Threat Spotlight

For the week of 14 Mar 2011
Threat 1

Fake FedEx notification spams malware

Threat Name:

Troj/Bredo-FN

Users at Risk:

Windows users

Also Known As:

  • AVP Trojan-Downloader.Win32.Injecter.fnx
  • F-Prot W32/Trojan3.CLN
  • Microsoft Backdoor:Win32/Hostil.F
  • Symantec Backdoor.Cycbot

Further Reading:

http://nakedsecurity.sophos.com/2011/03/16/fedex-notification-malware-attack-spammed-out/

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

We're seeing yet another member of the Bredo family spammed out as a FedEx notification. This Trojan, Troj/Bredo-FN, is spammed out in emails with the subject line "Fedex Notification [random number]" and is attached to the email as document.zip. When installed, Troj/Bredo-FN also tries to download Mal/FakeAV-IS.

When the user clicks on the attachment, the file "Document.exe", also detected as Troj/Bredo-FN, executes. The Trojan then tries to download the following files:

pod.exe, detected as Mal/FakeAV-IS
lol2.exe, file unavailable at the time of writing

Once installed, this Trojan creates registry entries under:

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Troj/Bredo-FN attempts to contact the following remote sites:

zonetf DOT com
japanesegreenteaonline DOT com
onlinedatingsecretfriends DOT com
freecdvideo DOT com
onemouseklick DOT com
nationsautoelectric DOT com

This Trojan has a custom packer to help it delay and evade antivirus detections.

In addition to the detection provided for Troj/Bredo-FN, the proactive HIPS technology in Sophos Endpoint Security can prevent the installation of Troj/Bredo-FN using various rules, including HIPS/ProcMod-004 and HPsus/BadGuy-A.

Threat 2

Polymorphic file infector can steal credentials

Threat Name:

W32/Expiro-H

Users at Risk:

Windows users

Also Known As:

  • Microsoft Virus:Win32/Expiro.gen!E
  • Symantec W32.Xpiro.D
  • Trend Micro PE_EXPIRO.JCM

Removal Instructions:

Please follow the instructions for removing worms.

About:

W32/Expiro-H is a file infector for the Windows platform. Expiro is a family of polymorphic file infectors, meaning that the viral code inserted into each infected file is unique, while still maintaining the same malicious functionality.

The viral payload can inject malicious code into web pages visited as well as steal login credentials.

As W32/Expiro-H is a file infector, any filename is fair game. The W32/Expiro-H infection routine also contains code to handle files protected by System File Checker (SFC).

The W32/Expiro-H code also appears to use files named as below in the APPDATA directory as small data files—in other words, they are not DLLs, though they have a .dll extension—where each [0-9] represents a single digit between 0 and 9:

'kf[0-9][0-9]z32.dll'
'dfl[0-9][0-9]z32.dll'
'wsr[0-9][0-9]zt32.dll'

Notably, W32/Expiro-H does not create any registry keys. Instead, to achieve persistence, the infection routine ensures that it initially infects at least one executable file that already has an existing Run key entry pointing to it.

If W32/Expiro-H attempts to infect Sophos Anti-Virus core files, this will trigger the rule HIPS/FileWriteMod-003.
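As an added defender-side example (not part of the original Spotlight), the following Python check scans a directory for files matching the three naming patterns listed above and reports whether each one carries the "MZ" DOS header that a genuine DLL would have. The directory contents are constructed in a temporary folder; the pattern list and the "MZ" check are assumptions drawn from the description, not a Sophos signature.

```python
import os
import re
import tempfile

# Filename patterns listed for the W32/Expiro-H data files in APPDATA
# ([0-9] in the Spotlight becomes a two-digit group here).
EXPIRO_DATA_PATTERNS = [
    re.compile(r"^kf[0-9]{2}z32\.dll$", re.IGNORECASE),
    re.compile(r"^dfl[0-9]{2}z32\.dll$", re.IGNORECASE),
    re.compile(r"^wsr[0-9]{2}zt32\.dll$", re.IGNORECASE),
]


def is_pe_file(path):
    """True if the file starts with the 'MZ' DOS header every real DLL carries."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def find_expiro_data_files(appdata_dir):
    """Map each filename matching an Expiro pattern to whether it is a PE file.

    A match that is NOT a PE file fits the Spotlight's description of a
    small data file masquerading as a DLL and deserves a closer look.
    """
    hits = {}
    for name in os.listdir(appdata_dir):
        path = os.path.join(appdata_dir, name)
        if os.path.isfile(path) and any(p.match(name) for p in EXPIRO_DATA_PATTERNS):
            hits[name] = is_pe_file(path)
    return hits


def build_sample_appdata():
    """Constructed sample directory (no real malware): two fake data files,
    one real-looking DLL, and one decoy whose name does not match the pattern."""
    d = tempfile.mkdtemp()
    samples = {
        "kf47z32.dll": b"\x00" * 64,          # non-PE data blob -> suspect
        "wsr03zt32.dll": b"\x01\x02\x03",     # non-PE data blob -> suspect
        "kf11z32.dll": b"MZ" + b"\x00" * 62,  # has MZ header -> looks like a DLL
        "kfXXz32.dll": b"\x00",               # letters, not digits -> no match
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    for name, is_pe in sorted(find_expiro_data_files(build_sample_appdata()).items()):
        print(f"{name}: {'PE file' if is_pe else 'NOT a PE file - suspect data file'}")
```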

Threat 3

Trojan downloads more files to Temp folder

Threat Name:

Troj/FakeAV-CYW

Users at Risk:

Windows users

Also Known As:

  • AVP Trojan.Win32.Sasfis.bfqi
  • Microsoft Backdoor:Win32/Hostil.F

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

When run, this Trojan will trigger the Sophos detection rule HIPS/ProcMod-004 and attempt to download files from the following targets:

http://91.217.162.24/pod.exe
http://91.217.162.24/spm.exe
http://91.217.162.24/lol2.exe

The downloaded files will be saved in the <Temp> folder with the following filenames:

<Temp>\pod.exe
<Temp>\spm.exe
<Temp>\lol2.exe

The files downloaded are not available at this time.