Threat Spotlight

For the week of 07 Dec 2009
Threat 1

Email zip file shares malware, not a "Best Photo"

Threat Name:

Malware: Mal/HckPk-D

Users at Risk:

Windows users

Also Known As:

  • Avira: TR/Dldr.Small.coc.1
  • Kaspersky: Trojan-Downloader.Win32.Small.coc
  • McAfee: Generic Downloader.f
  • Microsoft: TrojanDownloader:Win32/Small.BKR

Removal Instructions:

Please use these instructions for removing generically detected files to delete the file from your computer.

About:

Mal/HckPk-D is distributed by email in a zip file named simply "Photo.zip." The email is minimal, with a subject of 'My Best Photo' and a four-line message reading:

Hi,
I want to share my photo with you.
Wishing you all the best.

Regards,

Inside the attached zip are two files: "Photo.bmp," which is Mal/HckPk-D, and "View-Photo.bat." When a user opens View-Photo.bat, the batch file launches the malware.

Mal/HckPk-D is a downloading Trojan for the Windows platform. Downloading Trojans drop a small downloader application to your PC to retrieve further malware or samples from the internet.

When first run, Mal/HckPk-D either copies itself to lsass.exe in <System>\dll\, or—if the current user does not have permission to write to <System>\dll\—it writes itself to c:\gbvd\.

The following registry entry is created to run lsass.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MS-Outlook
<path to installed copy of the Trojan>
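The persistence described above (a Run value named "MS-Outlook" pointing at a copy of lsass.exe under <System>\dll\ or c:\gbvd\) can be checked for on a workstation. The following is an added example written for this page, not Sophos code: it reads the live HKCU Run key when run on Windows and otherwise works on a constructed sample; the sample value names and paths are assumptions, and it treats <System> as %SystemRoot%\System32.

```python
import sys

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values
# (value name -> command line), modelled on the persistence described on this page.
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "MS-Outlook": r"C:\Windows\system32\dll\lsass.exe",
}


def _first_path(command: str) -> str:
    """Extract the executable path from a Run value, whether or not it is quoted."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def find_hckpk_persistence(run_values: dict) -> list:
    """Return (value_name, path, reason) tuples for Run entries matching the
    Mal/HckPk-D indicators: any lsass.exe started from a Run key (the real one
    is started by the OS from System32, never from Run), the drop directories
    <System>\\dll\\ and c:\\gbvd\\, and the value name "MS-Outlook"."""
    hits = []
    for name, command in run_values.items():
        path = _first_path(command)
        low = path.lower().replace("/", "\\")
        basename = low.rsplit("\\", 1)[-1]   # split on backslash so this also works off-Windows
        reasons = []
        if basename == "lsass.exe":
            reasons.append("lsass.exe started from a Run key")
        if "\\system32\\dll\\" in low or low.startswith("c:\\gbvd\\"):
            reasons.append("path matches a Mal/HckPk-D drop location")
        if name.lower() == "ms-outlook":
            reasons.append("Run value name used by Mal/HckPk-D")
        if reasons:
            hits.append((name, path, "; ".join(reasons)))
    return hits


def read_hkcu_run() -> dict:
    """Read the live HKCU Run key on Windows; elsewhere return the constructed sample."""
    if sys.platform != "win32":
        return dict(SAMPLE_RUN_VALUES)
    import winreg
    values = {}
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    index = 0
    while True:
        try:
            name, data, _ = winreg.EnumValue(key, index)
        except OSError:          # no more values
            break
        values[name] = str(data)
        index += 1
    winreg.CloseKey(key)
    return values


if __name__ == "__main__":
    for name, path, reason in find_hckpk_persistence(read_hkcu_run()):
        print(f"SUSPICIOUS Run value {name!r} -> {path}  ({reason})")
```

Because the Trojan only needs HKCU, the check must be run in the context of each user profile on the machine, not just as an administrator.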

The malware repeatedly attempts to download one of several encrypted files with the extension .ICO from 20mbwxx.com. At the time of writing, the domain's hosting has expired and the files are inaccessible. If the file is downloaded and its contents decrypted successfully, the result will be saved to er22y.exe and run.

As this malware does not require administrative privileges, it is a risk to all users. It is not able to download a payload with further instructions at this time, but that could change. Customers with email gateway filtering should be sure to block executable file types, including batch files, to prevent such emails from arriving in destination mailboxes.

Sophos customers are protected from this threat proactively. Specifically, users of the HIPS runtime behavior analysis features of Sophos Endpoint Security have additional protection against Mal/HckPk-D. When this Trojan attempts to install itself, it triggers the HIPS rules HIPS/FileMod-001 and HIPS/RegMod-002.

Threat 2

Fake Christmas e-card spreads holiday woe

Threat Name:

Trojan: Troj/Zapchas-EO

Users at Risk:

Windows users

Also Known As:

  • Avira: DR/Mirc.113882
  • Microsoft: Backdoor:IRC/Zapchast.AZ
  • Symantec: IRC Trojan

Removal Instructions:

Please follow these instructions for removing Trojans.

About:

Troj/Zapchas-EO is linked to from spam messages pretending to be a Christmas e-card from Hallmark.

The message links to a copy of Troj/Zapchas-EO in a file named ChristamsCard.jpg.exe [sic], hosted on a server in Austria.

When Troj/Zapchas-EO is run, it drops the following files to the folder C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500:

a.reg - detected as Troj/Zapchas-EH
a_friend.exe - detected as Mal/Generic-A
aliases.ini - clean text file
control.ini - clean text file
csrss.exe - detected as Troj/Mirchack-A
Desktop.ini - clean text file
fullname.txt - clean text file
instsrv.exe - clean tool to install or uninstall services
mirc.ico - clean icon file
mirc.ini - detected as Mal/Zapchas-C
popups.txt - clean text file
remote.ini - clean text file
script.ini - clean text file
servers.ini - clean text file
sup.exe - detected as Troj/Agent-FWS
svchost.exe - clean tool to run applications as a service
users.ini - clean text file

Troj/Zapchas-EO then runs the dropped file sup.exe, which performs the following actions:

  • Runs a_friend.exe
  • Stops the Windows firewall by stopping the service "Windows Firewall/Internet Connection Sharing (ICS)"
  • Uses instsrv.exe to install and then start the dropped svchost.exe as a service with a service name of "svchost"
  • Uses regedit to install the contents of a.reg to the registry

A_friend.exe is a Flash-based application that displays two images. A.reg contains data to make the svchost service also run csrss.exe.

Csrss.exe is a hacked copy of the mIRC32 chat software client. By using the ini files dropped by Troj/Zapchas-EO, it connects to the Undernet IRC network with a user ID/nick of "Qd0pAb4xTi3a," an alternative nickname "Gg8lNv5rCk7lW," a username "Kj6cQa9hFw3tR" and an email of "Politia."
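The dropped mIRC client gives defenders a network-side signal: outbound TCP connections from workstations to IRC ports. The following is an added example for this page, not Sophos code, that runs the port-based check over constructed firewall log lines laid out in the field order of Windows Firewall's pfirewall.log (date, time, action, protocol, source, destination, source port, destination port, then further fields). The addresses and timestamps are invented; the port set is the one stated above (TCP 6667, mIRC's 6660-6669).

```python
import re
from collections import defaultdict

# IRC is TCP 6667; mIRC's default server entries use 6660-6669, which includes 6667.
IRC_PORTS = set(range(6660, 6670))

# Constructed sample log. Only the first eight fields are parsed; the rest are
# placeholders for the size/flags/path columns of pfirewall.log.
SAMPLE_LOG = """\
2009-12-07 09:58:01 ALLOW TCP 10.0.0.15 203.0.113.7 1033 80 0 - 0 0 0 - - - SEND
2009-12-07 09:58:44 ALLOW TCP 10.0.0.15 198.51.100.23 1041 6667 0 - 0 0 0 - - - SEND
2009-12-07 09:59:10 ALLOW TCP 10.0.0.15 198.51.100.23 1042 6669 0 - 0 0 0 - - - SEND
2009-12-07 10:02:31 DROP TCP 10.0.0.22 198.51.100.23 1100 6667 0 - 0 0 0 - - - SEND
2009-12-07 10:03:05 ALLOW UDP 10.0.0.22 10.0.0.1 53422 53 0 - 0 0 0 - - - SEND
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>ALLOW|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+)"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for comments/blank/unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_irc_connections(log_text: str) -> list:
    """Return every TCP record whose destination port is an IRC port."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] in IRC_PORTS:
            hits.append(rec)
    return hits


def hosts_by_irc_activity(log_text: str) -> dict:
    """Map each internal source host to (allowed, dropped) counts of IRC-port connections.
    Allowed entries show where the block is missing; dropped entries still identify
    hosts that tried to reach IRC and should be examined."""
    counts = defaultdict(lambda: [0, 0])
    for rec in find_irc_connections(log_text):
        counts[rec["src"]][0 if rec["action"] == "ALLOW" else 1] += 1
    return {host: tuple(c) for host, c in counts.items()}


if __name__ == "__main__":
    for host, (allowed, dropped) in hosts_by_irc_activity(SAMPLE_LOG).items():
        print(f"{host}: {allowed} allowed, {dropped} dropped IRC-port connections")
```

In an environment that legitimately uses IRC, add an allow-list of known server addresses before alerting on the remaining hits.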

It is always best practice to block executable attachments at the email gateway using a technology that can detect the true file type. In this case, the file is in fact designated .exe, but much malware is not. Additionally, this malware uses the old double-extension trick, so ensure that Windows workstations (on Windows 7 or earlier versions of Windows) are configured to display file extensions to end-users. If you don't use IRC in your environment, configure your client and gateway firewalls to block its most common ports. IRC is TCP port 6667, and mIRC typically uses 6660-6669.
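The gateway advice given here and for Threat 1 (block executable types including batch files, detect the true file type rather than trusting the name, and catch double extensions such as .jpg.exe) can be expressed as a single attachment check. The following is an added example written for this page, not Sophos code. The sample attachments are constructed: the "executable" is only an MZ/PE header stub, the batch file is a placeholder comment, and it is an assumption that the Photo.bmp carried by Threat 1 is a renamed Windows executable.

```python
import io
import zipfile

EXEC_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".scr", ".pif", ".vbs", ".js"}
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".pdf", ".doc", ".txt"}
MAX_INNER_BYTES = 1_000_000   # cap on how much of each archived file is read for content checks


def _ext(name: str) -> str:
    """Lower-case final extension including the dot ('' if there is none)."""
    return "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""


def has_double_extension(name: str) -> bool:
    """True for names like ChristmasCard.jpg.exe: a decoy document/image extension
    immediately followed by an executable extension."""
    parts = name.lower().split(".")
    return (len(parts) >= 3
            and "." + parts[-2] in DECOY_EXTENSIONS
            and "." + parts[-1] in EXEC_EXTENSIONS)


def is_windows_executable(data: bytes) -> bool:
    """True type check: Windows executables start with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


def inspect_attachment(name: str, data: bytes) -> list:
    """Return the reasons this attachment should be blocked (empty list means allow).
    Zip containers are opened and each member is checked with the same rules."""
    reasons = []
    ext = _ext(name)
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if has_double_extension(name):
        reasons.append("double extension disguises an executable")
    if is_windows_executable(data):
        reasons.append("content is a Windows executable (MZ header)")
    if data[:2] == b"PK":                       # zip signature: look inside
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner = zf.read(info) if info.file_size <= MAX_INNER_BYTES else b""
                    for reason in inspect_attachment(info.filename, inner):
                        reasons.append(f"{info.filename} inside zip: {reason}")
        except zipfile.BadZipFile:
            reasons.append("claims to be a zip but cannot be parsed")
    return reasons


def build_sample_attachments() -> dict:
    """Constructed stand-ins for the two lures on this page plus one clean image."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 100   # header stub only, not a program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Photo.bmp", fake_pe)   # assumption: the real Photo.bmp is a renamed executable
        zf.writestr("View-Photo.bat", b"rem constructed placeholder for the launcher\r\n")
    return {
        "Photo.zip": buf.getvalue(),
        "ChristmasCard.jpg.exe": fake_pe,
        "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32,   # clean JPEG header
    }


if __name__ == "__main__":
    for name, data in build_sample_attachments().items():
        verdict = inspect_attachment(name, data)
        print(f"{name}: {'BLOCK' if verdict else 'allow'} {verdict}")
```

The name-based rules alone would pass Photo.bmp; the MZ check is what catches a renamed executable, and opening the zip is what catches the batch file.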

Threat 3

Video of Large Hadron Collider hides a Trojan instead

Threat Name:

Trojan: Troj/TDSS-BP

Users at Risk:

Windows users

Also Known As:

  • Avira: TR/RDss.auss
  • Kaspersky: Trojan.Win32.Tdss.auss
  • Microsoft: Trojan:Win32/Alureon.CT
  • Symantec: Trojan.Zlob
  • Trend Micro: TROJ_MALWARE.VTG

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

Troj/TDSS-BP is a member of the TDSS family of Trojans. Recently SophosLabs have seen this Trojan linked to spam messages about the Large Hadron Collider (LHC). Users following the links in the spam will find a site claiming to host a video of the LHC in action. The site then claims that a Flash update is required to view the video, but that "upgrade" instead delivers Troj/TDSS-BP.

Troj/TDSS-BP is a Trojan for the Windows platform that includes functionality to copy itself to the <System> folder.

The Trojan contains functionality to access the Internet and communicate with a remote server d45648xxx.cn. The Trojan may then download further executable files and run them.

Users of the HIPS runtime behavior analysis features of Sophos Endpoint Security have additional protection against Troj/TDSS-BP. When this Trojan attempts to install itself, it triggers the HIPS rule HIPS/FileMod-001.