Attached AutoCleanTool.rar to clean up your mailbox is malware


MX Lab, http://www.mxlab.eu, started intercepting samples of an email from the “Webmail Center” that carries the tool AutoCleanTool.exe in an attached .rar archive, together with instructions to clean up your full mailbox.

The email is sent from the spoofed address “Postmaster <random email address>” and has the following body:

Dear joshua,

You have exceeded your email limit quota.
Failure to recover your quota may result in loss of important Information.
You need to delete any SPAMs manually or simply employ the cleaning tools automatically.

Thank you for using our email.
Copyright 2012 Webmail Center.

The attached archive is a RAR file named AutoCleanTool.rar and contains the 207 kB file AutoCleanTool.exe.

The trojan is detected under names such as Win32:Malware-gen, Backdoor.Win32.Dervec!IK, Trojan.Siggen3.63251, Trojan.Dropper.UGM, HEUR:Trojan.Win32.Generic and BackDoor-FFI.

When executed, a popup window is displayed.

The following files are created (the first is a CryptoAPI RSA key container; S-1-5-18 is the LocalSystem SID, so it lives in the SYSTEM account's key store):

%CommonAppData%\Microsoft\Crypto\RSA\S-1-5-18\f01ed97c0d150aa27db5c746bca1d7a9_a7bcc1a4-f7a4-4502-8650-8579e607f7f7
c:\ProgramData\Microsoft\Windows\NetCC305.dll
c:\ProgramData\Microsoft\Windows\QQlive.exe

The following directories are created:

c:\ProgramData
c:\ProgramData\Microsoft
c:\ProgramData\Microsoft\Windows
c:\ProgramData\Microsoft\Windows\Common

New processes are created on the system:

QQlive.exe

The status of the following services is changed to ‘Stopped’ (none of these is a standard Windows service name, so their presence on a host is itself suspicious):

SystemLog0n
W32Log
WNetSysapp
WinSvc
WinServices
NetServices
W32Update

Several Windows registry changes are made.
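The file, directory, process and service artifacts above can be turned into a quick host sweep. The following is an added example and not code from the MX Lab post: the matching is a pure function over a host snapshot, so it can also be run against data exported from another machine, while the live collector uses only tasklist and sc, which exist on every Windows build. The %ProgramData% root, the whitespace handling of sc's output and the sample snapshot are assumptions made for the example.

```python
"""Host IOC sweep for the artifacts listed above (added example, not from the original post)."""
import ntpath
import os
import subprocess

# Paths below are relative to %ProgramData% (the write-up's c:\ProgramData / %CommonAppData%).
PROGRAMDATA_FILES = (
    r"Microsoft\Windows\NetCC305.dll",
    r"Microsoft\Windows\QQlive.exe",
)
PROGRAMDATA_DIRS = (r"Microsoft\Windows\Common",)
MALWARE_PROCESS = "qqlive.exe"
# The trojan sets these to Stopped. None of them is a stock Windows service, so
# their mere presence on a host, in any state, is itself worth a look.
TARGETED_SERVICES = ("SystemLog0n", "W32Log", "WNetSysapp", "WinSvc",
                     "WinServices", "NetServices", "W32Update")


def ioc_paths(program_data):
    """Absolute Windows paths of the dropped files and directories."""
    return [ntpath.join(program_data, p) for p in PROGRAMDATA_FILES + PROGRAMDATA_DIRS]


def assess(program_data, existing_paths, running_processes, present_services):
    """Match a host snapshot against the IOCs; pure logic, touches nothing on the host.

    existing_paths: paths that exist on disk; running_processes: image names from the
    process list; present_services: {name: state} for services that exist on the host.
    Returns a list of (kind, detail) findings: files/dirs first, then process, then services.
    """
    findings = []
    present = {p.lower() for p in existing_paths}
    for path in ioc_paths(program_data):
        if path.lower() in present:
            findings.append(("artifact", path))
    if MALWARE_PROCESS in {name.lower() for name in running_processes}:
        findings.append(("process", MALWARE_PROCESS))
    targeted = {s.lower() for s in TARGETED_SERVICES}
    for name, state in present_services.items():
        if name.lower() in targeted:
            findings.append(("service", "%s: %s" % (name, state)))
    return findings


def collect_and_assess():
    """Live collection on Windows using only built-in tools (tasklist, sc), then assess()."""
    program_data = os.environ.get("ProgramData", r"C:\ProgramData")  # assumed root
    existing = [p for p in ioc_paths(program_data) if os.path.exists(p)]
    # tasklist /FO CSV /NH prints one quoted CSV row per process, image name first.
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True).stdout
    procs = [row.split('","')[0].strip('"') for row in out.splitlines() if row.startswith('"')]
    services = {}
    for svc in TARGETED_SERVICES:
        # sc query exits non-zero (1060) when the service does not exist.
        result = subprocess.run(["sc", "query", svc], capture_output=True, text=True)
        if result.returncode == 0:
            state = next((line.split(":", 1)[1].strip()
                          for line in result.stdout.splitlines() if "STATE" in line), "unknown")
            services[svc] = state
    return assess(program_data, existing, procs, services)


# Constructed snapshot standing in for an infected host; not data from a real machine.
SAMPLE_SNAPSHOT = dict(
    program_data=r"C:\ProgramData",
    existing_paths=[r"C:\ProgramData\Microsoft\Windows\QQlive.exe",
                    r"C:\ProgramData\Microsoft\Windows\NetCC305.dll"],
    running_processes=["explorer.exe", "QQlive.exe"],
    present_services={"W32Update": "1  STOPPED"},
)

if __name__ == "__main__":
    for kind, detail in assess(**SAMPLE_SNAPSHOT):
        print("[%s] %s" % (kind, detail))
```

On a live Windows host, call collect_and_assess() instead of assess(**SAMPLE_SNAPSHOT); keeping the matching separate from the collection is what lets the same logic run over snapshots gathered by other tooling.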

Data is retrieved from the following URLs. These are user profiles and RSS feeds on public Chinese blog and microblog services, with the same ten account names reused across every service; the domains themselves are legitimate, so blocking or alerting is better keyed on the full URLs or the account names than on the hosts:

• hxxp://hi.baidu.com/gqpgemcuwd/rss
• hxxp://hi.baidu.com/iwaxsxg/rss
• hxxp://hi.baidu.com/ocoijxnwkg/rss
• hxxp://hi.baidu.com/bwhrpbe/rss
• hxxp://hi.baidu.com/heiwqiu/rss
• hxxp://hi.baidu.com/gqpgemcuwd/blog
• hxxp://hi.baidu.com/iwaxsxg/blog
• hxxp://hi.baidu.com/ocoijxnwkg/blog
• hxxp://hi.baidu.com/bwhrpbe/blog
• hxxp://hi.baidu.com/heiwqiu/blog
• hxxp://www.zuosa.com/rss/user/gqpgemcuwd
• hxxp://www.zuosa.com/rss/user/iwaxsxg
• hxxp://www.zuosa.com/rss/user/ocoijxnwkg
• hxxp://www.zuosa.com/rss/user/bwhrpbe
• hxxp://www.zuosa.com/rss/user/heiwqiu
• hxxp://t.people.com.cn/gqpgemcuwd
• hxxp://t.people.com.cn/iwaxsxg
• hxxp://t.people.com.cn/ocoijxnwkg
• hxxp://t.people.com.cn/bwhrpbe
• hxxp://t.people.com.cn/heiwqiu
• hxxp://tongxue.com/gqpgemcuwd
• hxxp://tongxue.com/iwaxsxg
• hxxp://tongxue.com/ocoijxnwkg
• hxxp://tongxue.com/bwhrpbe
• hxxp://tongxue.com/heiwqiu
• hxxp://v.alibado.com/gqpgemcuwd
• hxxp://v.alibado.com/iwaxsxg
• hxxp://v.alibado.com/ocoijxnwkg
• hxxp://v.alibado.com/bwhrpbe
• hxxp://v.alibado.com/heiwqiu
• hxxp://gqpgemcuwd.tuita.com
• hxxp://iwaxsxg.tuita.com
• hxxp://ocoijxnwkg.tuita.com
• hxxp://bwhrpbe.tuita.com
• hxxp://heiwqiu.tuita.com
• hxxp://hi.baidu.com/ifakcyahpqh/rss
• hxxp://hi.baidu.com/fxqpzokynx/rss
• hxxp://hi.baidu.com/ybvjw135/rss
• hxxp://hi.baidu.com/jkmxyarruym/rss
• hxxp://hi.baidu.com/nfuzoqbdzzr/rss
• hxxp://hi.baidu.com/ifakcyahpqh/blog
• hxxp://hi.baidu.com/fxqpzokynx/blog
• hxxp://hi.baidu.com/ybvjw135/blog
• hxxp://hi.baidu.com/jkmxyarruym/blog
• hxxp://hi.baidu.com/nfuzoqbdzzr/blog
• hxxp://www.zuosa.com/rss/user/ifakcyahpqh
• hxxp://www.zuosa.com/rss/user/fxqpzokynx
• hxxp://www.zuosa.com/rss/user/ybvjw135
• hxxp://www.zuosa.com/rss/user/jkmxyarruym
• hxxp://www.zuosa.com/rss/user/nfuzoqbdzzr
• hxxp://t.people.com.cn/ifakcyahpqh
• hxxp://t.people.com.cn/fxqpzokynx
• hxxp://t.people.com.cn/ybvjw135
• hxxp://t.people.com.cn/jkmxyarruym
• hxxp://t.people.com.cn/nfuzoqbdzzr
• hxxp://tongxue.com/ifakcyahpqh
• hxxp://tongxue.com/fxqpzokynx
• hxxp://tongxue.com/ybvjw135
• hxxp://tongxue.com/jkmxyarruym
• hxxp://tongxue.com/nfuzoqbdzzr
• hxxp://v.alibado.com/ifakcyahpqh
• hxxp://v.alibado.com/fxqpzokynx
• hxxp://v.alibado.com/ybvjw135
• hxxp://v.alibado.com/jkmxyarruym
• hxxp://v.alibado.com/nfuzoqbdzzr
• hxxp://ifakcyahpqh.tuita.com
• hxxp://fxqpzokynx.tuita.com
• hxxp://ybvjw135.tuita.com
• hxxp://jkmxyarruym.tuita.com
• hxxp://nfuzoqbdzzr.tuita.com
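The URL list has a clear structure: ten random-looking account names, each registered on the same seven public services. The following is an added example and not code from the original post: it regenerates the list from those templates, refangs the hxxp:// notation, and matches the account names as whole host labels or path segments (so traffic of other users on the same legitimate hosts does not fire). The proxy log format is a hypothetical whitespace-separated one chosen for the example, and the log lines are constructed.

```python
"""Network IOC matching for the URL list above (added example, not from the original post)."""
import re
from collections import defaultdict

# The ten account names that recur across every service in the list.
ACCOUNTS = frozenset((
    "gqpgemcuwd", "iwaxsxg", "ocoijxnwkg", "bwhrpbe", "heiwqiu",
    "ifakcyahpqh", "fxqpzokynx", "ybvjw135", "jkmxyarruym", "nfuzoqbdzzr",
))

# The seven URL shapes in the list; {a} stands for one account name.
TEMPLATES = (
    "http://hi.baidu.com/{a}/rss",
    "http://hi.baidu.com/{a}/blog",
    "http://www.zuosa.com/rss/user/{a}",
    "http://t.people.com.cn/{a}",
    "http://tongxue.com/{a}",
    "http://v.alibado.com/{a}",
    "http://{a}.tuita.com",
)

# Match an account name only as a whole host label or path segment, so that
# e.g. "heiwqiu" does not fire on an unrelated user called "heiwqiuxyz".
ACCOUNT_RE = re.compile(
    r"(?<![A-Za-z0-9_-])(" + "|".join(sorted(ACCOUNTS)) + r")(?![A-Za-z0-9_-])"
)


def refang(url):
    """Turn the defanged hxxp:// form used in write-ups back into a real scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)


def expand_iocs():
    """Regenerate the full URL list (7 templates x 10 accounts = 70 URLs)."""
    return {t.format(a=a) for t in TEMPLATES for a in ACCOUNTS}


def account_from_url(url):
    """Return the dead-drop account referenced by url, or None if it matches none."""
    m = ACCOUNT_RE.search(refang(url))
    return m.group(1) if m else None


def scan_proxy_log(lines):
    """Group IOC hits by client.

    Assumes a hypothetical whitespace-separated proxy log:
    <timestamp> <client_ip> <method> <url> <status>.
    Returns {client_ip: [(account, url), ...]}.
    """
    hits = defaultdict(list)
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        account = account_from_url(url)
        if account:
            hits[client].append((account, refang(url)))
    return dict(hits)


# Constructed sample log lines, not real traffic: lines 1 and 3 hit IOCs, line 2 is
# benign traffic to the same legitimate host.
SAMPLE_LOG = """\
2012-06-01T10:00:01Z 10.0.0.12 GET http://hi.baidu.com/ybvjw135/rss 200
2012-06-01T10:00:02Z 10.0.0.13 GET http://hi.baidu.com/someuser/rss 200
2012-06-01T10:00:03Z 10.0.0.12 GET http://gqpgemcuwd.tuita.com/ 200
""".splitlines()

if __name__ == "__main__":
    for client, events in scan_proxy_log(SAMPLE_LOG).items():
        for account, url in events:
            print("%s -> account %s via %s" % (client, account, url))
```

expand_iocs() yields exactly the 70 URLs listed above and is the form to feed a proxy blocklist; account_from_url() is the form to use in log hunting, since it also catches the same accounts on URL shapes the sandbox did not happen to record.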

At the time of writing, 22 of the 42 AV engines on VirusTotal detected the trojan.

VirusTotal permalink and SHA256: 24b097753d55a1d3c7b039daf950db59b769ac616ba1752949b78925bba75bb5.