MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email regarding a resume. The following subjects are possible:
Attached please find.
Here’s the file you wanted.
I have attached the resume.
please find enclosed.
Please find attached.
Resume attached.
The new resume is attached
The resume document is attached
You will find the resume attached to this email.
The email is send from the spoofed address and has the following body:
Please take a look at the attached resume.
The attachedZIP file has the name 50443cv.zip and contains the 16 kB large file cv.exe.
The trojan is known as TR/Crypt.ZPACK.Gen (Antivir), Gen:Trojan.Heur.FU.auW@a8ibIek (F-Secure), FakeAlert-DefCnt.d (McAfee), a variant of Win32/Kryptik.AJD (NOD32).
At the time of writing, only 8 of the 43 AV engines did detect the trojan at Virus Total.
Virus Total permlink and MD5: 046911bf7eba63a19b9ee64bec9fbaf3.
%Temp%\TMP34714.tmp
%Temp%\TMP35042.tmp
%Temp%\TMP35073.tmp
A new registry will be created:
- [HKEY_CURRENT_USER\Printers\Connections]
- affid = “396″
- subid = “landing”
The following internet connections wil lbe established on port 80:
mediafullups.com
www.searchashamed.org
Two files will be downloaded from /a/ad that contains a malicious payload and here are the details.
The first file is known as Mal/EncPk-LZ (Sophos):
The following files will be created:
%Temp%\dfrgsnapnt.exe
%Temp%\topwesitjh
%Temp%\eapp32hst.dll
%Temp%\wscsvc32.exe
The following processed will be created or are affected:
dfrgsnapnt.exe
wscsvc32.exe
Several registry modifications will be done and the following URLs are used:
- http://finderwid.org/readdatagateway.php?type=stats&affid=139&subid=1&version=4.0&adwareok
- http://searchashamed.org/readdatagateway.php?type=stats&affid=139&subid=1&version=4.0&adwareok
- http://mediafullunu.com/readdatagateway.php?type=stats&affid=139&subid=1&version=4.0&adwareok
- http://searchashamed.org/any3/5-direct.ex
- http://finderwid.org/any3/5-direct.ex
- http://mediafullunu.com/any3/5-direct.ex
The second file is known as Trojan.FakeAV!gen31 (Symantec), Trojan.Win32.TDSS.beea (Kaspersky), Application.RogueAVPacker (PCTools).
The following files will be created:
%Temp%\PRAGMA7e53.tmp
%Temp%\PRAGMAab00.tmp
%Windir%\PRAGMAvgobwwkuyu\PRAGMAc.dll
%Windir%\PRAGMAvgobwwkuyu\PRAGMAcfg.ini
%Windir%\PRAGMAvgobwwkuyu\PRAGMAd.sys
%Windir%\PRAGMAvgobwwkuyu\PRAGMAsrcr.dat
The following directory will be created:
%Windir%\PRAGMAvgobwwkuyu
Several registry modifications will be done and the following connections are established op port 80:
searchbored.org
searchfindinstall.org
The HTTP Get method is being used for css/pragma/crcmds/main.
View full post on mxlab – all about anti virus and anti spam
