Threat Spotlight

For the week of 21 Jul 2011
Threat 1

Malware attack latches onto Bastille Day

Threat Name:

Troj/Mdrop-DPB

Users at Risk:

Windows users

Also Known As:

AVP Trojan-Dropper.Win32.Agent.fjxr

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

Troj/Mdrop-DPB is a Trojan for the Windows platform.

We've spotted Troj/Mdrop-DPB in spam targeting French users, in an attempt to exploit people's interest in celebrations for the Bastille Day holiday.

Unsuspecting users who open the attachment, which purports to be a list of Bastille Day activities, download a file called short-BASTIL_1.SCR.

Troj/Mdrop-DPB drops the file WindowsUpdate.exe into the <Application Data>\Microsoft folder. This file is detected as Troj/Agent-SNH.

If installation is successful, Troj/Agent-SNH will attempt to contact the following remote server:

info . kembletech . com

In addition to the detection provided for Troj/Mdrop-DPB and Troj/Agent-SNH, the proactive HIPS technology in Sophos Endpoint Security can prevent the installation of these Trojans using various rules, including:

HIPS/FileMod-004
HIPS/FileMod-006
HIPS/ProcMod-005

Threat 2

Driveby scareware threatens users

Threat Name:

Troj/FakeAV-EFI

Users at Risk:

Windows users

Also Known As:

Avira TR/FraudPack.cviw
AVP Trojan.Win32.FraudPack.cviw
K7 Trojan ( 002849881 )
Trend TROJ_JORIK.SMX

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

Troj/FakeAV-EFI is a partial file-based detection for a family of fake antivirus Trojans targeting Windows users.

Troj/FakeAV-EFI is mainly distributed via "driveby downloads," often from websites seeded by cybercriminals into web or image searches using Blackhat SEO poisoning of trending or popular keywords.

When run, Troj/FakeAV-EFI drops a zipped file which uncompresses to %PROFILE%\Local Settings\Temp\tmp<random upper case characters and numbers>.tmp.

This file is then executed and attempts to download more data to complete the installation of the FakeAV itself.

Troj/FakeAV-EFI may attempt to contact the following remote locations:

findlate(dot)org
clickgrandrapids(dot)org
clickconcord(dot)org
clickmesa(dot)org

We detect another variant of this family as Mal/EncPk-ZC.

Threat 3

Package delivery is not a gift you want

Threat Name:

Troj/Agent-SNZ

Users at Risk:

Windows users

Also Known As:

a-squared Trojan-Spy.Agent!IK
AntiVir TR/Dldr.FakeAV.CJ

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

Troj/Agent-SNZ is a Trojan for the Windows platform.

Troj/Agent-SNZ is commonly found as an attachment in spam. The spam message typically carries the subject "Your package is available to receive," with an attachment named "Postal_document#<random number>.zip".

The attachment is detected as Mal/BredoZp-B, and when unzipped the extracted file is detected as Troj/Agent-SNZ.

When run, the Trojan copies itself to <System32>\svchost.exe and <StartMenu>\Programs\Startup\dxdiag.exe.

The Trojan attempts to contact forsalga102.ru and download files from the site.

At the time of analysis, the files that it attempts to download are not available, but similar attacks attempt to download a fake antivirus Trojan.
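The three entries above each name a dropped-file location and one or more remote hosts the Trojan contacts. The script below is an added example (not Sophos code) showing how a defender would turn those published indicators into a log sweep: it refangs the spaced and "(dot)" hostnames into plain domains, matches logged hosts exactly or as subdomains (so a lookalike such as notfindlate.org does not fire), and matches the dropped-file paths on their tail so the per-user profile prefix does not matter. The log format, client addresses and every log line are constructed for the example; only the domains, file names and detection names come from the advisory.

```python
import re
from urllib.parse import urlsplit
from typing import Dict, List, Tuple

# Remote locations from the advisory, kept in their defanged form and mapped
# to the detection name the advisory ties them to.
DEFANGED_C2 = {
    "info . kembletech . com": "Troj/Agent-SNH (dropped by Troj/Mdrop-DPB)",
    "findlate(dot)org": "Troj/FakeAV-EFI",
    "clickgrandrapids(dot)org": "Troj/FakeAV-EFI",
    "clickconcord(dot)org": "Troj/FakeAV-EFI",
    "clickmesa(dot)org": "Troj/FakeAV-EFI",
    "forsalga102.ru": "Troj/Agent-SNZ",
}


def refang(indicator: str) -> str:
    """Turn a defanged hostname ("a . b . c", "a(dot)b", "a[.]b") back into a
    plain lowercase hostname so it can be compared with logged hosts."""
    host = indicator.strip().lower().lstrip("/")
    host = re.sub(r"\s*\(dot\)\s*|\s*\[\.\]\s*|\s*\.\s*", ".", host)
    return host.strip(".")


C2_DOMAINS: Dict[str, str] = {refang(k): v for k, v in DEFANGED_C2.items()}

# Dropped-file paths named in the advisory. <Application Data> is matched in
# both its XP and Vista+ spellings; <StartMenu>\Programs\Startup is matched on
# its tail so the user-profile prefix does not matter. <System32>\svchost.exe
# is deliberately not listed: that path is also the legitimate service host.
FILE_INDICATORS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\\(Application Data|AppData\\Roaming)\\Microsoft\\WindowsUpdate\.exe$", re.I),
     "Troj/Agent-SNH (dropped by Troj/Mdrop-DPB)"),
    (re.compile(r"\\Programs\\Startup\\dxdiag\.exe$", re.I),
     "Troj/Agent-SNZ persistence copy"),
]


def host_matches(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain of it, never for a
    lookalike that merely ends with the same characters."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


# Constructed log format (assumption, not a real product format):
#   <timestamp> <client-ip> GET <url>
#   <timestamp> <client-ip> FILE_CREATE <path>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<kind>GET|FILE_CREATE)\s+(?P<arg>.+)$")

SAMPLE_LOG = [  # constructed sample lines, not captured traffic
    "2011-07-21T09:12:03 10.0.0.15 GET http://www.example.com/index.html",
    "2011-07-21T09:14:27 10.0.0.15 GET http://info.kembletech.com/",
    "2011-07-21T09:15:10 10.0.0.22 GET http://clickmesa.org/",
    r"2011-07-21T09:16:44 10.0.0.22 FILE_CREATE C:\Documents and Settings\alice\Application Data\Microsoft\WindowsUpdate.exe",
    r"2011-07-21T09:18:02 10.0.0.31 FILE_CREATE C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dxdiag.exe",
    "2011-07-21T09:19:55 10.0.0.31 GET http://forsalga102.ru/get.php",
    "2011-07-21T09:20:30 10.0.0.40 GET http://notfindlate.org/",    # lookalike, must not match
    "2011-07-21T09:21:00 10.0.0.40 GET http://www.findlate.org/",   # subdomain, should match
]


def scan_lines(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per line that touches a listed host or dropped-file path."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, kind, arg = m.group("ts", "client", "kind", "arg")
        if kind == "GET":
            host = urlsplit(arg).hostname
            if not host:
                continue
            for domain, threat in C2_DOMAINS.items():
                if host_matches(host, domain):
                    hits.append({"time": ts, "client": client, "indicator": domain,
                                 "observed": host, "threat": threat})
        else:
            for pattern, threat in FILE_INDICATORS:
                if pattern.search(arg):
                    hits.append({"time": ts, "client": client, "indicator": pattern.pattern,
                                 "observed": arg, "threat": threat})
    return hits


def clients_by_threat(hits: List[Dict[str, str]]) -> Dict[str, set]:
    """Group affected clients under each detection name for triage."""
    out: Dict[str, set] = {}
    for h in hits:
        out.setdefault(h["threat"], set()).add(h["client"])
    return out


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} {hit["threat"]}: {hit["observed"]}')
```

Matching on the file tail rather than the full path keeps the Application Data indicator useful across XP and later profile layouts; the `%PROFILE%\Local Settings\Temp\tmp<random>.tmp` location from Threat 2 is left out on purpose because a random `.tmp` name in the temp folder is far too common to be a standalone indicator.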