Email with new price list contains an URL that downloads a trojan


MX Lab, http://www.mxlab.eu, has intercepted a sample of a new trojan that is downloaded through email.

The email is sent from a spoofed address, carries the subject “Bericht” (Dutch for “Message”) and has the following body:

Gedwongen wijzigt u de hoogte van de tarieven voor diensten van onze firma,
veroorzaakt door de algemene economische situatie en de daling van de euro *.
Gelieve deze te behandelen met begrip en blijven om met ons samen te werken in hetzelfde volume.
Prijs met nieuwe prijzen kunt u hier downloaden:
hxxp://www.miteaspa.it/downloads/Document.zip

* In overeenstemming met paragraaf 6.7.2 van het contract, ons bedrijf heeft het recht om te veranderen
vergoedingen voor diensten eenzijdig, gevolgd door kennisgeving aan de klant.

Translated (the clumsy wording is the sender's):

We are forced to change the level of the rates for the services of our firm,
caused by the general economic situation and the decline of the euro *.
Please treat this with understanding and continue to cooperate with us in the same volume.
The price list with the new prices can be downloaded here:
hxxp://www.miteaspa.it/downloads/Document.zip

* In accordance with paragraph 6.7.2 of the contract, our company has the right to change
fees for services unilaterally, followed by notification to the customer.

The email is poorly written in Dutch and includes a URL that downloads a ZIP file. Once extracted, the archive contains a 46 KB file named Document.Doc____**more underscores**___.exe: the long run of underscores pushes the real .exe extension out of view in Explorer and file dialogs, so the file appears to be a Word document.
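The naming trick above is easy to catch before the archive reaches a user. The following is an added example, not code from MX Lab or from the original post, that inspects a ZIP in memory and flags members by three independent signals: an executable extension, a document extension followed by a long run of padding characters and then an executable extension (the pattern of the lure above), and an `MZ` DOS header in the content regardless of the name. The extension sets, the padding regex, the underscore count of the constructed lure and the fake two-byte PE stub are all assumptions of the example; the ZIP files it scans are built inline, so nothing here touches the real sample.

```python
from __future__ import annotations

import hashlib
import io
import os
import re
import zipfile

# Extensions Windows treats as directly executable. The set is deliberately small
# and is an assumption of this example, not something the original post lists.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

# "Document.Doc________.exe": a document-looking extension, a long run of padding
# characters, then the real executable extension at the very end of the name.
PADDED_DOUBLE_EXT = re.compile(
    r"\.(doc|docx|pdf|xls|xlsx|rtf|txt)[ _.\-]{5,}\.(exe|scr|pif|com|bat|cmd)$",
    re.IGNORECASE,
)


def analyse_zip(data: bytes) -> list[dict]:
    """Return one finding per suspicious member of the ZIP held in `data`."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable extension")
            if PADDED_DOUBLE_EXT.search(name):
                reasons.append("padded double extension")
            # Check the content too: a renamed .exe still starts with the MZ DOS header.
            with zf.open(info) as member:
                content = member.read()
            if content[:2] == b"MZ":
                reasons.append("PE header (MZ)")
            if reasons:
                findings.append({
                    "name": name,
                    "size": info.file_size,
                    "md5": hashlib.md5(content).hexdigest(),  # compare against published IOCs
                    "reasons": reasons,
                })
    return findings


def build_sample_zip(member_name: str, content: bytes) -> bytes:
    """Build an in-memory ZIP with a single member (test fixture, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed fixtures: a lure named like the one in the post (underscore count is
# arbitrary) with a fake two-byte PE header, and a harmless document for contrast.
LURE_NAME = "Document.Doc" + "_" * 40 + ".exe"
LURE_ZIP = build_sample_zip(LURE_NAME, b"MZ" + b"\x00" * 100)
BENIGN_ZIP = build_sample_zip("prijslijst.docx", b"PK\x03\x04 not really a document")


if __name__ == "__main__":
    for finding in analyse_zip(LURE_ZIP):
        print(finding["name"][:20] + "...", finding["reasons"])
    print("benign:", analyse_zip(BENIGN_ZIP))
```

The content check matters more than the name checks: an attacker can drop the padding or use an extension the regex does not know, but a Windows executable still has to begin with `MZ`. The MD5 in each finding is there so the result can be matched against the hash published at the end of this post or against any other IOC feed.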

The trojan is known as W32/Yakes.B!tr (Fortinet), Generic FakeAlert.fz (McAfee), Worm:Win32/Gamarue.B (Microsoft) or as a variant of Win32/Kryptik.VYH (NOD32).

The following file will be created:

%AllUsersProfile%\Local Settings\Temp\5fbdfffe0001a042.exe

The following directories are created:

  • %AllUsersProfile%\Local Settings
  • %AllUsersProfile%\Local Settings\Temp

Several Windows registry changes are executed and the trojan can establish a connection to the IP 60.19.30.135 on port 80.

The trojan can also retrieve data from the following URL: hxxp://heppishopdrm.ru/ice1/image.php

At the time of writing, only 4 of the 43 AV engines at VirusTotal detected the trojan.

VirusTotal MD5 of the sample: 172e583905950da35a194fadf728ac6a.
