Threat Spotlight

For the week of 22 Sep 2011
Threat 1

Bredo spreads UPS invoice malware

Threat Name:

Troj/Invo-Zip

Users at Risk:

Windows users

Also Known As:

Kaspersky: Backdoor.Win32.Bredolab.bra
Avira: DR/Delphi.Gen
McAfee: Generic Dropper.lr
Microsoft: TrojanDownloader:Win32/Bredolab.AB

Removal Instructions:

Please follow the instructions for removing Trojans

About:

Troj/Invo-Zip is another email-based malware that we've seen in our spam traps as part of recent campaigns from the Bredo family of Trojans.

We've seen Troj/Invo-Zip attached to emails pretending to come from UPS:

Dear customer!
Unfortunately we were not able to deliver the postal package which was sent on the 18th of June in time because the addressee's address is erroneous.
Please print out the invoice copy attached and collect the package at our office.
United Parcel Service of America.

And:

Dear customer! We failed to deliver your postal package which was sent on the 18th of June in time because the addressee's address is incorrect.
Please print out the invoice copy attached and collect the package at our department.
United Parcel Service of America.

In both instances, opening the attached zip file (whose name in each case began with UPS_invoice_NR) allowed the sender to deliver Mal/Oficla-A and Mal/FakeAV-DH.

This threat sometimes comes in emails purporting to be from myspace.com. The messages often read as follows:

Hey ,
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document. Thanks,
Your MySpace.

The attached document is a zip file with a variable name beginning with MySpace_document which actually contains Mal/Oficla-A and Mal/FakeAV-DH.
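As an added example (not code from the Sophos bulletin), the following gateway-style check flags attachments that use the naming described above for both lures, and additionally opens any zip attachment to see whether it carries an executable. The sample message it builds is constructed here, with a placeholder payload rather than real malware.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Attachment name prefixes the bulletin reports for this campaign.
LURE_PREFIXES = ("UPS_invoice_NR", "MySpace_document")
# Executable extensions that have no business inside an "invoice" zip.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def executables_in_zip(data: bytes) -> list:
    """Names of executable members inside a zip blob; [] if none or not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTS)]
    except zipfile.BadZipFile:
        return []

def suspicious_attachments(raw: bytes) -> list:
    """Flag attachments using the campaign's file names or carrying an executable."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = []
        if name.startswith(LURE_PREFIXES):
            reasons.append("campaign lure filename")
        if name.lower().endswith(".zip"):
            execs = executables_in_zip(part.get_payload(decode=True) or b"")
            if execs:
                reasons.append("zip contains executable: " + ", ".join(execs))
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings

def build_sample_message() -> bytes:
    """Constructed sample mimicking the UPS lure; not a real captured email."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_invoice.exe", b"placeholder bytes, not real malware")
    msg = EmailMessage()
    msg["Subject"] = "UPS Delivery Problem NR 4815"
    msg.set_content("Please print out the invoice copy attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="UPS_invoice_NR_4815.zip")
    return msg.as_bytes()
```

Calling suspicious_attachments(build_sample_message()) returns one finding with both reasons; feeding it a real message from the mail spool works the same way.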

Threat 2

Autorun virus keeps going and going

Threat Name:

W32/Sality-AM

Users at Risk:

Windows users

Removal Instructions:

Please follow the instructions for disinfecting PE viruses

About:

W32/Sality-AM is a member of the Sality family of viruses for Windows.

W32/Sality-AM has been around since January 2008, but viruses remain infectious long after their original release. Recently, this particular virus has had a minor resurgence.

W32/Sality-AM may also spread by copying itself to removable devices and network shares. It typically drops a hidden autorun.inf file (detected as Mal/AutoInf-A) so that copies of itself run automatically.
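As an added example (not code from the Sophos bulletin), this script inspects the autorun.inf at the root of a removable drive, reports which program it would launch, and on Windows notes whether the file carries the hidden attribute. The sample autorun.inf and the file name it points at are constructed here and are not from a real infection.

```python
import os
import stat

# [autorun] keys that start a program when the drive is inserted or opened.
LAUNCH_KEYS = ("open", "shellexecute")

def parse_autorun(text: str) -> list:
    """Tolerant parser: skips junk lines; section and key names are case-insensitive."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = key.lower()
        # shell\<verb>\command entries launch from the drive's context menu
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            findings.append({"key": key, "target": value})
    return findings

def audit_drive(root: str) -> dict:
    """Report whether a drive root carries an autorun.inf, what it launches, and if it is hidden."""
    path = os.path.join(root, "autorun.inf")
    result = {"present": os.path.isfile(path), "hidden": False, "launches": []}
    if not result["present"]:
        return result
    # st_file_attributes is only populated on Windows; elsewhere hidden stays False.
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    result["hidden"] = bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))
    with open(path, encoding="latin-1", errors="ignore") as fh:
        result["launches"] = parse_autorun(fh.read())
    return result

# Constructed sample (hypothetical file name), not a real captured autorun.inf.
SAMPLE = """[AutoRun]
;junk line the parser must tolerate
OPEN=RECYCLER\\sample_dropper.exe
shell\\open\\command=RECYCLER\\sample_dropper.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

if __name__ == "__main__":
    for hit in parse_autorun(SAMPLE):
        print(f"{hit['key']} -> {hit['target']}")
```

To check a mounted device, call audit_drive("E:\\") (or the mount point on other systems); a present, hidden autorun.inf whose target sits on the same drive is the pattern described above.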

When first run, W32/Sality-AM may infect executables in the root folder and files on network shares.

Files dropped initially include: rejoice101.exe

It is also known to drop drivers in the system32 drivers folder. The driver can have different names but is detected as Troj/RKSal-Gen.

Mal/Sality-AM will attempt to delete a large swathe of files related to antivirus and anti-spyware software. It will modify a large list of registry keys, including the following:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKLM\Software\Microsoft\Security Center
HKLM\System\CurrentControlSet\Control\SafeBoot
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Mal/Sality-AM connects to a large list of hard-coded websites to download further malware. The dropped driver files also act as a filter driver that blocks access to various security websites.

Users of the HIPS runtime behavior analysis features of Sophos Endpoint Security have additional protection against Mal/Sality-AM. The actions of this malware trigger the HIPS rules HIPS/FileMod-005, HIPS/RegMod-016 and HIPS/RegMod-013.

Threat 3

Conficker still lurks on unpatched PCs

Threat Name:

Mal/Conficker-A

Users at Risk:

Windows users

Also Known As:

WORM_DOWNAD.AD
W32/Conficker.worm
Worm:Win32/Conficker.gen!A
Worm:W32/Downadup
Net-Worm.Win32.Kido

Removal Instructions:

Mal/Conficker-A can be removed with Sophos Anti-Virus or by downloading the standalone Conficker removal tool

About:

Mal/Conficker-A is a worm for the Windows platform.

This persistent worm has been infecting Windows machines and networks since November 2008. Conficker spreads by copying itself to removable storage devices and by exploiting the MS08-067 Windows Server service vulnerability.

If you detect Conficker on your system:

  • Ensure Windows is fully updated to fix the MS08-067 vulnerability that the Conficker family of worms uses to spread.
  • Ensure that all removable storage devices are scanned after being connected to a computer infected with the Conficker family of worms.
  • Ensure HIPS and buffer overflow prevention are both turned on and that "alert only" mode is turned off.
  • Ensure the on-access scanner is turned on and that "on write" scanning is enabled.

If W32/ConfikMem-A is detected on the computer, clean up this item first and then immediately run another full scan. Cleaning up W32/ConfikMem-A removes the worm from memory and allows Sophos Anti-Virus to scan files that may have been locked by the virus while it was running.

If a full scan reports unscannable files and W32/ConfikMem-A is not found in memory, ensure the on-access scanner is enabled and the virus data is up to date, reboot the computer and immediately perform another full scan. This causes the on-access scanner to prevent the Conficker worm from loading as a service and should unlock those files so they can be scanned.

After cleaning up an active infection of the Conficker worm, a reboot may be required.

For a detailed guide to cleaning up a Conficker infection on a Windows network, please refer to the knowledgebase article.