmp
%Temp%\ogxyx.exe
%Temp%\pskfo83wijf89uwuhal8.tmp
%UserProfile%\reader_s.exe
%System%\reader_s.exe
%System%\dllcache\ndis.sys
%System%\ntos.exe
%System%\p2hhr.bat
%System%\wbem\grpconv.exe
%System%\wbem\Performance\WmiApRpl_new.ini
%System%\wsnpoem\audio.dll
%System%\wsnpoem\video.dll
%System%\z7v89qurrt.dll

The following file was deleted: %System%\grpconv.exe.
The following file was modified: %System%\drivers\ndis.sys.
The following directory was created: %System%\wsnpoem.

The following processes are created:

%System%\reader_s.exe
%UserProfile%\reader_s.exe
%Temp%\g260h.exe
%Temp%\winamp.exe
%Temp%\services.exe
%Temp%\svchost.exe
%Temp%\ogxyx.exe

A new memory page is created in the address space of the system process %System%\svchost.exe.
The module %System%\z7v89qurrt.dll is loaded into the address space of another process, IEXPLORE.EXE.

Connections to remote hosts:


The following URLs are requested from the remote web server:


SMTP traffic is generated from the following email addresses:


Virus Total permalink and MD5: 08ba612f05b0433a4a5ca2df4da38deb.

New DHL trojan variant in the wild

MX Lab has intercepted messages with the subject line “DHL Delivery problem NR ****”, where **** stands for randomly generated characters, probably to give the impression of a package tracking number. The From address contains a randomly chosen spoofed email address with no direct reference to DHL.

The body of the email:

Dear customer!

We failed to deliver the postal package sent on the 28th of June in time
because the recipient’s address is erroneous.
Please print out the invoice copy attached and collect the package at our office.

Your DHL Delivery Services.

The email has a ZIP file attached whose name starts with the letter “D” followed by randomly generated characters, for example D1c8020fd.zip, and contains the trojan W32/Troj_Obfusc.J.gen!Eldorado (F-Prot), TrojanDownloader:Win32/Bredolab.X (Microsoft), Mal/Behav-340 (Sophos).

Only 8 of the 41 AV engines at Virus Total detected the trojan at the time of investigating this new threat, so be careful: it is likely that your AV engine isn’t up to date yet.

Virus Total permalink and MD5: e9a23f7e7850257398b2021b927f706b.

New variant W32/Trojan3.AKD attached with the DHL tracking email message

A new trojan variant is attached to the malicious DHL tracking emails. The trojan is known as W32/Trojan3.AKD and the attached zip file name is changed to dhl_n756512.zip.

The content of the email remains mostly unchanged:

Hello!

We were not able to deliver postal package you sent on the 14th of March in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office.

Your personal manager: Shawn Pina,

Customer Service: 1-800-CALL-DHL
Fax: 888-221-6211
DHL International, Ltd. All Rights Reserved

The trojan has the threat characteristics of ZBot, a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides the attacker with remote access to the compromised system.

The following directories are created:

  • %System%\lowsec
  • %Windir%\Temp\Cookies
  • %Windir%\Temp\History
  • %Windir%\Temp\History\History.IE5
  • %Windir%\Temp\Temporary Internet Files
  • %Windir%\Temp\Temporary Internet Files\Content.IE5
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\APS9AFKV
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\AZQ50B2L
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\IT4VWXQ5
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\M5U5URM5

Created files in the infected system:

  • %Windir%\9g234sdff3d23dfgjf23
  • %Windir%\ld03.exe
  • %Windir%\pp05.exe
  • %System%\dll32.dll
  • %System%\lowsec\local.ds
  • %System%\lowsec\user.ds
  • %System%\nfr.assembly
  • %System%\nfr.gpref
  • %System%\sdra64.exe
  • %Windir%\t55ft2809f44.dat
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\APS9AFKV\desktop.ini
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\AZQ50B2L\desktop.ini
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\desktop.ini
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\IT4VWXQ5\desktop.ini
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\M5U5URM5\desktop.ini
  • %Windir%\Temp\Temporary Internet Files\Content.IE5\index.dat
  • %Windir%\tt_1238184223.exe (known as Trojan.Fakeavalert [Symantec], packed with PE_Patch.UPX [Kaspersky Lab])

New processes are created:

  • pp05.exe (%Windir%\pp05.exe)
  • tt_1238184236.exe (%Windir%\tt_1238184236.exe)

Windows registry changes are being made and connections to remote hosts are established on port 80:

  • 119.110.107.136
  • 207.36.57.81
  • 212.36.9.1
  • 66.102.11.147
  • 85.13.236.154
  • 91.212.65.5
  • 92.62.101.17

The following URLs may be requested; they host malicious content (detection names, where known, follow the URL):

* hxxp://wnames0603.com/achcheck.php
* hxxp://wnames0603.com/ld/gen.php
* hxxp://nettresults.com/vtb.exe —> W32/Trojan-Sml-SDCW!Eldorado, W32.Koobface.A
* hxxp://intelfarm.com/1/nfr.exe —> Trojan.Dropper.Gen, Trojan.Fakeavalert
* hxxp://intelfarm.com/1/pp.05.exe —> W32/Trojan-Sml-IWW!Eldorado, W32.Koobface.A
* hxxp://85.13.236.154/v50/search.php?p=11180&s=I&v=56&uid=13441600&q=
* hxxp://mn-room.ru/phpbb/dir.cfg
* hxxp://92.62.101.17/phpbb2/dir.php

Virus Total permalink and MD5: 4b00c328a526f20acc801f46b69f2e78.

Email with DHL tracking number contains W32/Trojan3.AKC trojan

MX Lab intercepted a few messages claiming that the delivery of a postal package handled by DHL has failed due to an incorrect recipient address.

The subject contains “DHL Tracking number #05CME637072VHBD”, the attachment is named DHL_HELP.zip and the body of the email contains the following message:

Hello!

We were not able to deliver postal package you sent on the 14th of March in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office.

Your personal manager: Christy Block,

Customer Service: 1-800-CALL-DHL
Fax: 888-221-6211
DHL International, Ltd. All Rights Reserved.

Virus Total permalink and MD5: 469585cf90d45d43566aed92c21807ed.
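As an added example that is not from MX Lab's posts, the following Python check scores a raw message against the lure traits shared by the campaigns above (a spoofed supportmop<n>@dhl.com sender, the reported subject lines, and a ZIP attachment carrying an .exe); the regexes, the stub message and the two-hit threshold are constructed here.

```python
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# Lure traits drawn from the DHL campaigns on this page (regexes constructed here, not MX Lab's).
SPOOFED_SENDER = re.compile(r"^supportmop\d*@dhl\.com$", re.I)
LURE_SUBJECT = re.compile(r"^DHL (Express Services|Tracking [Nn]umber #?\w+|Delivery problem NR \w+)$")
LURE_ZIP_NAME = re.compile(r"^(dhl(_n\d+)?|DHL_Label_\w+|DHL_HELP|D[0-9a-f]+|[A-Z0-9]{8})\.zip$", re.I)

def executables_in_zip(data: bytes) -> list:
    # Names of Windows executables inside a ZIP payload; [] when the bytes are not a valid ZIP.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith((".exe", ".scr", ".com"))]
    except zipfile.BadZipFile:
        return []

def score_dhl_lure(raw: bytes) -> dict:
    # Parse an RFC 5322 message and collect lure hits; two or more hits means block.
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    sender = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    subject = str(msg["Subject"] or "")
    hits = []
    if SPOOFED_SENDER.match(sender):
        hits.append("spoofed-dhl-sender")
    if LURE_SUBJECT.match(subject):
        hits.append("known-lure-subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            if LURE_ZIP_NAME.match(name):
                hits.append("known-lure-zip-name")
            for exe in executables_in_zip(part.get_payload(decode=True)):
                hits.append("zip-with-executable:" + exe)  # the decisive trait in every campaign here
    return {"sender": sender, "subject": subject, "hits": hits, "block": len(hits) >= 2}

def build_sample() -> bytes:
    # Constructed replica of the "DHL Express Services" lure with a harmless stub dhl.exe inside.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("dhl.exe", b"MZ" + b"\x00" * 64)
    msg = EmailMessage()
    msg["From"] = "DHL Global <supportmop1@dhl.com>"
    msg["Subject"] = "DHL Express Services"
    msg.set_content("Dear customer.\nThe parcel was sent your home address.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="dhl.zip")
    return msg.as_bytes()
```

The sender and subject regexes only catch the exact wording seen so far; the executable-inside-ZIP check is the trait that survives the random attachment names and tracking numbers used across these campaigns.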
