About:
We are seeing the threat Troj/Bredo-GZ being spread inside a zip file attached to the messages of a spam campaign. This Trojan arrives in an email message with the following subject:
Successfull Order 879155
The message body is a variation of the following text:
Thank you for ordering from Bobijou Inc.
This message is to inform you that your order has been received and is currently being processed.
Your order reference is 880899.
You will need this in all correspondence.
This receipt is NOT proof of purchase.
We will send a printed invoice by mail to your billing address.
You have chosen to pay by credit card.
Your card will be charged for the amount of 042.00 USD and “Bobijou Inc.” will appear next to the charge on your statement.
You will receive a separate email confirming your order has been despatched.
Your purchase and delivery information appears below in attached file.
Thanks again for shopping at Bobijou Inc.
The zip file contains the malicious Troj/Bredo-GZ executable. To make the attachment look more believable, the executable's icon is a close copy of the Adobe PDF Reader application icon, so a casual glance suggests a PDF receipt rather than a program.
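As an added illustration of how a mail gateway or triage script can catch this kind of lure without relying on the icon or the file name (this is example code written for this post, not Sophos code), the Python below checks two things: whether the subject matches the "Successfull Order NNNNNN" pattern quoted above, and whether any member of the zip attachment is a Windows executable, identified by its "MZ" header rather than its extension. The sample zip, its member names and the regular expression are constructed for the example; the real campaign's file names are not given in the post.

```python
import io
import re
import zipfile

# Assumed pattern derived from the one subject quoted in the post
# ("Successfull Order 879155"); the order number varies, so it is matched generically.
CAMPAIGN_SUBJECT = re.compile(r"^Successfull Order \d+$", re.IGNORECASE)

# Magic bytes of a Windows PE executable and of a PDF document.
PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF"
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def is_campaign_subject(subject: str) -> bool:
    """True when the subject line matches the lure pattern."""
    return CAMPAIGN_SUBJECT.match(subject.strip()) is not None


def suspicious_members(zip_bytes: bytes) -> list:
    """Return (name, reason) for zip members that are executables.

    A member is flagged when its content starts with the PE 'MZ' header
    (whatever its extension or icon) or when its name carries a Windows
    executable extension. The icon lives inside the PE, so it is never
    consulted here; the header check defeats the PDF-lookalike trick.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(4)
            if head.startswith(PE_MAGIC):
                findings.append((info.filename, "PE header"))
            elif info.filename.lower().endswith(EXECUTABLE_EXTENSIONS):
                findings.append((info.filename, "executable extension"))
    return findings


def triage(subject: str, zip_bytes: bytes) -> dict:
    """Combine the subject check and the attachment inspection into one verdict."""
    executables = suspicious_members(zip_bytes)
    lure = is_campaign_subject(subject)
    return {
        "lure_subject": lure,
        "executables": executables,
        "block": lure or bool(executables),
    }


def build_sample_zip() -> bytes:
    """Constructed sample attachment: a fake PE with a PDF-looking name, plus a real PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed stand-in for the Trojan: just an 'MZ' stub, enough for the magic check.
        zf.writestr("Order_879155.pdf.exe", PE_MAGIC + b"\x90\x00" + b"\x00" * 60)
        zf.writestr("Invoice.pdf", PDF_MAGIC + b"-1.4\n% constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage("Successfull Order 879155", build_sample_zip()))
```

Running the block prints a verdict with block set to True, the lure subject recognised and the fake executable listed with the reason "PE header" while the genuine PDF passes. Because the check reads only the first bytes of each member, it is cheap enough to run on every inbound attachment.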
Troj/Bredo-GZ is a downloader for fake antivirus malware. If downloaded, unzipped and run, Troj/Bredo-GZ injects code into a running svchost.exe process and then attempts to download from the following locations:
hxxp://kkojjors.net/f/g.php
hxxp://variantov.com/pusk.exe
(These websites are live at the time of writing.)
The downloaded malicious file is saved to the following location:
C:\Documents and Settings\<username>\Local Settings\Temp\pusk.exe
At the time of writing, Sophos detected this threat as Mal/FakeAV-JR.
In addition to the detection provided for Troj/Bredo-GZ, the proactive HIPS technology in Sophos Endpoint Security can prevent the installation of Troj/Bredo-GZ using various rules, including:
HIPS/ProcMod-004
HIPS/ProcMod-007