MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “LinkedIn Messages, 9/30/2010”.
The email is sent from the spoofed address “LinkedIn Communication <communication@linkedin.com> (sent by messages-noreply@bounce.linkedin.com)”, the email headers are forged, and the message has the following body with complete LinkedIn branding:

The message is very similar to the LinkedIn Alert email threat we saw a few days ago, but it now uses a different approach to distribute the malware after the recipient clicks a link in the message.
All the URLs in the message first redirect the visitor to a web site, which immediately redirects them on to hxxp://hetfonteintje.com/1.html. When that page loads, an image prompts the visitor to install Adobe Flash Player, and the file flash_player_07.78.exe is offered for download.

The trojan is known as Trojan-Spy.Win32.Zbot.aptt (Kaspersky), Win32/Spy.Zbot.ZR (NOD32), Trojan.Zbot (PCTools), Trojan.Generic.KD.44402 (F-Secure).
The following files will be created:
%AppData%\Yguze\ubce.exe
%AppData%\Ywimuq\ipafe.tiy
%AppData%\Ywimuq\ipafe.tmp
%Temp%\tmp0e1f500d.bat
The following directories are created:
%AppData%\Yguze
%AppData%\Ywimuq
A new process is created:
ubce.exe
Several Windows registry changes are executed, and the trojan establishes a connection to the host ohmaebahsh.ru on port 80 and performs a GET request for bin/koethood.bin.
VirusTotal permalink and MD5: b77b6eac5d9e9d088b400652405c4b19.
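The indicators above (the spoofed LinkedIn sender and subject, the hetfonteintje.com landing page and Flash Player dropper, the ohmaebahsh.ru beacon for bin/koethood.bin, and the dropper MD5) are enough to hunt for this campaign in mail and proxy logs. The following script is an added example and is not part of the MX Lab post; the proxy log lines and email headers it scans are constructed samples in a Squid-like format, and the function names are my own.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators taken from the post; only the values the post states are used.
C2_HOST = "ohmaebahsh.ru"
C2_PATH = "/bin/koethood.bin"
DROPPER_HOST = "hetfonteintje.com"
DROPPER_FILE = "flash_player_07.78.exe"
DROPPER_MD5 = "b77b6eac5d9e9d088b400652405c4b19"
CAMPAIGN_SUBJECT = "LinkedIn Messages, 9/30/2010"
SPOOFED_FROM = "communication@linkedin.com"

# Constructed proxy log: "<unix ts> <client ip> <method> <url> <status>" (not a real capture).
SAMPLE_PROXY_LOG = """\
1285891201.123 10.0.0.15 GET http://www.linkedin.com/ 200
1285891233.456 10.0.0.15 GET http://hetfonteintje.com/1.html 200
1285891240.789 10.0.0.15 GET http://hetfonteintje.com/flash_player_07.78.exe 200
1285891301.000 10.0.0.15 GET http://ohmaebahsh.ru/bin/koethood.bin 200
1285891320.000 10.0.0.22 GET http://example.org/index.html 200
"""

# Constructed headers of one message from the campaign (the SPF result is assumed).
SAMPLE_EMAIL_HEADERS = {
    "From": "LinkedIn Communication <communication@linkedin.com>",
    "Sender": "messages-noreply@bounce.linkedin.com",
    "Subject": "LinkedIn Messages, 9/30/2010",
    "Authentication-Results": "mx.example.net; spf=fail smtp.mailfrom=linkedin.com",
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify_url(method, url):
    """Return a short reason if the request matches a campaign indicator, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path
    if host == C2_HOST and method == "GET" and path == C2_PATH:
        return "zbot C2 beacon"          # the GET for bin/koethood.bin described in the post
    if host == C2_HOST:
        return "contact with C2 host"    # any other traffic to the C2 host is still suspicious
    if host == DROPPER_HOST and path.endswith("/" + DROPPER_FILE):
        return "dropper download"        # flash_player_07.78.exe fetched from the landing site
    if host == DROPPER_HOST and path == "/1.html":
        return "landing page"            # final hop of the redirect chain
    return None


def scan_proxy_log(text):
    """Scan proxy log lines; return (client, reason, url) for each indicator hit, in log order."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                     # skip lines that do not fit the expected format
        reason = classify_url(m["method"], m["url"])
        if reason:
            hits.append((m["client"], reason, m["url"]))
    return hits


def check_email(headers):
    """Return the list of campaign indicators an email's headers match."""
    reasons = []
    if headers.get("Subject", "").strip() == CAMPAIGN_SUBJECT:
        reasons.append("campaign subject")
    from_hdr = headers.get("From", "").lower()
    auth = headers.get("Authentication-Results", "").lower()
    # The post says the sender is spoofed; a failing SPF result for the linkedin.com
    # envelope domain is the check a mail gateway can make on its own.
    if SPOOFED_FROM in from_hdr and "spf=fail" in auth:
        reasons.append("spoofed linkedin sender failing SPF")
    return reasons


def md5_hex(data):
    """Hex MD5 of a byte string, for comparison against the published sample hash."""
    return hashlib.md5(data).hexdigest()


def md5_matches_dropper(data):
    """True if the bytes hash to the MD5 the post gives for the downloaded file."""
    return md5_hex(data) == DROPPER_MD5


if __name__ == "__main__":
    for client, reason, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client}\t{reason}\t{url}")
    print("email:", check_email(SAMPLE_EMAIL_HEADERS))
```

Run against the constructed log, the script attributes the landing page, the dropper download and the C2 beacon to the same client, which is the sequence a host compromised by this campaign would produce; the hash check is there for matching a quarantined download, not the proxy log.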
Posted on 01 October 2010. Tags: “LinkedIn, 9/30/2010”, emails, Lead, Malware, Messages, subject