For the week of 07 Feb 2011
Threat 1
Trojan requests files through Internet
Threat Name:
Troj/SpyEye-A
Users at Risk:
Windows users
Also Known As:
- Avira: TR/Spy.SpyEyes.IF.1
- AVP: Trojan-Spy.Win32.SpyEyes.if
- K7: Spyware ( 001716d51 )
- McAfee: Generic PWS.y!cqg
- Microsoft: Trojan:Win32/Bumat!rts
About:
Troj/SpyEye-A provides generic detection for variants of the Troj/SpyEye family of Trojans, which include functionality to run automatically and/or access the Internet and communicate with a remote server over HTTP.
Troj/SpyEye-A copies itself to:
<Root>\cleansweep.exe\cleansweep.exe
and creates the files:
<Root>\cleansweep.exe
<Root>\cleansweep.exe\config.bin
and may trigger HIPS/ProcMod-001 runtime detection.
The following registry entry runs cleansweep.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run cleansweep.exe <Root>\cleansweep.exe\cleansweep.exe
The following registry entries are known to be set, affecting Internet security (key, value name, data):
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 1409 0x00000003
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1409 0x00000003
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1409 0x00000003
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1409 0x00000003
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1409 0x00000003
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 1609 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1406 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1609 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1609 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1406 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1609 0x00000000
Further registry entries set under Internet Settings (key, value name, data):
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyHttp1.1 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings WarnonBadCertRecving 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings WarnOnPostRedirect 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings WarnonZoneCrossing 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings WarnOnIntranet 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings WarnOnPost 00 00 00 00
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 1406 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 1406 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 1406 0x00000000
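As an added host check (example code, not part of the Sophos report), the following PowerShell audit looks for the Run-key persistence, the dropped files and the Internet Settings values listed above for Troj/SpyEye-A. It assumes <Root> is the system drive root ($env:SystemDrive); a hit on the zone values alone is a triage signal rather than proof, since an administrator could have set the same values deliberately.

```powershell
# Added example: audit the current user's hive and drive root for the
# Troj/SpyEye-A indicators listed in the report. Assumption: <Root> = $env:SystemDrive.
$findings = @()
$is = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1. Run-key persistence for cleansweep.exe
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['cleansweep.exe']) {
    $findings += "Run key entry 'cleansweep.exe' -> $($run.'cleansweep.exe')"
}

# 2. Dropped files under <Root>\cleansweep.exe\ (assumed to be the system drive root)
$drop = Join-Path $env:SystemDrive 'cleansweep.exe'
foreach ($f in @('cleansweep.exe', 'config.bin')) {
    $p = Join-Path $drop $f
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}

# 3. Per-zone URL actions set to the values the report lists.
#    1409 = XSS filter (3 = disabled); 1609 = mixed content (0 = allowed);
#    1406 = access data sources across domains (0 = allowed)
$zoneChecks = @{ '1409' = 3; '1609' = 0; '1406' = 0 }
foreach ($zone in 0..4) {
    foreach ($base in @("$is\Zones", "$is\Lockdown_Zones")) {
        $key = "$base\$zone"
        $vals = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $vals) { continue }
        foreach ($name in $zoneChecks.Keys) {
            $prop = $vals.PSObject.Properties[$name]
            if ($prop -and [int]$prop.Value -eq $zoneChecks[$name]) {
                $findings += "$key\$name = $($prop.Value)"
            }
        }
    }
}

# 4. Browser warning prompts switched off and ProxyHttp1.1 set to 1.
#    WarnOnPost is REG_BINARY in the report and is not compared here.
$top = Get-ItemProperty -Path $is -ErrorAction SilentlyContinue
$flags = @{ 'WarnonBadCertRecving' = 0; 'WarnOnPostRedirect' = 0
            'WarnonZoneCrossing' = 0; 'WarnOnIntranet' = 0; 'ProxyHttp1.1' = 1 }
foreach ($name in $flags.Keys) {
    $prop = $top.PSObject.Properties[$name]
    if ($prop -and [int]$prop.Value -eq $flags[$name]) { $findings += "$is\$name = $($prop.Value)" }
}

if ($findings.Count -eq 0) { 'No Troj/SpyEye-A indicators found.' } else { $findings }
```

Run it in the context of the user profile being examined, since every key checked lives under HKCU.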
Threat 2
Not a parcel delivery failure notice, but a Trojan
Threat Name:
Troj/Agent-QGA
Users at Risk:
Windows users
Also Known As:
- Symantec: Downloader.Lofog!gen2
About:
Seen in spam, it typically features the following subject line:
Subject: Post Express Service. Your package delivered! NR7138
And has the following attachment:
Post_Express_Label_INN1268~.zip, which contains Post Express Label.exe
In general, the email message reads:
Dear client:
Your package has been returned to the Post Express office. The reason of the return is "Error in the delivery address."
Attached to the letter mailing label contains the details of the package delivery.
You have to print mailing label, and come in the Post Express office to receive the packages.
Thank you for using our services.
Post Express Service.
When a user opens the email attachment, the Trojan launches svchost.exe as a subprocess and injects into it, causing it to download more malware.
Document.doc, one of the dropped files, opens with WordPad to disguise its malicious activity. Troj/Agent-QGA may also attempt to contact interviewbuy.ru to download additional files.
The website has since been shut down. While we have seen a relationship with Mal/Zbot-AV, this is a downloader, possibly generated from a standard exploit kit, so its payload is likely to vary over time.
Threat 3
Post Express Service message, Trojan attachment
Threat Name:
Troj/Spyeye-R
Users at Risk:
Windows users
Also Known As:
- Avira: TR/Oficla.F
- K7: Trojan-( 0001140e1 )
- McAfee: W32/Bamital.j
- Trend: TROJ_SPYEYE.SMEP
About:
Troj/Spyeye-R can download and execute malicious code. When run, it copies itself to <System>\svchost.exe and may trigger HIPS/ProcMod-004 runtime detection.
The Trojan also attempts to download code from interviewbuy.ru.
Downloaded files include Mal/FakeAV-BW, Mal/Zbot-AV and Troj/Agent-QFO.
The Trojan may modify the following registry entry:
HKLM\SOFTWARE\Microsoft\DownloadManager
Users received instances of Troj/Spyeye-R in the form of an email attachment.
The email may claim to be from courier companies, mentioning undelivered parcels and containing an attachment in the form of a zip file.
When zipped, it is detected as Troj/BredoZp-BT; when unzipped, it is detected as Troj/Spyeye-R.