mxlab - all about anti virus and anti spam » virus

Emails with 30-day trials of McAfee VirusScan Plus contains trojan

mxlab — Wed, 28 Jul 2010 09:19:11 +0000

MX Lab intercepted emails with the subject “McAfee VirusScan Plus” that contains a virus. The from address is in the format “xxx.be Member Services” but the real SMTP from address comes primary from the domains rote-rose.com and rotary1918.com at this time of writing.

The body of the email:

Download a FREE 30-day Trial of MCAfee VirusScan Plus and Be Automaticaly Entered to Win

Installation file attached

The email contains the attachment setup.zip that contains the 144 kB large file setup.exe.

The trojan is known as Mal/Behav-321 (Sophos), TROJ_FAKEAV.SMXG (TrendMicro), W32/Trojan3.BWP (Authentium).

VirusTotal permlink and MD5: d3de1f75b8151c284ab04819994c0dc9.

Adobe Flash malware in what appears as phishing emails

mxlab — Fri, 23 Jul 2010 17:28:11 +0000

MX Lab intercepted some emails that appear to be genuine phishing emails but when investigating the included URLs further, they are in fact an attempt to install malware on a computer in the form of an important Flash Player update from Adobe.

Online Banking Account Alert

The first example comes from the spoofed email address “Electronic Payments Association ” with the subject “Online Banking Account Alert!” and this is the body of the email:

You must submit verification documents to continue using your account without interruption. To view the details of this request and submit the required information, click on the following link (or copy & paste it into your web browser):

hxxp://astroereyna.gr/

We thank you for your assistance in this matter.

When visiting the web site with Firefox we got the message “Sorry, you need to install flash player to see this content…” and our donwload manager opened to download the file adobe_flash_install.exe. This is the code of the web site page:

Sorry, you need to install flash player to see this content...

However, on Safari we got an HTML frameset to access the web site. It appears that some Javascript redirection is active.

An unauthorized transaction billed from your bank account

The second example comes from the spoofed address “Electronic Payments Association ”, has the subject “An unauthorized transaction billed from your bank account” and this is the body of the email:

Dear bank account holder,

The ACH transaction, recently initiated from your bank account, was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:

Unauthorized ACH Transaction Report

——————————————————————

Copyright ©2010 by NACHA – The Electronic Payments Association

The text “Unauthorized ACH Transaction Report” contains a link to a fast flux domain. Following the link gives us the following screen in the browser, included with an download of the file adobe_flash_install.exe.

At the time of writing, no AV engines at Virus Total did detect the threat. Virus Total permlink and MD5: 97732f717f50c38714a3f9c8d8c6274a.

Oficla trojan in emails with subject “Scan from a Xerox WorkCentre Pro”

mxlab — Sat, 17 Jul 2010 16:43:17 +0000

MX Lab intercepted some emails with the subject “Scan from a Xerox WorkCentre Pro N 6204257″ that contains the latest Oficla trojan variant. The emails are sent from a spoofed email address and contains a subject in one of the following formats:

Scan from a Xerox WorkCentre Pro N 6204257
Scan from a Xerox WorkCentre Pro #866521

The email targets business users. It is quite common that an office print and scan center like a Xerox machine will send a scanned document by email to a recipient.

The body of the email:

Please open the attached document. It was scanned and sent to you using a Xerox
WorkCentre Pro.

Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set
Device Name: XRX6150AA7ACDB45706461

For more information on Xerox products and solutions, please visit

http://www.xerox.com

The email contains a ZIP archive named XeroxN6204257.zip with the 32 kB large document Xerox_doc.exe inside. Note that the number of the ZIP archive matches the number in the subject line and will be different with each email.

The trojan is known as Gen:Variant.Oficla.4 (F-Secure, GData, NSecure) or W32/Oficla.AP (Authentium).

The following files will be created:

%Temp%\1.tmp
%System%\thxr.wgo
%Temp%\2.tmp
%System%\svrwsc.exe

The following directories are created:

%CommonAppData%\Microsoft\OFFICE
%CommonAppData%\Microsoft\OFFICE\TEMP

The Windows service SvrWsc - Windows Security Center Service with the filename %System%\svrwsc.exe will be stopped. Do not be fooled, the Windows Security Center Service is a malicious service and has nothing to do with the legitimate service Security Center from Windows .

Several Windows registry changes will be exectued and the trojan can establish connection with the following IPs on port 80:

80.74.132.218
91.212.127.40
91.216.215.66

Data can be obtained from following URLs:

hxxp://www.kollo.ch/images/cgi.exe
hxxp://musiceng.ru/music/forum/index1.php
hxxp://hulejsoops.ru/images/bb.php?v=200&id=465538349&b=avpsales&tm=1
hxxp://hulejsoops.ru/images/bb.php?v=200&id=465538349&tid=26&b=avpsales&r=1&tm=1

At the time of writing, only 6 of the 41 AV engines did detect the trojan at Virus Total. Virus Total permlink and MD5: 1d378a6bc94d5b5a702026d31c21e242.

