New Paypal phish contains fake order and payment details to mislead receiver

At MX Lab we quite often intercept very convincing phishing emails. This latest PayPal phishing email came to our attention because it contains a fake order and payment transaction in order to mislead the intended receiver.

The intended receiver will open such a message and notice that a payment has been made to, in this case, the account robertoelectronics for $440. Of course, the receiver will try to stop this transaction and use the Dispute Transaction link further down in the message.

Here is where the phishing starts. The URL points to a site hosted on a server with IP address hxxp://

Be aware that you should be extra careful with such messages. Take a look at the sender's From address, but more importantly at where the URLs are leading to.
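As an added illustration of checking where the URLs lead (example code, not from the original post): the Python script below parses a constructed PayPal-style message, collects every link together with its visible text, and flags links whose host is a bare IP address or lies outside paypal.com. The sample message, the 192.0.2.10 address and the paths are invented for the example.

```python
import email
import ipaddress
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample modelled on the phish above; the IP and addresses are invented.
SAMPLE_EMAIL = """\
From: "PayPal" <service@paypal.example>
Subject: Payment sent to robertoelectronics
Content-Type: text/html; charset=utf-8

<html><body><p>You sent a payment of $440.00 USD to robertoelectronics.</p>
<p>If you did not authorize this, <a href="http://192.0.2.10/cgi-bin/webscr">
Dispute Transaction</a> at <a href="http://192.0.2.10/">www.paypal.com</a></p>
<p><a href="https://www.paypal.com/help">Help Center</a></p></body></html>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible link text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def host_is_suspicious(host, expected_domain):
    """True for a bare IP address or for any host outside expected_domain."""
    try:
        ipaddress.ip_address(host)
        return True  # the link hides behind a raw IP, as in the phish above
    except ValueError:
        return not (host == expected_domain or host.endswith("." + expected_domain))

def suspicious_links(raw_message, expected_domain="paypal.com"):
    """Return (href, text) for every link that does not lead to expected_domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",)).get_content()
    collector = LinkCollector()
    collector.feed(body)
    return [(href, text) for href, text in collector.links
            if host_is_suspicious(urlparse(href).hostname or "", expected_domain)]
```

Running `suspicious_links(SAMPLE_EMAIL)` reports both IP-hosted links, including the one whose visible text reads www.paypal.com, while the genuine Help Center link passes.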

Social network Hi5 subject to malware campaign

The social network Hi5, a place where you can connect to your friends, is the target of a malware distribution campaign. MX Lab intercepted emails with the subject “Jessica would like to be your friend on hi5!” with an attachment named Invitation that contains the archived file attachment.pdf_[many _spaces]___.exe.

The From address is but this is spoofed. The body of the email looks quite genuine and appears to come from Hi5. If you receive such a message, namely a request to connect from a so-called friend, there is normally no 244 kB file attached to the email.

The trojan is known as Win32:Rootkit-gen (Avast), W32/Autorun-AQL (Sophos), Backdoor.Bot.103388 (GData) or VirTool:Win32/Injector.gen!AH (Microsoft).

The trojan has the threat characteristics of ZBot, a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components, and provides an attacker with remote access to the compromised system.

There are stealth characteristics common to rootkits, and the ability to use SMTP engines to send out emails.

The trojan will create the files %System%\javaa.exe, %System%\jushred.exe and %System%\sdra64.exe on an infected system and the processes jushred.exe and javaa.exe will be running.

The hidden files %System%\lowsec\local.ds, %System%\lowsec\user.ds and %System%\lowsec\user.ds.lll and a hidden folder %System%\lowsec are created.

The system services ERSvc (Error Reporting Service) and wscsvc (Security Center) will be stopped and various registry edits will be performed.

The trojan can connect to remote resources on ports 43, 80, 1033 and 1035 and a connection with will be created.

The built-in SMTP engine will send emails to distribute the trojan to other victims:

Subject: Jessica would like to be your friend on hi5!
Attachment: Invitation

Subject: Shipping update for your order 254-78546325-658742
Attachment: Shipping (334,919 bytes)

Subject: You have received A Hallmark E-Card!
Attachment: (334,919 bytes)

VirusTotal permalink and MD5: 4df3cf28fae7b5b02b2d9f4e03b4dbbd.
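The padded file name and the MD5 above are the kind of indicators a mail gateway can act on. As an added example (not MX Lab's code), the Python script below builds a constructed Hi5-style lure, looks inside the zipped Invitation attachment, and flags members by disguised extension, whitespace padding and an MD5 blocklist. The lure content, addresses and payload bytes are invented; only the quoted MD5 comes from the post.

```python
import hashlib
import io
import re
import zipfile
from email import message_from_string, policy
from email.message import EmailMessage
KNOWN_BAD_MD5 = {"4df3cf28fae7b5b02b2d9f4e03b4dbbd"}  # MD5 quoted above for the Hi5 sample
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}

def inspect_filename(name):
    """Reasons a file name looks disguised (empty list when it looks clean)."""
    reasons = []
    parts = [p.strip(" _") for p in name.lower().split(".")]  # drop padding around each part
    if parts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{parts[-1]}")
        if len(parts) > 2:
            reasons.append(f"double extension: .{parts[-2]} shown, .{parts[-1]} run")
    if re.search(r"[ _]{5,}", name):
        reasons.append("padding pushes the real extension out of view")
    return reasons

def inspect_attachments(raw_message, bad_hashes=KNOWN_BAD_MD5):
    """Return {member name: [reasons]} for every attachment, looking inside zips."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        data, name = part.get_payload(decode=True), part.get_filename() or "unnamed"
        members = [(name, data)]
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [(m, zf.read(m)) for m in zf.namelist()]
        for member_name, content in members:
            reasons = inspect_filename(member_name)
            if hashlib.md5(content).hexdigest() in bad_hashes:
                reasons.append("MD5 on blocklist")
            if reasons:
                findings[member_name] = reasons
    return findings

def build_sample():
    """Constructed Hi5-style lure: a zip named Invitation holding a padded .exe name."""
    payload = b"MZ" + b"\x00" * 64  # constructed stand-in bytes, not real malware
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("attachment.pdf_" + " " * 60 + "___.exe", payload)
    msg = EmailMessage()
    msg["From"], msg["Subject"] = "hi5 <invite@hi5.example>", "Jessica would like to be your friend on hi5!"
    msg.set_content("Jessica has invited you to join hi5.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Invitation")
    return msg.as_string(), hashlib.md5(payload).hexdigest()
```

Passing the constructed payload's own MD5 in `bad_hashes` shows the hash rule firing alongside the file-name rules; with only the quoted MD5 on the list, the name rules alone still catch the lure.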

Make sure your WordPress installation is up to date

This may be interesting reading for users who have their own WordPress installation older than version 2.8.4.

“The newly discovered worm is pretty sneaky to say the least. In a nutshell, it crawls the web looking for vulnerable WordPress installations, makes itself an administrator account, takes full control of the website and posts malware and spam to it. It’s also been reported that it will sometimes disable Defensio and other anti-spam plugins. It can be very hard to detect the new malicious administrator user since it hides itself from the users list using Javascript.”

Read the full story.

Rogue AV goes green with Green Antivirus 2009

MX Lab reported earlier on rogue AV software (AntiVir Plus and Anti Virus for Windows), and today we focus on Green Antivirus 2009. This antivirus software is in fact malware and will infect your computer when installed. The result can vary from a computer infected with malware, to the creation of a zombie computer or, even worse, ransomware where important files are encrypted and you need to pay to get them back.

Green Antivirus 2009 is another counterfeit anti-virus application. The goal of the application is the same as that of other rogue anti-spyware programs, but Green AV also claims to care about environmental protection: they will donate $2 from every sold program to an environmental care program saving the forests of Amazonia. This is a very slick marketing trick now that everyone is “thinking green”, and they also show a dollar counter of the donations on their web site.

As with other web sites that we have seen in the past, the web site looks quite professional from a design point of view, promises 100% removal of viruses and protection against phishing and other threats. With testimonials, an SSL secure connection and credit card images they try to gain your trust.

Green AV can be downloaded from sites that host this malware, and it might also be installed automatically without the user's permission.

After installation, or should we say infection, Green AV performs a fake scan and floods the system with many intrusive alerts about infections and other security or privacy issues. It will decrease your system's performance and hijack browsers.

Green AV will not remove all the detected infections on your system, because they are fake, and you will also be pushed to buy the full version. Be aware that you have to pay online with your credit card, so these guys are not only taking care of your computer with malicious software but will also use your card details for other purposes.

The recommendation is to remove Green AV immediately and clean up your system. There are already many instructions and Green AV removal apps on the web. Google around with the keywords “Green AV + removal”.

New Bredolab variants are spreading by email

MX Lab has been intercepting more emails carrying the trojan Bredolab than usual since August 27th, 2009. We already reported on Bredolab earlier, but it seems that there are now multiple types of emails with different content trying to get the payload delivered.

DHL Tracking Number 2491VT2O

This email contains the following body:

We failed to deliver your postal package sent on the 23rd of July in time
because the addressee’s address is incorrect.
Please print out the invoice copy attached and collect the package at our office.

Your DHL Delivery Services.

Western Union transfer is available for withdraw

This email contains the following body:

Dear customer.

The amount of money transfer: 3010 USD.
Money is available to withdrawl.

You may find the Money Control Number and receiver’s details in document attached to this email.

Western Union.
Finance Department.

Shipping confirmation for order 44663

This email contains the following body:

Thank you for shopping at our internet shop!
We have successfully received your payment.

Your order has been shipped to your billing address.
You have ordered Apple Mac mini MB464LL.

You can find your tracking number in attached to the e-mail document.
Please print the label to get your package.

We hope you enjoy your order!

Bredolab is a trojan horse that downloads and executes files from the Internet, such as rogue anti-spyware. To bypass firewalls, it injects its own code into the legitimate processes svchost.exe and explorer.exe. Bredolab contains anti-sandbox code.

Bredolab also allows attackers unauthorized access to infected machines and can connect to various hosts to download other malware, for example from hxxp://*****&v=15&rnd=***.