Threat Spotlight

For the week of 16 Jun 2011
Threat 1

Spam spreading fake antivirus spoofs UPS

Threat Name:

Mal/FakeAV-LI

Users at Risk:

Windows users

Also Known As:

Avira TR/Dldr.Agent.heq
AVP Trojan-Downloader.Win32.FraudLoad.zeda
K7 Trojan-Downloader ( 647835610 )
McAfee Generic Downloader.x!fus trojan
Microsoft TrojanDownloader:Win32/Chepvil.K
Symantec Trojan.FakeAV
Trend TROJ_CHEPVIL.AE

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

Mal/FakeAV-LI is a Trojan mainly spread in spam messages that spoof parcel delivery notices from UPS.

This malware typically uses innocuous-looking icons such as the PDF icon, which is a warning sign on an .exe file. The main executable spawns svchost.exe and injects code into it; the injected code then downloads and executes the fake antivirus or other fake software.

The Trojan downloads from multiple malicious domains, such as the following examples:

request: http://puskovayaustanovka.ru/pusk DOT exe
request: http://109.94.220.52/spm DOT exe
request: http://109.94.220.52/lol2 DOT exe
request: http://109.94.220.52/pod DOT exe
request: http://kkojjors.net/f/g DOT php
request: http://kkojjors.net/f/g DOT php

We have blocked these URLs as malware repositories, although they were already down at the time of writing.

Downloaded files are dropped here:

C:\Documents and Settings\[user]\Local Settings\Temp

The downloaded files may also be detected as Troj/FakeAV-DRB.

The fake antivirus also appears as fake hard-drive-failure malware, which weakens the system's defences by modifying multiple registry keys, such as:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr
HKCU\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures

The malware persists through a Run key entry (key, value name and target path):

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
YWjcrFuitUsqdav
C:\Documents and Settings\All Users\Application Data\YWjcrFuitUsqdav.exe

The hard-drive-failure variants pop up multiple alarming windows listing the "problems" your disk supposedly has, then ask you to purchase the software to fix your "broken" disk.

HIPS

Main executable blocked via HIPS:
detection: "HIPS/ProcMod-004"
detection: "HIPS/ProcMod-007"

Downloaded/executed files blocked via HIPS:
detection: "HIPS/RegMod-009"

Threat 2

YouTube spam links to phishing websites

About:

A new spam campaign is exploiting the popularity of video sharing with messages advising users that "YouTube has sent you a notification."

Average computer users may be tempted to click on what they think could be an interesting or hilarious video clip. Clicking the enclosed link, which is presented without the traditional "Click Here to See" wording, leads users to unsafe websites.

Under the hood, the link goes nowhere near YouTube or Twitter. Whoever clicks on the spam links ends up at a phishing site trying to steal bank passwords, a site selling fake iPhones for a fraction of the usual price, or a Trojan-infected site.

As the Internet brings the whole world closer together, this social engineering technique is found everywhere, from North America to Europe, Asia and South America. Spammers deliver "YouTube"-templated messages to as many mailboxes as they did with the old-fashioned "Click here" spam. It's a new look for an old technique.

Threat 3

Spam delivers malware, not a package

Threat Name:

Troj/Agent-RZP

Users at Risk:

Windows users

Also Known As:

AVP Trojan-Spy.Win32.Zbot.bqtf
Microsoft PWS:Win32/Zbot

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

Spammers are spreading a Trojan for the Windows platform in campaigns using various UPS shipment lures. Troj/Agent-RZP infects users who click on a link spoofing a UPS shipping invoice.

Subject: Your package has arrived!

Content: Dear client
Your package has arrived.
The tracking # is : 8EC11BAFF7CB6C0C and can be used at : The shipping invoice can be downloaded from : Thank you, United Parcel Service

In this case, the URLs link to a file which Sophos detects as Troj/Agent-RZP.

Troj/Agent-RZP includes functionality to access the internet and communicate over HTTP with a remote server at the following location:

xdnsrv DOT com

Whenever you receive an email containing links like these, look closely at them before clicking.
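As an added example that is not part of the original Threat Spotlight, the following Python refangs the " DOT "-defanged indicators listed under Threat 1 and Threat 3 above and checks them against a proxy access log. The log lines are constructed, and treating subdomains of the C2 domain as hits is an assumption of this script, not a claim from the advisory.

```python
import re
from urllib.parse import urlsplit
# Defanged indicators as printed in the advisory above (" DOT " stands in for ".").
DEFANGED = [
    "http://puskovayaustanovka.ru/pusk DOT exe",
    "http://109.94.220.52/spm DOT exe",
    "http://109.94.220.52/lol2 DOT exe",
    "http://109.94.220.52/pod DOT exe",
    "http://kkojjors.net/f/g DOT php",
    "xdnsrv DOT com",
]

# Constructed Squid-style access log: timestamp, client, status, bytes, method, URL.
SAMPLE_LOG = """\
1308220801.123 10.0.0.5 TCP_MISS/200 51234 GET http://109.94.220.52/spm.exe
1308220802.456 10.0.0.5 TCP_MISS/200 812 GET http://www.example.com/index.html
1308220803.789 10.0.0.9 TCP_MISS/200 221 GET http://kkojjors.net/f/g.php?id=1
1308220804.012 10.0.0.9 TCP_MISS/404 0 GET http://update.xdnsrv.com/ping
"""

def refang(indicator):
    """Turn ' DOT ' back into '.' so the value can be compared with real log data."""
    return re.sub(r"\s*\bDOT\b\s*", ".", indicator.strip())

def split_indicator(indicator):
    """Return (host, path) for a URL indicator, or (host, None) for a bare domain."""
    value = refang(indicator)
    if "://" not in value:
        return value.lower(), None
    parts = urlsplit(value)
    return (parts.hostname or "").lower(), parts.path

def scan(log_text, indicators=DEFANGED):
    """Return (line_no, client, url, reason) for each log line that hits an indicator."""
    index = [split_indicator(i) for i in indicators]
    hosts = {h for h, p in index if p is None}          # host-only indicators (C2 domain)
    urls = {(h, p) for h, p in index if p is not None}  # full download URLs
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 6:
            continue  # skip malformed lines rather than crash on them
        client, url = fields[1], fields[5]
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if (host, parts.path) in urls:          # exact download URL (query string ignored)
            hits.append((n, client, url, "url"))
        elif any(host == h or host.endswith("." + h) for h in hosts):
            hits.append((n, client, url, "host"))  # C2 domain or one of its subdomains (assumed)
    return hits
```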