For the week of 19 May 2011
Threat 1
Malicious photo attachment hijacks browser sessions
Threat Name:
Troj/Agent-RMI
Users at Risk:
Windows users
Also Known As:
Avira TR/Crypt.XPACK.Gen3
Kaspersky Trojan-Dropper.Win32.TDSS.amfl
McAfee Artemis trojan
Symantec Trojan Horse
Microsoft TrojanDownloader:Win32/Ufraie.A
About:
This threat is spammed out in messages that claim to have naked pictures in the attachment. A typical message reads like this:
hi sweetie...
sending you my naked picture i made today, hope you like it :) c ya tommorow
kisses..
The attachment, called pictures.zip, contains a single executable named pictures.exe. When run, it attempts to disable the firewall, contact a remote server and then hijack web browser sessions. (Both pictures.zip and pictures.exe are detected by Sophos products as Troj/Agent-RMI.)
When first run, this Trojan attempts to download additional executables. It will also attempt to contact:
Hxxp:// kxrstsmd DOT ku3 DOT in
In addition to the detection provided for Troj/Agent-RMI, the proactive HIPS technology in Sophos Endpoint Security can prevent the installation of Troj/Agent-RMI using various rules, including:
HIPS/IPConnect-001
HIPS/FileWriteMod-002
HPsus/Hijack-D
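The lure above relies on a ZIP attachment wrapping a single Windows executable. The following is an added example of a mail-gateway check for exactly that pattern; it is not Sophos code. It parses a raw RFC 822 message, identifies ZIP attachments by their magic bytes rather than by the declared filename, and lists any archive members with executable extensions. The sample message and the archive member named pictures.exe are constructed fixtures containing only placeholder text.

```python
"""Added example (not Sophos code): flag mail attachments that are ZIP archives
wrapping a Windows executable, the pattern used by the Troj/Agent-RMI lure."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute directly; extend to taste for your gateway.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def build_sample_message() -> bytes:
    """Constructed test fixture: a lure-style mail with a harmless ZIP attachment.
    The member is named pictures.exe but holds placeholder bytes, not a program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("pictures.exe", b"placeholder, not an executable")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # placeholder address
    msg["To"] = "recipient@example.invalid"     # placeholder address
    msg["Subject"] = "my picture"
    msg.set_content("hi sweetie...\nsending you my naked picture i made today\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="pictures.zip")
    return msg.as_bytes()


def executables_in_zip(data: bytes) -> list[str]:
    """Return member names with executable extensions; [] if data is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return []


def suspicious_attachments(raw: bytes) -> list[tuple[str, list[str]]]:
    """Walk a raw message and return (attachment name, executable members)
    for every ZIP attachment that contains at least one executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Trust the content, not the declared filename or MIME type:
        # a ZIP with at least one member starts with a local file header.
        if not payload.startswith(b"PK\x03\x04"):
            continue
        members = executables_in_zip(payload)
        if members:
            findings.append((name, members))
    return findings


if __name__ == "__main__":
    for name, members in suspicious_attachments(build_sample_message()):
        print(f"{name}: executable members {members}")
```

Checking the magic bytes matters because the attachment's declared name and Content-Type are attacker-controlled; the archive listing, by contrast, is what the mail client would actually hand to the user.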
Threat 2
Fake reply to pharma spam
About:
We've been catching a new meds/pill campaign in our Sophos Labs spam traps. The spam subject lines look like a reply to a pills/meds email:
Re: Pfizer pills dealer
Re: eShop with native Pharmaceuticals
Re: Buy discount medications
Re: Licensed authentic drugs
This campaign is interesting for a number of reasons. Firstly, the spam messages lack all but the most basic MIME headers; they do not even carry a Content-Type header. Secondly, the sender IPs are random bot/compromised hosts scattered across the net, which defeats blocking by IP range.
Still, it's always fun to look for inconsistencies in the minimal MIME headers we can examine. These are some sample "from" headers:
Curtis Duke <Sanford.Holland@[removed]>
Kurt Marsh <Josiah.Knapp@[removed]>
Kenya Peck <Gertrude.Neal@[removed]>
The message body uses a few different Freeweb domains to make it difficult for analysts to block the spammed-out links. Below are a few sample message bodies:
Every next love bed is better than earlier with our capsules.
http://[removed]
Good afternoon
Newest pharm discovery for making men more in bed are sold here online!
http://[removed]
Want your love makings to be brighter? Our pilules add strength!
http://[removed]
We at Sophos always wish you continued health, but if you do need to buy pills we suggest you look outside your spam folder.
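The two properties described above, a "Re:" subject on a message that was never a reply and a header set too thin to include Content-Type, are both cheap to test at the gateway. The following is an added example of such a check, not Sophos code. The page only mentions the missing Content-Type header; the additional checks for MIME-Version, Message-ID and reply-threading headers (In-Reply-To, References) are this example's own generalization of the same idea. Both sample messages are constructed, with placeholder addresses and URLs.

```python
"""Added example (not Sophos code): flag raw messages that claim to be replies
but carry none of the headers a real reply would, and whose header set is so
minimal that Content-Type (and other MUA-generated headers) are absent."""
import email
from email import policy

# Constructed sample in the style of the campaign: 'Re:' subject, almost no
# headers, no threading headers. Addresses and URL are placeholders.
FAKE_REPLY = b"""From: Curtis Duke <Sanford.Holland@example.invalid>
To: user@example.invalid
Subject: Re: Buy discount medications
Date: Thu, 19 May 2011 10:00:00 +0000

Want your love makings to be brighter? Our pilules add strength!
http://example.invalid/
"""

# Constructed sample of a genuine reply from a normal mail client.
GENUINE_REPLY = b"""From: alice@example.invalid
To: bob@example.invalid
Subject: Re: lunch tomorrow?
Date: Thu, 19 May 2011 10:05:00 +0000
Message-ID: <2@example.invalid>
In-Reply-To: <1@example.invalid>
References: <1@example.invalid>
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0

Sounds good.
"""


def fake_reply_indicators(raw: bytes) -> list[str]:
    """Return the names of the indicators a message trips; [] means none."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip()
    looks_like_reply = subject.lower().startswith(("re:", "fwd:", "fw:"))
    # A real reply references the message it answers; this campaign's do not.
    if looks_like_reply and not (msg["In-Reply-To"] or msg["References"]):
        hits.append("reply-subject-without-threading-headers")
    # Ordinary mail clients always emit these; the campaign omits them.
    if msg["Content-Type"] is None:
        hits.append("missing-content-type")
    if msg["MIME-Version"] is None:
        hits.append("missing-mime-version")
    if msg["Message-ID"] is None:
        hits.append("missing-message-id")
    return hits


def is_probable_fake_reply(raw: bytes, threshold: int = 2) -> bool:
    """Treat a message as a probable fake reply when it trips at least
    `threshold` indicators; the threshold is a tunable assumption."""
    return len(fake_reply_indicators(raw)) >= threshold


if __name__ == "__main__":
    for label, sample in (("fake", FAKE_REPLY), ("genuine", GENUINE_REPLY)):
        print(label, fake_reply_indicators(sample))
```

None of these indicators is conclusive on its own (some mailing-list software drops threading headers, for instance), which is why the example counts them and applies a threshold rather than rejecting on a single miss.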
Threat 3
Zbot Trojan steals address book information
Threat Name:
Troj/Zbot-APY
Users at Risk:
Windows users
Also Known As:
VIPRE FraudTool.Win32.AVSoft
About:
Troj/Zbot-APY belongs to the family of Zbot Trojans.
Once it is installed, this Trojan attempts to disable the removal of automatic cookie cleanup and attempts to harvest information from the Windows Address Book.
In addition, this specific Trojan can
- Run automatically
- Create batch scripts
- Steal confidential information
- Access the internet and communicate with a remote server via HTTP
Troj/Zbot-APY communicates via HTTP with the following locations:
google . com
ionicfood . ru
When Troj/Zbot-APY is installed, it copies itself to <User>\Application Data\<random name>\<name>.exe.
The following registry entry is created to run the Trojan on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
{EAB70ED9-8221-5696-81BE-3D6E45787785}
<User>\Application Data\<random name>\<name>.exe
Troj/Zbot-APY modifies the following registry entry, which affects internet security:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
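The persistence entry described above has a recognisable shape: a GUID-formatted value name under HKCU\...\Run whose data points at an executable in a randomly named folder under the user's Application Data directory. The following is an added example of a triage check for that shape; it is not Sophos code. The GUID-named sample value reuses the value name quoted in this report; the second GUID, the user and folder names, and the AppData\Roaming variant (the Vista-and-later equivalent of Application Data) are this example's own assumptions. The constructed list stands in for what winreg enumeration of the real key would return.

```python
"""Added example (not Sophos code): examine HKCU Run-key values for the
persistence pattern above: a GUID-shaped value name whose data points at an
.exe under <User>\\Application Data\\<random name>\\ (or AppData\\Roaming\\)."""
import re
from typing import NamedTuple

# {8-4-4-4-12} hex groups in braces, exactly as the report's value name is formed.
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# 'Application Data' is the XP-era profile path; AppData\Roaming is assumed as
# the newer equivalent. One subfolder, then the executable itself.
APPDATA_EXE = re.compile(
    r"(\\Application Data\\|\\AppData\\Roaming\\)[^\\]+\\[^\\]+\.exe$",
    re.IGNORECASE,
)


class RunValue(NamedTuple):
    name: str   # registry value name
    data: str   # registry value data (the command to run)


def is_zbot_style_persistence(value: RunValue) -> bool:
    """True when both halves of the pattern match: GUID name and AppData path."""
    command = value.data.strip().strip('"')
    return bool(GUID_NAME.match(value.name)) and bool(APPDATA_EXE.search(command))


def triage_run_values(values: list[RunValue]) -> list[RunValue]:
    """Return only the Run-key values that match the pattern."""
    return [v for v in values if is_zbot_style_persistence(v)]


# Constructed sample: one ordinary autorun entry and two entries in the shape
# the report describes. User and folder names are made up.
SAMPLE_RUN_VALUES = [
    RunValue("OneDrive",
             r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RunValue("{EAB70ED9-8221-5696-81BE-3D6E45787785}",
             r"C:\Documents and Settings\alice\Application Data\ydoqif\ynaf.exe"),
    RunValue("{1A2B3C4D-0000-1111-2222-333344445555}",
             r"C:\Users\alice\AppData\Roaming\Xqwe\kdpl.exe"),
]


def live_run_values() -> list[RunValue]:
    """On Windows, read the real HKCU Run key with the stdlib winreg module.
    On other platforms winreg is unavailable and an empty list is returned."""
    try:
        import winreg
    except ImportError:
        return []
    out = []
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:      # raised once the values are exhausted
                break
            out.append(RunValue(name, str(data)))
            index += 1
    return out


if __name__ == "__main__":
    for hit in triage_run_values(SAMPLE_RUN_VALUES + live_run_values()):
        print(f"suspicious Run value {hit.name} -> {hit.data}")
```

A positive hit is a lead for the analyst, not a verdict: the next step is to hash the referenced file and check it against vendor detections such as Troj/Zbot-APY, and to look for the accompanying change to the Internet Settings\Zones key noted above.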