Threat Spotlight

For the week of 22 Apr 2011
Threat 1

Malware hides in the Recycle Bin

Threat Name:

Mal/Palevo-A

Users at Risk:

Windows users

Also Known As:

  • AVP P2P-Worm.Win32.Palevo.bfem
  • McAfee W32/Rimecud.gen.e
  • Microsoft Win32/Rimecud.A
  • NOD32 Win32/Skintrim.BQ

Removal Instructions:

Please follow these instructions for removing generically detected files from your computer.

About:

This malware is part of the Palevo family of autorun worms, originally posted on our Threat Spotlight in December 2010. Many samples of this malware use random file names, such as:

rljlz.exe
nsvb.exe
rmhzb.exe

Some use a filename chosen to look like a system utility. For example:

ctfmon.exe
csrss.exe
gtk.exe
syscr.exe

Others use odd words or nouns, such as:

solos.exe
nissan.exe
buster.exe
stroking.exe
prezidente.exe

The files are typically installed to either the %DOCUMENTS%\Application Data\ or %RECYCLE BIN%\ folders.

Notably, when the worm is installed in the user's Recycle Bin as a regular file (i.e. without the special naming convention described in Microsoft's KB article http://support.microsoft.com/kb/136517/EN-US/), the file is hidden from view when the Recycle Bin is browsed in Windows Explorer (explorer.exe).

Palevo worms tend to set the following run value under the Winlogon key, which points to the file in the Application Data or Recycle Bin folder (as discussed above):

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
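The two persistence traits above (a file dropped into the Recycle Bin folder under a name that does not follow Windows' own convention, and the Winlogon Taskman value) can be checked on a host with a short script. The following PowerShell is an added example written for this page, not code from Sophos or from the Threat Spotlight; the Recycle Bin name patterns it treats as legitimate ($I/$R entries on Vista and later, Dc<n> plus INFO2 on the older RECYCLER layout) and the path keywords it treats as suspicious are this example's own assumptions.

```powershell
# Added example, not from the original article. Assumes Windows PowerShell 5.1
# or later, run from an elevated prompt so every user's Recycle Bin is readable.

function Get-SuspiciousRecycleBinFile {
    # Explorer only shows Recycle Bin entries that follow Windows' naming
    # convention, so a worm dropped there as an ordinary file never appears in
    # the Recycle Bin view. This lists files that do NOT match the convention.
    # Patterns are assumptions for the two layouts Windows has used:
    #   Vista and later : $Recycle.Bin\<SID>\$I<6 chars>.<ext> and $R<6 chars>.<ext>
    #   XP and earlier  : RECYCLER\<SID>\Dc<n>.<ext> plus an INFO2 index file
    # Only the root and the top level of each per-user folder are examined:
    # a deleted folder becomes a $R directory whose contents keep their
    # original names, so descending into it would produce false positives.
    $roots = foreach ($drive in Get-PSDrive -PSProvider FileSystem | Where-Object Root) {
        foreach ($name in '$Recycle.Bin', 'RECYCLER', 'RECYCLED') {
            Join-Path -Path $drive.Root -ChildPath $name
        }
    }
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $dirs = @($root) + @(Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
                             ForEach-Object FullName)
        foreach ($dir in $dirs) {
            Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
                Where-Object {
                    $_.Name -notmatch '^\$[IR][A-Za-z0-9]{6}(\..+)?$' -and
                    $_.Name -notmatch '^D[a-z]\d+(\..+)?$' -and
                    $_.Name -notin @('INFO2', 'desktop.ini')
                } |
                Select-Object FullName, Length, LastWriteTime
        }
    }
}

function Get-WinlogonTaskman {
    # Winlogon\Taskman is not set on a clean machine. Palevo points it at its
    # dropped file, so any value at all is notable; one under Application Data
    # or a Recycle Bin folder matches the behaviour described above.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $key -Name Taskman -ErrorAction SilentlyContinue
    if (-not $props) { return $null }
    $target = $props.Taskman -replace '^"|"$', ''    # strip surrounding quotes, if any
    [pscustomobject]@{
        Taskman    = $props.Taskman
        Suspicious = [bool]($target -match 'Application Data|\$Recycle\.Bin|RECYCLER|RECYCLED')
        FileExists = if ($target) { Test-Path -LiteralPath $target } else { $false }
    }
}

Get-SuspiciousRecycleBinFile | Format-Table -AutoSize
Get-WinlogonTaskman
```

Anything the first function lists deserves a hash lookup and a look at its timestamps; a non-empty result from the second is a finding on its own, since nothing legitimate normally populates Taskman. Both checks are read-only, so they are safe to run on a live system before deciding on cleanup.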

In addition to the detection provided for Mal/Palevo-A, the proactive HIPS technology in Sophos Endpoint Security can prevent the installation of Mal/Palevo-A using various rules, including HIPS/ProcInj-001.

Threat 2

Spoofed courier message hides Bredo malware

Threat Name:

Troj/Agent-RCO

Users at Risk:

Windows users

Also Known As:

  • Avira TR/Dldr.Chepvil.A
  • AVP Packed.Win32.Katusha.n
  • Microsoft TrojanDownloader:Win32/Chepvil.J
  • Symantec Trojan.FakeAV
  • Trend PAK_Generic.001

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

We've seen this Trojan spammed out with subject "Express Delivery system notification." Here's an example of the message body:

Dear customer

The parcel was sent your home adress
And it will arrive within 10 business days

More information and the tracking number are attached in document below.

Thank You

Of course, messages spoofed from couriers are nothing new. In fact, the Bredo family of malware is well-known for sending zipped executables—this attachment was not zipped, though.

Instead, the attached executable used a PDF icon to trick users into believing it was a PDF document. When we ran the executable, it downloaded the file "pusk.exe" from a .net domain; "pusk.exe" is in turn detected by our products as Mal/FakeAV-JR.
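The icon trick above works because Explorer shows the icon embedded in the file, not its actual type. A mail gateway or triage script should therefore classify attachments by their leading bytes rather than by icon or extension. The following PowerShell is an added example written for this page, not code from Sophos; the sample attachment files it creates are constructed, and the list of "document" extensions it checks for double-extension names is this example's own choice.

```powershell
# Added example, not from the original article. Assumes Windows PowerShell 5.1
# or later; the attachment files inspected below are constructed in a temp folder.

function Get-AttachmentVerdict {
    # Decide what a file really is from its leading bytes, then compare that
    # with what its name claims. The icon is a resource inside the file and
    # says nothing about content, so it is deliberately ignored.
    param([Parameter(Mandatory)][string]$Path)

    $head = New-Object byte[] 4
    $fs = [System.IO.File]::OpenRead($Path)
    try { $read = $fs.Read($head, 0, $head.Length) } finally { $fs.Dispose() }

    $content = 'unknown'
    if ($read -ge 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A) {            # "MZ": PE executable
        $content = 'pe-executable'
    } elseif ($read -ge 4 -and [System.Text.Encoding]::ASCII.GetString($head, 0, 4) -eq '%PDF') {
        $content = 'pdf'
    }

    $name = [System.IO.Path]::GetFileName($Path)
    $ext  = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    $executableExts = '.exe', '.scr', '.com', '.pif', '.dll'
    $doubleExt = $name -match '\.(pdf|doc|docx|xls|txt|jpg)\.[^.]+$'   # e.g. tracking.pdf.exe

    $verdict = 'allow'
    if ($content -eq 'pe-executable') {
        $verdict = 'block: executable attachment'
        if ($ext -notin $executableExts) { $verdict = 'block: executable disguised as ' + $ext }
        elseif ($doubleExt)              { $verdict = 'block: executable with document double extension' }
    }
    [pscustomobject]@{ Name = $name; Content = $content; Extension = $ext; Verdict = $verdict }
}

# Constructed samples: two fake PE files (MZ header only), a minimal PDF, a text file.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'attachment-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
[System.IO.File]::WriteAllBytes((Join-Path $dir 'tracking.pdf.exe'), [byte[]](0x4D, 0x5A, 0x90, 0x00))
[System.IO.File]::WriteAllBytes((Join-Path $dir 'readme.pdf'),       [byte[]](0x4D, 0x5A, 0x90, 0x00))  # PE renamed to .pdf
[System.IO.File]::WriteAllText((Join-Path $dir 'invoice.pdf'), "%PDF-1.4`n%%EOF`n")
[System.IO.File]::WriteAllText((Join-Path $dir 'notes.txt'),   "just text`n")

Get-ChildItem -LiteralPath $dir -File |
    ForEach-Object { Get-AttachmentVerdict -Path $_.FullName } |
    Format-Table -AutoSize
```

Run as written, the two MZ files are blocked (one as a plain executable attachment with a document double extension, one as an executable disguised as .pdf) and the real PDF and text file are allowed. Because Explorer hides known extensions by default, users see "tracking.pdf" with a PDF icon for a file actually named tracking.pdf.exe, which is why a content check at the gateway matters more than user training alone.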

Threat 3

Prolific scareware family drops even more malware

Threat Name:

Mal/FakeAV-JX

Users at Risk:

Windows users

Also Known As:

  • Avira TR/Kazy.17151
  • AVP Trojan-Spy.Win32.SpyEyes.fys
  • K7 Spyware ( 0022fd351 )
  • Microsoft Worm:Win32/Reclog.A
  • Symantec Trojan.Zbot
  • Trend Micro TSPY_SPYEYE.AM

About:

Mal/FakeAV-JX is a family of fake antivirus programs, also known as 'scareware,' and the Trojans that install them. As of April 2011, there are over 3,000 known members of this family and we continually find more.

Members of the Mal/FakeAV-JX family typically display some or all of the following behaviors:

  • Run automatically
  • Drop other malware into the root\msm\ or User\Application Data\<random name>\ folder
  • Access the internet and communicate with a remote server over HTTP
  • Add registry entries so that the malware runs automatically

This family also sets the following registry values (listed as key, then value name and data). All of these entries affect Internet Explorer's security and privacy settings:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4  1409 = 3
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3  1409 = 3
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2  1409 = 3
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1  1409 = 3
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0  1409 = 3
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings  ProxyHttp1.1 = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1  1406 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1  1609 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3  1406 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3  1609 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4  1406 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4  1609 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0  1609 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2  1609 = 0

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings  WarnOnIntranet = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings  WarnOnPostRedirect = 0
HKCU\Software\Microsoft\Internet Explorer\Recovery  ClearBrowsingHistoryOnExit = 0
HKCU\Software\Microsoft\Internet Explorer\PhishingFilter  EnabledV8 = 0
HKCU\Software\Microsoft\Internet Explorer\PhishingFilter  ShownServiceDownBalloon = 0
HKCU\Software\Microsoft\Internet Explorer\Privacy  CleanCookies = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1  1406 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3  1406 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4  1406 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings  WarnOnPost = 00 00 00 00 (binary)

These registry entries are created under:

HKCU\Software\Microsoft\\
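The registry values listed for this family are a usable host indicator: each one can be read back and compared with the data the malware writes. The following PowerShell is an added example written for this page, not code from Sophos; the "Meaning" annotations for the numbered URL-action values (1406 access data sources across domains, 1409 XSS filter, 1609 display mixed content) are this example's own and not part of the article, and the zone numbering in the comments is the standard Internet Explorer zone layout.

```powershell
# Added example, not from the original article. Assumes Windows PowerShell 5.1
# or later, run in the context of the user being checked (all keys are HKCU).
# The Meaning column is this example's own annotation of the URL-action codes.

function Get-FakeAVInternetSettingsDrift {
    $is = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ie = 'HKCU:\Software\Microsoft\Internet Explorer'

    # One entry per value the article lists: where it lives and the data the
    # malware writes. Zone numbers: 0 My Computer, 1 Local intranet, 2 Trusted
    # sites, 3 Internet, 4 Restricted sites.
    $checks = @(
        foreach ($z in 0..4) { [pscustomobject]@{ Key = "$is\Zones\$z"; Name = '1409'; Bad = '3'; Meaning = 'XSS filter disabled' } }
        foreach ($z in 0..4) { [pscustomobject]@{ Key = "$is\Zones\$z"; Name = '1609'; Bad = '0'; Meaning = 'Mixed content shown without prompt' } }
        foreach ($z in 1, 3, 4) {
            [pscustomobject]@{ Key = "$is\Zones\$z";          Name = '1406'; Bad = '0'; Meaning = 'Cross-domain data access allowed' }
            [pscustomobject]@{ Key = "$is\Lockdown_Zones\$z"; Name = '1406'; Bad = '0'; Meaning = 'Cross-domain data access allowed (lockdown zone)' }
        }
        [pscustomobject]@{ Key = $is; Name = 'ProxyHttp1.1';       Bad = '1';       Meaning = 'HTTP/1.1 through proxy' }
        [pscustomobject]@{ Key = $is; Name = 'WarnOnIntranet';     Bad = '0';       Meaning = 'Intranet zone warning off' }
        [pscustomobject]@{ Key = $is; Name = 'WarnOnPostRedirect'; Bad = '0';       Meaning = 'POST redirect warning off' }
        [pscustomobject]@{ Key = $is; Name = 'WarnOnPost';         Bad = '0 0 0 0'; Meaning = 'Form submission warning off (binary)' }
        [pscustomobject]@{ Key = "$ie\Recovery";       Name = 'ClearBrowsingHistoryOnExit'; Bad = '0'; Meaning = 'History kept on exit' }
        [pscustomobject]@{ Key = "$ie\PhishingFilter"; Name = 'EnabledV8';               Bad = '0'; Meaning = 'SmartScreen/phishing filter disabled' }
        [pscustomobject]@{ Key = "$ie\PhishingFilter"; Name = 'ShownServiceDownBalloon'; Bad = '0'; Meaning = 'Filter-unavailable notice suppressed' }
        [pscustomobject]@{ Key = "$ie\Privacy";        Name = 'CleanCookies';            Bad = '0'; Meaning = 'Cookie cleanup disabled' }
    )

    foreach ($c in $checks) {
        $props = Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue
        $prop  = if ($props) { $props.PSObject.Properties[$c.Name] } else { $null }
        # [string] on a byte[] joins the bytes with spaces, so REG_BINARY
        # 00 00 00 00 compares as '0 0 0 0'; an absent value never matches.
        $cur   = if ($prop) { [string]$prop.Value } else { '<absent>' }
        [pscustomobject]@{
            Key     = $c.Key -replace '^HKCU:', 'HKCU'
            Name    = $c.Name
            Current = $cur
            Matches = ($cur -eq $c.Bad)
            Meaning = $c.Meaning
        }
    }
}

$drift = Get-FakeAVInternetSettingsDrift
$drift | Where-Object Matches | Format-Table Key, Name, Current, Meaning -AutoSize
'{0} of {1} listed values match the Mal/FakeAV-JX pattern' -f @($drift | Where-Object Matches).Count, $drift.Count
```

Treat the match count as a score to compare against a known-clean baseline rather than as a verdict: a few of these values are also Internet Explorer's stock settings in some zones (for example the XSS filter, value 1409, is only enabled by default in the Internet and Restricted zones, and ProxyHttp1.1 = 1 is the default), so a clean machine will show a small number of matches, while a machine this family has touched matches most or all of them. The script is read-only; after cleanup, resetting Internet Explorer's settings restores the defaults in one step.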