Western Union Service emails contain Bredolab

After a relatively quiet week with low virus detection, MX Lab started intercepting a new Bredolab outbreak in emails regarding a Western Union money transfer. The malware is detected as Bredolab.gen.a (McAfee), TrojanDownloader:Win32/Bredolab.X (Microsoft), Mal/Krap-B (Sophos) or Trojan.Bredolab!gen3 (Symantec).

The spoofed From address has the form Manager Ginger Patrick <customer@westernunion.com>, where the person's name is random.

The email has one of the following subjects:

Western Union Service. Please get your money. Order NR.4560
Western Union Service. You can receive money transfer. Order NR.5606
Western Union Service. You should receive money transfer. Order NR.0743
Western Union Service. Your money transfer details!. Order NR.4560
Western Union Service. You need to get money! Order NR.5606
Western Union Service. MTCN Details. Order NR.3365

The order numbers are chosen randomly and change with each email.

The body of the email:

Dear customer.

The amount of money transfer: 4675 USD.
Money is available to withdrawl.

You may find the Money Transfer Control Number and receiver’s details in document attached to this email.

Western Union.
Financial Services.

The email contains the attachment WU_Details_db6ec.zip with the executable WU_Details_db6ec.exe in the archive.

VirusTotal permalink and MD5: 0307d603cef4c524c3b05417387dfdec

New Western Union MTCN trojan

MX Lab intercepted a new ZBot trojan today that is being distributed in the familiar “Western Union MTCN” format. The message subject is “Western Union Transfer MTCN: 5815328212”. The attached file is a compressed zip archive WesternUnion_SPL90710021.zip containing the malware WesternUnion_SPL90710021.exe. Note that the numbers in the subject line, the attachment name and the executable name can change.

The body of the email contains:

Dear customer!

The money transfer you have sent on the 20th of April wasn’t received by the recipient.
According to the Western Union contract the transfers which are not collected in 15 days are to be returned to sender.
To collect funds you need to print the invoice attached to this e-mail and visit the nearest Western Union branch.

Thank you!

When we submitted the sample to VirusTotal on 26/05/2009 at 21:27:10 (UTC), only 6 of the 40 AV engines detected it. Judging by the names, most of those are heuristic or generic detections: Gen:Trojan.Heur.3004FB9EBC (BitDefender, GData), Suspicious file (Panda) and (Suspicious) - DNAScan (CAT-QuickHeal). Only A-Squared and Microsoft assign a family name: Gen.Trojan!IK and TrojanDownloader:Win32/Bredolab.G.

The trojan creates the following files:

%AppData%\wiaserva.log
%Temp%\WER699f.dir00\appcompat.txt
%Temp%\WER699f.dir00\explorer.exe.hdmp
%Temp%\WER699f.dir00\explorer.exe.mdmp
%Temp%\WER699f.dir00\manifest.txt
%System%\wbem\grpconv.exe

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data. Likewise, %Temp% is the user's temporary directory (typically C:\Documents and Settings\[UserName]\Local Settings\Temp) and %System% is the Windows system directory (typically C:\WINDOWS\system32).

The following directory is created: %Temp%\WER699f.dir00. The appcompat.txt, manifest.txt and explorer.exe.hdmp/.mdmp files inside it are Windows Error Reporting crash artifacts (the hex part of the directory name varies per crash), so they show that explorer.exe crashed while the sample ran rather than being files the trojan writes on purpose; the stable file indicators are %AppData%\wiaserva.log and %System%\wbem\grpconv.exe.
A new process is started from %System%\wbem\grpconv.exe, along with some Windows registry modifications. Note that grpconv.exe is also the name of a legitimate Windows binary that lives directly in %System%, so match on the full path including the wbem subdirectory.

The following URL is being used: hxxp://dollarpoint.ru/abc/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&rnd=8520045
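The beacon URL above is the one network indicator the post gives, and the useful bits for an analyst are the host, the controller.php path with action=bot, and the per-bot guid. The following is an added example (not MX Lab's code) that runs that check over constructed Squid-style proxy log lines and groups the hits by internal client; the log layout and the sample lines are assumptions, and the host name is written out undefanged because a detection rule has to match the real string.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicator from the post above. The blog defangs it as hxxp://; a detection
# rule has to match the real host name, so it is spelled out here.
C2_HOST = "dollarpoint.ru"
C2_PATH = "/abc/controller.php"

# Squid native access.log layout (assumed log format for this example):
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def parse_beacon(url: str):
    """Return the bot's check-in parameters if the URL is a controller.php
    beacon for this C2, otherwise None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    if (parts.hostname or "").lower() != C2_HOST or parts.path != C2_PATH:
        return None
    q = parse_qs(parts.query, keep_blank_values=True)
    if q.get("action") != ["bot"]:
        return None

    def first(key):
        return q.get(key, [""])[0]

    return {"guid": first("guid"), "rnd": first("rnd"),
            "uid": first("uid"), "first": first("first")}


def scan_proxy_log(lines):
    """Return one hit per beacon, tagged with the internal client that sent it."""
    hits = []
    for line in lines:
        m = SQUID_LINE.match(line)
        if not m:
            continue
        beacon = parse_beacon(m.group("url"))
        if beacon is not None:
            hits.append({"client": m.group("client"), "ts": m.group("ts"), **beacon})
    return hits


def infected_clients(hits):
    """Collapse hits into {client: set of bot guids} for host follow-up."""
    out = {}
    for h in hits:
        out.setdefault(h["client"], set()).add(h["guid"])
    return out


# Constructed log lines: two beacons from one workstation (only the rnd value
# differs between them; the post does not say how later check-ins differ) and
# one unrelated request from another host.
SAMPLE_LOG = [
    "1243372030.123    312 10.0.0.17 TCP_MISS/200 845 GET "
    "http://dollarpoint.ru/abc/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&rnd=8520045 "
    "- DIRECT/dollarpoint.ru text/html",
    "1243372031.456    120 10.0.0.23 TCP_HIT/200 1024 GET "
    "http://www.example.com/index.html - NONE/- text/html",
    "1243372095.789    290 10.0.0.17 TCP_MISS/200 845 GET "
    "http://dollarpoint.ru/abc/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&rnd=1122334 "
    "- DIRECT/dollarpoint.ru text/html",
]

if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(infected_clients(hits))
```

Matching on host plus path plus action=bot rather than on the whole query string is deliberate: rnd changes on every request and guid is per infection, so a rule keyed on the full URL would never fire twice.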

VirusTotal permalink and MD5 hash: 53d15dc652a2534572981bab1e2eddf3.

Western Union MTCN trojan variant

MX Lab intercepted emails with the attached malware Trojan-Spy.Win32.Zbot.tnt regarding a failed money transfer handled by Western Union. The email subject is “Western Union Transfer MTCN: 9439449215” (the number is random and changes with each message) and the sender is support@westernunion.com, which is obviously spoofed.

The body of the email:

Dear Client!

The money transfer you have sent on the 9th of March has not been received by the recipient.
According to the Western Union contract the transfers which are not collected in 15 business days are to be returned to sender.
To collect funds you need to print the invoice attached to this e-mail and visit the nearest Western Union agency.

Thank you!

The email has a zip file attached with the name Invoice_8773.zip, which contains the executable Invoice_8773.exe. The malware has the same characteristics as the sample from our previous detection.

VirusTotal permalink and MD5: fa491105bd5c3baedad78f28586ff91e.
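All three campaigns above share the same shape: a spoofed westernunion.com sender, a subject from a small template set with a random number, and a zip attachment wrapping a single executable whose MD5 is known. The following is an added example (not MX Lab's code) of a mail-gateway triage check built from exactly those indicators. The sample message, the stub "executable" inside it and the scoring weights are constructed for the example; the subject patterns, sender domain and MD5 hashes are the ones given in the posts.

```python
import email
import email.utils
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the three MX Lab posts above.
SUBJECT_PATTERNS = [
    re.compile(r"^Western Union Service\. .*Order NR\.\d+$"),
    re.compile(r"^Western Union Transfer MTCN:\s*\d+$"),
]
SPOOFED_SENDER_DOMAIN = "westernunion.com"
KNOWN_MD5 = {
    "0307d603cef4c524c3b05417387dfdec",  # WU_Details_db6ec.exe (Bredolab)
    "53d15dc652a2534572981bab1e2eddf3",  # WesternUnion_SPL90710021.exe
    "fa491105bd5c3baedad78f28586ff91e",  # Invoice_8773.exe (Zbot)
}
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif")
MAX_MEMBER_SIZE = 20 * 1024 * 1024  # do not inflate larger members (zip-bomb guard)


def triage(raw: bytes) -> dict:
    """Score one raw RFC 822 message against the campaign indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("subject", "")).strip()
    sender = email.utils.parseaddr(str(msg.get("from", "")))[1].lower()

    findings = {
        "subject_match": any(p.search(subject) for p in SUBJECT_PATTERNS),
        # Anything claiming to be from westernunion.com on this path is treated
        # as spoofed; a real notification would not arrive with this lure.
        "spoofed_from": sender.endswith("@" + SPOOFED_SENDER_DOMAIN),
        "zip_with_exe": [],  # (attachment name, member name) pairs
        "md5_hits": [],
    }

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if not info.filename.lower().endswith(EXECUTABLE_EXTENSIONS):
                        continue
                    findings["zip_with_exe"].append((name, info.filename))
                    if info.file_size > MAX_MEMBER_SIZE:
                        continue
                    digest = hashlib.md5(zf.read(info)).hexdigest()
                    if digest in KNOWN_MD5:
                        findings["md5_hits"].append(digest)
        except zipfile.BadZipFile:
            continue  # malformed archive named .zip; out of scope here

    # Constructed weights: structural signals alone are enough to quarantine,
    # a hash hit is decisive on its own.
    score = (int(findings["subject_match"]) + int(findings["spoofed_from"])
             + 2 * bool(findings["zip_with_exe"]) + 3 * bool(findings["md5_hits"]))
    findings["score"] = score
    findings["verdict"] = "quarantine" if score >= 3 else "pass"
    return findings


def build_sample_eml() -> bytes:
    """Constructed message mirroring the first post's lure. The 'executable'
    is a 64-byte stub starting with the MZ magic, not the real dropper."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("WU_Details_db6ec.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "Manager Ginger Patrick <customer@westernunion.com>"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Western Union Service. Please get your money. Order NR.4560"
    msg.set_content(
        "Dear customer.\n\nThe amount of money transfer: 4675 USD.\n"
        "Money is available to withdrawl.\n\nWestern Union.\nFinancial Services.\n"
    )
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename="WU_Details_db6ec.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in triage(build_sample_eml()).items():
        print(f"{key}: {value}")
```

The hash list is the weakest signal here: it covers only the three samples MX Lab posted, and the random order numbers and attachment suffixes show the senders rebuild the lure per wave, so the structural checks (sender domain, subject template, zip-wrapping-an-exe) are what keep firing on the next variant.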