Contract of settlements
Contract of retirements
Permit for retirement
Loan contract

The contents of the message:

Dear customers,

We have prepared a contract and added the paragraphs that you wanted to see in it. Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment. We are enclosing the file with the prepared contract. If necessary, we can send it by fax. 

Looking forward to your decision.
Israel Bender

Virus Total permalink and MD5 hash: c0a907c8bf64d60bec0cce934ca60a34

The new variant is detected by 13 of the 35 anti virus engines at Virus Total. The MD5 hash is 488d34cd86e252abca560416413a595d.

Also, if you receive an Hallmark E-Card as attachment it’s also another variant of a Trojan-Dropper.Win32 also known as W32/P2Pworm.E.worm or Trojan.Delf.Inject.F. The chances for infection are much less, 24 of the 35 engines provide protection, so there’s a good chance that it’s captured.

When reading the comments on this blog and also on other resources and web site, I am amazed how many people have double clicked the attachment and have indeed infected their computer.

Now, a very simple tip for the future that is also mentioned on some other web sites as well is don’t open attachments without checking the content and senders first. Handle each email with attachments carefully and don’t start to extract them and click on executables and files with exotic extensions.

Large companies like UPS, Hallmark and others don’t send you an executable in a zip file. So this is something that you should be aware of. This is the first “red light”.

UPS tracking is done online on their web site and after all, think about it, a message stating that a delivery from July the 1st can’t be delivered while we are in fact July 23 is not a very good UPS service, right?

For Hallmark e-cards you also need to visit their web site to get your lovely e-card.

Following this simple guideline can avoid troubles of getting an infected computer. This applies for everyone. If you work from home, you are an individual, you are in a business environment, it’s a good tip for everyone.

Now, if you have a business with employees and multiple workstations, servers and computers and you have an infection on your network then you might ask yourself if your anti virus protection is up to the task of providing protection after all. It appears that it is not.

You are missing a good protection on the internet perimeter that is capable of responding faster to email based threats like viruses and trojans.

In that case, let me promote my company for once, contact MX Lab, get a 15 day trial of our zero hour anti virus and anti spam security services and notice the difference.

The email itself remains the same but the attachment name contains now a tracking number like UPS_INVOICE_978172.exe.

The .exe is a new variant and when submitting an example to Virus Total only 3 of the 34 anti virus engines detected this new variant. More details below in the table.

Antivirus	Version	Last Update	Result
AhnLab-V3	2008.7.21.1	2008.07.21	-
AntiVir	7.8.1.11	2008.07.21	-
Authentium	5.1.0.4	2008.07.21	-
Avast	4.8.1195.0	2008.07.21	-
AVG	8.0.0.130	2008.07.21	-
BitDefender	7.2	2008.07.21	-
CAT-QuickHeal	9.50	2008.07.21	-
ClamAV	0.93.1	2008.07.21	-
DrWeb	4.44.0.09170	2008.07.21	-
eSafe	7.0.17.0	2008.07.21	Suspicious File
eTrust-Vet	31.6.5971	2008.07.21	-
Ewido	4.0	2008.07.21	-
F-Prot	4.4.4.56	2008.07.21	-
F-Secure	7.60.13501.0	2008.07.21	Suspicious:W32/Malware!Gemini
Fortinet	3.14.0.0	2008.07.21	-
GData	2.0.7306.1023	2008.07.21	-
Ikarus	T3.1.1.34.0	2008.07.21	-
Kaspersky	7.0.0.125	2008.07.21	-
McAfee	5343	2008.07.21	-
Microsoft	1.3704	2008.07.22	-
NOD32v2	3284	2008.07.21	-
Norman	5.80.02	2008.07.21	-
Panda	9.0.0.4	2008.07.21	-
PCTools	4.4.2.0	2008.07.21	-
Prevx1	V2	2008.07.22	-
Rising	20.54.02.00	2008.07.21	-
Sophos	4.31.0	2008.07.21	-
Sunbelt	3.1.1536.1	2008.07.18	-
Symantec	10	2008.07.21	-
TheHacker	6.2.96.385	2008.07.20	-
TrendMicro	8.700.0.1004	2008.07.21	-
VBA32	3.12.8.1	2008.07.21	suspected of Malware-Cryptor.Win32.General.2
VirusBuster	4.5.11.0	2008.07.21	-
Webwasher-Gateway	6.6.2	2008.07.21	-

