A new spam campaign using UPS (United Parcel Service) as a social-engineering draw was initiated this week.  The spammed message contains an attachment, detected as TrojanDownloader:Win32/Chepvil.I. The spam campaign actually started around March 16th 2011. The threat was originally detected as Backdoor:Win32/Hostil.gen!A (was Backdoor:Win32/Hostil.F). More specific signatures (TrojanDownloader:Win32/Chepvil.I and TrojanDownloader:Win32/Chepvil.J) were added on March 22nd 2011.

Win32/Chepvil is a trojan that downloads other malware such as Rogue:Win32/Winwebsec, Rogue:Win32/FakeRean, Backdoor:Win32/Cycbot.B and VirTool:Win32/Injector.gen!BG. The retrieved malware is saved to the %TEMP% folder and then executed. Microsoft Malware Protection Center has noticed that detections over the past few days have gone from a handful to around 400k per day.

The majority of these detections are coming from the antimalware technology protecting our Hotmail customers, clearly indicating the vector – spam. At the time of this blog writing, we received a few reports of other online email service account holders receiving this trojan via spam email as well.

Below is a chart indicating observed telemetry of this trojan over a short period of time:

Image 1 – Chepvil telemetry

Nearly all of the attached files are named “United Parcel Service document.zip”.

The most prevalent SHA1s for the .ZIP attachment are:
0610CE22DF47B3D9C69DC63387705FD666C7205A
151755454A9D443A8A60996F3F1DC4E0C68A9B5D
2C25B6B2764E4DA5EC0A7D57017DFA5FF2A10873

The most prevalent SHA1s for the .EXE trojan within the .ZIP archive are:
0FB63DFF83DB643C9EE42EFE617BDD539A5FFB8F
142E8b00AA24954f9A4AA2271B8A49C445B87587
DA65B7B277540B88918076949A28E8307AD7E41A

Our geographical data from our endpoint protection products show a heavy focus on the United States:

Image 2 – Chepvil telemetry by geography

Below is one example of a spammed message containing the Chepvil trojan.

Image 3 – Sample of Chepvil trojan attachment

MMPC customers have detection for this issue through the signature TrojanDownloader:Win32/Chepvil.I.

- Holly Stewart, Joe Faulhaber, Jaime Wong & Patrick Nolan

• Spam Delivers Downloader Trojan
  Malware writers are again taking advantage of curious readers by sending out email messages related to recent news events that contain malicious attachments. One particular sample detected as TROJ_AZA...
• We have reports of AVG reporting a trojan downloader on our main page and RSS feed: It is due to the code snippet we are showing in one of our diaries., (Mon, Aug 16th)
  ---- Raul Siles Founder and Senior Security Analyst with Taddong www.taddong.com (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United Stat...
• “Download photoalbum” another variant of “i got u surprise”
  Previously we have written about the "i got u surprise" spam trojan on Facebook. And today, we still discovered another variant. This time, the message that is received by the victim is only "u?" and ...
• The SMSer Trojan returns as fake browser
  We have seen many fake security products and fake disk utilities targeting the windows platform. Of late, we have started observing an increasing trend in mobile platform too. Following on the heels o...
• Fake AV? We are not amused
  The Royal Wedding is going to spring into action on the 29th April, and Fake AV scans are starting to show up in relation to the "Big Day". As a result, you might want to think twice before looking fo...
• Lab Matters – Dissecting the Banking Malware Problem
  Kaspersky Lab malware researcher Vicente Diaz joins the Lab Matters webcast to discuss the banking malware epidemic in Europe and offer suggestions for consumers doing business on the Web....
• New Android.Spy modification turns smart phones into zombies
  Doctor Web-the Russian anti-virus vendor-unveils the discovery of a malicious program belonging to the Android Spy family. The malware poses a threat to owners of Android smart phones. Once the Trojan...
• Malware family “Chepvil” leads rogueware “XP Anti-Virus 2011″.
  One after another malware family trying to panic user to install fake security application. Now the Chepvil malware which comes via email as an attachment. The email as shown below: Email Snip The a...
• “Facebook Support. Your password has been changed!” contains trojan
  MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Facebook Support. Your password has been changed! ID09687″. Note that the nu...
• Video – “Windows Activation” Ransom Trojan
  We recently came across a ransom trojan that prompts the following:"Windows license locked!"The trojan claims that "you should complete activation" and provides several phones numbers.The numb...