Threat Spotlight

For the week of 25 Aug 2011

Threat 1

Fake antivirus disguised in spam

Threat Name:

Troj/FakeAV-ELC

Users at Risk:

Windows users

Also Known As:

AVP Trojan.Win32.Yakes.buc
BitDefender Trojan.Generic.KDV.320118
F-Prot W32/Bredolab.IF
F-Secure Trojan-Downloader:W32/Agent.DTFU
Kaspersky Trojan.Win32.Yakes.buc
McAfee Bredolab.gen.c
Microsoft Trojan:Win32/Fivfrom.gen!B
NOD32 Win32/TrojanDownloader.Small.PEJ
Symantec Trojan.Sasfis
Trend Micro TROJ_YAKES.U

Removal Instructions:

Please follow the instructions for removing Trojans

About:

Troj/FakeAV-ELC is a fake antivirus related to the Zeus family of Trojans.

Cybercriminals are currently spamming out the Trojan as an attachment to emails supposedly containing an intercompany invoice.

The executable uses a Microsoft Word icon so that it masquerades as a document. The emails claim to come from a well-known company.

Subject:
Re: Corp. invoice from Novellus Systems Corp.

Content:
Hallo

Attached the intercompany inv. for the period January 2010 til December 2010.

Thanks a lot
KEIKO SPEARS
Novellus Systems Corp.

Subject:
Re: Inter-company inv. from Kraft Foods Corp.

Content:
Good day

Attached the intercompany inv. for the period January 2010 til December 2010.

Thanks you
JIN VALENTINE
Kraft Foods Corp.

Sophos detects the zip attachment as Troj/Invo-Zip.

When run, Troj/FakeAV-ELC starts a process and establishes an Internet connection to download further malicious files.

We also detect Troj/FakeAV-ELC as Mal/EncPk-AAN and Mal/Zbot-CX.

Threat 2

Cybercrooks fail with poorly made malware

Threat Name:

Troj/Agent-TBO

Users at Risk:

Windows users

Also Known As:

Avira TR/Fivfrom.B.4
AVP Backdoor.Win32.Agobot.ast
McAfee Backdoor-FAK trojan
Microsoft Trojan:Win32/Fivfrom.gen!B

Removal Instructions:

Please follow the instructions for removing Trojans

About:

Troj/Agent-TBO is a Trojan for the Windows platform.

In this case, the malware won't work because of a mistake made by the bad guys. It won't run properly, so it is "defunct."

But the Trojan could still cause problems for you if its authors manage to fix it manually.

Troj/Agent-TBO is usually distributed via email as a zipped attachment with a filename such as "Invoice_08.17.2011[...]rcod.exe" and an email subject of "Re: Corp. invoice from ATFT Corp."

When it's working properly, this malware includes functionality to:

  • run automatically
  • create auxiliary small files
  • access the Internet and communicate with a remote server via HTTP

When Troj/Agent-TBO is installed it creates the files:

\Documents and Settings\Local Settings\Temp\8sRYNzaT.exe
\Documents and Settings\Local Settings\Temp\bh.tmp

bh.tmp contains the GUID: {F1944F1F-82F2-488C-8DF8-A5A0A85361AB}

Troj/Agent-TBO could establish a connection with the following Internet location:

host-121.net51.sol.az

If the remote host does not respond, the Trojan will try to delete itself.

Threat 3

Credit card warning could cost you

Threat Name:

Troj/Bredo-IZ

Users at Risk:

Windows users

Also Known As:

AVP Trojan-Downloader.Win32.Agent.gxpt
McAfee Downloader.a!dz trojan
Microsoft TrojanDownloader:Win32/Cbeplay.M

Removal Instructions:

Please follow the instructions for removing Trojans

About:

Troj/Bredo-IZ is a Trojan for the Windows platform.

We've seen this Trojan in attachments to emails claiming that the recipient's credit card has been blocked. Some of the variations on this theme we've seen lately include the following:

Subject:
Your credit card is blocked

Content:
Dear Consumer,

Your credit card has been blocked!
From your credit card has been removed $ 430,5
Possibly illegal transaction!
More detailed information in the attached file.
Instantly contact your bank.

Best wishes,
MC Customer Services

Subject:
Changelog 4.08.2011

Content:
Hi name@email,

as prmosed changelog is attached,

LINDSAY FREEMAN

The attached zip file contains another member of the Bredo family of malware that will, when executed, download further malicious files.

If you receive an email claiming that your credit card has been blocked, treat it with suspicion.

If you're concerned that the email might be true, contact your bank directly.

We remind you that you should always use caution and never open an attachment to an email from an unknown sender.
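As an added illustration that is not part of the original spotlight: a small Python triage script that flags emails combining the subject lures quoted above (the invoice, "credit card is blocked" and "Changelog" subjects from all three threats) with a zip attachment holding an executable, which is the delivery pattern shared by every threat on this page. The function names and the sample message are constructed for this example; the zip member is a harmless text file named like the attachment described for Troj/Agent-TBO.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject patterns drawn from the lures quoted on this page.
LURE_SUBJECTS = [
    re.compile(r"^Re: (Corp\.|Inter-company) (invoice|inv\.) from .+ Corp\.$", re.I),
    re.compile(r"^Your credit card is blocked$", re.I),
    re.compile(r"^Changelog \d{1,2}\.\d{2}\.\d{4}$", re.I),
]
# Executable extensions that should never arrive as an "invoice" or "changelog".
EXEC_EXT = re.compile(r"\.(exe|scr|com|pif|bat|cmd)$", re.I)


def zip_executables(data: bytes) -> list[str]:
    """Return names of executable members inside a zip attachment (empty if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [name for name in zf.namelist() if EXEC_EXT.search(name)]
    except zipfile.BadZipFile:
        return []


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report lure subject + executable-in-zip findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    findings = {"subject_lure": any(p.search(subject) for p in LURE_SUBJECTS), "exe_in_zip": []}
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            findings["exe_in_zip"].extend(zip_executables(part.get_payload(decode=True)))
    # Either signal alone is weak; together they match the campaigns described above.
    findings["suspicious"] = findings["subject_lure"] and bool(findings["exe_in_zip"])
    return findings


def build_sample() -> bytes:
    """Constructed sample: the Troj/Agent-TBO lure with a benign file named like its payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_08.17.2011_rcod.exe", b"constructed placeholder, not a program")
    msg = EmailMessage()
    msg["Subject"] = "Re: Corp. invoice from ATFT Corp."
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Attached the intercompany inv. for the period January 2010 til December 2010.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Invoice.zip")
    return msg.as_bytes()
```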