Important Microsoft Security Update by email is malware

We all know by now, I do hope so, that Microsoft distributes its updates through the automated update feature inside the Windows OS or via the Windows Update web site reachable from the Start menu. If you receive an email from Microsoft about an important security update that contains a link to some executable, be aware that this is malware.

MX Lab intercepted a new sample of such an email from “Microsoft Corporation <securitydept@microsoft.ssl.com>” with the subject “Important Windows Xp/Vista Security Update!”.

The message warns about a recent outbreak of the Conficker worm that has infected 15 million Windows users and claims that the worm has already been updated and is harder to detect. The alleged security update notification recommends installing the removal tool remtool_conf.exe, which can be downloaded from hxxp://windowsupdate.microsoft.com.ssl3.pop3.ru/remtool_conf.exe.
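The two indicators in this lure are visible before anything is downloaded: the sender's display name says Microsoft but the mailbox domain is ssl.com, and the download host starts with windowsupdate.microsoft.com while the domain that actually answers is pop3.ru. The following Python is an added example of how a mail filter can surface both, not MX Lab's own filtering code. The header and body text are constructed from the values quoted above, the hxxp prefix is refanged before parsing, and the registrable-domain helper simply takes the last two labels (an assumption that ignores multi-label public suffixes such as co.uk).

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample, modelled on the message described above (not a real capture).
SAMPLE_FROM = "Microsoft Corporation <securitydept@microsoft.ssl.com>"
SAMPLE_BODY = (
    "A new variant of the Conficker worm is harder to detect. "
    "Download the removal tool from "
    "hxxp://windowsupdate.microsoft.com.ssl3.pop3.ru/remtool_conf.exe"
)

# Brands whose name in a sender or URL must be backed by the matching domain.
BRAND_DOMAINS = {"microsoft": "microsoft.com"}
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s\"'<>]+", re.I)
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels. Assumption: no multi-label suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def refang(url: str) -> str:
    """Turn a defanged hxxp:// URL back into http:// so urlsplit can parse it."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def check_sender(from_header: str) -> list:
    """Flag a From header whose name or mailbox claims a brand the domain does not back."""
    findings = []
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, legit in BRAND_DOMAINS.items():
        if brand in name.lower() or brand in domain:
            real = registrable_domain(domain)
            if real != legit:
                findings.append(f"sender claims {brand} but mail domain is {real}")
    return findings


def check_links(body: str) -> list:
    """Flag URLs whose host embeds a brand domain as a prefix, and direct links to executables."""
    findings = []
    for raw in URL_RE.findall(body):
        parts = urlsplit(refang(raw.rstrip(".,)")))
        host = parts.hostname or ""
        real = registrable_domain(host)
        for legit in BRAND_DOMAINS.values():
            # "microsoft.com" appears inside the host, but the serving domain is different
            if legit in host and real != legit:
                findings.append(f"link host {host} spoofs {legit}, real domain {real}")
        path = parts.path.lower()
        if path.endswith(EXECUTABLE_EXT):
            findings.append(f"link to executable {path.rsplit('/', 1)[-1]} on {real}")
    return findings


def score_message(from_header: str, body: str) -> list:
    """All findings for one message; an empty list means nothing suspicious was seen."""
    return check_sender(from_header) + check_links(body)


if __name__ == "__main__":
    for finding in score_message(SAMPLE_FROM, SAMPLE_BODY):
        print(finding)
```

Run against the constructed sample this yields three findings: the ssl.com sender, the pop3.ru host hiding behind the microsoft.com prefix, and the direct link to an .exe. A genuine message from update@microsoft.com linking to www.microsoft.com produces none.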

The email gives clear instructions on how to install remtool_conf.exe:

Usage Instructions:
download file
click remtool_conf.exe and let it scan..
you are advised to disable your already existing antivirus software prior to running the removal tool to avoid conflicts.

The message also points to a Network World article from February 2009 to give the reader the impression that this is a real threat. Well, the Conficker worm is a threat, but this removal tool won’t come to the rescue when your computer is infected.

When analysing the malware we got the following installation screen with the title Symantec Trojan.Brisv.A Removal Tool 2.1.0.7 EULA.

The malware will create the following files:

%Temp%\nsf3.tmp\webexplorer.exe
%Programs%\Startup\winupdate.exe
%System%\fixbrisa.log

And a directory at:

%Temp%\nsf3.tmp

New processes will be started:

fixbrisa.exe
webexplorer.exe
ns9.tmp

The Windows service wscsvc, the Windows Security Center, will be stopped.

The host hxxp://makemymoneys.com/install/winupdate.exe is contacted to fetch winupdate.exe. This is another malicious file of about 130 kB, known as Suspicious.MH690 by Symantec.

UPS Postal Service trojan still active

In the past we’ve seen many variants of the UPS email containing a trojan attached in a zip file, now known as Win32/Kollah.RT, 32/Zbot.GXN!tr.spy or TrojanSpy:Win32/Zbot.gen!C depending on the anti-virus engine. Since yesterday we’ve seen a new variant that is quite active and widely distributed, as MX Lab has intercepted quite a few samples of these emails.

The emails haven’t changed much; the subject is “Your Tracking # 877874077711” (where the number is dynamic and changes often) and the body reads:

Sorry, we were not able to deliver postal package you sent on November the 1st in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office. If you do not receive package in ten days you will have to pay 36$ per day.

Your UPS

The email has the zip file Invoice_UPS.zip attached, with Invoice_UPS.exe inside.

VirusTotal Permalink and MD5: 68ab2a6801bbc18e727d8ac093c8087f.

Email from Int. F.C.U contains trojan downloader

Messages with the subject Re: F.C. Doc. contain an attached file Doc_N012.zip which holds, according to F-Secure, Trojan-Downloader.Win32.Small.aglf, also known as Mal/EncPk-CO by Sophos.

The contents of the email:

Hello, onkar-amodik.

We send the updated report.
Ssory for a delay.
Look the attached file.

Tel: 028663

Best regards,
Int. F.C.U.  mailto:scott@planetterragen.com

The unpacked zip file contains the file Doc_N012.Doc______________________________________.exe; the long run of underscores pushes the real .exe extension out of view in most file listings, so the attachment appears to be a Word document. Please be aware that subjects, email bodies and file names can change when new variants emerge.
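The Invoice_UPS.zip sample above and this Doc_N012 attachment rely on the same trick: an executable inside a zip whose name suggests a document. The Python below is an added example, not MX Lab's own scanner, of how a gateway can classify attachment names (executable extension, a decoy document extension, filler characters between the two) and, independently of the name, check the first bytes of each zip member for a PE header. The zip is constructed in memory with a dummy "MZ" payload so the example runs offline; the eight-character padding threshold is an assumption.

```python
import io
import re
import zipfile

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXT = {".doc", ".pdf", ".xls", ".txt", ".jpg"}
# Assumption: eight or more filler characters before the true extension is padding.
PADDING_RE = re.compile(r"[ _\-]{8,}")


def classify_name(name: str) -> list:
    """Name-based findings for one attachment or archive member."""
    findings = []
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.rsplit(".", 1)
    ext = "." + parts[1] if len(parts) == 2 else ""
    if ext not in EXECUTABLE_EXT:
        return findings
    findings.append("executable attachment")
    stem = parts[0]
    if PADDING_RE.search(stem):
        findings.append("padding before extension")
    # Strip the filler and see whether a document extension was left in view.
    core = PADDING_RE.sub("", stem)
    for decoy in sorted(DECOY_EXT):
        if core.endswith(decoy):
            findings.append(f"decoy extension {decoy}")
            break
    return findings


def scan_zip(data: bytes) -> dict:
    """Map each zip member to its findings, adding a content check for PE files."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings = classify_name(info.filename)
            with zf.open(info) as fh:
                # Windows executables start with the "MZ" DOS header, whatever the name says.
                if fh.read(2) == b"MZ":
                    findings.append("PE header")
            results[info.filename] = findings
    return results


def build_sample_zip() -> bytes:
    """Constructed stand-in for Doc_N012.zip; the payload is a dummy string, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Doc_N012.Doc______________________________________.exe", b"MZ dummy payload")
        zf.writestr("readme.txt", b"plain text member")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_zip(build_sample_zip()).items():
        print(member, "->", findings or ["clean"])
```

The name check alone already flags Invoice_UPS.exe as an executable, and the underscore-padded name additionally as padded with a .doc decoy; the PE-header check catches a renamed executable even when the name gives nothing away.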

It is a threat that attempts to open a backdoor and allow unauthorized access to the infected machine. It creates the file %Temp%\system.ex, starts a new process and adds itself to the registry so that it runs each time the computer boots.

VirusTotal Permalink and MD5: 28c8d27cb9da210a5480618a57788dde.

Active key trojan

Emails with the following subjects contain Trojan.Downloader-58166, W32.SillyDC or Worm.Win32.AutoRun.rwo (depending on the anti-virus engine) in the file active_key.zip. It is detected by 12 of the 36 anti-virus engines at VirusTotal.

The Activation Keys
Recovery KEYS for your account 

Content:

Hello,

As you requested your account was held up. You can activate it any time with the help of the keys (they are in Word file) added to this letter.

Feel free to address to our offices in your place to get all your questions answered.

VirusTotal Permalink and MD5: 04cae49dfbfbfdcd1af74015c1003bb5.

The trojan installs itself as a default debugger that is injected into the execution sequence of a target application. If a threat is installed as a default debugger, it runs every time the target application is launched, either to mimic it and hide its own presence (e.g. an open port or a running process) or simply to be activated as often as possible.

The following file will be created: %ProgramFiles%\Microsoft Common\wuauclt.exe. Some Windows registry changes will be made, the host name www.microsoft.com will be looked up and connections can be made to the following host:

http://*****.ru/ld.php?v=1&rs=13441600&n=1&uid=1
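The "default debugger" mechanism described above is the Debugger value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<target>.exe; Windows launches whatever that value names instead of the target. The Python below is an added example, not MX Lab's or Symantec's tooling, of checking an exported copy of that key (as produced by reg export) during a forensic review. The .reg text is constructed: the page names only the dropped file, so the target applications (taskmgr.exe, iexplore.exe, notepad.exe) are assumptions. The genuine wuauclt.exe lives in %SystemRoot%\System32, which is why a same-named binary under Program Files is treated as the strongest signal.

```python
import re

# Constructed reg export of the IFEO key, modelled on the persistence described above.
# Target application names are assumptions; only the wuauclt.exe path comes from the page.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\wuauclt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="\"C:\\Program Files\\Microsoft Common\\wuauclt.exe\" /q"
'''

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options" + "\\")
KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"\s*$')
# Directories where a legitimately named system binary is expected to live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_reg(text: str) -> dict:
    """Return {target exe: {value name: string value}} for IFEO subkeys only."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            path = m.group(1)
            if path.lower().startswith(IFEO_PREFIX.lower()):
                current = path[len(IFEO_PREFIX):]
                keys[current] = {}
            else:
                current = None
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # Undo the .reg escaping: \\ -> \ and \" -> "
            value = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m.group(1)] = value
    return keys


def debugger_image(value: str) -> str:
    """Extract the executable path from a Debugger value, quoted or not, with or without arguments."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    idx = value.lower().find(".exe")
    return value[:idx + 4] if idx != -1 else value.split(" ")[0]


def find_ifeo_debuggers(text: str) -> list:
    """List (target, debugger image, reason) for every Debugger value in the export."""
    findings = []
    for target, values in parse_reg(text).items():
        dbg = values.get("Debugger")
        if not dbg:
            continue
        image = debugger_image(dbg)
        low = image.lower()
        outside = not low.startswith(SYSTEM_DIRS)
        if outside and low.endswith("\\wuauclt.exe"):
            reason = "wuauclt.exe outside System32"
        elif outside:
            reason = "debugger outside system directories"
        else:
            reason = "debugger set (verify)"
        findings.append((target, image, reason))
    return findings


if __name__ == "__main__":
    for target, image, reason in find_ifeo_debuggers(SAMPLE_REG):
        print(f"{target}: {image} [{reason}]")
```

Any Debugger value deserves a look, since legitimate uses (a developer's just-in-time debugger, for instance) are rare on end-user machines; the reason string only ranks the hits. On a live system the same walk can be done over the registry directly, and the GlobalFlag entry in the sample shows why the check must key on the Debugger value rather than on the mere presence of a subkey.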