Threat Spotlight

For the week of 01 Feb 2010
Threat 1

Fake IQ program a test of your malware savvy

Threat Name:

Worm: W32/Mseus-A

Users at Risk:

Windows users

Also Known As:

  • Avira: Worm/Zimuse.A
  • Kaspersky: Worm.Win32.Mseus.a
  • McAfee: W32/Zimuse
  • Microsoft: Worm:Win32/Zumes.A!sys
  • Trend Micro: WORM_ZIMUS.B

Removal Instructions:

Please follow the instructions for removing worms.

About:

W32/Mseus-A is a member of the Mseus family of Windows AutoRun worms, which can be highly destructive. Its only apparent goal is to incriminate a particular Slovakian motorcycle club website, which appears to be entirely blameless.

W32/Mseus-A arrives disguised as an IQ test program. If run, it displays an IQ test as a decoy while the malware installs itself in the background.

When run, W32/Mseus-A installs the following files:

<System>\drivers\Mstart.sys
<System>\drivers\Mseu.sys
<System>\mseus.exe
<System>\tokset.dll
<System>\ainf.inf
<Program Files>\Dump\Dump.exe

W32/Mseus-A makes a number of registry changes in order to load components whenever Windows starts. These include the following:

HKLM\SYSTEM\CurrentControlSet\Services\MSTART
ImagePath
<System>\Drivers\MSTART.SYS

HKLM\SYSTEM\CurrentControlSet\Services\UnzipService
ImagePath
System32\Mseus.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Dump
<Program Files>\Dump\Dump.exe

Variants of W32/Mseus may attempt to spread via network shares or by copying themselves to removable drives.

After several days, W32/Mseus-A erases critical portions of any drive attached to the computer, including removable drives. This includes wiping the Master Boot Record of the system drive so that the computer will no longer start if rebooted. Specialist knowledge or recovery software may be necessary to restore the disks - in some cases they will need to be restored from backups.
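Before attempting any recovery of a drive hit by this payload, a responder will want to confirm what state the first sector is actually in. The following Python is an added example, not Sophos code or part of the original write-up: it decodes the first 512 bytes of a disk or disk image as an MBR (boot code, four partition table entries, 0x55AA boot signature) and reports whether the sector is unbootable. It assumes MBR-style partitioning, which was the norm for Windows systems in 2010, and checks only the first sector, so damage to other "critical portions" of the drive is out of its scope. Both sample sectors are constructed inline; nothing is read from a real disk.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"  # boot signature at offset 510


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (status, type, LBA start, sector count)."""
    status, type_id, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {
        "bootable": status == 0x80,
        "type": type_id,
        "lba_start": lba_start,
        "sectors": sectors,
        "empty": type_id == 0 and lba_start == 0 and sectors == 0,
    }


def parse_mbr(sector: bytes) -> dict:
    """Decode the first 512 bytes of a disk or image: boot code, partition table, signature."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("an MBR is 512 bytes; got %d" % len(sector))
    sector = sector[:SECTOR_SIZE]
    table = sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 4 * PARTITION_ENTRY_SIZE]
    entries = [
        parse_partition_entry(table[i:i + PARTITION_ENTRY_SIZE])
        for i in range(0, len(table), PARTITION_ENTRY_SIZE)
    ]
    return {
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
        "boot_code_all_zero": not any(sector[:PARTITION_TABLE_OFFSET]),
        "partitions": entries,
        "usable_partitions": [e for e in entries if not e["empty"]],
    }


def mbr_looks_wiped(sector: bytes) -> bool:
    """True when the sector cannot boot: signature missing, or no boot code and no partitions."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return True
    return info["boot_code_all_zero"] and not info["usable_partitions"]


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR (not from a real disk): a stub of boot code and one bootable NTFS partition."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (PARTITION_TABLE_OFFSET - 7)
    # status 0x80 (active), CHS fields are placeholders, type 0x07 (NTFS), LBA 2048, 204800 sectors
    active = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = active + b"\x00" * (3 * PARTITION_ENTRY_SIZE)
    return boot_code + table + MBR_SIGNATURE


# Constructed image of a zeroed first sector, the state the payload described above leaves behind.
WIPED_MBR = b"\x00" * SECTOR_SIZE


def summarize(label: str, sector: bytes) -> str:
    """One-line triage summary for a sector."""
    info = parse_mbr(sector)
    return "%s: signature=%s partitions=%d wiped=%s" % (
        label, "ok" if info["signature_ok"] else "MISSING",
        len(info["usable_partitions"]), mbr_looks_wiped(sector))


if __name__ == "__main__":
    print(summarize("healthy", build_sample_mbr()))
    print(summarize("wiped", WIPED_MBR))
```

On a real case, feed it the first 512 bytes of a forensic image (for example the output of `dd if=image.raw bs=512 count=1`) rather than the constructed sample; a missing signature or an empty partition table tells you the table must be rebuilt or the image restored from backup before the system will boot again.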

When the destructive payload is activated, W32/Mseus-A displays a fake error message blaming a Slovakian motorcycle website.

In addition to the standard detection provided for W32/Mseus-A and variants, the proactive HIPS technology in Sophos Endpoint Security can prevent installation and running of this malware.

HIPS/FileWriteMod-002, HIPS/FileMod-001 and HIPS/FileMod-006 are triggered by this malware attempting to run.

Like most malware circulating in the wild, this malware expects Administrator rights on the workstation: installing drivers under <System>\drivers and registering services under HKLM both require them. Users running with least privilege are better protected against this type of malware.

Threat 2

Fake AV finds different ways to scare users into scams

Threat Name:

Trojan: Troj/FakeAV-ASQ

Users at Risk:

Windows users

Also Known As:

  • Avira: BDS/Bredolab.cbb
  • Kaspersky: Backdoor.Win32.Bredolab.cbb
  • McAfee: FakeAlert-SpyPro.gen.b
  • Microsoft: Trojan:Win32/Oficla.H!dll
  • Trend Micro: Troj_CROPRT.VEN

Removal Instructions:

Please follow these instructions on how to remove Trojans.

About:

Troj/FakeAV-ASQ is a fake anti-virus Trojan for the Windows platform. It can also download further malicious programs from remote hosts.

The Trojan disguises itself as a zip archive attached to fake UPS delivery messages, with text as follows:

Hello!
We were not able to deliver your postal package sent on the 1st of December in time because the addressee's address is erroneous. Please print out the invoice copy attached and collect the package at our office.
United Parcel Service of America.

The attached zip file contains malware. When run, Troj/FakeAV-ASQ installs a fake anti-virus program on the user's computer. The fake anti-virus program then automatically pretends to scan the computer and displays fake warnings that malicious programs are running on it. It prompts the user to remove them, but indicates that an activation code for the fake anti-virus software must be purchased before the removal can complete.

Troj/FakeAV-ASQ also downloads a malicious program from a Russian remote host and installs it to the following location:

<System>\aqlb.hjo — detected by Sophos as Mal/Oficla-A

To run the downloaded file at every user logon, Troj/FakeAV-ASQ modifies the following registry value, appending a rundll32 command to the legitimate Explorer.exe shell:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
Shell
Explorer.exe rundll32.exe aqlb.hjo

Troj/FakeAV-ASQ also adds aqlb.hjo to <Windows>\system.ini.
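The persistence points used by both threats in this issue (the MSTART and UnzipService services and the Dump Run entry of W32/Mseus-A, and the Winlogon Shell and system.ini changes of Troj/FakeAV-ASQ) can all be checked offline from a registry export taken during triage. The following Python is an added example, not Sophos code or part of the original write-ups: it parses a regedit .reg export and a system.ini, flags a Winlogon Shell value that is anything other than explorer.exe, and matches service and Run entries against the file and service names listed above. The export text and system.ini contents are constructed for the example, the C: drive letter is assumed, and placing the file name on the system.ini [boot] shell= line is an assumption, since the write-up says only that the name is added to system.ini.

```python
import ntpath

# Indicators taken from the two write-ups above (W32/Mseus-A and Troj/FakeAV-ASQ).
IOC_FILENAMES = {"mstart.sys", "mseu.sys", "mseus.exe", "tokset.dll", "ainf.inf", "dump.exe", "aqlb.hjo"}
IOC_SERVICES = {"mstart", "unzipservice"}

# Constructed registry export (regedit "Export" text format), not taken from an infected host;
# the drive letter is assumed. The Spooler entry is a benign control.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART]
"Type"=dword:00000001
"ImagePath"="C:\\WINDOWS\\system32\\Drivers\\MSTART.SYS"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnzipService]
"ImagePath"="System32\\Mseus.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="C:\\WINDOWS\\system32\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dump"="C:\\Program Files\\Dump\\Dump.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe aqlb.hjo"
"""

# Constructed system.ini; the [boot] shell= placement is an assumption (see lead-in).
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe rundll32.exe aqlb.hjo
[drivers]
wave=mmdrv.dll
"""


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: value_string}}; quoted strings are unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip().strip('"')
        if name == "@":
            name = "(Default)"
        value = value.strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = value
    return keys


def _basename(command: str) -> str:
    """Lower-cased file name of a command or image path (ntpath so this also works off-Windows)."""
    return ntpath.basename(command.strip().strip('"')).lower()


def audit_autostarts(keys: dict) -> list:
    """Return (kind, location, value) findings for the three persistence points used above."""
    findings = []
    for path, values in keys.items():
        lower = path.lower()
        if lower.endswith("\\currentversion\\winlogon"):
            shell = values.get("Shell", "")
            # A legitimate Shell value is exactly explorer.exe; anything appended runs at every logon.
            if shell and shell.strip().lower() != "explorer.exe":
                findings.append(("winlogon-shell", path + "\\Shell", shell))
        elif "\\currentcontrolset\\services\\" in lower:
            service = path.rsplit("\\", 1)[-1].lower()
            image = values.get("ImagePath", "")
            if service in IOC_SERVICES or _basename(image) in IOC_FILENAMES:
                findings.append(("service-ioc", path, image))
        elif lower.endswith("\\currentversion\\run") or lower.endswith("\\currentversion\\runonce"):
            for name, command in values.items():
                if _basename(command) in IOC_FILENAMES:
                    findings.append(("run-ioc", path + "\\" + name, command))
    return findings


def check_system_ini(text: str):
    """Return the [boot] shell= value if it names anything beyond explorer.exe, else None."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot" and line.lower().startswith("shell="):
            value = line.partition("=")[2].strip()
            return None if value.lower() == "explorer.exe" else value
    return None


if __name__ == "__main__":
    for kind, where, value in audit_autostarts(parse_reg_export(SAMPLE_REG)):
        print("%-15s %s => %s" % (kind, where, value))
    print("system.ini shell:", check_system_ini(SAMPLE_SYSTEM_INI))
```

The Shell check is the one worth keeping beyond this pair of threats: the indicator lists age quickly, but a Winlogon Shell value that is anything other than explorer.exe is suspicious regardless of which family put it there.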

Not all fake anti-virus programs do anything more than scare the victim, but this example shows how many are also equipped to fetch a payload from remote sites. That gives the attacker two chances to cash in: if you don't buy the scareware, the dropped malware can still turn your computer into a spam relay, use it in DoS attacks, or send messages to your social networking contacts to spread further.

Threat 3

New Canadian Pharmacy spam

About:

This "Canadian Pharmacy" campaign uses the From header as its call to action. The subject line and message body contain nothing but varying amounts of short, random lower-case words, different in nearly every sample. The only indication of what the campaign is selling is a short phrase in the From header, alongside the domain the recipient is expected to visit.

Why this technique? To evade domain-based blacklists (e.g. SURBL, URIBL), which look up the URIs found in a message body: with no URL in the body, the 'call-to-action' domain (and the solicitation itself) stays hidden from some content-based filters.

The domains found in the From header fall into one of two groups:

  • Four-character labels (two letters, two digits) under .com or .net, registered since August 2009 (mostly August 2009, December 2009 and January 2010) through the registrar "CHINA SPRINGBOARD INC".
  • Five-character labels (two digits, dash, two digits) under .cn, all registered on May 17th, 2009 through the registrar "EName China".
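Since the call-to-action domain sits in the From header rather than in the body, a filter has to pull it from there before any domain-reputation check can see it. The following Python is an added example, not Sophos code or part of the original write-up: it extracts the sender domain and display name from the From header, classifies the domain against the two shapes listed above, and shows that the subject and body hold nothing a URI blacklist could look up. The message, the address and the domain ab12.com are constructed to match the described pattern; none of them is a real sighted sample, and the "suspicious" verdict is a heuristic for illustration, not a filter rule from the write-up.

```python
import re
from email import policy
from email.parser import Parser

# Constructed sample in the shape described above; address, domain and words are made up
# and are not a real sighted message or a real spam domain.
SAMPLE_MESSAGE = """\
From: "Canadian Pharmacy" <info@ab12.com>
To: someone@example.org
Subject: quib zoxa fell nim
Date: Sat, 23 Jan 2010 10:15:00 +0000
Message-ID: <constructed-sample@example.org>
Content-Type: text/plain; charset="us-ascii"

orla vens kip tarb
nim quib
"""

# The two domain shapes the campaign was seen using (label before the TLD).
DOMAIN_SHAPES = {
    "two-letters-two-digits .com/.net": re.compile(r"^[a-z]{2}[0-9]{2}\.(?:com|net)$"),
    "two-digits-dash-two-digits .cn": re.compile(r"^[0-9]{2}-[0-9]{2}\.cn$"),
}

# What a URI blacklist filter would look for in subject and body: URLs or bare host names.
URI_RE = re.compile(
    r"(?i)\b(?:https?://\S+|www\.\S+|[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|cn|org|info|biz)\b)"
)


def parse_message(raw: str):
    """Parse an RFC 5322 message with the modern header policy (structured From header)."""
    return Parser(policy=policy.default).parsestr(raw)


def from_address(raw: str):
    """First mailbox in the From header; its display name and domain carry this campaign's pitch."""
    return parse_message(raw)["From"].addresses[0]


def from_domain(raw: str) -> str:
    return from_address(raw).domain.lower()


def from_display_name(raw: str) -> str:
    return from_address(raw).display_name


def classify_domain(domain: str):
    """Return the matching campaign shape label, or None if the domain fits neither pattern."""
    for label, pattern in DOMAIN_SHAPES.items():
        if pattern.match(domain.lower()):
            return label
    return None


def body_uris(raw: str) -> list:
    """Host names or URLs in subject and text body: the only thing a URI blacklist would check."""
    msg = parse_message(raw)
    body = msg.get_body(preferencelist=("plain",))
    text = (msg["Subject"] or "") + "\n" + (body.get_content() if body is not None else "")
    return sorted({m.group(0).lower() for m in URI_RE.finditer(text)})


def triage(raw: str) -> dict:
    """Pull the call-to-action domain out of the From header so it can be checked like a body URI."""
    domain = from_domain(raw)
    shape = classify_domain(domain)
    uris = body_uris(raw)
    return {
        "from_display_name": from_display_name(raw),
        "from_domain": domain,
        "from_domain_shape": shape,
        "body_uris": uris,
        # Heuristic for illustration: From domain matches a campaign shape and the body has nothing to look up.
        "suspicious": shape is not None and not uris,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE).items():
        print("%-20s %s" % (key + ":", value))
```

In a mail filter the useful step is the extraction, not the shape regexes: once the From-header domain is treated as a candidate URI and submitted to the same SURBL/URIBL lookups as body links, the campaign loses the advantage of keeping its body free of URLs.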

A unique list of domains sighted and a unique list of the nameservers serving them:

All the domains serve the common Canadian Pharmacy website.

These messages are sent via IPs with 'bot-like' characteristics, from all over the world. The overwhelming majority are sent from European ISPs (Germany, Spain, France, Italy), with a handful from Asia (Korea, China) and South America (Brazil, Argentina). There are some sent from North America, however they are comparatively few.

This specific Canadian Pharmacy campaign was first sighted on Saturday, Jan 23rd. Social engineering has been a dominant factor in many attacks over the last few years, and regular educational reminders to your employees can go a long way towards stopping someone from typing in a URL they find curious. Pharmacy sites of dubious reputation often take the same approach as the FakeAV-ASQ Trojan above: they not only take your money for some super Viagra but also plant malware on your machine along the way.