Deutsche Post email with attached ZIP file Postetikett contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Deutsche Post. Sie mussen eine Postsendung abholen” (German for “Deutsche Post. You must collect a postal item”; the umlauts are missing in the original). This appears to be a variant of the DHL and UPS delivery lures, now in German and with Deutsche Post as the carrier.

The email is sent from the spoofed address “Deutsche Post <post@deutschepost.de>” and has the following body (reproduced as sent, including the missing umlauts and misspellings):

Lieber Kunde,

Es ist unserem Boten leider misslungen einen Postsendung an Ihre Adresse zuzustellen.
Grund: Ein Fehler in der Leiferanschrift.
Sie konnen Ihre Postsendung in unserer Postabteilung personlich kriegen.
Anbei finden Sie einen Postetikett.
Sie sollen dieses Postetikett drucken lassen, um Ihre Postsendung in der Postabteilung empfangen zu konnen.

Vielen Dank!
Deutsche Post AG.

In English:

Dear customer,

Unfortunately our courier was unable to deliver a postal item to your address.
Reason: an error in the delivery address.
You can collect your postal item in person at our post office.
Enclosed you will find a postage label.
You should have this label printed in order to receive your item at the post office.

Thank you!
Deutsche Post AG.

The attached ZIP file is named Postetikett_DE43313.zip and contains the 40 kB file Postetikett.exe.

The trojan is known as W32/Yakes.B!tr (Fortinet) or a variant of Win32/Kryptik.LJ (NOD32).

At the time of writing, only 2 of the 44 AV engines at Virus Total detected the trojan.

Virus Total permalink and MD5: df6b8f76fc0b76eaea9b104be1e28a70.

“United Parcel Service notification 48161” from UPS contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan variant distribution campaign by email with the subject “United Parcel Service notification 48161”, where the number in the subject varies. The email characteristics are more or less the same as in the campaign MX Lab posted earlier this week, but the detection rate at the time of writing is very low: only 5 of the 43 AV engines at Virus Total detected the trojan.

The email is sent from spoofed addresses of the form “United Parcel Service <****@ups.com>”, where the local part varies, for example:

infoads@ups.com
infoad111@ups.com
infoad@ups.com
infosec@ups.com
infosec1@ups.com
infosec3@ups.com
infosec4@ups.com
infoser@ups.com
infoser1@ups.com
infoser2@ups.com
infoser3@ups.com
infoser4@ups.com
infosec8@ups.com

The message has the following body:

Dear customer.

The parcel was sent your home address.
And it will arrive within 3 business day.

More information and the tracking number are attached in document below.

Thank you.
© 1994-2011 United Parcel Service of America, Inc.

The attached ZIP file is named UPS-document.zip and contains the 20 kB file UPS-document.exe.

The trojan is known as Artemis!08BA3C182674 (McAfee) or Trj/CI.A (Panda).

Virus Total permalink and MD5: 08ba3c182674398cd2190cad5dc327ef.
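The lure pattern seen in this post and in the others on this page (a spoofed carrier sender and a ZIP whose only member is an .exe) can be checked at the mail gateway before a user ever sees the attachment. The following Python is an added example written for this page, not MX Lab's code. It builds a constructed message that mimics the UPS-document.zip lure (the "PE" inside is a stub, not the real sample), lists the ZIP members without extracting anything, and blocks when a sender in a carrier domain ships an executable. The carrier domain list and the executable suffix list are assumptions to be extended locally.

```python
"""Mail-gateway check: does a carrier-themed mail carry an executable inside a ZIP?"""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# Sender domains spoofed by the lures described in the posts above.
# Assumption: extend locally with every carrier your users deal with.
CARRIER_DOMAINS = {"ups.com", "deutschepost.de"}
# Member extensions treated as executable (assumed list, not from the posts).
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")


def executables_in_zip(data: bytes) -> list:
    """List ZIP members with an executable extension. Only the central
    directory is read, so nothing is extracted and a corrupt archive is not fatal."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_SUFFIXES)]
    except zipfile.BadZipFile:
        return []


def sender_domain(msg) -> str:
    """Domain of the From header (the lures spoof it, so it is a lure indicator)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def analyse(raw: bytes) -> dict:
    """Return the sender domain, the ZIP/executable findings and a verdict."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Check the magic bytes as well: the filename is attacker-controlled.
        if name.lower().endswith(".zip") or payload[:2] == b"PK":
            inner = executables_in_zip(payload)
            if inner:
                findings.append({"attachment": name, "executables": inner})
    domain = sender_domain(msg)
    if findings and domain in CARRIER_DOMAINS:
        verdict = "block"        # carriers do not mail executables in ZIPs
    elif findings:
        verdict = "quarantine"   # executable in a ZIP from anyone else: review
    else:
        verdict = "clean"
    return {"from_domain": domain, "findings": findings, "verdict": verdict}


def build_sample() -> bytes:
    """Constructed message mimicking the UPS-document.zip lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS-document.exe", b"MZ" + b"\x00" * 64)  # stub, not a real PE
    msg = EmailMessage()
    msg["From"] = "United Parcel Service <infosec4@ups.com>"
    msg["To"] = "customer@example.com"
    msg["Subject"] = "United Parcel Service notification 48161"
    msg.set_content("Dear customer.\nThe parcel was sent your home address.\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="UPS-document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(analyse(build_sample()))
```

The check deliberately never extracts the archive: `namelist()` is enough to see `UPS-document.exe`, and the magic-byte test catches a ZIP renamed to something harmless. A production gateway would additionally handle password-protected and nested archives, which this example does not.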

Once run, the trojan installs itself on the infected computer and downloads further components from the following URLs:

  • http://109.94.220.52/lol2.exe
  • http://109.94.220.52/pod.exe
  • http://109.94.220.52/spm.exe
  • http://91.213.29.175/lol2.exe
  • http://91.213.29.175/pod.exe
  • http://91.213.29.175/spm.exe

For each of the files we have the following report:

lol2.exe:

FakeAlert-CN.gen.h (McAfee), FraudTool.Win32.FakeRean.b (Vipre)
Virus Total permalink – MD5: 43b84209a37ebdee99996b073562203e

Installs the file %AppData%\pux.exe, modifies the registry, connects to 69.50.209.138 on port 80 and requests hxxp://vogunemymyko.com/1017000412.

pod.exe:

Worm/Rorpian.A (AntiVir), W32/Worm-FAO!1B984534DCC8 (McAfee)
Virus Total permalink – MD5: 1b984534dcc8d761703437f10a9cf179

Installs the file %Temp%\srvB8.tmp, connects to 188.138.48.178 on port 80 and requests hxxp://188.138.48.178/service/listener.php?affid=50039.

spm.exe:

Artemis!CCB935935C60 (McAfee), W32/Spammer.AQZ.worm (Panda)
Virus Total permalink – MD5: ccb935935c60b7c931201daa9efd6af4

Installs the files %System%\mhmhbrog.dll and %System%\tmp.tmp, modifies the registry and connects to the following IPs:

124.108.116.109, on port 25
67.195.168.31, on port 25
98.137.54.237, on port 25
98.139.54.60, on port 25
46.4.10.7, on port 8000 and 8001

The malware also generates SMTP traffic (spam) using the following spoofed sender addresses:

  • <info1goyoy@ups.com>
  • <info47dynu@ups.com>
  • <info42s@ups.com>
  • <info2yu@ups.com>

The payload creates the following files:

%CommonAppData%\472v34rbtx7a80t655b4m22u3yx11w233mh156g3
%AppData%\472v34rbtx7a80t655b4m22u3yx11w233mh156g3
%Temp%\472v34rbtx7a80t655b4m22u3yx11w233mh156g3
%Templates%\472v34rbtx7a80t655b4m22u3yx11w233mh156g3
%AppData%\Microsoft\conhost.exe
%AppData%\xbr.exe
%Temp%\srvC8.tmp
%System%\mtcaqnbx.dll
%System%\musawolc.dll

The following processes are started:

conhost.exe: %AppData%\Microsoft\conhost.exe
xbr.exe: %AppData%\xbr.exe

The following hostnames are resolved (DNS lookups):

  • ponel.biz
  • itisformebaby.biz
  • zuzosahule.com
  • dafatesomyz.com
  • jumonevetode.com
  • gokuzajylot.com
  • lukofymela.com
  • jebuponip.com
  • quxovasuced.com
  • laqoduhisegu.com
  • xyseditacif.com
  • dihemehypuq.com
  • wylyxaqunowy.com
  • qepovexidysopy.com
  • bebecebyt.com
  • rumesexyzobuz.com
  • kyxiteruk.com
  • kexigulat.com
  • jarynokab.com
  • lefurasacaveta.com
  • cicabijyni.com
  • ridibasofetevi.com
  • sihorarofiqiha.com
  • ropunonic.com
  • xyxukinasacujo.com
  • tapahagupaji.com
  • zonotunev.com
  • raxukakudumow.com
  • vogunemymyko.com
  • zufonabubi.com
  • bynoripuqoxyl.com
  • kytelaticik.com
  • qyvexyhun.com
  • myhofociv.com
  • dalebihyku.com
  • kijyjajutava.com
  • decufysohyh.com
  • sezixalekur.com
  • lolypositole.com
  • hohimedag.com
  • hikiniribep.com
  • fyxinolydima.com
  • gonifyzadiby.com
  • wavupinycom.com
  • xykecolun.com
  • hisepelihyzex.com
  • xixeriwihat.com
  • vetidicawisos.com
  • dijipabamefuw.com
  • naxucerybaqecy.com
  • hegylocimemyja.com
  • roboralipijago.com
  • samykacagatet.com
  • fusipemura.com
  • sazulipum.com
  • fuxawekugygil.com

A connection attempt is made to itisformebaby.biz on port 8000, and a connection is established to 188.138.48.178 on port 80 with the request service/listener.php?affid=50039.

The following HTTP URLs are requested in turn; every domain serves the same path, /1017000412:

  • hxxp://vogunemymyko.com/1017000412
  • hxxp://zufonabubi.com/1017000412
  • hxxp://bynoripuqoxyl.com/1017000412
  • hxxp://kytelaticik.com/1017000412
  • hxxp://qyvexyhun.com/1017000412
  • hxxp://myhofociv.com/1017000412
  • hxxp://dalebihyku.com/1017000412
  • hxxp://kijyjajutava.com/1017000412
  • hxxp://decufysohyh.com/1017000412
  • hxxp://sezixalekur.com/1017000412
  • hxxp://lolypositole.com/1017000412
  • hxxp://hohimedag.com/1017000412
  • hxxp://hikiniribep.com/1017000412
  • hxxp://fyxinolydima.com/1017000412
  • hxxp://gonifyzadiby.com/1017000412
  • hxxp://wavupinycom.com/1017000412
  • hxxp://xykecolun.com/1017000412
  • hxxp://hisepelihyzex.com/1017000412
  • hxxp://xixeriwihat.com/1017000412
  • hxxp://vetidicawisos.com/1017000412
  • hxxp://dijipabamefuw.com/1017000412
  • hxxp://naxucerybaqecy.com/1017000412
  • hxxp://hegylocimemyja.com/1017000412
  • hxxp://roboralipijago.com/1017000412
  • hxxp://samykacagatet.com/1017000412
  • hxxp://fusipemura.com/1017000412
  • hxxp://sazulipum.com/1017000412
  • hxxp://fuxawekugygil.com/1017000412
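To turn the indicators from the UPS-document.exe analysis above (drop hosts, the listener.php and /1017000412 paths, the port-25 relays, the port-8000/8001 C2 address and the resolved domains) into a detection, the following Python matches proxy and firewall log lines against them. It is an added example for this page, not part of MX Lab's analysis. The log line format and the sample lines are constructed; only a few of the 56 domains are embedded, because the /1017000412 path catches the others, and the port-25 rule is a generic heuristic for workstations that should never talk SMTP directly.

```python
"""Match the network indicators from the UPS-document.exe analysis against
proxy and firewall logs (added example; log format and lines are constructed)."""
import re
from urllib.parse import urlsplit

# Indicators copied from the analysis above.
DROP_HOSTS = {"109.94.220.52", "91.213.29.175"}          # serve lol2/pod/spm.exe
C2_HOSTS = {"188.138.48.178", "69.50.209.138", "46.4.10.7"}
C2_PATHS = {"/service/listener.php?affid=50039", "/1017000412"}
SPAM_RELAYS = {"124.108.116.109", "67.195.168.31", "98.137.54.237", "98.139.54.60"}
# Only a few of the 56 FakeRean domains; the /1017000412 path catches the rest.
DGA_DOMAINS = {"vogunemymyko.com", "itisformebaby.biz", "ponel.biz", "zufonabubi.com"}

# Assumed log shapes: "<ts> <src> <METHOD> <url>" and "<ts> <src> -> <dst>:<port>".
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")
CONN_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+)")


def classify_url(url):
    """Tag a requested URL, or return None if it matches nothing."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    path = u.path + ("?" + u.query if u.query else "")
    if host in DROP_HOSTS and path.lower().endswith(".exe"):
        return "stage2-download"
    if host in C2_HOSTS or host in DGA_DOMAINS:
        return "c2-contact"
    if path in C2_PATHS:          # unknown domain, but a known campaign path
        return "c2-path"
    return None


def classify_conn(dst, port):
    """Tag a raw TCP connection from a workstation."""
    if dst in C2_HOSTS:
        return "c2-connect"
    if dst in SPAM_RELAYS:
        return "spam-relay"
    if port == 25:                # spm.exe turns the host into a spam bot
        return "smtp-from-workstation"
    return None


def scan(lines):
    """Return (source, tag, evidence) triples for every matching line."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if m:
            tag = classify_url(m["url"])
            if tag:
                hits.append((m["src"], tag, m["url"]))
            continue
        m = CONN_RE.match(line)
        if m:
            tag = classify_conn(m["dst"], int(m["port"]))
            if tag:
                hits.append((m["src"], tag, f'{m["dst"]}:{m["port"]}'))
    return hits


def infected_hosts(lines):
    """Internal addresses with at least one hit."""
    return {src for src, _, _ in scan(lines)}


# Constructed sample: one infected workstation (10.0.0.5) and one clean one.
SAMPLE_LOG = """\
2011-03-30T10:12:01 10.0.0.5 GET http://109.94.220.52/lol2.exe
2011-03-30T10:12:02 10.0.0.5 GET http://109.94.220.52/pod.exe
2011-03-30T10:12:03 10.0.0.5 GET http://www.example.com/index.html
2011-03-30T10:12:09 10.0.0.5 GET http://188.138.48.178/service/listener.php?affid=50039
2011-03-30T10:12:10 10.0.0.5 GET http://vogunemymyko.com/1017000412
2011-03-30T10:12:11 10.0.0.5 GET http://kexigulat.com/1017000412
2011-03-30T10:12:15 10.0.0.5 -> 67.195.168.31:25
2011-03-30T10:12:16 10.0.0.5 -> 46.4.10.7:8000
2011-03-30T10:12:20 10.0.0.7 -> 192.0.2.10:443
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(*hit)
    print("infected:", sorted(infected_hosts(SAMPLE_LOG.splitlines())))
```

The path rule matters more than the domain list: the domains rotate, but every request in the sandbox report carries the same /1017000412 path and the same affid=50039 parameter, so a request to an unknown domain with that path is still caught.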

Emails with the subject “UPS INVOICE NR9094991” and “Delivery Problem NR2204780” contain trojan

A combination of the “Thank you for buying iTunes Gift Certificate!” emails and the latest UPS-themed emails with subjects like “UPS INVOICE NR9094991” or “Delivery Problem NR2204780” has given MX Lab its highest virus detection rate in months.

The possible subjects are (numbers are random):

UPS INVOICE NR9094991
Delivery Problem NR2204780

The body of the email (two variants were seen):

Hello!
Unfortunately we were not able to deliver your postal you have sent on the 11th of March in time because the addressee’s is inexact.
Please print out the invoice copy attached and collect the package at our department.
UPS Global Services.

Hello!
We failed to deliver the postal you have sent on the 24th of March in time because the addressee’s is wrong.
Please print out the invoice copy attached and collect the package at our department.
UPS Express Services.

The email contains the ZIP archive upsinvoice3325037.zip; once extracted, the 36 kB file UPSINVOICE.exe is available.

The trojan is known as W32/FakeAlert.NW (F-Prot), Trojan.Win32.VBKrypt.yj (Kaspersky), Win32/Oficla.EU (NOD32), Troj/Bredo-CX (Sophos) or Trojan.Sasfis (Symantec).

The following files are created:

%Temp%\1.tmp
%System%\nnfj.tqo
%Temp%\2.tmp
%Windir%\scindl.dll

The following module is loaded into the address space of other processes:

%Windir%\scindl.dll ->
Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E90000 – 0x1EA1000

%Windir%\scindl.dll ->
Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0x1940000 – 0x1951000

%Windir%\scindl.dll ->
Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0x10000000 – 0x10011000

The trojan can establish remote connections to the following hosts on port 80:

85.87.17.230
89.149.202.142
95.211.27.238

Data is requested from the following web sites:

* hxxp://funnylive2010.ru/ms/bb.php?v=200&id=653227819&b=newsp&tm=2
* hxxp://funnylive2010.ru/ms/bb.php?v=200&id=653227819&tid=5&b=newsp&r=1&tm=2
* hxxp://www.yunusemre.net/trpanel/fckeditor/editor/_source/classes/sistempod.exe

Virus Total permalink and MD5: 493c929efe366812cd6fc921c2b549fc.

New UPS trojan detected: TrojanSpy.ZBot.DGI

Posting updated on 10 March 2009. Read the new information at the end of this posting.

MX Lab intercepted a few of these messages with its zero-hour antivirus system. They claim that delivery of a postal package handled by UPS failed because of an incorrect address. At the time of writing, 03.02.2009 22:55:45 (CET), only 7 of the 38 antivirus engines at Virus Total detect this new variant.

The trojan is named TrojanSpy.ZBot.DGI (VirusBuster), Trojan-Dropper.Delf (Ikarus) or VirTool:Win32/DelfInject.gen!J (Microsoft).

The From address is spoofed and contains “United Postal Service <tracking@ups.com>”.

The message contains the following body content:

Hello!

Sorry, we were not able to deliver postal package you sent on February the 23th in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office.

Your UPS Support Team

The trojan is the file Invoice_8612112.exe inside the ZIP archive Invoice_8612112.zip. Names and numbers may vary.

It has the same characteristics as the variant in one of our previous blog posts, with the difference that the connection to the remote host 91.211.65.33 now requests /ejik/admin.bin and /ejik/hot.php.

Virus Total permalink and MD5: a3d1a160e6ce8ca4c2b4421731e549c2.

Update 10 March 2009: A new variant is being distributed. The attached file is named UPS_ID.zip and contains the trojan UPS_ID.exe.

Virus Total permalink and MD5: b5e44647bc1f08c4d7f32fc933db1ac6.

New UPS trojan variant: Delivery problems

A new UPS trojan variant is being detected, called Mal/Zbot-G by Sophos and VirTool:Win32/Obfuscator.CT by Microsoft.

MX Lab was the first to submit and analyse the file at Virus Total. Only 2 of the 36 AV engines there detected the trojan at the time of writing, so be aware that this email contains malware and do not open the attachment.

The sender's email address is: United Postal Service <tracking@ups.com>.

The subject is: Delivery problems

The content of the body:

Hello!

Sorry, we were not able to deliver postal package you sent on December the 25th in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office.

Your UPS Support Team

The attached file is named UPSInv.zip and the ZIP archive contains UPSInv.exe.

Please note that the sender's email address, the subject, the body and the attached file names can change.

This is Trojan-Spy.Zbot.YETH, a trojan with rootkit functionality that steals online banking credentials and downloads other malware. It possibly originates from the Russian Federation.

Local files created:

%System%\twain32\local.ds
%System%\twain32\user.ds
%System%\twain32\user.ds.lll
%System%\twex.exe

Several Windows registry changes are made; one of them makes sure that twex.exe runs every time Windows starts. The trojan connects to the host 91.211.65.33 on port 80 and issues a GET request for ferrari/admin.bin.

Virus Total permalink and MD5 hash: 61a1617ddb5c5bdb495b29bd1719e965.

ZBot trojan attached to contract

A new variant of the ZBot trojan is attached to an email that claims to contain your contract details. Possible subject lines are:

Contract of settlements
Contract of retirements
Permit for retirement
Loan contract

The contents of the message:

Dear customers,

We have prepared a contract and added the paragraphs that you wanted to see in it. Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment. We are enclosing the file with the prepared contract. If necessary, we can send it by fax. 

Looking forward to your decision.
Israel Bender

Virus Total permalink and MD5 hash: c0a907c8bf64d60bec0cce934ca60a34

UPS Tracking number trojan – another variant and Hallmark e-card

There is a new variant of the UPS Tracking number trojan en route. The subject is now “[RE] UPS Tracking Number 7056968807” but the content remains the same. The URL used by the trojan is slightly different: the host remains the same, but the folder structure and the .bin file on the site differ: http://***********.ru/offshore/denis.bin. The number in the subject and in the file name can be random.

The new variant is detected by 13 of the 35 antivirus engines at Virus Total. The MD5 hash is 488d34cd86e252abca560416413a595d.

Also, if you receive a Hallmark e-card as an attachment, it is another variant of a Trojan-Dropper.Win32, also known as W32/P2Pworm.E.worm or Trojan.Delf.Inject.F. The chance of infection is much lower: 24 of the 35 engines provide protection, so there is a good chance it is caught.

Reading the comments on this blog and on other sites, I am amazed how many people have double-clicked the attachment and infected their computer.

A very simple tip for the future, also mentioned on other web sites: don't open attachments without checking the content and the sender first. Handle every email with attachments carefully, and don't extract archives and click on executables or files with exotic extensions.

Large companies like UPS, Hallmark and others don't send you an executable in a ZIP file. This is the first “red light”.

UPS tracking is done online on their web site. And after all, think about it: a message stating that a delivery from July 1st can't be delivered, while it is in fact July 23, would not be a very good UPS service, right?

For Hallmark e-cards you also need to visit their web site to get your lovely e-card.

Following this simple guideline can avoid the trouble of an infected computer. It applies to everyone: at home, as an individual, or in a business environment.

Now, if you run a business with employees and multiple workstations and servers, and you have an infection on your network, you might ask yourself whether your antivirus protection is up to the task after all. It appears that it is not.

You are missing good protection at the internet perimeter that can respond faster to email-based threats like viruses and trojans.

In that case, let me promote my company for once: contact MX Lab, get a 15-day trial of our zero-hour antivirus and anti-spam security services and notice the difference.

UPS Tracking number trojan – new variant

Around 00:02 AM local Belgian time, MX Lab detected an outbreak of a new UPS tracking number trojan.

The email itself remains the same, but the attachment name now contains a tracking number, like UPS_INVOICE_978172.exe.

The .exe is a new variant; when an example was submitted to Virus Total, only 3 of the 34 antivirus engines detected it. Details are in the table below.

Antivirus           Version         Last Update   Result
AhnLab-V3           2008.7.21.1     2008.07.21    -
AntiVir             7.8.1.11        2008.07.21    -
Authentium          5.1.0.4         2008.07.21    -
Avast               4.8.1195.0      2008.07.21    -
AVG                 8.0.0.130       2008.07.21    -
BitDefender         7.2             2008.07.21    -
CAT-QuickHeal       9.50            2008.07.21    -
ClamAV              0.93.1          2008.07.21    -
DrWeb               4.44.0.09170    2008.07.21    -
eSafe               7.0.17.0        2008.07.21    Suspicious File
eTrust-Vet          31.6.5971       2008.07.21    -
Ewido               4.0             2008.07.21    -
F-Prot              4.4.4.56        2008.07.21    -
F-Secure            7.60.13501.0    2008.07.21    Suspicious:W32/Malware!Gemini
Fortinet            3.14.0.0        2008.07.21    -
GData               2.0.7306.1023   2008.07.21    -
Ikarus              T3.1.1.34.0     2008.07.21    -
Kaspersky           7.0.0.125       2008.07.21    -
McAfee              5343            2008.07.21    -
Microsoft           1.3704          2008.07.22    -
NOD32v2             3284            2008.07.21    -
Norman              5.80.02         2008.07.21    -
Panda               9.0.0.4         2008.07.21    -
PCTools             4.4.2.0         2008.07.21    -
Prevx1              V2              2008.07.22    -
Rising              20.54.02.00     2008.07.21    -
Sophos              4.31.0          2008.07.21    -
Sunbelt             3.1.1536.1      2008.07.18    -
Symantec            10              2008.07.21    -
TheHacker           6.2.96.385      2008.07.20    -
TrendMicro          8.700.0.1004    2008.07.21    -
VBA32               3.12.8.1        2008.07.21    suspected of Malware-Cryptor.Win32.General.2
VirusBuster         4.5.11.0        2008.07.21    -
Webwasher-Gateway   6.6.2           2008.07.21    -

The file has the threat characteristics of ZBot, a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking logins), takes screenshots, downloads additional components, and gives the attacker remote access to the compromised system by opening backdoors.

On an infected computer the trojan creates the directory %System%\wsnpoem and files such as %System%\ntos.exe, %System%\wsnpoem\audio.dll and %System%\wsnpoem\video.dll.

It also adds and modifies Windows registry entries, connects to a server for http://*********.ru/******/odessa.bin, and opens random TCP ports to provide backdoor capabilities.
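The file and autorun artifacts named in this post and in the earlier analyses on this page (ntos.exe and the wsnpoem directory here, twex.exe and twain32 in the Zbot-G post, scindl.dll in the Oficla post, conhost.exe, xbr.exe and pux.exe under %AppData% in the UPS-document.exe post) can be checked on a suspect machine from a `reg export` of the Run key and a directory listing, without running anything on the box beyond those two commands. The following Python is an added example, not MX Lab's tooling. It parses a constructed `reg export` dump (assumed already converted from UTF-16 to text) and a constructed file list, expands the %System% and %AppData% placeholders with assumed Windows XP single-user defaults, and reports exact artifact matches plus one generic red flag: an autorun entry whose target lives in the user profile.

```python
"""Host triage for the ZBot / Oficla / UPS-document.exe artifacts listed above.
Added example: parses a constructed `reg export` of the Run key and a
constructed file listing; it does not touch the live registry."""
import ntpath
import re

# Placeholder expansion. Assumed Windows XP single-user defaults; adjust per host.
VARS = {
    "%System%": r"C:\WINDOWS\system32",
    "%Windir%": r"C:\WINDOWS",
    "%AppData%": r"C:\Documents and Settings\user\Application Data",
    "%Temp%": r"C:\Documents and Settings\user\Local Settings\Temp",
}

# Artifacts named in the posts above (ZBot, Zbot-G, Oficla and UPS-document.exe).
KNOWN_ARTIFACTS = [
    r"%System%\ntos.exe", r"%System%\wsnpoem\audio.dll", r"%System%\wsnpoem\video.dll",
    r"%System%\twex.exe", r"%System%\twain32\local.ds", r"%System%\twain32\user.ds",
    r"%Windir%\scindl.dll", r"%AppData%\Microsoft\conhost.exe",
    r"%AppData%\xbr.exe", r"%AppData%\pux.exe",
]


def expand(path):
    """Replace the %...% placeholders and normalise case for comparison."""
    for key, value in VARS.items():
        path = path.replace(key, value)
    return path.lower()


ARTIFACT_SET = {expand(a) for a in KNOWN_ARTIFACTS}
USER_WRITABLE = tuple(expand(p) for p in ("%AppData%", "%Temp%"))

REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_key(reg_text):
    """Return (value name, command) pairs from the ...\\CurrentVersion\\Run key
    of a `reg export` dump. REG_SZ data doubles backslashes; undo that."""
    entries, in_run = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.rstrip("]").lower().endswith(r"\currentversion\run")
            continue
        m = REG_VALUE_RE.match(line)
        if in_run and m:
            entries.append((m["name"], m["data"].replace("\\\\", "\\")))
    return entries


def triage(reg_text, file_listing):
    """Return (rule, name, path) findings for autoruns and files."""
    findings = []
    for name, cmd in parse_run_key(reg_text):
        target = cmd.strip('"').lower()
        if target in ARTIFACT_SET:
            findings.append(("run-key-known-artifact", name, cmd))
        elif target.startswith(USER_WRITABLE):
            # Generic red flag: persistence from a user-writable directory.
            findings.append(("run-key-in-user-profile", name, cmd))
    for path in file_listing:
        if path.lower() in ARTIFACT_SET:
            findings.append(("file-known-artifact", ntpath.basename(path), path))
    return findings


# Constructed sample data mimicking an infected XP box.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"twex"="C:\\WINDOWS\\system32\\twex.exe"
"conhost"="C:\\Documents and Settings\\user\\Application Data\\Microsoft\\conhost.exe"
"updater"="C:\\Documents and Settings\\user\\Application Data\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"setup"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\twain32\user.ds",
    r"C:\WINDOWS\system32\wsnpoem\audio.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_FILES):
        print(*finding)
```

The exact-match list goes stale as soon as the names rotate, which is why the user-profile rule is included: every dropper on this page that persists from %AppData% or %Temp% would trip it even with a fresh file name, while the legitimate ctfmon.exe entry in the sample does not.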

Update 10:00 AM Belgian time:

The MD5 on Virus Total is da4b7ef93c588ad799f1a1c5afb6cfad and the trojan is now detected by 12 virus engines. Permalink: http://www.virustotal.com/

UPS Tracking number trojan

When you receive an email from UPS about a package that can't be delivered because of an incorrect recipient address, you had better watch out. It is very likely a new variant of a trojan trying to get your attention and infect your computer.

The message contains the text:

Unfortunately we were not able to deliver postal package you sent on July the 1st in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office

Your UPS

The message includes an attachment ups_invoice.zip, which extracts to the file ups_invoice.exe. This file contains a trojan known as W32/Agent.HFN by F-Prot. We couldn't resist submitting this file to Virus Total to see how many signature-based antivirus engines detect this malware. This time only 8 of the 34 antivirus engines detected the trojan.

Here are the complete results from Virus Total:

Antivirus           Version         Last Update   Result
AhnLab-V3           2008.7.17.0     2008.07.18    -
AntiVir             7.8.1.11        2008.07.20    -
Authentium          5.1.0.4         2008.07.20    W32/Agent.HFN
Avast               4.8.1195.0      2008.07.20    -
AVG                 8.0.0.130       2008.07.19    Dropper.Generic.VGK
BitDefender         7.2             2008.07.20    -
CAT-QuickHeal       9.50            2008.07.18    -
ClamAV              0.93.1          2008.07.20    -
DrWeb               4.44.0.09170    2008.07.20    -
eSafe               7.0.17.0        2008.07.20    Suspicious File
eTrust-Vet          31.6.5966       2008.07.18    -
Ewido               4.0             2008.07.20    -
F-Prot              4.4.4.56        2008.07.20    W32/Agent.HFN
F-Secure            7.60.13501.0    2008.07.20    Suspicious:W32/Malware!Gemini
Fortinet            3.14.0.0        2008.07.20    -
GData               2.0.7306.1023   2008.07.20    -
Ikarus              T3.1.1.34.0     2008.07.20    Trojan-Dropper.Win32.Delf.aef
Kaspersky           7.0.0.125       2008.07.20    -
McAfee              5342            2008.07.18    -
Microsoft           1.3704          2008.07.20    -
NOD32v2             3282            2008.07.19    -
Norman              5.80.02         2008.07.18    -
Panda               9.0.0.4         2008.07.20    -
Prevx1              V2              2008.07.20    -
Rising              20.53.62.00     2008.07.20    -
Sophos              4.31.0          2008.07.20    -
Sunbelt             3.1.1536.1      2008.07.18    -
Symantec            10              2008.07.20    -
TheHacker           6.2.96.385      2008.07.19    -
TrendMicro          8.700.0.1004    2008.07.18    -
VBA32               3.12.8.1        2008.07.20    -
VirusBuster         4.5.11.0        2008.07.19    Packed/Pohernah
Webwasher-Gateway   6.6.2           2008.07.20    Win32.Malware.gen#ASPack (suspicious)

Again, this shows the importance of zero-hour antivirus protection like MX Lab offers.
