Threat Spotlight

For the week of 21 Feb 2011

Threat 1

Fake FBI interception notice

About:

Threatening email allegedly sent from borderline literate FBI agent John Edward.

The fraud, which has been active since February 14, 2011, claims that the FBI intercepted a large trunk full of money at JFK Airport addressed to the email recipient. The spam insists that the recipient must reply to the email or will be arrested, interrogated, and prosecuted in the "Court of Law for Money Laundrey" [sic].

The email then urges the recipient to read the attached file which contains instructions forbidding the recipient from contacting any bank or persons in Nigeria. Oddly enough, there have recently been 419 campaigns from Nigeria impersonating Robert S. Mueller III.

Most samples of this email originated from Inner Mongolia, targeting citizens of the United States. In general these emails come from Freeweb accounts (budget cuts at FBI must be worse than we thought).

The financial incentive for the spammers is likely blackmail. After all, according to the spam, 'Special Agent Edward' will not arrest, interrogate and prosecute the recipient for a fee.

There are several features of these messages that point to their spammer origins. The To field is an fbi.gov address, and the actual recipient is in BCC; this is done so that the reader sees an @fbi.gov address in the header, which lends credibility to the message. The Reply-to field points to a different account from the From field. The message body is a short paragraph instructing the recipient to open the attachment immediately.

Both the Sender and Reply-to addresses are Freeweb accounts, but they are two different accounts.

Message Sample:

Subject: FROM THE FEDERAL BUREAU OF INVESTIGATION (FBI)
From: AGENT JOHN EDWARD <redacted>@live.ca
To: <redacted>@fbi.gov

URGENT ATTENTION: BENEFICIARY,

KINDLY VIEW THE ATTACHED CONFIDENTIALITY NOTICE LETTER AND GET BACK TO ME IMMEDIATELY.

Yours In Service
Agent John Edward
Regional Director
Federal Bureau of Investigation
Intelligence Field Unit
J. Edgar Hoover Building
935 Pennsylvania Avenue, NW Washington, D.C.
20535-0001, USA
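The header traits described above (an @fbi.gov To address with the real recipient in BCC, a free webmail sender presenting as an FBI agent, a Reply-to that differs from From, and a short body that only says to open the attachment) can be turned into a mail-filter check. The Python below is an added example, not code from the original spotlight or from its publisher. The list of free webmail domains, the `delivered_to` parameter (the envelope recipient, which a real gateway would take from the SMTP RCPT TO), the 40-word body threshold, and the sample messages (modelled on the quoted sample, with invented local parts and an invented Reply-To) are all assumptions of the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Free webmail providers. The write-up only says the accounts are "Freeweb"
# accounts and shows a live.ca sender, so this list is an assumption.
FREE_WEBMAIL_DOMAINS = {"live.ca", "live.com", "hotmail.com", "gmail.com", "yahoo.com"}

# Domain the campaign puts in the To header to look credible.
IMPERSONATED_DOMAIN = "fbi.gov"


def _address(header_value):
    """Lower-case bare address from a header value ('' if none)."""
    return parseaddr(str(header_value or ""))[1].lower()


def _domain(header_value):
    """Lower-case domain of the first address in a header value ('' if none)."""
    return _address(header_value).rpartition("@")[2]


def _plain_body(msg):
    """Decoded text/plain body of a parsed message ('' if there is none)."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def fake_fbi_indicators(raw_message, delivered_to):
    """Return the header/body traits from the write-up that a message shows.

    delivered_to is the mailbox that really received the mail (the envelope
    recipient); in this campaign it is BCC'd and never appears in To.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_hdr = str(msg["From"] or "")
    to_hdr = str(msg["To"] or "")
    found = []

    # 1. To is an @fbi.gov address while the real recipient is absent from it (BCC delivery).
    if _domain(to_hdr) == IMPERSONATED_DOMAIN and delivered_to.lower() not in to_hdr.lower():
        found.append("to-spoofs-fbi-gov-recipient-in-bcc")

    # 2. The sender presents as an FBI agent but mails from a free webmail account.
    if _domain(from_hdr) in FREE_WEBMAIL_DOMAINS and ("fbi" in from_hdr.lower() or "agent" in from_hdr.lower()):
        found.append("free-webmail-sender-claims-fbi")

    # 3. Reply-To is a free webmail account that differs from the From account.
    reply_to = msg["Reply-To"]
    if _domain(reply_to) in FREE_WEBMAIL_DOMAINS and _address(reply_to) != _address(from_hdr):
        found.append("reply-to-differs-from-sender")

    # 4. Short body whose only instruction is to open the attachment (40-word cap is assumed).
    body = _plain_body(msg)
    if len(body.split()) < 40 and "attach" in body.lower():
        found.append("short-body-open-attachment")

    return found


# Constructed sample modelled on the message quoted in the write-up; the
# local parts and the Reply-To address are invented placeholders.
SAMPLE_SPAM = """\
From: AGENT JOHN EDWARD <agent.edward@live.ca>
To: field.office@fbi.gov
Reply-To: johnedward.fbi@live.ca
Subject: FROM THE FEDERAL BUREAU OF INVESTIGATION (FBI)
Content-Type: text/plain

URGENT ATTENTION: BENEFICIARY,

KINDLY VIEW THE ATTACHED CONFIDENTIALITY NOTICE LETTER AND GET BACK TO ME IMMEDIATELY.
"""

# Constructed control message that should trip none of the checks.
BENIGN_MAIL = """\
From: Alice Example <alice@example.com>
To: victim@example.com
Subject: Lunch tomorrow
Content-Type: text/plain

Are we still on for lunch tomorrow at noon? Let me know.
"""

if __name__ == "__main__":
    print(fake_fbi_indicators(SAMPLE_SPAM, "victim@example.com"))
    print(fake_fbi_indicators(BENIGN_MAIL, "victim@example.com"))
```

Each check on its own is weak (plenty of legitimate mail has a Reply-to, and free webmail senders are common), which is why the function returns the full list of traits rather than a verdict: a gateway rule would act on the combination, for instance three or more of the four, and route such mail to quarantine for review.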

Threat 2

Fake messages from the FDIC and UPS

Threat Name:

Troj/Bredo-FA

Users at Risk:

Windows users

Also Known As:

  • Avira: TR/Spyeye.Y
  • McAfee: Artemis!B07B6325AC6D
  • Microsoft: Trojan:Win32/Oficla.AI
  • TrendMicro: TSPY_OFICLA.MESY

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

Troj/Bredo-FA is a variant of the Bredo family of malware. The Trojan spreads as a spam email attachment. It is a continuation of a campaign we have seen for several years pretending to be a shipping notification or wire transfer that asks you to open a malicious attachment. The attachment is usually a ZIP file containing only one executable, named:

FDIC_Document.zip
FDIC_document.exe

The email body is empty and the subject is 'United Parcel Service notification #XXXXX,' where X is a random digit.

Troj/Bredo-FA can:

  • Run automatically
  • Steal confidential information
  • Access the internet and communicate with a remote server via HTTP

When this Trojan is installed, it creates the file <Windows>\Minidump\Mini021411-01.dmp.

The following registry entries are set:

HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\KernelFaults
    <Windows>\Minidump\Mini022411-01.dmp = 0x00000000

HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\MachineCrash
    DumpFile = C:\WINDOWS\DUMP1d0d.tmp

Threat 3

Trojan forces system restart

Threat Name:

Troj/Agent-QKF

Users at Risk:

Windows users

Also Known As:

  • Avira: TR/Banker.Banker.bgsd
  • McAfee: Artemis!B87AC5E100A0
  • Microsoft: Trojan:Win32/Oficla
  • TrendMicro: TROJ_BANKER_CYW

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

This Trojan is typically spammed out as an attachment with the name of "document.zip." The spam often has the subject line of "Important information for depositors of Federal Deposit Insurance Corporation".

When run, the Trojan will cause a fatal error in the operating system, resulting in a reboot.

The spam attachment is detected as Troj/Agent-QKF, and when extracted, the content is also detected as Troj/Agent-QKF.
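Threat 2 and Threat 3 share the same lure shape: a subject of 'United Parcel Service notification #XXXXX' or 'Important information for depositors of Federal Deposit Insurance Corporation', an empty body, and a ZIP attachment named FDIC_Document.zip or document.zip that holds a single executable. The Python below is an added example, not code from the original spotlight or from its publisher, that turns those traits into a gateway triage check for both threats. The executable extension list, the assumption that the digits after '#' are unbounded, and the in-memory ZIP used as sample input are assumptions of the example.

```python
import io
import re
import zipfile

# Subject lines quoted for Threat 2 and Threat 3. The page shows the UPS
# subject with a run of random digits, so an unbounded \d+ is an assumption.
SUBJECT_PATTERNS = (
    re.compile(r"^United Parcel Service notification #\d+$"),
    re.compile(r"^Important information for depositors of Federal Deposit Insurance Corporation$"),
)

# Attachment names quoted for Threat 2 and Threat 3 (compared case-insensitively).
LURE_ATTACHMENT_NAMES = {"fdic_document.zip", "document.zip"}

# Extensions treated as executable inside the archive (assumed list).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def zip_members(data):
    """Member names of an in-memory ZIP archive, or None if data is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return archive.namelist()
    except zipfile.BadZipFile:
        return None


def attachment_indicators(filename, data):
    """Indicators found on one attachment (its filename plus raw bytes)."""
    found = []
    if filename.lower() in LURE_ATTACHMENT_NAMES:
        found.append("known-lure-filename")
    members = zip_members(data)
    if members is None:
        return found
    executables = [m for m in members if m.lower().endswith(EXECUTABLE_EXTENSIONS)]
    if executables and len(members) == 1:
        # The write-up's pattern: a ZIP containing only one executable.
        found.append("zip-with-single-executable")
    elif executables:
        found.append("zip-contains-executable")
    return found


def message_indicators(subject, body, filename, data):
    """Indicators for a whole message: subject, body and its one attachment."""
    found = []
    if any(p.match(subject.strip()) for p in SUBJECT_PATTERNS):
        found.append("known-lure-subject")
    if not body.strip():
        found.append("empty-body")
    found.extend(attachment_indicators(filename, data))
    return found


def build_sample_zip(member_name):
    """Constructed sample input: a ZIP holding one fake file with an MZ header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member_name, b"MZ" + b"\x00" * 62 + b"placeholder, not a real program")
    return buf.getvalue()


if __name__ == "__main__":
    ups_lure = build_sample_zip("FDIC_document.exe")
    print(message_indicators("United Parcel Service notification #48213", "", "FDIC_Document.zip", ups_lure))
    print(message_indicators("Q3 report", "Figures attached.", "report.zip", build_sample_zip("report.csv")))
```

The archive is inspected from its central directory only, without extracting any member, so the check is safe to run on untrusted mail; the 'zip-with-single-executable' trait is the one worth alerting on even when the subject and filename change between campaigns.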