New Bredolab trojan variants in DHL and UPS tracking emails


MX Lab intercepted several email messages carrying new Bredolab trojan variants in the traditional style: emails about the tracking of a parcel. We noticed new campaigns using both the DHL and the UPS tracking style, and we cover them together in this article.

The trojan is known as Trojan.Win32.Bredolab, Trojan-Downloader:W32/Bredolab.WI or TrojanDownloader:Win32/Bredolab.AB.

UPS Tracking Number

The message comes from the spoofed address UPS Manager *** <services@ups.com> (*** stands for a random first name and last name). The subject is UPS Tracking Number 42163829 (the number varies with each email). The body of the email:

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
United Parcel Service.

The email contains the archive file UPS_invoice _Nr4593.zip, where the number matches the number in the subject. Once extracted, the archive yields the executable UPS_invoice _Nr4593.exe, 68 kB in size.

The trojan will create the following files on the system:

%Profiles%\LocalService\Application Data\mvhgkr.dat
%AppData%\avdrn.dat
%DesktopDir%\Internet Security 2010.lnk
%StartMenu%\Internet Security 2010.lnk
%Programs%\Startup\rarype32.exe
%ProgramFiles%\InternetSecurity2010\IS2010.exe
%System%\41.exe
%System%\helper32.dll
%System%\smss32.exe
%System%\winlogon32.exe
%System%\warning.html

The following new processes are created on the system:

%System%\smss32.exe
%ProgramFiles%\internetsecurity2010\is2010.exe

Various registry settings are changed, and TCP port 1054 is opened by the service smss32.exe (%System%\smss32.exe). Connections are established to the remote hosts 193.104.153.30 on port 80 and 193.104.94.5 on port 4455.

The following URLs were then requested from the remote web servers:

* http://downloadavr40.com/loads.php?code=0001384
* http://downloadavr40.com/dfghfghgfj.dll
* http://downloadavr40.com/cgi-bin/download.pl?code=0001384
* http://testavrdown.com/cgi-bin/get.pl?l=0001384

VirusTotal permalink and MD5: 28d798d6021e600101ba68ea87345656. At the time of writing, only 10 of the 41 AV engines detected this trojan variant.
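A defender can turn the file, process and network artifacts listed above into a simple check over host telemetry. The following Python is an added example, not MX Lab's code; the placeholder-to-path map, the event format and the sample events are assumptions constructed for the example, and paths are compared case-insensitively because the process list above already shows the same files in differing case.

```python
import ntpath

# File, process and network artifacts of the UPS variant, as listed in the article.
ARTIFACTS = [
    r"%Profiles%\LocalService\Application Data\mvhgkr.dat", r"%AppData%\avdrn.dat",
    r"%DesktopDir%\Internet Security 2010.lnk", r"%StartMenu%\Internet Security 2010.lnk",
    r"%Programs%\Startup\rarype32.exe", r"%ProgramFiles%\InternetSecurity2010\IS2010.exe",
    r"%System%\41.exe", r"%System%\helper32.dll", r"%System%\smss32.exe",
    r"%System%\winlogon32.exe", r"%System%\warning.html",
]
REMOTE_ENDPOINTS = {("193.104.153.30", 80), ("193.104.94.5", 4455)}
LISTEN_PORT = 1054  # opened by smss32.exe

# Assumed expansions for an XP-style profile named "user"; adapt to the examined host.
PLACEHOLDERS = {
    "%Profiles%": r"C:\Documents and Settings", "%ProgramFiles%": r"C:\Program Files",
    "%AppData%": r"C:\Documents and Settings\user\Application Data",
    "%DesktopDir%": r"C:\Documents and Settings\user\Desktop",
    "%StartMenu%": r"C:\Documents and Settings\user\Start Menu",
    "%Programs%": r"C:\Documents and Settings\user\Start Menu\Programs",
    "%System%": r"C:\WINDOWS\system32",
}

def expand(path: str) -> str:
    """Substitute placeholders and lower-case the result (Windows paths are case-insensitive)."""
    for key, value in PLACEHOLDERS.items():
        path = path.replace(key, value)
    return ntpath.normcase(path)

FILE_IOCS = {expand(p) for p in ARTIFACTS}

def match_events(events):
    """Return (index, indicator) for every event that matches an artifact from the article."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] in ("file_create", "process_create") and ntpath.normcase(ev["path"]) in FILE_IOCS:
            hits.append((i, ev["path"]))
        elif ev["type"] == "net_connect" and (ev["dst"], ev["dport"]) in REMOTE_ENDPOINTS:
            hits.append((i, f"{ev['dst']}:{ev['dport']}"))
        elif ev["type"] == "net_listen" and ev["port"] == LISTEN_PORT and ntpath.normcase(ev["image"]) in FILE_IOCS:
            hits.append((i, f"tcp/{ev['port']} listener {ev['image']}"))
    return hits

# Constructed telemetry: four events mirroring the article's artifacts, two benign ones in between.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\WINDOWS\system32\SMSS32.EXE"},  # case differs from the listing
    {"type": "process_create", "path": r"C:\Program Files\internetsecurity2010\is2010.exe"},
    {"type": "file_create", "path": r"C:\WINDOWS\system32\notepad.exe"},
    {"type": "net_connect", "dst": "193.104.94.5", "dport": 4455},
    {"type": "net_connect", "dst": "192.0.2.10", "dport": 443},
    {"type": "net_listen", "port": 1054, "image": r"C:\WINDOWS\system32\smss32.exe"},
]

if __name__ == "__main__":
    print(match_events(SAMPLE_EVENTS))
```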

DHL Tracking Number

The email comes from the spoofed address Support *** <services@dhl.com> (*** stands for a random first name and last name).

Possible subject formats are:

DHL Delivery Problem NR 98545
DHL International. Get your parcel NR.5269
DHL Customer Services. Get your parcel NR.0961
DHL Express Services. Get your parcel NR.6493
DHL Office. Get your parcel NR.6366
DHL Tracking Number 40834372048

The body of the email:

Hello!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Express Services.

The email contains the archive file DHL_label_Nr2387.zip. Once extracted, the archive yields the executable DHL_label_Nr2387.exe, 68 kB in size. The numbers in the filename may vary.
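Both campaigns share one lure shape: a spoofed services@ups.com or services@dhl.com sender, one of the subject formats quoted above, and a numbered UPS_invoice or DHL_label zip that holds an .exe. The following Python mail-triage check is an added example, not MX Lab's code; the sample message it builds is constructed, with inert bytes standing in for the executable, and the sender's display name is made up.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Spoofed senders and subject shapes quoted in the article for both campaigns.
SPOOFED_SENDERS = {"services@ups.com", "services@dhl.com"}
SUBJECT_RE = re.compile(r"^(?:UPS|DHL) Tracking Number \d+$|^DHL Delivery Problem NR \d+$"
                        r"|^DHL [\w ]+\. Get your parcel NR\.\d+$")
# Attachment names seen on the page: UPS_invoice _Nr4593.zip, DHL_label_Nr2387.zip, UPS-invoice-2756.zip
ATTACH_RE = re.compile(r"^(?:UPS|DHL)[_-](?:invoice|label)[ _-]*(?:Nr)?\d+\.zip$", re.I)

def zip_has_executable(data: bytes) -> bool:
    """True when the archive carries an executable entry (the lure's 'shipping label')."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith((".exe", ".scr", ".pif")) for n in zf.namelist())
    except zipfile.BadZipFile:  # damaged archive: nothing to run, but still worth flagging by name
        return False

def triage(raw: bytes) -> dict:
    """Report which lure indicators a raw RFC 822 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = {
        "spoofed_sender": parseaddr(str(msg.get("From", "")))[1].lower() in SPOOFED_SENDERS,
        "lure_subject": bool(SUBJECT_RE.match(str(msg.get("Subject", "")).strip())),
        "zip_with_exe": any(ATTACH_RE.match(p.get_filename() or "")
                            and zip_has_executable(p.get_payload(decode=True))
                            for p in msg.iter_attachments()),
    }
    hits["verdict"] = "bredolab-lure" if sum(hits.values()) >= 2 else "no-match"
    return hits

def build_sample() -> bytes:
    """Constructed lookalike of the UPS message; the zipped 'executable' is inert filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_invoice _Nr4593.exe", b"MZ" + b"\0" * 64)  # placeholder bytes, not malware
    m = EmailMessage()
    m["From"] = "UPS Manager Jane Roe <services@ups.com>"  # made-up name in the *** slot
    m["Subject"] = "UPS Tracking Number 42163829"
    m.set_content("Dear customer!\nThe shipping label is attached to this e-mail.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="UPS_invoice _Nr4593.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```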

The following files are created on the system:

%AppData%\avdrn.dat
%Programs%\Startup\rarype32.exe

VirusTotal permalink and MD5: 7c874b52eee7196ef96dc8710b957033.

11 thoughts on “New Bredolab trojan variants in DHL and UPS tracking emails”

  1. I have received an e-mail this morning from DHL regarding this… tried to open it but it wouldn't let me… hope I've not done anything to my computer. The email address they used for me wasn't mine but it managed to reach my computer. Don't know how to get rid of this. Anyone help please?

  2. I got the same mail today. I also wonder how that mail landed in my mailbox, when the ID given is not mine.

    Anyway, my Microsoft Security Essentials caught it even before I could open that attachment.

  3. I got the same mail 2 days ago (19 Jan 2010).

    My antivirus didn't say anything but WinZip popped up an alert saying that the file was not an archive or that it was corrupted and you should download it again (yeah sure!!), so I haven't even seen the .exe file INSIDE the .zip file.

    Even so, I'd like to know if there's a version of this email/virus in which you don't even need to run the .exe compressed into the .zip file, but through some sort of exploit get fooled by the “couldn't open file” message from WinZip and still be infected.

    Sophos antivirus detected the virus inside the .zip file, but after deleting it, it didn't find it anywhere else.

    Does anyone have info about this?

    thanks, wok3

  4. 23 January 2010 - I got that same email saying it was from DHL posting services. Norton Antivirus detected it in my Yahoo mail. It seems to be very recent; I didn't find a lot on the internet about it at this time… Thanks for this post, with all this information!!!

  5. I received 3 of these emails, 1 was the DHL and the other two the UPS. I also wonder how one of them ended up in my email as I was not the recipient. Luckily Norton antivirus picked it up before it had a chance to do any damage! PHEW!!

  6. Looks like I've just received a variant:
    Its attachment is “UPS-invoice-2756.zip”.
    It was sent in a spam mail from a server with IP 123.235.226.7, which is registered for “China Unicom Shandong Province Network”.
