For the week of 11 Aug 2011
Threat 1: Trojan dropper infects Windows users
Threat Name: Troj/Mdrop-DKE
Users at Risk: Windows users
Also Known As:
Avira TR/Clicker.DH
K7 Trojan ( 748e48fd0 )
McAfee Generic Downloader.x!fxy
Microsoft Trojan:Win32/Dynamer!dtc
Symantec Trojan.Gen.2
Trend TROJ_SPNR.0BFE11
About:
Troj/Mdrop-DKE is a Trojan dropper and downloader for the Windows platform, written in Visual Basic 6 (VB6).
When executed, the Trojan attempts to contact:
freeme2host[dot]co[dot]cc
It then attempts to retrieve a file from:
freeme2host[dot]co[dot]cc/images/index4[dot]php
At the time of writing, this link was unavailable.
The Trojan drops a .dat file to:
"%userprofile%\application data\<random integers>.dat"
This dropped file is not considered detection-worthy on its own.
Threat 2: Zbot ships Trojan in fake USPS notification
Threat Name: Mal/Zbot-CX
Users at Risk: Windows users
Also Known As:
AVP Trojan-Spy.Win32.Zbot.bovm
K7 Trojan ( f1000f011 )
Microsoft PWS:Win32/Zbot.gen!Y
Symantec W32.Qakbot!gen5
About:
Mal/Zbot-CX is a Trojan for the Windows platform, in the Zbot family of malware (also known as Zeus).
Mal/Zbot-CX is aggressively spammed out in multiple campaigns with various postal service lures.
The spammers behind this scheme use fake USPS notifications such as:
Subject:
Your parcel will be sent to the sender on May 12
Content:
Dear client.
Your package has been returned to the Post Express office.
The reason of the return is "Error in the delivery address."
More information and the tracking number are attached in document below.
Thank you.
USPS Priority Mail.
In this case, the email carries an attachment called Postal_Document#10994.zip (or a similar filename), which itself contains a Trojan horse that Sophos detects as Mal/Zbot-CX.
Sophos also detects the ZIP file as Mal/BredoZp-B.
When you receive an email with an attachment like this, you should always use caution before opening it.
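The two write-ups above each give a handful of host, network and mail indicators: the Mdrop-DKE contact domain and download path, the "<random integers>.dat" file dropped under Application Data, and the Postal_Document#NNNNN.zip attachment on the USPS-themed Zbot spam. The following Python triage script is an added example, not code from Sophos or from this bulletin; it turns those indicators into simple matchers and runs them over constructed sample telemetry (file-creation paths, DNS queries and email metadata that are invented here, not taken from real incidents). The domain is kept defanged as the bulletin prints it and refanged only at comparison time.

```python
import re

# Indicators quoted from the bulletin. The domain stays defanged as printed;
# refang() converts it only when comparing against live telemetry.
MDROP_DKE_DOMAIN_DEFANGED = "freeme2host[dot]co[dot]cc"
MDROP_DKE_URL_PATH = "/images/index4.php"


def refang(indicator):
    """Turn a '[dot]'-defanged indicator back into a comparable hostname."""
    return indicator.replace("[dot]", ".").lower()


# %userprofile%\Application Data\<random integers>.dat
DROPPED_DAT_RE = re.compile(r"\\application data\\\d+\.dat$", re.IGNORECASE)

# Attachment naming seen in the Zbot campaign: Postal_Document#10994.zip
POSTAL_ZIP_RE = re.compile(r"^Postal_Document#\d+\.zip$", re.IGNORECASE)

# Wording from the fake USPS notification lure (lower-cased for matching).
USPS_LURE_TERMS = ("parcel", "package", "usps", "post express", "tracking")


def is_mdrop_dke_drop(path):
    """True if a created-file path matches the Mdrop-DKE dropped-file pattern."""
    return bool(DROPPED_DAT_RE.search(path))


def is_mdrop_dke_contact(host, url_path=""):
    """True if a queried host (and optional URL path) matches the Mdrop-DKE contact."""
    host_ok = host.lower().rstrip(".") == refang(MDROP_DKE_DOMAIN_DEFANGED)
    if not url_path:
        return host_ok
    return host_ok and url_path.lower() == MDROP_DKE_URL_PATH


def is_zbot_postal_lure(subject, attachments):
    """True if an email looks like the USPS-themed Zbot lure.

    A Postal_Document#NNNNN.zip attachment is a hit by itself; otherwise a
    ZIP attachment combined with postal wording in the subject is flagged.
    """
    if any(POSTAL_ZIP_RE.match(name) for name in attachments):
        return True
    subj = subject.lower()
    has_lure_term = any(term in subj for term in USPS_LURE_TERMS)
    has_zip = any(name.lower().endswith(".zip") for name in attachments)
    return has_lure_term and has_zip


# Constructed sample telemetry (hypothetical, not from the bulletin).
SAMPLE_FILE_EVENTS = [
    r"C:\Documents and Settings\alice\Application Data\83741920.dat",
    r"C:\Documents and Settings\alice\Application Data\Microsoft\cache.dat",
    r"C:\Program Files\SomeApp\config.dat",
]
SAMPLE_DNS_QUERIES = ["freeme2host.co.cc", "www.example.com"]
SAMPLE_EMAILS = [
    {"subject": "Your parcel will be sent to the sender on May 12",
     "attachments": ["Postal_Document#10994.zip"]},
    {"subject": "Quarterly report", "attachments": ["report.pdf"]},
    {"subject": "USPS: package returned", "attachments": ["invoice.zip"]},
]


def triage(file_events, dns_queries, emails):
    """Run every matcher over the supplied telemetry and return (threat, kind, value) hits."""
    hits = []
    for path in file_events:
        if is_mdrop_dke_drop(path):
            hits.append(("Troj/Mdrop-DKE", "dropped file", path))
    for host in dns_queries:
        if is_mdrop_dke_contact(host):
            hits.append(("Troj/Mdrop-DKE", "dns query", host))
    for mail in emails:
        if is_zbot_postal_lure(mail["subject"], mail["attachments"]):
            hits.append(("Mal/Zbot-CX", "email lure", mail["subject"]))
    return hits


if __name__ == "__main__":
    for threat, kind, value in triage(SAMPLE_FILE_EVENTS, SAMPLE_DNS_QUERIES, SAMPLE_EMAILS):
        print(f"{threat:15} {kind:13} {value}")
```

The dropped-file matcher deliberately requires an all-digit filename directly under Application Data, so ordinary application caches in subfolders do not fire; the bulletin itself notes the .dat file is not worth detecting on its own, so treat that hit as corroboration for the network or mail indicators rather than a verdict by itself.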