Threat Spotlight

For the week of 21 Dec 2009
Threat 1

Spam bot Trojan dials home

Threat Name:

Trojan: Troj/Agent-LVN

Users at Risk:

Windows users

Also Known As:

  • Kaspersky: Packed.Win32.Tadym.d
  • McAfee: Bredolab!a trojan
  • Microsoft: Win32/Bredolab.AA
  • Trend Micro: TROJ_AGENTT.ERQP

Removal Instructions:

Please follow the instructions for removing trojans.

About:

Troj/Agent-LVN is part of the Bredo family of spamming bot Trojans, specifically part of the Mal/Bredo-B family. These bots are typically delivered through social engineering spam campaigns, though there is no specific campaign for Troj/Agent-LVN.

When first run, Troj/Agent-LVN copies itself to a file in the %TEMP% folder and to <Start Menu\Programs>\Startup\siszyd32.exe, which lets the malware run automatically on startup.

Innocuous-looking registry entries may be created under HKLM\SOFTWARE\Microsoft\Tracing\IpxAdptif as a result of the malware loading the <SYSTEM>\adptif.dll library. This library provides the 'IPX Interface via WinSock', which indicates that the bot is aware of NetWare networking.

Troj/Agent-LVN calls home to forhomessale.ru with an HTTP GET request for /new/controller.php?action=bot&, followed by further query-string arguments (entity_list, rnd, uid and guid) that identify the new infection.
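The check-in request above is a usable network indicator. The following is an added example (not Sophos code) that scans proxy log lines for that request shape. It matches on the path and query parameters rather than the host name, on the assumption that the controller domain is the indicator most likely to change; the log format (client, method, URL, status) and the parameter values in the sample lines are constructed for illustration.

```python
"""Flag Troj/Agent-LVN style bot check-ins in proxy logs (added example)."""
from urllib.parse import parse_qs, urlsplit

# Request path and identifying parameters described in the advisory.
CHECKIN_PATH = "/new/controller.php"
CHECKIN_PARAMS = {"entity_list", "rnd", "uid", "guid"}


def is_bredo_checkin(url: str) -> bool:
    """Return True when a URL has the Bredo check-in path and query shape.

    The host is deliberately not part of the rule (assumption: controllers
    move between domains more often than the bot's request format changes).
    """
    parts = urlsplit(url)
    if parts.path.lower() != CHECKIN_PATH:
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    if query.get("action") != ["bot"]:
        return False
    # Require at least two of the identifying parameters so that a lone
    # coincidental 'uid' on some unrelated controller.php does not fire.
    return len(CHECKIN_PARAMS & set(query)) >= 2


def scan_proxy_log(lines):
    """Return (client, host) pairs for lines whose URL looks like a check-in.

    Assumed log layout: '<client> <method> <url> <status>' per line.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, url = fields[0], fields[2]
        if is_bredo_checkin(url):
            hits.append((client, urlsplit(url).hostname))
    return hits


# Constructed sample log: one real-looking check-in to the advisory's domain,
# two benign look-alikes, and one check-in to a placeholder host.
SAMPLE_LOG = """\
10.0.0.12 GET http://forhomessale.ru/new/controller.php?action=bot&entity_list=&rnd=81623&uid=1&guid=3402817431 200
10.0.0.12 GET http://www.example.com/new/index.php?action=bot&uid=7 200
10.0.0.40 GET http://intranet.example/controller.php?action=login&uid=3 302
10.0.0.57 GET http://c2-placeholder.example/new/controller.php?action=bot&uid=9&guid=123 200
"""

if __name__ == "__main__":
    for client, host in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"possible Bredo check-in from {client} to {host}")
```

Each hit names a host that is worth blocking and a client that is worth isolating; the second and third sample lines show why the path and the action=bot parameter are both required before the rule fires.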

It also creates the data file <User>\Application Data\avdrn.dat.

Users of the HIPS runtime behavior analysis features of Sophos Endpoint Security have additional protection against Troj/Agent-LVN. The installation of this malware triggers the HIPS rule HIPS/FileMod-001.

Threat 2

Malware distracts gamers while installing

Threat Name:

Trojan: Troj/Lneage-A

Also Known As:

  • Kaspersky: Trojan.Win32.Swisyn.bvo
  • McAfee: Generic.dx!hvb
  • Trend Micro: PAK_Generic.001

Removal Instructions:

Please follow these instructions for removing Trojans.

About:

Troj/Lneage-A is a Trojan for the Windows platform. While installing itself the Trojan distracts the user with pictures of semi-naked cartoon elves. Troj/Lneage-A includes functionality to run automatically.

When Troj/Lneage-A is installed it creates the files:

  • <Common Files>\Services\FS.exe
  • <Common Files>\Services\SB.exe
  • <Common Files>\Services\svchost.exe

The following registry entry is created to run Troj/Lneage-A on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: Generic Host Process for Win32 Services
Value data: "<Common Files>\Services\svchost.exe"

This is a multi-component threat. The top-level file contains three embedded PE files, which are the ones dropped into the <Common Files>\Services folder.

Lineage is a family of Trojans that typically steal online game passwords. In the above case <Common Files>\Services\svchost.exe appears to invoke the other two files, but it also searches for a window named "lineage ii."

Users of the HIPS runtime behavior analysis features of Sophos Endpoint Security have additional protection against Troj/Lneage-A. The component of this malware in the file svchost.exe triggers the HIPS rule HIPS/RegMod-014.

Threat 3

Trojan hides in fake Christmas card

Threat Name:

Trojan: Troj/VBInject-S

Users at Risk:

Windows users

Also Known As:

  • Kaspersky: Trojan.Win32.FraudPack.afbc
  • Microsoft: VirTool:Win32/VBInject.gen!BY

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

Troj/VBInject-S is a Trojan for the Windows platform that is being spread in the form of a fake Christmas e-card with the message:

You have recieved a Hallmark E-Card from your friend.
To see it, check the link below:
http://www.hallmark.com/webapp/wcs/stores/Occasion/ChristmasE-Cards
There's something special about that E-Card feeling. We invite you to make a friend's day and send one.
Hope to see you soon, Your friends at Hallmark

When Troj/VBInject-S is installed the following files are created:

  • <System>\lowsec\local.ds
  • <System>\lowsec\user.ds
  • <System>\sdra64.exe (also detected as Troj/VBInject-S)

The Trojan sets the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: Userinit

This enables the Trojan to run automatically on startup.

Registry entries are created under HKCU\Software\Microsoft\Visual Basic.
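Both Troj/Lneage-A (a Run entry launching an svchost.exe outside the system folder) and Troj/VBInject-S (a modified Winlogon Userinit value) persist through registry entries that can be audited offline. The following is an added example (not Sophos code) that parses a registry export and flags both patterns. The export text is constructed; the assumed system folder, the assumption that a legitimate Userinit value names only userinit.exe, and the appended form of the Userinit value in the sample are this example's, not the advisory's.

```python
"""Audit a .reg export for the persistence entries described above (added example)."""
import ntpath
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SYSTEM32 = r"c:\windows\system32"  # assumption: default system folder


def parse_reg_export(text):
    """Minimal parser for the .reg format: [Key] headers and "Name"="Data" lines."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = re.match(r'"([^"]+)"="(.*)"$', line)
        if match and current is not None:
            # .reg files escape backslashes inside string data; undo that.
            keys[current][match.group(1)] = match.group(2).replace("\\\\", "\\")
    return keys


def find_suspicious_entries(keys):
    """Return (rule, value name, offending data) tuples for the two patterns."""
    findings = []
    # Troj/Lneage-A pattern: a Run entry starting something called svchost.exe
    # from anywhere other than the system folder (the real one lives there).
    for name, data in keys.get(RUN_KEY, {}).items():
        path = data.strip('"')
        if (ntpath.basename(path).lower() == "svchost.exe"
                and ntpath.dirname(path).lower() != SYSTEM32):
            findings.append(("run-masquerade", name, path))
    # Troj/VBInject-S pattern: Userinit is a comma-separated list that should
    # contain only userinit.exe (assumption); anything else is suspect.
    userinit = keys.get(WINLOGON_KEY, {}).get("Userinit", "")
    for entry in (e.strip() for e in userinit.split(",")):
        if entry and ntpath.basename(entry).lower() != "userinit.exe":
            findings.append(("userinit-extra", "Userinit", entry))
    return findings


# Constructed export: one benign Run entry, the Troj/Lneage-A style entry,
# and a Userinit value with an extra executable appended (constructed form).
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\Windows\\System32\\ctfmon.exe"
"Generic Host Process for Win32 Services"="C:\\Program Files\\Common Files\\Services\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\sdra64.exe,"
"Shell"="explorer.exe"
"""

if __name__ == "__main__":
    for rule, name, data in find_suspicious_entries(parse_reg_export(REG_EXPORT)):
        print(f"{rule}: {name} -> {data}")
```

The Userinit check is the more general of the two: it does not depend on the dropped file's name, so it also catches later variants that append a differently named executable to the same value.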