New trojan variant in mails with “Look my CV. Thank you!”

mxlab — Mon, 14 Jun 2010 15:44:44 +0000

MX Lab intercepts a new trojan variant in emails with the subject “Look my CV. Thank you! MyID NR4557547.”.

Possible subject are:

Look my CV. Thank you! MyID NR4557547.
Please look my CV. Thank you! MyID NR0663460.

The number at the end of the subject is choosen randomly and the from email address is spoofed.

The body of the email:

Good day.

I have figured out that you have an available job.
I am quiet intrested in it. So I send you my resume,

Looking forward to your reply.
Thank you.

The email contains the attachment resume098.zip. The extracted file resume.exe is 36 kB large.

The trojan is known as W32/Heuristic-210!Eldorado (Authentium, F-Prot) or Backdoor.Bredolab (PCTools).

The following files are created:

%Temp%\1.tmp
%System%\fjof.sto
%Temp%\2.tmp
%Windir%\atapsrb.dll

The following modules are loaded into the address space of other processes:

%Windir%\atapsrb.dll:

Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E70000 – 0x1E82000

%Windir%\atapsrb.dll::

Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0×1940000 – 0×1952000

%Windir%\atapsrb.dll::

Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0×10000000 – 0×10012000

Several Windows registry modifications are created and the trojan attempts to establish a connection with the following IPs on port 80:

195.78.109.6
212.78.71.81
95.211.98.246

Data is downloaded from the following hosts:

hxxp://olgashelest.ru/babun/bb.php?v=200&id=603225387&b=6165430227&tm=1
hxxp://olgashelest.ru/babun/bb.php?v=200&id=603225387&tid=4&b=6165430227&r=1&tm=1
hxxp://www.scottishchefs.com/photogallery/Slideshows/SLteam2008/p7hg_img_1/fullsize/sepod.exe

At this time of writing, only 6 of the 41 AV engines at Virus Total detect this threat. Virus Total permlink and MD5: 0ae6a2d53e86b8784d45dd56afc5c6d7.

The downloaded file sepod.exe, which is 60 kB large, is malware known as W32/Hiloti.I.gen!Eldorado (F-Prot), Trojan.Win32.Hiloti (Ikarus) or Mal/Hiloti-D (Sophos).

The following files are created:

%Windir%\dsmd32.dll

The following modules are loaded into the address space of other processes:

%Windir%\dsmd32.dll:

Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E70000 – 0x1E82000

%Windir%\dsmd32.dll:

Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0×10000000 – 0×10012000

Several Windows registry modifications are created and the trojan attempts to establish a connection with the IP 95.211.98.246 on port 80.

13 of the 41 AV engine at Virus Total detect this threat. Virus Total permlink and MD5: 7a10c1118307e7cb4ecf97b40524a89c.

Email “Statement of fees 2009/2010″ contains trojan

mxlab — Fri, 11 Jun 2010 05:04:27 +0000

MX Lab intercepts a new trojan variant in emails with the subject “Statement of fees 2009/2010″. The trojan is known as Trojan.Sasfis (Symantec), Suspicious:W32/Malware!Gemini (F-Secure) or Mal/Zbot-U (Sophos).

The body of the email:

Please find attached a statement of fees as requested, this will be posted today.
The accommodation is dealt with by another section and I have passed your request on to them today.

Kind regards.
Fred Brooks

The trojan is packed in the ZIP archive Statement_of_Fees_2009-2010.zip. Once extracted, an 52 kB large file Statement_of_Fees_2009-2010.DOC.exe is available.

The following files are created:

%Temp%\1.tmp
%System%\thxr.wgo
%Temp%\2.tmp

The following registry will be created:

* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid

The following registry will be modified:

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
+ Shell =

Connection with remote hosts 193.105.174.108 and 59.53.91.195 are established over port 80 and the following URLs are requested:

* hxxp://hulejsoops.ru/images/bb.php?v=200&id=828459563&b=b_27_spa&tm=1
* hxxp://russianmomds.ru/bot.exe

Out of the 41 AV engines at Virus Total, only 11 detect the trojan. Virus Total permlink and MD5: 180a8d1991c5dbbc01f883e5254fba0f.

When investigating the downloaded file bot.exe, 172 kB, which is obviously malware, we did found the following information.

