Email regarding planned outage of mail server with instructions to save and back up attached file contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Important update. Please read”.

This email is sent from the spoofed address “mail server update” and has the following body:

Dear user!

This is a planned Outage for our MAIL Services on Mon, 02 Dec 2013 11:30:14 +0300
Our MailServer is currently experiencing some problems. It should be working again as usual shortly.

If you want to keep previous saved emails
please download and save your backup from the attached file.

Please do not reply to this message.

This is a mandatory notification containing information about important changes in the products you are using.

Screenshot of the message:

The attached ZIP file has the name saved_mailbox_yoct_F479657BA8.zip and contains the 115 kB large file saved_mail_user_id_8349653__random_numbers__6587234.eml.

The trojan is known as Trojan/Win32.Zbot, W32/Trojan.RSKY-7175, Win32/PSW.Fareit.A, Trojan.Ransom.RV or Mal/Generic-S.
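The lure relies on a ZIP attachment whose only member carries a harmless-looking .eml name. The following Python helper, added here as an example and not part of the MX Lab post, shows one gateway-side triage check for such attachments: it flags member names matching this campaign's pattern, files whose extension is non-executable but whose content starts with the DOS "MZ" header, and members whose SHA256 equals one of the two hashes reported in the post. That the .eml member is a disguised Windows executable is an assumption drawn from the Win32 detection names; the sample ZIP is constructed and contains only a stub.

```python
import hashlib
import io
import re
import zipfile

# The two SHA256 values reported in the post (attachment and downloaded 1.exe).
KNOWN_HASHES = {
    "8ff5f6c1e5b368c2e9de2a0d98364f9cae6560ba54874f55779b78a0f487745c",
    "8b9ed72674c49abc1aa0ab1c94a8fa13a1b471c23e799c7cce173a67603cb407",
}

# Attachment naming seen in this campaign; the digits in the middle vary
# per sample, so only the fixed prefix and the .eml extension are matched.
LURE_NAME = re.compile(r"^saved_mail_user_id_\d+.*\.eml$", re.IGNORECASE)

# Extensions a mail gateway normally passes; none of them legitimately
# begins with a PE/DOS header.
NON_EXECUTABLE_EXT = (".eml", ".txt", ".pdf", ".doc", ".docx", ".rtf")


def inspect_zip_attachment(zip_bytes: bytes) -> list:
    """Return (member_name, reason) findings for one ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            data = zf.read(info)
            if LURE_NAME.match(name):
                findings.append((name, "filename matches campaign lure pattern"))
            if name.lower().endswith(NON_EXECUTABLE_EXT) and data[:2] == b"MZ":
                findings.append((name, "PE header behind a non-executable extension"))
            if hashlib.sha256(data).hexdigest() in KNOWN_HASHES:
                findings.append((name, "SHA256 matches a hash reported for this campaign"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample shaped like the campaign attachment (assumption:
    the .eml member is really a PE). The stub only carries the 'MZ' header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("saved_mail_user_id_8349653__random_numbers__6587234.eml",
                    b"MZ" + b"\x00" * 62 + b"constructed stub, not a real executable")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip_attachment(build_sample_zip()):
        print(f"{member}: {reason}")
```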

At the time of writing, 7 of the 47 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: 8ff5f6c1e5b368c2e9de2a0d98364f9cae6560ba54874f55779b78a0f487745c

The trojan is capable of downloading files from the internet and, according to Malwr, it can steal information from local internet browsers and harvest credentials from FTP clients. The harvested FTP credentials could in turn be used to upload malware to the compromised hosts, which can then serve as download locations for other campaigns.

The trojan will start a new service, make some Windows registry modifications and will make contact with hosts to download a file from:

  • hxxp://62.76.45.242/our/1.exe
  • hxxp://62.76.42.218/our/1.exe
  • hxxp://62.76.45.242/our/2.exe
  • hxxp://62.76.42.218/our/2.exe
  • hxxp://networksecurityx.hopto.org

The file 1.exe is 369 kB large and is identified as W32/Trojan.RSKY-7175 or Trojan.Ransom.RV. The file 2.exe couldn’t be downloaded; the host returned a 404 error.

This executable creates a process ihre.exe on the infected system, modifies the Windows registry, changes the firewall policies, installs itself to run at system boot, collects information to fingerprint the system, performs HTTP requests and starts servers listening on 0.0.0.0 port 8989, 0.0.0.0 port 2626 and 0.0.0.0 port 0.

At the time of writing, 2 of the 48 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: 8b9ed72674c49abc1aa0ab1c94a8fa13a1b471c23e799c7cce173a67603cb407.