Threat Spotlight

For the week of 15 Feb 2010

Threat 1

Fake AV uses e-cards as vehicle for malware distribution

Threat Name:

Troj/ZipCard-E

Users at Risk:

Windows users

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

Troj/ZipCard-E is a zip file that contains malicious content. It first surfaced in October 2009. Troj/ZipCard-E typically arrives as spam and contains “You Have Received a Greeting Card” or “You've received a postcard” in the subject line.

The message often reads as follows:

Good day.

Your family member has sent you an e-card from 123greetings.com.

Send free e-cards from 123greetings.com with your choice of colors, words and music.

Your e-card will be available with us for the next 30 days.

If you wish to keep the e-card longer, you may save it on your computer or take a print.

To view your e-card, open zip attached file.

The contents of Troj/ZipCard-E have changed several times since it was first discovered. SophosLabs has detected its contents as Mal/FakeVirPk-A, Mal/EncPk-KW, Mal/EncPk-KP or Mal/FakeAV-BX.

Most recently, Troj/ZipCard-E has been used to distribute fake anti-virus related malware.

Sophos reminds users that, like all legitimate online greetings companies, 123greetings.com never sends an attachment in order to deliver an e-card. In addition to gateway email protection, users should be suspicious of all attachments purporting to come from banks, greeting card companies, or package delivery companies. Always type the URL of the company you wish to visit directly into your browser, and never open attachments or click links in email.
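A mail-filter check for the lure pattern described above (greeting-card subject line plus a zip attachment), added here as an example; it is not Sophos code, and the sample message is constructed, not a real capture:

```python
"""Added example (not Sophos code): flag e-card lures that carry a zip
attachment, the Troj/ZipCard-E pattern described above. The sample
message is constructed, not a real capture."""
import email
from email import policy
from email.message import EmailMessage

# Subject phrases the spotlight quotes for this campaign (matched case-insensitively).
LURE_SUBJECTS = ("you have received a greeting card", "you've received a postcard")
# Legitimate e-card services deliver a link, never an archive attachment.
ARCHIVE_EXTS = (".zip", ".rar", ".7z")


def ecard_zip_lure(raw_message: bytes) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one RFC 5322 message.

    Flag only when BOTH signals are present: a lure subject and an archive
    attachment. Either alone is recorded in 'reasons' but not flagged,
    which keeps genuine greeting notifications out of quarantine."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = str(msg["subject"] or "").lower()
    reasons = []
    if any(phrase in subject for phrase in LURE_SUBJECTS):
        reasons.append("e-card lure subject")
    archives = [(part.get_filename() or "").lower()
                for part in msg.iter_attachments()]
    archives = [name for name in archives if name.endswith(ARCHIVE_EXTS)]
    if archives:
        reasons.append("archive attachment: " + ", ".join(archives))
    return {"suspicious": len(reasons) == 2, "reasons": reasons}


def build_sample_lure() -> bytes:
    """Constructed message mirroring the spam text quoted above."""
    msg = EmailMessage()
    msg["From"] = "cards@example.invalid"      # constructed sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "You Have Received a Greeting Card"
    msg.set_content("To view your e-card, open zip attached file.")
    # Placeholder bytes only; not a real archive.
    msg.add_attachment(b"PK\x03\x04 constructed placeholder",
                       maintype="application", subtype="zip",
                       filename="ecard.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(ecard_zip_lure(build_sample_lure()))
```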

Threat 2

Celebrity rumors used by SEO hackers

Threat Name:

Mal/FakeAV-BW

Users at Risk:

Windows users

Also Known As:

  • Avira: TR/Spy.ZBot.adhq
  • Kaspersky: Trojan-Spy.Win32.Zbot.adhq
  • Ikarus: Trojan-PWS.Win32.Papras
  • Microsoft: PWS:Win32/Zbot.YD
  • Trend Micro: TROJ_ZBOT.BPN

Removal Instructions:

About:

Mal/FakeAV-BW is fake AV malware that has been distributed through several different methods since it first emerged. It has appeared through SEO poisoning and Sun Java and Acrobat Reader vulnerabilities.

It includes functionality to:

  • run automatically
  • copy itself to the <System> folder
  • create files in the <System> folder
  • access the internet and communicate with a remote server via HTTP

It communicates via HTTP with the following locations:

natointros.net
antiviraprof2010.com

When installed, the following files are created:

%SYSTEM%\lowsec\local.ds
%SYSTEM%\lowsec\user.ds
%SYSTEM%\lowsec\user.ds.lll
%SYSTEM%\sdra64.exe
%SYSTEM%\lowsec

Files modified:

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
System file attribute: unset
Hidden file attribute: unset

C:\Documents and Settings\LocalService\Local Settings\History
System file attribute: unset
Hidden file attribute: unset

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Userinit = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
  NoChangingWallpaper

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  NoSetActiveDesktop
  NoActiveDesktopChanges

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  smss32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoSetActiveDesktop
  NoActiveDesktopChanges

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
  NoChangingWallpaper

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
  DisableTaskMgr

HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider\S-1-5-18
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}

HKEY_USERS\S-1-5-18\Software\Microsoft\Protected Storage System Provider\S-1-5-18
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}

Registry entries changed under:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

Just as the attackers have expanded their reach by using multiple techniques to lure victims in, there are multiple ways to stop this malware before it reaches your workstations. Sophos protects against this at the web gateway, through proactive anti-virus protection and through traditional anti-virus detection. Up-to-date versions of Sun Java and Adobe Reader are not exploitable through this attack.
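The registry entries listed above are what an endpoint audit should look for: an extra executable appended to Winlogon's Userinit value, a Run entry imitating a system process name, and the policy values that lock the desktop and Task Manager. The following is an added example (not Sophos code) that applies those checks to a constructed registry snapshot; the stock Userinit path and the data of the smss32.exe Run value are assumptions, since the spotlight lists only the value name.

```python
"""Added example (not Sophos code): audit a registry snapshot for the
Mal/FakeAV-BW persistence and lockdown entries listed above. The snapshot
is a constructed {value_path: data} dict standing in for winreg reads or a
parsed .reg export, so it runs on any OS."""
import re

# Stock Userinit data on XP/2003 (assumption; other versions differ).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
WINLOGON_USERINIT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POLICIES = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies"
# Lockdown values the spotlight lists; benign when absent or 0.
LOCKDOWN_POLICIES = {POLICIES + r"\System\DisableTaskMgr",
                     POLICIES + r"\Explorer\NoSetActiveDesktop",
                     POLICIES + r"\Explorer\NoActiveDesktopChanges",
                     POLICIES + r"\ActiveDesktop\NoChangingWallpaper"}

def _leaf(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def audit_userinit(value: str) -> list:
    """Return every Userinit entry except the stock userinit.exe.
    Winlogon runs each comma-separated entry at logon, so an appended
    path (sdra64.exe above) is logon persistence."""
    entries = [e.strip().lower() for e in value.split(",") if e.strip()]
    return [e for e in entries if e != EXPECTED_USERINIT]

def audit_snapshot(snapshot: dict) -> list:
    """Return human-readable findings for the indicators on this page."""
    userinit = snapshot.get(WINLOGON_USERINIT, EXPECTED_USERINIT)
    findings = [f"Userinit hijack: {e}" for e in audit_userinit(userinit)]
    for path, data in snapshot.items():
        if path in LOCKDOWN_POLICIES and data not in (0, "0", None):
            findings.append(f"lockdown policy set: {_leaf(path)}")
        # The genuine Session Manager (smss.exe) is never started from Run,
        # so a Run value named smss<digits>.exe is a process-name lookalike.
        if path.startswith(RUN_KEY + "\\") and re.fullmatch(r"smss\d*\.exe", _leaf(path), re.I):
            findings.append(f"suspicious Run entry: {_leaf(path)} -> {data}")
    return findings

# Constructed snapshot reproducing the entries above; the Run data path is
# an assumption, since the spotlight gives only the value name.
INFECTED_SNAPSHOT = {
    WINLOGON_USERINIT: r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe",
    RUN_KEY + r"\smss32.exe": r"C:\WINDOWS\system32\smss32.exe",
    POLICIES + r"\System\DisableTaskMgr": 1,
    POLICIES + r"\Explorer\NoSetActiveDesktop": 1,
}
```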

Threat 3

Malicious PDF exploits Adobe vulnerabilities

Threat Name:

Troj/PDFJs-GA

Users at Risk:

Windows users

Also Known As:

  • Kaspersky: Exploit.JS.Pfdka.bpa
  • McAfee: Exploit-PDF.q.gen!stream

Removal Instructions:

Please follow these instructions on how to remove Trojans.

About:

Cybercriminals are using PDF files to exploit unpatched versions of Adobe Reader. Troj/PDFJs-GA is one of these malicious PDFs. It is usually delivered from malicious websites and contains code to exploit multiple vulnerabilities, including

Troj/PDFJs-GA will attempt to download and install various malware:

  • JS/PDFLd-D
  • Troj/Java-B
  • Mal/EncPk-NI
  • Mal/FakeAvHm-A
  • Mal/FakeAV-BW

In addition to the standard detection provided for Troj/PDFJs-GA, the proactive HIPS technology in Sophos Endpoint Security can prevent the action of this malware and the additional malware it attempts to install.

Users who don’t require JavaScript functionality should consider disabling it permanently. Most attacks against Adobe’s ubiquitous Reader software exploit flaws in its JavaScript functions. The majority of PDF files do not use this functionality. See Alarm raised over Adobe PDF zero-day vulnerability for details.
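Because most legitimate PDFs carry no JavaScript, a gateway or mail filter can hold for review any document that combines script with an automatic trigger. The following triage check is an added example (not Sophos code); it also handles the #xx name escaping that PDF syntax permits, which naive string matching misses. Both sample PDFs are constructed fragments, not real malware.

```python
"""Added example (not Sophos code): triage a PDF for the JavaScript and
auto-run hooks that Troj/PDFJs-GA style documents rely on. The two sample
PDFs are constructed fragments, not real malware."""
import re

# PDF name tokens may escape any character as #xx (e.g. /J#61vaScript),
# which defeats naive string matching; decode escapes before scanning.
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Names that let a document run script or act without a click.
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")


def normalize_names(data: bytes) -> bytes:
    """Replace #xx escapes with the byte they encode."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_script_indicators(data: bytes) -> dict:
    """Return {name: count} for every risky name present after de-escaping.
    A name ends at a PDF delimiter, so /JS is not counted inside a longer name."""
    norm = normalize_names(data)
    found = {}
    for name in RISKY_NAMES:
        hits = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", norm))
        if hits:
            found[name.decode()] = hits
    return found


def should_quarantine(data: bytes) -> bool:
    """Policy from the paragraph above: most legitimate PDFs carry no
    JavaScript, so script plus an automatic trigger is enough to hold the
    file for review rather than open it in an unpatched Reader."""
    ind = pdf_script_indicators(data)
    has_script = "/JavaScript" in ind or "/JS" in ind
    auto_trigger = "/OpenAction" in ind or "/AA" in ind
    return has_script and auto_trigger


# Constructed samples: a bare catalog, and a catalog whose OpenAction runs
# a JavaScript action with an escaped /JavaScript name.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
SUSPECT_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
               b"3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n%%EOF\n")
```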