About:
Troj/Agent-MEX is a variant of the Bredo family of malware. The Trojan spreads as a spam email attachment. It is a continuation of a campaign we have seen for several years purporting to be a shipping notification or wire transfer that asks you to open a malicious manifest. The attachment is usually a zip file containing a single executable with a name such as:
DHL_Details_Nr455.exe
Western_Union_details_Nr1456.exe
Sample message body:
Hello!
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office personaly!
Attention!
The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you.
DHL International Service.
If the program is run it will install itself, copying itself to
%STARTMENU%\Programs\Startup\rarype32.exe
and creating a data file in
%PROFILE%\Application Data\avdrn.dat
Once installed, Troj/Agent-MEX will attempt to contact a website hosted at dollardream.ru.
This domain is known to be related to the FakeAV malware family, and the Trojan might download further samples that push the user into installing rogue anti-virus products.
In addition to the detection provided for Troj/Agent-MEX, the proactive HIPS technology in Sophos Endpoint Security can prevent the installation of Troj/Agent-MEX, using rule HIPS/FileMod-001.
Mail gateway filtering solutions should be configured to block executable files from delivery, including those inside archives. Additionally, proactive protections should be enabled in endpoint anti-virus products to prevent this and future variants from circumventing detection.
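The gateway rule above (block executables, even when they arrive inside an archive) as an added example in Python; this is not Sophos code, and the extension list and the sample attachment are constructed assumptions, not the real campaign files:

```python
import io
import zipfile

# Assumption: a representative set of executable extensions a gateway policy
# would block; a real deployment uses its vendor's list.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"  # DOS/PE header magic, catches renamed executables


def executable_members(zip_bytes: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return names of members that look executable, by extension or by PE magic.

    Nested zips are descended into up to max_depth so an executable wrapped in
    a second archive is still reported (as "outer.zip/inner.exe").
    """
    flagged = []
    if depth > max_depth:
        return flagged
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lowered = name.lower()
            with zf.open(info) as member:
                head = member.read(2)  # only the magic bytes, not the whole file
            by_ext = any(lowered.endswith(ext) for ext in EXEC_EXTENSIONS)
            if by_ext or head == PE_MAGIC:
                flagged.append(name)
            elif lowered.endswith(".zip"):
                inner = executable_members(zf.read(info), depth + 1, max_depth)
                flagged.extend(f"{name}/{m}" for m in inner)
    return flagged


def should_block(zip_bytes: bytes) -> bool:
    """Gateway decision: drop the attachment if any executable content is found."""
    return bool(executable_members(zip_bytes))


def build_sample_zip() -> bytes:
    """Constructed sample resembling the campaign's attachment (not the real one)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DHL_Details_Nr455.exe", b"MZ" + b"\x00" * 64)  # fake PE
        zf.writestr("label.pdf.exe", b"MZ" + b"\x00" * 16)          # double extension
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()


def build_nested_sample_zip() -> bytes:
    """Constructed sample: the zip above wrapped in a second zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive.zip", build_sample_zip())
        zf.writestr("notes.txt", b"nothing to see")
    return buf.getvalue()
```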