The file contains threat characteristics of ZBot – a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system. It opens backdoors on infected computer to allow malicious attacker unauthorized access.

On an infected computer the trojan will create a new files like %System%\ntos.exe, %System%\wsnpoem\audio.dll, %System%\wsnpoem\video.dll and creates a new directory %System%\wsnpoem.

It also adds and modifies entries in the Windows registry and make connection with a server for http://*********.ru/******/odessa.bin. It opens random TCP ports in order to provide backdoor capabilities.

Update 10:00 AM Belgian time:

The MD5 on Virus Total is da4b7ef93c588ad799f1a1c5afb6cfad and the trojan is now detectedby 12 virus engines. Permalink: http://www.virustotal.com/

The messages contains the text:

Unfortunately we were not able to deliver postal package you sent on July the 1st in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office

Your UPS

The messages includes an attachment ups_invoice.zip which extracts the ups_invoice.exe file.  This file contains a trojan known as W32/Agent.HFN by F-Prot. We couldn’t resist to submit this file to Virus Total and to see how many signature based anti virus engine will detect this malware. This time there where only 8 of the 34 anti virus engines detecting the trojan.

Here are the complete results from Virus Total:

Antivirus	Version	Last Update	Result
AhnLab-V3	2008.7.17.0	2008.07.18	-
AntiVir	7.8.1.11	2008.07.20	-
Authentium	5.1.0.4	2008.07.20	W32/Agent.HFN
Avast	4.8.1195.0	2008.07.20	-
AVG	8.0.0.130	2008.07.19	Dropper.Generic.VGK
BitDefender	7.2	2008.07.20	-
CAT-QuickHeal	9.50	2008.07.18	-
ClamAV	0.93.1	2008.07.20	-
DrWeb	4.44.0.09170	2008.07.20	-
eSafe	7.0.17.0	2008.07.20	Suspicious File
eTrust-Vet	31.6.5966	2008.07.18	-
Ewido	4.0	2008.07.20	-
F-Prot	4.4.4.56	2008.07.20	W32/Agent.HFN
F-Secure	7.60.13501.0	2008.07.20	Suspicious:W32/Malware!Gemini
Fortinet	3.14.0.0	2008.07.20	-
GData	2.0.7306.1023	2008.07.20	-
Ikarus	T3.1.1.34.0	2008.07.20	Trojan-Dropper.Win32.Delf.aef
Kaspersky	7.0.0.125	2008.07.20	-
McAfee	5342	2008.07.18	-
Microsoft	1.3704	2008.07.20	-
NOD32v2	3282	2008.07.19	-
Norman	5.80.02	2008.07.18	-
Panda	9.0.0.4	2008.07.20	-
Prevx1	V2	2008.07.20	-
Rising	20.53.62.00	2008.07.20	-
Sophos	4.31.0	2008.07.20	-
Sunbelt	3.1.1536.1	2008.07.18	-
Symantec	10	2008.07.20	-
TheHacker	6.2.96.385	2008.07.19	-
TrendMicro	8.700.0.1004	2008.07.18	-
VBA32	3.12.8.1	2008.07.20	-
VirusBuster	4.5.11.0	2008.07.19	Packed/Pohernah
Webwasher-Gateway	6.6.2	2008.07.20	Win32.Malware.gen#ASPack (suspicious)

Again, this is showing the importance of a zero hour anti virus protection like MX Lab is offering.