Threat Spotlight

For the week of 28 Jul 2011
Threat 1

Malware masked as credit card warning

Threat Name:

Troj/Agent-SSW

Users at Risk:

Windows users

Also Known As:

Microsoft TrojanDownloader:Win32/Cbeplay.L

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

Troj/Agent-SSW is a Trojan for the Windows platform.

Spammers are currently blasting out the Trojan as part of a malicious campaign claiming that the user's credit card has been blocked.

Troj/Agent-SSW arrives via email, for example:

Subject: Your credit card is blocked

Dear Client,
Your credit card has been blocked! With your credit card was removed $ 3082,1 Possibly illegal operation!
More information in the attached file. Immediately contact your bank.
Best Wishes,
MASTERCARD .COM.

The email carries an attachment with a filename of the form id<digits>.exe (the digits are random). This file is detected as Troj/Agent-SSW.

The Trojan may attempt to download additional executable files from:

178 (DOT) 79 (DOT) 186 (DOT) 26

These files were unavailable for analysis at the time of writing.

Threat 2

Business offer is a Trojan sneak attack

Threat Name:

Troj/Agent-STC

Users at Risk:

Windows users

Also Known As:

JiangMin Trojan/JmGeneric.ctf
Microsoft Backdoor:Win32/Poisonivy.E

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

Troj/Agent-STC is a Trojan for the Windows platform.

Troj/Agent-STC is aggressively spammed out in multiple campaigns with various lures promising business deals.

The spammers behind this scheme use fake acquisition emails such as this one purporting to be from the chemical giant BASF Group:

Subject:
FW: Basf Group Acquisition

Content:
Dear,
I am a chemical business unit of BASF Group. Our goal is to remain the world's leading chemical company. With our renewed strategy BASF 2015, we will achieve this goal by successfully combining new and proven ideas.
We are aligning our activities with four strategic guidelines:
1.We plan to purchase in 2012 your company to further develop the market;
2.After the successful completion of the merger to enhance the treatment of employees 10%;
3.Organization staff to travel from time to time, and appropriate increase in vacation time;
4.Improve staff welfare, enhance living.
Please see the attachment of specific acquisition programs, in order to ensure the plan set extracting passwords secure attachment is: seeplan password:seeplan
Thanks

In this case the emails carry an attachment called plan.7z, which contains a Trojan horse that Sophos detects as Troj/Agent-STC. Sophos also detects the 7-Zip archive itself as Troj/Agent-STC.

Troj/Agent-STC includes functionality to access the internet and communicate with a remote server via HTTP.

Troj/Agent-STC communicates via HTTP with the following location:

praxair.no-ip DOT org

When you receive an email with an attachment like this, you should always be cautious about opening it.

Threat 3

Bredo blasts out USPS malware attack

Threat Name:

Troj/Bredo-IG

Users at Risk:

Windows users

Also Known As:

a-squared Backdoor.Win32.Momibot!IK
AVP Backdoor.Win32.IRCNite.clp

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

Troj/Bredo-IG has been spreading through fake USPS spam campaigns.

The campaign includes subjects like:

From USPS id <random number>
Delivery Confirmation From USPS <random number>
Your USPS id <random number>

The campaign uses a forged From address, typically in the format:

manager<number>@usps.com
manager<number>@usps.us

The main body of the spam campaign tries to use social engineering to trick the user into checking the attachment included with the email. Examples include:

Good afternoon!
Dear User ,
Recipient's address is wrong PLEASE FILL IN ATTACHED FILE WITH RIGHT ADDRESS AND RESEND TO YOUR PERSONAL MANAGER.
With Respect,
USPS Customer Services

ATTENTION!
Dear Client,
We were not able to delivery the post package Please print out the invoice copy attached and collect the package at our department.
With respect,
USPS Services

The attachments are usually named:

usps invoice

These executables are Troj/Bredo-IG.

Troj/Bredo-IG copies itself to the Windows system folder, usually taking the name of a DLL that already exists in that directory (with an .exe extension). Troj/Bredo-IG also drops a <randomnum>.dat file in the Windows system folder.

Troj/Bredo-IG installs a service that will have a random name.

The ImagePath of the service points to the copy of Troj/Bredo-IG in the Windows system folder and passes the option "srv" to the executable (<Windows system folder>\randomname.exe srv).

The Start value of the service is 0x2 (Auto Load), and its Type value is 0x110.
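The persistence traits listed above (an auto-start service whose ImagePath ends in "srv", a Type of 0x110, and an executable in the system folder that borrows the name of a neighbouring DLL) can be checked mechanically. The script below is an added example, not Sophos code; it runs over constructed service entries and a constructed DLL listing rather than reading the live registry, and the service and file names in it are made up.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of service entries, shaped like the values found under
# HKLM\SYSTEM\CurrentControlSet\Services; names and paths are invented.
SAMPLE_SERVICES = [
    {"name": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe", "Start": 2, "Type": 0x110},
    {"name": "qvzpfkd", "ImagePath": r"C:\Windows\System32\ksuser.exe srv", "Start": 2, "Type": 0x110},
    {"name": "wuauserv", "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs", "Start": 2, "Type": 0x20},
]
# Constructed listing of DLL names present in the Windows system folder.
SYSTEM32_DLLS = {"ksuser.dll", "shell32.dll", "kernel32.dll"}

SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)
SERVICE_AUTO_START = 0x2
SUSPECT_TYPE = 0x110  # SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS


def parse_image_path(image_path):
    """Split a service ImagePath into (executable path, argument list), honouring quotes."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        exe, rest = s[1:end], s[end + 1:]
    else:
        exe, _, rest = s.partition(" ")
    return exe, rest.split()


def service_indicators(svc, dll_names):
    """Return the Bredo-IG traits that a single service entry matches."""
    exe, args = parse_image_path(svc["ImagePath"])
    hits = []
    if args == ["srv"]:
        hits.append("srv argument")
    if svc["Type"] == SUSPECT_TYPE:
        hits.append("Type 0x110")
    if SYSTEM_DIR_RE.match(exe) and (PureWindowsPath(exe).stem + ".dll").lower() in dll_names:
        hits.append("exe shadows a DLL name in the system folder")
    return hits


def suspicious_services(services, dll_names, min_hits=2):
    """Auto-start services matching at least min_hits traits; a single trait (e.g. the
    legitimate Spooler's Type 0x110) is not enough on its own."""
    found = {}
    for svc in services:
        if svc["Start"] != SERVICE_AUTO_START:
            continue
        hits = service_indicators(svc, dll_names)
        if len(hits) >= min_hits:
            found[svc["name"]] = hits
    return found


if __name__ == "__main__":
    for name, hits in suspicious_services(SAMPLE_SERVICES, SYSTEM32_DLLS).items():
        print(f"{name}: {', '.join(hits)}")
```

On a real host the same functions can be fed with the service values exported from the registry and a directory listing of the system folder; the thresholds are a starting point, not a signature.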