After our first report earlier today of the YouSendIt abuse that leads to a malicious payload and a spam web site, MX Lab has now intercepted messages with the subject “You have received a file from fudgeupte7@randoripartners.com via YouSendIt.” and the attachment YouSendIt_reader.zip.
The sender address is spoofed, and the address quoted in the subject line changes along with the From address.
The body of the email:
Maryellen Meier has sent you the following via YouSendIt
File attached to this letter.
YouSendIt, Inc. | Privacy Policy
1919 S. Bascom Ave., Campbell, CA 95008
The message carries the attachment YouSendIt_reader.zip. Once extracted, it yields the 20 kB file YouSendIt_reader.exe.
The trojan is detected as Gen:Variant.Bredo.2 (BitDefender, F-Secure, GData) and TrojanDownloader:Win32/Waledac.C (Microsoft).
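As an added example (not MX Lab's own code or tooling): a Python triage routine that applies the traits described above to a raw message: the subject pattern, the address in the subject matching the From address, a sender outside the service's own domain, an executable inside the ZIP attachment, and the sample's MD5. The legitimate sender domain (yousendit.com), the size cap on archive members, and the lookalike .eml built inline are assumptions; the "exe" inside the constructed ZIP is filler bytes, not the malware.

```python
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Subject seen in this campaign; the address inside it varies per message.
SUBJECT_RE = re.compile(r"^You have received a file from (?P<addr>\S+@\S+) via YouSendIt\.?$")
LEGIT_SENDER_DOMAIN = "yousendit.com"                 # assumption: the real service's mail domain
KNOWN_BAD_MD5 = {"79be5ebc9659f2c4e2e85cdd3464720d"}  # hash given in the post
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".cmd", ".bat")
MAX_MEMBER_BYTES = 5 * 1024 * 1024                    # do not inflate larger members (zip-bomb guard)


def build_sample_eml() -> bytes:
    """Constructed lookalike of the lure. The 'exe' inside is inert filler, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("YouSendIt_reader.exe", b"MZ" + b"\x00" * 64)
    msg = EmailMessage()
    msg["From"] = "fudgeupte7@randoripartners.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "You have received a file from fudgeupte7@randoripartners.com via YouSendIt."
    msg.set_content("Maryellen Meier has sent you the following via YouSendIt\n"
                    "File attached to this letter.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="YouSendIt_reader.zip")
    return msg.as_bytes()


def inspect_zip(data: bytes) -> dict:
    """List archive members, flag executables and hash every member we are willing to inflate."""
    info = {"members": [], "executables": [], "md5": {}, "corrupt": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for zi in zf.infolist():
                info["members"].append(zi.filename)
                if zi.filename.lower().endswith(EXEC_EXT):
                    info["executables"].append(zi.filename)
                if zi.file_size <= MAX_MEMBER_BYTES:
                    info["md5"][zi.filename] = hashlib.md5(zf.read(zi)).hexdigest()
    except zipfile.BadZipFile:
        info["corrupt"] = True
    return info


def triage(raw: bytes) -> dict:
    """Score one raw RFC 822 message against the traits described in the post."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = " ".join(str(msg.get("Subject", "")).split())   # undo header folding
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    m = SUBJECT_RE.match(subject)

    result = {
        "subject_match": m is not None,
        # the post notes that the address in the subject follows the (spoofed) From
        "subject_addr_tracks_from": bool(m) and m.group("addr").lower() == from_addr,
        # the brand is named in the subject but the sender is not on its domain
        "spoofed_brand": "yousendit" in subject.lower()
        and not from_addr.endswith("@" + LEGIT_SENDER_DOMAIN),
        "attachments": [],
        "known_bad_hash": False,
    }
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        att = {"filename": part.get_filename() or "", "md5": hashlib.md5(data).hexdigest()}
        if att["filename"].lower().endswith(".zip"):
            att["zip"] = inspect_zip(data)
        result["attachments"].append(att)
        seen = {att["md5"]} | set(att.get("zip", {}).get("md5", {}).values())
        if seen & KNOWN_BAD_MD5:
            result["known_bad_hash"] = True

    exe_in_zip = any(a.get("zip", {}).get("executables") for a in result["attachments"])
    if result["known_bad_hash"] or (result["subject_match"] and exe_in_zip):
        result["verdict"] = "quarantine"
    elif result["spoofed_brand"] or exe_in_zip:
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "deliver"
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_eml()), indent=2))
```

The hash comparison is only a backstop: the post itself notes that most AV engines missed this sample, and a recompiled dropper gets a new hash, so the structural checks (brand in subject, foreign sender, executable inside a ZIP) are what actually catch the next variant.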
The following files are created:
%AppData%\1410506.exe
%Programs%\Security Tool.lnk
%Windir%\Temp\_ex-08.exe
New processes are created:
Process Name: 1410506.exe
Process Filename: %AppData%\1410506.exe
Process Name: _ex-08.exe
Process Filename: %Windir%\temp\_ex-08.exe
Process Name: 1410506.exe
Process Filename: %UserProfile%\LOCALS~1\APPLIC~1\1410506.exe
(LOCALS~1\APPLIC~1 is the 8.3 short form of Local Settings\Application Data, the local, non-roaming application data folder on Windows XP, so this path expands to a different folder than %AppData% above.)
Several Windows registry modifications are made to the infected system, and the trojan can establish a connection to the IPs 77.78.249.2 and 85.234.191.111 on port 80.
The trojan will also connect to the URL hxxp://77.78.249.2/cb_soft.php?q=a4867e4e00d394bf25ae3835341f22e3
At the time of writing, only 8 of the 42 AV engines at VirusTotal detected the threat. VirusTotal permalink and MD5: 79be5ebc9659f2c4e2e85cdd3464720d.
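The indicators listed above (dropped files, process images, the two IPs, the callback URL and the MD5) as a matcher over endpoint and proxy log lines, added here as an example and not part of MX Lab's post. The key=value log layout, the hostnames and the sample records are constructed; that the numeric dropper name (1410506.exe) and the q= value in the URL vary per sample is an assumption, so both are matched as patterns rather than literals.

```python
import re

# Network and hash indicators taken from the post
IOC_IPS = {"77.78.249.2", "85.234.191.111"}
IOC_MD5 = {"79be5ebc9659f2c4e2e85cdd3464720d"}
# Callback URL; the 32-hex q= value is assumed to vary per victim, so any value is matched
IOC_URL_RE = re.compile(r"^https?://77\.78\.249\.2/cb_soft\.php\?q=[0-9a-f]{32}$", re.I)
# Dropped files and process images. The numeric dropper name is assumed to vary, and the
# application data folder is matched in its XP, 8.3 and Vista+ spellings.
IOC_PATH_RES = [
    re.compile(r"\\(Application Data|APPLIC~1|AppData\\(Roaming|Local))\\\d{5,}\.exe$", re.I),
    re.compile(r"\\Temp\\_ex-08\.exe$", re.I),
    re.compile(r"\\Programs\\Security Tool\.lnk$", re.I),
    re.compile(r"\\YouSendIt_reader\.exe$", re.I),
]
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed endpoint and proxy records in a key=value layout; not real telemetry.
SAMPLE_LOGS = r"""
2010-08-06T10:12:02 host=WS17 event=file_hash path="C:\Documents and Settings\jdoe\Local Settings\Temp\YouSendIt_reader.exe" md5=79be5ebc9659f2c4e2e85cdd3464720d
2010-08-06T10:12:03 host=WS17 event=process_create image="C:\Documents and Settings\jdoe\Application Data\1410506.exe" parent="C:\Documents and Settings\jdoe\Local Settings\Temp\YouSendIt_reader.exe"
2010-08-06T10:12:04 host=WS17 event=process_create image="C:\WINDOWS\Temp\_ex-08.exe" parent="C:\Documents and Settings\jdoe\Application Data\1410506.exe"
2010-08-06T10:12:05 host=WS17 event=file_create path="C:\Documents and Settings\jdoe\Start Menu\Programs\Security Tool.lnk"
2010-08-06T10:12:06 host=WS17 event=net_connect dst=77.78.249.2 dport=80 image="C:\WINDOWS\Temp\_ex-08.exe"
2010-08-06T10:12:06 host=proxy01 client=10.0.0.17 method=GET url="http://77.78.249.2/cb_soft.php?q=a4867e4e00d394bf25ae3835341f22e3" status=200
2010-08-06T10:13:00 host=WS22 event=net_connect dst=93.184.216.34 dport=80 image="C:\Program Files\Internet Explorer\iexplore.exe"
2010-08-06T10:14:11 host=WS09 event=process_create image="C:\WINDOWS\system32\notepad.exe" parent="C:\WINDOWS\explorer.exe"
""".strip("\n")


def parse_record(line: str) -> dict:
    """key=value and key="quoted value" pairs; anything else (the timestamp) is ignored."""
    out = {}
    for m in FIELD_RE.finditer(line):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def classify(value: str) -> list:
    """Indicator classes a single field value matches (may be empty)."""
    kinds = []
    if value in IOC_IPS:
        kinds.append("ip")
    if IOC_URL_RE.match(value):
        kinds.append("url")
    if value.lower() in IOC_MD5:
        kinds.append("md5")
    if any(p.search(value) for p in IOC_PATH_RES):
        kinds.append("path")
    return kinds


def scan_logs(text: str) -> list:
    """One hit per (line, field, indicator class); the host comes from the record itself."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_record(line)
        for field, value in rec.items():
            for kind in classify(value):
                hits.append({"line": lineno, "host": rec.get("host", "?"),
                             "field": field, "ioc": kind, "value": value})
    return hits


def affected_hosts(hits: list) -> set:
    """Hosts that produced at least one hit; a proxy hit still needs its client= resolved."""
    return {h["host"] for h in hits}


if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOGS):
        print(f'line {h["line"]:>2} {h["host"]:<8} {h["ioc"]:<4} {h["field"]}={h["value"]}')
```

The path patterns are deliberately anchored on the folder and file name, not on the full user profile, so they match regardless of which user ran the attachment; a hit on the proxy record identifies the callback but the infected machine has to be looked up from the client address.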
Posted on 06 August 2010. Tags: Bredolab, contains, Messages, reader, Trojan, YouSendIt