The threat is known as Trojan-Downloader:W32/Piker.A (F-Secure), Mal/Zbot-U (Sophos), TROJ_ZBOT.BAK (Trend Micro) or TR/PSW.Zbot.173056.R.1 (AntiVir).

The following file is created:

%System%\sdra64.exe

The following hidden files are created:

%System%\lowsec\local.ds
%System%\lowsec\user.ds
%System%\lowsec\user.ds.lll

New memory pages created in the address space of the system process(es):

%System%\svchost.exe
%System%\services.exe
%System%\lsass.exe
%System%\alg.exe

The following URLs are requested:

* hxxp://www.oomseekerss.ru/img/konf.bin
* hxxp://www.oomseekerss.ru/cppp.php

29 out of the 41 AV engines did detect the treath. Virus Total permlink and MD5: f5e18b513d5b41b4905b5e216094cf9e.

New Oficla trojan in messages with subject “Changelog 07.06.2010″

mxlab — Tue, 08 Jun 2010 16:16:49 +0000

MX Lab intercepted a new variant of the trojan Oficla in messages with the subject “Changelog 07.06.2010″. The from address is spoofed and choosen randomly.

Some samples of the email body:

Hello,
as promised,
Willis

Dear ladies and gentlemen,
as promised,
Jolene

Good morning,
as promised,
Jolene

The message contains the file Changelog_07.06.20010.zip. The archive contains the 52 kB large file Changelog_07.06.20010.DOC.exe file.

The trojan is known as Win32/Oficla.GN (NOD32), W32/Oficla.Z (F-Prot), Trojan:W32/Agent.DJOH (F-Secure) or Trojan.Win32.Oficla.av (Kaspersky).

Virus Total permlink and MD5: 08c70fb3db93d29a2edcbf1593ad48f8.

Email with subject “Outlook Setup Notification” contains trojan

mxlab — Wed, 02 Jun 2010 19:53:28 +0000

MX Lab intercepted a few emails with the subject “Outlook Setup Notification”. The message contains instructions to re-configure Microsoft Outlook and to open the attached zip file.

The message comes from the spoofed email address: microsoft outlook support <****@****.com>.

The body of the email:

You have (8) messages from Microsoft Outlook.

Please re-configure your Microsoft Outlook again.

Download attached setup file and install.

The trojan is known as Win32/TrojanDownloader.FakeAlert.AXP (NOD32), W32/Trojan3.BUV (F-Prot), Trojan.TDss.AEJ (BitDefender) or Mal/FakeAV-CS (Sophos).

Virus Total permlink and MD5: 1c71e23c6932f7c2e0a32b241474fe7f.

Emails with the subject “UPS INVOICE NR9094991″ and “Delivery Problem NR2204780″ contains trojan

mxlab — Wed, 26 May 2010 22:26:33 +0000

A combination of the “Thank you for buying iTunes Gift Certificate!” and the latest UPS related emails with subjects like “UPS INVOICE NR9094991″ or ”Delivery Problem NR2204780″ has made that MX Lab noted the highest virus detection rate since months.

The possible subjects are (numbers are random):

UPS INVOICE NR9094991
Delivery Problem NR2204780

The body of the email:

Hello!
Unfortunately we were not able to deliver your postal you have sent on the 11th of March in time because the addressee’s is inexact.
Please print out the invoice copy attached and collect the package at our department.
UPS Global Services.

Hello!
We failed to deliver the postal you have sent on the 24th of March in time because the addressee’s is wrong.
Please print out the invoice copy attached and collect the package at our department.
UPS Express Services.

The email contains the zip archive upsinvoice3325037.zip, once extracted the 36 kB large file UPSINVOICE.exe is available.

The trojan is known as W32/FakeAlert.NW (F-Prot), Trojan.Win32.VBKrypt.yj (Kaspersky), Win32/Oficla.EU (NOD32), Troj/Bredo-CX (Sophos) or Trojan.Sasfis (Symantec).

The following files are created:

%Temp%\1.tmp
%System%\nnfj.tqo
%Temp%\2.tmp
%Windir%\scindl.dll

The following modules will be loaded into the address space of other process(es):

%Windir%\scindl.dll —>
Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E90000 – 0x1EA1000

%Windir%\scindl.dll —>
Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0×1940000 – 0×1951000

%Windir%\scindl.dll —>
Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0×10000000 – 0×10011000

The trojan can establish a remote connection with the following hosts on port 80:

85.87.17.230
89.149.202.142
95.211.27.238

Data will be requested fromt he following web sites:

* hxxp://funnylive2010.ru/ms/bb.php?v=200&id=653227819&b=newsp&tm=2
* hxxp://funnylive2010.ru/ms/bb.php?v=200&id=653227819&tid=5&b=newsp&r=1&tm=2
* hxxp://www.yunusemre.net/trpanel/fckeditor/editor/
_source/classes/sistempod.exe

Virus Total permlink and MD5: 493c929efe366812cd6fc921c2b549fc.

