New trojan variant in mails with “Look my CV. Thank you!”


MX Lab intercepts a new trojan variant in emails with the subject “Look my CV. Thank you! MyID NR4557547.”.

Possible subjects are:

Look my CV. Thank you! MyID NR4557547.
Please look my CV. Thank you! MyID NR0663460.

The number at the end of the subject is chosen randomly and the From address is spoofed.

The body of the email:

Good day.

I have figured out that you have an available job.
I am quiet intrested in it. So I send you my resume,

Looking forward to your reply.
Thank you.

The email contains the attachment resume098.zip. The extracted file resume.exe is 36 kB large.
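The subject pattern, the spoofed sender and the zip-wrapped executable described above are enough for a simple mail-gateway check. The following Python is an added example, not MX Lab's own filter: it builds a constructed test message in memory (no real sample is used), matches the subject against the two forms seen in this campaign, looks inside zip attachments for `.exe` members without extracting them to disk, and compares attachment MD5s against the two hashes reported on this page. The regex, the sample addresses and the dummy zip contents are assumptions made for the example.

```python
import email
import email.policy
import hashlib
import io
import re
import zipfile
from email.message import EmailMessage

# Subject forms seen in this campaign: an optional "Please ", "Look my CV.
# Thank you! MyID NR" and seven random digits. The regex is an assumption
# generalised from the two subjects on the page.
SUBJECT_RE = re.compile(r"^(?:Please )?[Ll]ook my CV\. Thank you! MyID NR\d{7}\.$")

# MD5s reported on the page for resume.exe and the second-stage sepod.exe.
KNOWN_MD5 = {
    "0ae6a2d53e86b8784d45dd56afc5c6d7",
    "7a10c1118307e7cb4ecf97b40524a89c",
}


def executables_in_zip(data: bytes) -> list:
    """List .exe members of a zip payload; nothing is written to disk or run."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(".exe")]
    except zipfile.BadZipFile:
        return []


def classify_message(raw: bytes) -> dict:
    """Return a verdict with the list of indicators that fired for one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    reasons = []
    subject = str(msg.get("Subject", ""))
    if SUBJECT_RE.match(subject):
        reasons.append("subject matches campaign pattern")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        digest = hashlib.md5(data).hexdigest()
        if digest in KNOWN_MD5:
            reasons.append(f"attachment {name} has known-bad MD5 {digest}")
        if name.lower().endswith(".zip"):
            exes = executables_in_zip(data)
            if exes:
                reasons.append(f"zip {name} contains executable(s): {', '.join(exes)}")
    return {"subject": subject, "suspicious": bool(reasons), "reasons": reasons}


def build_sample(subject: str, attach_name: str, members: dict) -> bytes:
    """Constructed test message: a zip attachment whose members are harmless dummy bytes."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.invalid"  # constructed, stands in for the spoofed sender
    msg["To"] = "jobs@example.invalid"         # constructed recipient
    msg["Subject"] = subject
    msg.set_content("Good day.\n\nI have figured out that you have an available job.\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attach_name)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample("Look my CV. Thank you! MyID NR4557547.",
                        "resume098.zip", {"resume.exe": b"MZ dummy, not malware"})
    print(classify_message(lure))
    clean = build_sample("Minutes from Monday", "notes.zip", {"notes.txt": b"hello"})
    print(classify_message(clean))
```

The hash check only catches the exact samples listed here; the subject and zip-contains-exe checks are what survive a recompiled binary, which is why both are kept.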

The trojan is known as W32/Heuristic-210!Eldorado (Authentium, F-Prot) or Backdoor.Bredolab (PCTools).

The following files are created:

%Temp%\1.tmp
%System%\fjof.sto
%Temp%\2.tmp
%Windir%\atapsrb.dll

The following modules are loaded into the address space of other processes:

%Windir%\atapsrb.dll:

Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E70000 – 0x1E82000

%Windir%\atapsrb.dll:

Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0x1940000 – 0x1952000

%Windir%\atapsrb.dll:

Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0x10000000 – 0x10012000

Several Windows registry modifications are created and the trojan attempts to establish a connection with the following IPs on port 80:

195.78.109.6
212.78.71.81
95.211.98.246

Data is downloaded from the following hosts:

  • hxxp://olgashelest.ru/babun/bb.php?v=200&id=603225387&b=6165430227&tm=1
  • hxxp://olgashelest.ru/babun/bb.php?v=200&id=603225387&tid=4&b=6165430227&r=1&tm=1
  • hxxp://www.scottishchefs.com/photogallery/Slideshows/SLteam2008/p7hg_img_1/fullsize/sepod.exe

At the time of writing, only 6 of the 41 AV engines at Virus Total detect this threat. Virus Total permalink and MD5: 0ae6a2d53e86b8784d45dd56afc5c6d7.

The downloaded file sepod.exe, which is 60 kB large, is malware known as W32/Hiloti.I.gen!Eldorado (F-Prot), Trojan.Win32.Hiloti (Ikarus) or Mal/Hiloti-D (Sophos).

The following files are created:

%Windir%\dsmd32.dll

The following modules are loaded into the address space of other processes:

%Windir%\dsmd32.dll:

Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E70000 – 0x1E82000

%Windir%\dsmd32.dll:

Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0x10000000 – 0x10012000

Several Windows registry modifications are created and the trojan attempts to establish a connection with the IP 95.211.98.246 on port 80.

13 of the 41 AV engines at Virus Total detect this threat. Virus Total permalink and MD5: 7a10c1118307e7cb4ecf97b40524a89c.
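The dropped files, the three port-80 destinations and the two download hosts listed for both stages are the indicators an incident responder would sweep for. The Python below is an added example, not code from MX Lab: it collects those indicators from this page, refangs the `hxxp://` URLs to extract hostnames, scans constructed proxy log lines for connections to the C2 IPs or download hosts, and checks a constructed list of file paths against the dropped-file names after expanding the `%Windir%`, `%System%` and `%Temp%` placeholders. The log line format, the timestamps, the internal and destination IPs in the log, and the Windows directory mapping are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from this page.
C2_IPS = {"195.78.109.6", "212.78.71.81", "95.211.98.246"}
DOWNLOAD_URLS = [
    "hxxp://olgashelest.ru/babun/bb.php?v=200&id=603225387&b=6165430227&tm=1",
    "hxxp://www.scottishchefs.com/photogallery/Slideshows/SLteam2008/p7hg_img_1/fullsize/sepod.exe",
]
DROPPED_FILES = [
    r"%Temp%\1.tmp", r"%System%\fjof.sto", r"%Temp%\2.tmp",
    r"%Windir%\atapsrb.dll", r"%Windir%\dsmd32.dll",
]

# Constructed proxy/firewall log format: "<ts> <src> -> <dst>:<port> <url or ->".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<url>\S+)$")


def refang(url: str) -> str:
    """Turn a defanged hxxp:// indicator back into a parseable URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def ioc_hosts() -> set:
    """Hostnames of the download URLs, lower-cased for comparison."""
    return {urlsplit(refang(u)).hostname.lower() for u in DOWNLOAD_URLS}


def scan_proxy_log(lines) -> list:
    """Return (timestamp, indicator type, value) for every line that hits an IoC."""
    hits = []
    hosts = ioc_hosts()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if m["dst"] in C2_IPS and m["port"] == "80":
            hits.append((m["ts"], "c2-ip", m["dst"]))
        if m["url"] != "-":
            host = (urlsplit(m["url"]).hostname or "").lower()
            if host in hosts:
                hits.append((m["ts"], "download-host", host))
    return hits


def expand_path(path: str, env: dict) -> str:
    """Expand %Name% placeholders using the supplied directory mapping."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def scan_filesystem(present_paths, env: dict) -> list:
    """Return the paths from present_paths that match a dropped file (case-insensitive)."""
    wanted = {expand_path(p, env).lower() for p in DROPPED_FILES}
    return sorted(p for p in present_paths if p.lower() in wanted)


# Constructed sample data; the destination IPs below (other than the C2 one)
# are documentation ranges and the timestamps are made up.
LOG_LINES = [
    "2010-01-01T09:12:01 10.0.0.5 -> 95.211.98.246:80 -",
    "2010-01-01T09:12:07 10.0.0.5 -> 198.51.100.20:80 "
    "http://www.scottishchefs.com/photogallery/Slideshows/SLteam2008/p7hg_img_1/fullsize/sepod.exe",
    "2010-01-01T09:13:44 10.0.0.7 -> 203.0.113.9:443 https://example.org/",
]
WIN_ENV = {"Windir": r"C:\Windows", "System": r"C:\Windows\System32",
           "Temp": r"C:\Users\alice\AppData\Local\Temp"}
PRESENT_PATHS = [r"C:\Windows\atapsrb.dll", r"C:\Windows\notepad.exe",
                 r"C:\Windows\System32\fjof.sto"]

if __name__ == "__main__":
    for hit in scan_proxy_log(LOG_LINES):
        print("network:", hit)
    for path in scan_filesystem(PRESENT_PATHS, WIN_ENV):
        print("dropped file present:", path)
```

The port-80 check is kept deliberately narrow to the destinations named here; the host match is the more durable of the two, since the same download hosts served both stages.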

10 thoughts on “New trojan variant in mails with “Look my CV. Thank you!””

  1. I had this show up from a drive-by download on an innocuous website, not from an email.

      • Being a bit commercial now but you can use MX Lab – for more information http://www.mxlab.eu/ – with the zero hour anti virus technology.

        Get a good anti virus software package with very fast new virus detection rates and also important virus definitions updates. If your current anti virus software does not intercept the trojan then you could try an anti virus product from a different vendor. But unfortunately, in some cases, it won’t help as we often notice when sending virus samples to Virus Total.

        You can of course filter on subject, spoofed address or the names of the attachments. Very simple and very effective until a new email format comes out with different subjects or attachment names.

        More important, it will not cost you anything, if you receive a suspicious looking email with attachments, whether it’s a zip file, html file or anything else, do not open it. It’s that simple to avoid virus infections.
