New trojan variant in “Thank you for buying iTunes Gift Certificate!” email


MX Lab started to intercept a new campaign with the subject “Thank you for buying iTunes Gift Certificate!” that carries the trojan Gen:Variant.Bredo.4 (Bitdefender, F-Secure), Win32/Oficla.GQ (NOD32), Trojan.Sasfis (Symantec) or Mal/EncPk-NS (Sophos).

It is clear that with this campaign, the virus authors are using a subtle way to lure potential victims. Getting a $50 iTunes Gift Certificate is more tempting than anything else.

This distribution is sent from the spoofed email address iTunes Products <customer.service@itunes.com>.

The body of the email:

Hello!

You have received an iTunes Gift Certificate in the amount of $50.00
You can find your certificate code in attachment below.

Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.

iTunes Store.

The email contains the ZIP archive Gift_Certificate_531.zip, which holds the 36 kB executable Gift_Certificate_531.exe.

The following files are created:

%Temp%\1.tmp
%System%\nnfj.tqo
%Temp%\4.tmp
%Temp%\_check32.bat
%Windir%\Moxmact1.dll
%Windir%\s32.txt
%System%\aspimgr.exe
%Windir%\ws386.ini

A new process will be created on the system:

%System%\aspimgr.exe

The following modules will be loaded into the address space of other process(es):

%Windir%\Moxmact1.dll —>
Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E80000 – 0x1E91000

%Windir%\Moxmact1.dll —>
Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0x10000000 – 0x10011000

New registry key creations:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Phuxobab
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASPIMGR
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASPIMGR000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASPIMGR000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aspimgr
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aspimgr\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aspimgr\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum

The following registry keys are modified:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • Shell =
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
    • (Default) =
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
    • (Default) =

The trojan can establish a remote connection with the following hosts on port 80:

128.175.82.88
195.78.108.203
89.149.202.142
95.211.27.238

Data will be requested from the following web sites:

* hxxp://funnylive2010.ru/ms/bb.php?v=200&id=555611691&b=26may&tm=2
* hxxp://funnylive2010.ru/ms/bb.php?v=200&id=555611691&tid=11&b=26may&r=1&tm=2
* hxxp://porsche911start.ru:80/board.php
* hxxp://www.yunusemre.net/trpanel/fckeditor/editor/
_source/classes/v106.exe
* hxxp://www.yunusemre.net/trpanel/fckeditor/editor/
_source/classes/sistempod.exe

At the time of writing, 16 of the 41 AV engines on VirusTotal detected the trojan. VirusTotal permalink and MD5: 75809a70e8773d51c5b20dd0f7b8163e.
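The artifacts listed above (dropped file names, the service and other registry keys, the modified Winlogon Shell value, and the contacted hosts) can be turned into a simple detection pass over host and proxy telemetry. The script below is an added example and not MX Lab's code. The log lines in it are constructed and use an assumed key=value record format (event kinds such as PROCESS_CREATE, REG_SET and NET, fields such as image=, key= and url=) rather than any product's real format; the indicator values are the ones from the post. Generic names such as 1.tmp, 4.tmp and explorer.exe are left out on purpose because they occur on clean systems too.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the post. Generic temp files (1.tmp, 4.tmp) and
# explorer.exe are deliberately excluded: they exist on clean systems as well.
FILE_NAMES = {"nnfj.tqo", "moxmact1.dll", "s32.txt", "aspimgr.exe",
              "ws386.ini", "_check32.bat"}
REGISTRY_KEYS = {                      # matched as case-insensitive substrings
    r"software\classes\idid",
    r"software\microsoft\windows\currentversion\phuxobab",
    r"software\microsoft\sft",
    r"services\aspimgr",
    r"enum\root\legacy_aspimgr",
}
# The post reports Winlogon\Shell being modified. Any write to that value is
# worth review regardless of the data, since it decides what runs at logon.
PERSISTENCE_VALUES = {
    (r"software\microsoft\windows nt\currentversion\winlogon", "shell"),
}
HOSTS = {"128.175.82.88", "195.78.108.203", "89.149.202.142", "95.211.27.238",
         "funnylive2010.ru", "porsche911start.ru", "www.yunusemre.net"}

# Constructed sample telemetry in an assumed key=value format (not a real
# product's output). Line 7 models a request seen through an internal proxy.
SAMPLE_LOG = [
    'PROCESS_CREATE image="C:\\WINDOWS\\explorer.exe" parent="C:\\WINDOWS\\system32\\userinit.exe"',
    'FILE_CREATE path="C:\\WINDOWS\\Moxmact1.dll"',
    'PROCESS_CREATE image="C:\\WINDOWS\\system32\\aspimgr.exe" parent="C:\\WINDOWS\\explorer.exe"',
    'REG_CREATE key="HKLM\\SYSTEM\\CurrentControlSet\\Services\\aspimgr"',
    'REG_SET key="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" value="Shell" data="Explorer.exe"',
    'NET dst="95.211.27.238" dport=80',
    'NET dst="proxy.internal.test" dport=8080 url="http://funnylive2010.ru/ms/bb.php?v=200&id=555611691&b=26may&tm=2"',
    'NET dst="www.example.com" dport=443',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Split 'KIND k1=v1 k2="v 2"' into the event kind and a field dict."""
    kind, _, rest = line.partition(" ")
    return kind, {k: v.strip('"') for k, v in KV.findall(rest)}


def check(line):
    """Return (category, indicator) if the line matches an IoC, else None."""
    kind, f = parse(line)
    if kind in ("PROCESS_CREATE", "FILE_CREATE", "IMAGE_LOAD"):
        path = f.get("image") or f.get("path") or ""
        name = path.rsplit("\\", 1)[-1].lower()      # compare on the basename
        if name in FILE_NAMES:
            return "file", name
    elif kind in ("REG_CREATE", "REG_SET"):
        key = f.get("key", "").lower()
        value = f.get("value", "").lower()
        for fragment in REGISTRY_KEYS:
            if fragment in key:                      # also catches subkeys
                return "registry", fragment
        for k, v in PERSISTENCE_VALUES:
            if key.endswith(k) and value == v:
                return "persistence", k + "\\" + v
    elif kind == "NET":
        # Prefer the URL's host when a proxy sits in the path; else use dst.
        host = f.get("dst", "").lower()
        if "url" in f:
            host = (urlsplit(f["url"]).hostname or host).lower()
        if host in HOSTS:
            return "network", host
    return None


def scan(lines):
    """Run check() over a log and return (line_no, category, indicator) hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        hit = check(line)
        if hit:
            hits.append((n,) + hit)
    return hits


if __name__ == "__main__":
    for n, cat, ioc in scan(SAMPLE_LOG):
        print(f"line {n}: {cat} indicator {ioc}")
```

Run against the constructed sample, this flags six of the eight lines: the two dropped files, the service key, the Winlogon Shell write, and the two contacts with listed hosts, while the benign explorer.exe start and the HTTPS request to an unlisted site pass. The Winlogon Shell rule fires on any write to that value rather than on the specific data, since the post does not give the value written and the location alone is the persistence signal.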

7 thoughts on “New trojan variant in ‘Thank you for buying iTunes Gift Certificate!’ email”

  1. Thanks for your advice here. However, they are trying to keep ahead of the game.
    They are changing the email to try and confuse people!
    Attachment now named: Gift_Cerificate_641.zip
    Email address now just: certificate@itunes.com
    Message headers: from IP 111.193.148.254 – which is somewhere near Beijing in China
    Return email address: tackinessad81@conceive.com

  2. I got one from store@itunes.com, the attachment is named Gift_Certificate_831.zip. I almost opened it thinking someone had hacked into my itunes account and purchased a gift card. Glad I checked first. What caught my attention was the email address used to send it to me was not my actual email address.

    • “What caught my attention was the email address used to send it to me was not my actual email address.”

      In most cases, the email addresses are the same in the SMTP session level and headers of the email. This applies when I send an email to you for example.

      But there can be a difference in the sender/recipient email addresses on the SMTP session level and the sender/recipient email addresses in the headers of the email.

      For example, a sender can connect to a mail server and say I have a mail from joe@domain.com, but the email headers – which are sent in the data stream – contain for example the mail from john@domain.com.

      In such a case, you will see john@domain.com in your email client, but on the mail server level the email address joe@domain.com was used for sending the email.

      You can notice this often when you receive an email that is sent to ‘Undisclosed-Recipients’. You will not see your own email address as the recipient's address.
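The distinction drawn in the reply above (SMTP envelope addresses versus the From/To headers carried in the DATA stream) is something a mail gateway can check mechanically, and the same pass can look inside a ZIP attachment for an executable like the one in this campaign. The script below is an added example, not MX Lab's code or the commenter's. It constructs its own sample message: the Return-Path header stands in for the envelope sender a receiving server records from MAIL FROM (using the joe@domain.com example from the reply), the From header claims the customer.service@itunes.com address from the post, the To header is the ‘undisclosed-recipients’ group, and the ZIP contains a placeholder file named like the campaign's executable, not a real binary. The delivered_to argument is the address the server saw in RCPT TO, which the message body never has to mention.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat")


def build_sample(return_path, to):
    """Construct a message shaped like the campaign (sample data, not a real
    capture). Return-Path stands in for the envelope sender the receiving
    server recorded from MAIL FROM. The ZIP holds a placeholder, not a binary."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as z:
        z.writestr("Gift_Certificate_531.exe", b"placeholder, not a binary")
    msg = EmailMessage()
    msg["Return-Path"] = return_path
    msg["From"] = "iTunes Products <customer.service@itunes.com>"
    msg["To"] = to
    msg["Subject"] = "Thank you for buying iTunes Gift Certificate!"
    msg.set_content("You can find your certificate code in attachment below.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="Gift_Certificate_531.zip")
    return msg.as_bytes()


def analyze(raw, delivered_to):
    """Compare envelope data with the headers and inspect ZIP attachments.
    delivered_to is the address named in SMTP RCPT TO (known to the server,
    not necessarily present anywhere in the message itself)."""
    msg = message_from_bytes(raw, policy=policy.default)
    # Envelope sender as recorded by the receiving MTA (only trustworthy when
    # your own server wrote this header and strips inbound copies of it).
    envelope_from = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    # Header sender: whatever the sending side put in the DATA stream.
    header_from = (msg["From"].addresses[0].addr_spec.lower()
                   if msg["From"] and msg["From"].addresses else "")
    # Addresses a mail client would display; an empty group such as
    # "undisclosed-recipients:;" contributes nothing here.
    visible = {a.addr_spec.lower()
               for h in ("To", "Cc") if msg[h]
               for a in msg[h].addresses}
    executables = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            data = part.get_payload(decode=True)
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                executables += [n for n in z.namelist()
                                if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    return {
        "envelope_from": envelope_from,
        "header_from": header_from,
        "sender_mismatch": envelope_from != header_from,
        "recipient_hidden": delivered_to.lower() not in visible,
        "executables_in_zip": executables,
    }


if __name__ == "__main__":
    raw = build_sample("<joe@domain.com>", "undisclosed-recipients:;")
    for key, val in analyze(raw, "you@example.test").items():
        print(f"{key}: {val}")
```

For the constructed campaign-style message the result reports a sender mismatch (envelope joe@domain.com versus header customer.service@itunes.com), a hidden recipient, and one executable inside the ZIP; a control message whose envelope sender matches the From header and whose To header names the delivered address reports neither mismatch. A mismatch on its own is not proof of abuse (mailing lists and forwarders produce it legitimately), so in a gateway it is one signal to combine with the attachment finding and with SPF or DKIM results rather than a verdict.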

  3. I received this email a few days before graduation. I went to the itunes website because I wasn’t familiar with them emailing gift cards. I deleted the email. I just received another email. I tried to erase it and instead opened it. I am trying to fix it, my computer is still working but I don’t want my passwords and credit card info stolen. When I try to delete the zip file it says that the file no longer exists and tells me to try again! What do I do now? It is the iTunes_certificate_147.zip

  4. Your website is really cool and this is a great inspiring article. Thank you so much.

  5. Now the Spammers are really upsetting me. I try to be careful, we pay for a spam filter, and still some gets by our internal firewalls. The e-mails before were easy to spot because there were 7-12 with the same subject line; but now they are using recognizable domain names like itunes.com.

    What a problem. Who do you trust? Answering emails just got harder again.