New trojan variant in “Thank you for buying iTunes Gift Certificate!” email

mxlab — Wed, 26 May 2010 14:49:12 +0000

MX Lab started to intercept a new campaign with the subject “Thank you for buying iTunes Gift Certificate!” with the trojan Gen:Variant.Bredo.4 (Bitdefender, F-Secure), Win32/Oficla.GQ (NDO32), Trojan.Sasfis (Symantec) or Mal/EncPk-NS (Sophos).

It is clear that with this campaign, the virus authors are using a subtle way to lure potential victims. Getting a $50 iTunes Gift Certificate is more tempting than anything else.

This distribution is sent from the spoofed email address iTunes Products .

The body of the email:

Hello!

You have received an iTunes Gift Certificate in the amount of $50.00
You can find your certificate code in attachment below.

Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.

iTunes Store.

The email contains the file ZIP archive Gift_Certificate_531.zip containing the 36 kB large executable Gift_Certificate_531.exe.

The following files are created:

%Temp%\1.tmp
%System%\nnfj.tqo
%Temp%\4.tmp
%Temp%\_check32.bat
%Windir%\Moxmact1.dll
%Windir%\s32.txt
%System%\aspimgr.exe
%Windir%\ws386.ini

A new process will be created on the system:

%System%\aspimgr.exe

The following modules will be loaded into the address space of other process(es):

%Windir%\Moxmact1.dll —>
Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E80000 – 0x1E91000

%Windir%\Moxmact1.dll —>
Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0×10000000 – 0×10011000

New registry key creations:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Phuxobab
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASPIMGR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASPIMGR000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASPIMGR000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aspimgr
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aspimgr\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aspimgr\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum

The following registry keys are modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- Shell =
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
- (Default) =
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
- (Default) =

The trojan can establish a remote connection with the following hosts on port 80:

128.175.82.88
195.78.108.203
89.149.202.142
95.211.27.238

Data will be requested fromt he following web sites:

* hxxp://funnylive2010.ru/ms/bb.php?v=200&id=555611691&b=26may&tm=2
* hxxp://funnylive2010.ru/ms/bb.php?v=200&id=555611691&tid=11&b=26may&r=1&tm=2
* hxxp://porsche911start.ru:80/board.php
* hxxp://www.yunusemre.net/trpanel/fckeditor/editor/
_source/classes/v106.exe
* hxxp://www.yunusemre.net/trpanel/fckeditor/editor/
_source/classes/sistempod.exe

At the time of writing, 16 of the 41 AV engines did detect the trojan. Virus Total permlink and MD5: 75809a70e8773d51c5b20dd0f7b8163e.

New malspam regarding your Amazon order: Your order has been paid! Parcel NR:58588-691

mxlab — Mon, 17 May 2010 08:22:45 +0000

MX Lab detected a new malware spam outbreak with the subject “Your order has been paid! Parcel NR:58588-691″regarding a payment towards Amazon. The malware is sent from a spoofed email address in the form of Amazon Manager Vaughn Montes .

The trojan is known as Trojan.Generic.Bredolab.3232 (ClamAV), W32/VBcrypt.E.gen!Eldorado (Eldorado), W32/VBcrypt.E.gen!Eldorado (F-Prot) or Heuristic.BehavesLike.Win32.Downloader.H (McAfee-GW-Edition).

The body of the email:

Dear Sirs,

Thank you for shopping at Amazon.com!

We have successfully received your payment.

Your order has been shipped to your billing address.

You have ordered ” Sony Bravia S1452 ”

You can find your tracking number in attached to the e-mail document.

Print the postal label to get your package.

We hope you enjoy your order!

Vaughn Montes, Amazon

The email has the ZIP archive Amazon_label_N-322-552.zip attached and contains the 36 kB large file Amazon_label_N-322-552.DOC.exe.

The following files are created:

C:\Documents and Settings\User\Local Settings\Temp\1.tmp
C:\WINDOWS\system32\thxr.wgo

An HTTP request will be done to:

hxxp://hulejsoops.ru/images/bb.php?v=200&id=636608811&b=build_9&tm=1
hxxp://hulejsoops.ru/images/bb.php?v=200&id=636608811&b=build_9&tm=2
hxxp://hulejsoops.ru/images/bb.php?v=200&id=636608811&b=build_9&tm=3

At the time of writing, only 5 of the 41 AV engines at Virus Total did detect the threat. Virus Total permlink and MD5: b31628758d2557315403f59cc65bc33d.