Threat Spotlight

For the week of 23 Nov 2009

Threat 1

Malware scares users into downloading fake Conficker cleanup tool

Threat Name:

Malware: Mal/FakeAV-AX

Users at Risk:

Windows users

Also Known As:

  • Avira: TR/Pakes.nrv
  • Kaspersky: Trojan.Win32.Pakes.nrv
  • McAfee: Generic Downloader.z
  • Microsoft: TrojanDownloader:Win32/Cutwail.gen!C
  • Trend Micro: TROJ_CUTWAIL.HG

Removal Instructions:

Please follow these instructions for removing malware.

About:

Mal/FakeAV-AX is a family of fake security software (scareware) Trojans. The most prevalent members of the family are distributed by spam campaigns; the malware arrives as an attachment to fake invoice messages such as the following:

Subject: "Thank you for setting the order No.475456"
Dear Customer!

Thank you for ordering at our online store.
Your order: Sony VAIO A1133651A, was sent at your address.
The tracking number of your postal parcel is indicated in the document attached to this letter.
Please, print out the postal label for receiving the parcel.

Internet Store.

One version of Mal/FakeAV-AX was spammed out as a fake Conficker cleanup tool.

On first execution, the malware copies itself to the following locations:

%PROFILE%\reader_s.exe
%WINDOWS%\system32\reader_s.exe

It then launches the copy at %WINDOWS%\system32\reader_s.exe, which adds the following registry values so that the malware restarts whenever the computer reboots:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s

When run from %WINDOWS%\system32\reader_s.exe, the malware starts an additional svchost.exe process and injects code into it; the injected code contacts several hard-coded IP addresses over HTTP on TCP port 80.

In addition to the detection provided for Mal/FakeAV-AX, the proactive HIPS technology in Sophos Endpoint Security can prevent the installation of Mal/FakeAV-AX, using rule HIPS/FileMod-001.

Threat 2

Fake emails from Vodafone or Verizon are lures for malware

Threat Name:

Malware: Mal/EncPk-LE

Users at Risk:

Windows users

Also Known As:

  • Avira: TR/Spy.ZBot.12390.1
  • Kaspersky: Trojan-Spy.Win32.Zbot.gen
  • McAfee: PWS-Zbot.gen.v
  • Microsoft: PWS:Win32/Zbot.gen!R

Removal Instructions:

Please follow these instructions for removing malware.

About:

Mal/EncPk-LE is a password-stealing Trojan for the Windows platform (detected by other vendors as a Zbot variant) that is distributed by socially engineered emails aimed at Vodafone and Verizon Wireless mobile phone customers. The emails claim that the attached file is a balance-checker tool that verifies the remaining credit on the recipient's phone and reviews payments; the attachment is the malware itself.

When installed, Mal/EncPk-LE copies itself to %WINDOWS%\system32\sdra64.exe.

The malware also creates the following directory and data files, which are not in themselves malicious but do belong to the infection:

%WINDOWS%\system32\lowsec
%WINDOWS%\system32\lowsec\local.ds
%WINDOWS%\system32\lowsec\user.ds

Mal/EncPk-LE also appends its own path to the following registry value, so that Windows launches it alongside the legitimate userinit.exe at every logon:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\sdra64.exe

In addition to the detection provided for Mal/EncPk-LE, the proactive HIPS technology in Sophos Endpoint Security can prevent the installation of Mal/EncPk-LE, using rules HIPS/FileMod-001 and HIPS/FileMod-004.

Threat 3

Trojan hides behind fake DHL email

Threat Name:

Trojan: Troj/Agent-LQA

Users at Risk:

Windows users

Also Known As:

  • Avira: TR/Drop.Agent.56320
  • Kaspersky: Backdoor.Win32.Small.ioa
  • McAfee: Generic Downloader.x!brz
  • Microsoft: TrojanDownloader:Win32/Cutwail.gen!C
  • Symantec: Backdoor.Trojan
  • Trend Micro: TROJ_AGENT.AXFF

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

Troj/Agent-LQA is malware distributed by email messages that claim to come from the DHL delivery service. The text of the emails typically reads as follows:

Dear customer !
The courier company was not able to deliver your parcel by your address.
You may pickup the parcel at our post office personaly.

The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.

Thank you for your attention.
DHL Express Services

The malware is attached to the email in a zip file with a variable name. The filename matches the fake tracking number given in the email subject line. For example, an email with the subject "DHL Tracking Number 3YMH6JJY" carries an attachment named 3YMH6JJY.zip, which contains a malware file named 3YMH6JJY.exe.
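The naming pattern above is easy to check at a mail gateway: the subject yields a tracking token, the attachment should be that token plus .zip, and the archive should hold an executable with the same base name. The following script is an added example (not part of the original Sophos write-up, and not Sophos code) that implements that check with the standard library; the message fields and the zip archive it builds are constructed inline for the demonstration, and the subject pattern and the set of "executable" extensions are assumptions chosen for the example.

```python
"""Mail-gateway check for the Troj/Agent-LQA lure described above.

Pattern from the write-up: subject carries a fake tracking number, the
attachment is <number>.zip, and the zip holds <number>.exe.  The sample
message and the zip below are constructed for this example; they are not
a real capture.
"""
import io
import os
import re
import zipfile

# Assumed subject format, modelled on the example subject in the write-up.
TRACKING_RE = re.compile(r"\bDHL Tracking Number\s+([A-Z0-9]{6,12})\b", re.IGNORECASE)

# Extensions treated as executable for this example (assumption, not from the page).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def tracking_token(subject):
    """Return the upper-cased tracking token from the subject, or None."""
    m = TRACKING_RE.search(subject)
    return m.group(1).upper() if m else None


def zip_executables(zip_bytes):
    """Names of archive members with an executable extension ([] if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist()
                    if os.path.splitext(n.lower())[1] in EXECUTABLE_EXTS]
    except zipfile.BadZipFile:
        return []


def classify(subject, attachment_name, attachment_bytes):
    """Return (verdict, detail).

    'lure'       - the write-up's pattern holds: subject token == zip base name
                   and the zip carries <token>.exe.
    'suspicious' - a zip attachment carries an executable but names do not line up.
    'clean'      - no executable inside the attachment (or not a zip at all).
    """
    is_zip = attachment_name.lower().endswith(".zip")
    exes = zip_executables(attachment_bytes) if is_zip else []
    if not exes:
        return ("clean", "no executable inside attachment")
    token = tracking_token(subject)
    zip_base = attachment_name[:-4].upper()
    exe_bases = {os.path.splitext(os.path.basename(e))[0].upper() for e in exes}
    if token and zip_base == token and token in exe_bases:
        return ("lure", f"{attachment_name} carries {token}.exe matching the subject token")
    return ("suspicious", "zip attachment contains executable(s): " + ", ".join(exes))


def build_sample_zip(member_name, payload=b"MZ" + b"\0" * 62):
    """Constructed for the example: an in-memory zip holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    subject = "DHL Tracking Number 3YMH6JJY"
    print(classify(subject, "3YMH6JJY.zip", build_sample_zip("3YMH6JJY.exe")))
    print(classify(subject, "3YMH6JJY.zip", build_sample_zip("label.pdf")))
    print(classify("Your invoice", "docs.zip", build_sample_zip("setup.exe")))
```

The three-way verdict matters in practice: a zip whose executable does not match the subject token is still worth quarantining, but the exact name match is the signature of this particular campaign and can be alerted on with higher confidence.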

When run, the malware installs itself to:

<System>\reader_s.exe
<User>\reader_s.exe

It also creates registry entries to ensure that it remains active even after a reboot:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reader_s
<System>\reader_s.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reader_s
<User>\reader_s.exe

In addition to the detection provided for Troj/Agent-LQA, the proactive HIPS technology in Sophos Endpoint Security can prevent the installation of Troj/Agent-LQA, using rules HIPS/FileMod-001, HIPS/ProcMod-002 and HIPS/RegMod-002.
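All three threats in this week's spotlight persist through the registry: Mal/FakeAV-AX and Troj/Agent-LQA add a reader_s value under the HKLM and HKCU Run keys, and Mal/EncPk-LE appends sdra64.exe to the Winlogon Userinit value. The script below is an added example (not part of the original Sophos write-up, and not Sophos code) that scans a registry export in .reg text format for those indicators. The export it parses is constructed for the demonstration; the key paths, value names and file names come from the write-up, while the .reg parsing and the rule that any Userinit entry other than userinit.exe is suspect are the example's own.

```python
r"""Scan a Windows .reg export for the persistence indicators named in this
Threat Spotlight: 'reader_s' Run values (Mal/FakeAV-AX, Troj/Agent-LQA) and a
Winlogon\Userinit value carrying more than the legitimate userinit.exe
(Mal/EncPk-LE, which appends sdra64.exe).  The export below is constructed for
the example; it is not a real capture.
"""
import re

# Key paths from the write-up, compared case-insensitively.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Dropped file names from the write-up (matched on the basename).
KNOWN_DROPPER_NAMES = {"reader_s.exe", "sdra64.exe"}

# Constructed registry export for the example (one clean value, three bad ones).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"reader_s"="C:\\WINDOWS\\system32\\reader_s.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"reader_s"="C:\\Documents and Settings\\user\\reader_s.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\System32\\sdra64.exe,"
'''

_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg string escaping (\\ -> \ and \" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: data}} for string values.
    Only REG_SZ values matter here; other value types are ignored."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            m = _STRING_VALUE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def basename(path):
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def userinit_extras(data):
    """Entries of a Userinit value other than userinit.exe.  Windows treats the
    value as a comma-separated list and launches every entry at logon, so
    anything extra runs for every interactive user (this is how sdra64.exe
    gets started)."""
    entries = [e.strip() for e in data.split(",") if e.strip()]
    return [e for e in entries if basename(e) != "userinit.exe"]


def find_persistence(reg):
    """Return (key, value_name, data, reason) tuples for matching indicators."""
    findings = []
    for key in RUN_KEYS:
        for name, data in reg.get(key.lower(), {}).items():
            if name.lower() == "reader_s" or basename(data) in KNOWN_DROPPER_NAMES:
                findings.append((key, name, data, "Run value named in the write-up"))
    userinit = reg.get(WINLOGON_KEY.lower(), {}).get("Userinit")
    if userinit:
        for extra in userinit_extras(userinit):
            findings.append((WINLOGON_KEY, "Userinit", extra, "extra Userinit entry"))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in find_persistence(parse_reg(SAMPLE_REG)):
        print(f"{reason}: [{key}] {name} = {data}")
```

The Userinit rule is deliberately broader than the single file name on this page: the legitimate value contains only userinit.exe, so flagging every additional entry catches this Zbot variant and any other malware using the same hook, whereas matching on sdra64.exe alone would miss a renamed build.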