Threat Spotlight

For the week of 25 Aug 2011
Threat 1

Fake antivirus disguised in spam

Threat name:

Troj/FakeAV-ELC

Users at risk:

Windows users

Also known as:

AVP Trojan.Win32.Yakes.buc
BitDefender Trojan.Generic.KDV.320118
F-Prot W32/Bredolab.IF
F-Secure Trojan-Downloader:W32/Agent.DTFU
Kaspersky Trojan.Win32.Yakes.buc
McAfee Bredolab.gen.c
Microsoft Trojan:Win32/Fivfrom.gen!B
NOD32 Win32/TrojanDownloader.Small.PEJ
Symantec Trojan.Sasfis
Trend Micro TROJ_YAKES.U

Removal instructions:

Please follow the instructions for removing Trojans

Information:

Troj/FakeAV-ELC is a fake antivirus related to the Zeus family of Trojans.

Cybercriminals are currently spamming out the Trojan as an attachment to emails supposedly containing an intercompany invoice.

The malware displays a Microsoft Word icon masquerading as a document. The emails claim to come from a well-known company.

Subject:
Re: Corp. invoice from Novellus Systems Corp.

Content:
Hallo

Attached the intercompany inv. for the period January 2010 til December 2010.

Thanks a lot
KEIKO SPEARS
Novellus Systems Corp.

Subject:
Re: Inter-company inv. from Kraft Foods Corp.

Content:
Good day

Attached the intercompany inv. for the period January 2010 til December 2010.

Thanks you
JIN VALENTINE
Kraft Foods Corp.

Sophos detects the zip attachment as Troj/Invo-Zip.

When run, Troj/FakeAV-ELC starts a process and establishes an Internet connection to download further malicious files.

We also detect Troj/FakeAV-ELC as Mal/EncPk-AAN and Mal/Zbot-CX.

Threat 2

Cybercrooks fail with poorly made malware

Threat name:

Troj/Agent-TBO

Users at risk:

Windows users

Also known as:

Avira TR/Fivfrom.B.4
AVP Backdoor.Win32.Agobot.ast
McAfee Backdoor-FAK trojan
Microsoft Trojan:Win32/Fivfrom.gen!B

Removal instructions:

Please follow the instructions for removing Trojans

Information:

Troj/Agent-TBO is a Trojan for the Windows platform.

In this case, the malware won't work because of a mistake made by the bad guys. It won't run properly, so it is "defunct."

But the Trojan could still cause problems for you if its authors manage to fix the mistake.

Troj/Agent-TBO is usually distributed via email as a zipped attachment with a filename such as "Invoice_08.17.2011[...]rcod.exe" and an email subject of "Re: Corp. invoice from ATFT Corp."

When it's working properly, this malware includes functionality to:

  • run automatically
  • create auxiliary small files
  • access the Internet and communicate with a remote server via HTTP

When Troj/Agent-TBO is installed it creates the files:

\Documents and Settings\Local Settings\Temp\8sRYNzaT.exe
\Documents and Settings\Local Settings\Temp\bh.tmp

bh.tmp contains the GUID: {F1944F1F-82F2-488C-8DF8-A5A0A85361AB}

Troj/Agent-TBO could establish a connection with the following Internet location:

host-121.net51.sol.az

If the remote host does not respond the Trojan will try to delete itself.

Threat 3

Credit card warning could cost you

Threat name:

Troj/Bredo-IZ

Users at risk:

Windows users

Also known as:

AVP Trojan-Downloader.Win32.Agent.gxpt
McAfee Downloader.a!dz trojan
Microsoft TrojanDownloader:Win32/Cbeplay.M

Removal instructions:

Please follow the instructions for removing Trojans

Information:

Troj/Bredo-IZ is a Trojan for the Windows platform.

We've seen this Trojan in attachments to emails claiming that the recipient's credit card has been blocked. Some of the variations on this theme we've seen lately include the following:

Subject:
Your credit card is blocked

Content:
Dear Consumer,

Your credit card has been blocked!
From your credit card has been removed $ 430,5
Possibly illegal transaction!
More detailed information in the attached file.
Instantly contact your bank.

Best wishes,
MC Customer Services

Subject:
Changelog 4.08.2011

Content:
Hi name@email,

as prmosed changelog is attached,

LINDSAY FREEMAN

The attached zip file contains another member of the Bredo family of malware that will, when executed, download further malicious files.
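All three threats in this spotlight share one delivery pattern: a zip attachment holding an executable, sent under an invoice or blocked-card subject line. The mail-gateway triage below is an added example, not Sophos code; the message and the attachment filename it builds are constructed for the test and are not the real sample.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Subject phrasings quoted in this spotlight: invoice lures and the blocked-card lure.
LURE_SUBJECTS = [
    re.compile(r"\b(corp\.|inter-?company)\s+inv(oice|\.)", re.I),
    re.compile(r"credit card (is|has been) blocked", re.I),
]
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif")


def suspicious_zip_members(data: bytes) -> list[str]:
    """List executable members of a zip attachment without extracting anything."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT)]
    except zipfile.BadZipFile:
        return []


def triage(raw: bytes) -> dict:
    """Score one RFC 822 message: a lure subject or a zipped executable means quarantine."""
    msg = email.message_from_bytes(raw)
    subject = msg.get("Subject", "")
    lure = any(p.search(subject) for p in LURE_SUBJECTS)
    members = []
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            members += suspicious_zip_members(part.get_payload(decode=True) or b"")
    return {"lure_subject": lure, "zipped_executables": members,
            "quarantine": lure or bool(members)}


def build_sample() -> bytes:
    """Constructed message mimicking the Threat 2 lure; the .exe name is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_08.17.2011_SAMPLE.exe", b"MZ placeholder, not a real binary")
    msg = EmailMessage()
    msg["Subject"] = "Re: Corp. invoice from ATFT Corp."
    msg["From"] = "accounts@example.invalid"
    msg.set_content("Attached the intercompany inv. for the period January 2010 til December 2010.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_08.17.2011.zip")
    return msg.as_bytes()
```

Either signal alone is enough to hold the message, so the "Changelog" variant above is still caught by its zipped executable even though its subject matches no lure.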

If you receive an email claiming that your credit card has been blocked, treat it with suspicion.

If you're concerned that the email might be true, contact your bank directly.

We remind you that you should always use caution and never open an attachment to an email from an unknown sender.