MX Lab intercepts a new trojan variant in emails with the subject “Look my CV. Thank you! MyID NR4557547.”.
Possible subjects are:
Look my CV. Thank you! MyID NR4557547.
Please look my CV. