“Thank you for buying iTunes Gift Certificate!” email contains trojan
May 7, 2010 39 Comments
[UPDATE] A new article regarding a new trojan variant has been posted on the MX Lab blog on 26 May 2010: New trojan variant in “Thank you for buying iTunes Gift Certificate!” email. Read article here.
MX Lab started to intercept emails with the subject “Thank you for buying iTunes Gift Certificate!” with the trojan Gen:Variant.Bredo.4 (Bitdefender, F-Secure), Win32/Oficla.GQ (NDO32), Trojan.Sasfis (Symantec) or Mal/EncPk-NS (Sophos).
It is clear that with this campaign, the virus authors are using a subtle way to lure potential victims. Getting a $50 iTunes Gift Certificate is more tempting than anything else.
This distribution is sent from the spoofed email address iTunes Products <firstname.lastname@example.org>.
The body of the email:
You have received an iTunes Gift Certificate in the amount of $50.00
You can find your certificate code in attachment below.
Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.
The email contains the file ZIP archive iTunes_certificate_247.zip containing the 52 kB large executable iTunes_certificate_247.exe.
The following files are created:
The registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid” is created.
The registry key “[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]” will be modified.
The trojan can establish a remote connection with the IP 220.127.116.11 on port 80 and retrieve data from:
At the time of writing, 15 of the 41 AV engines did detect the trojan. Virus Total permlink and MD5: 0e50c0085bc6d75226a5c06ac1637df1
MX Lab customers are protected against this email based threat.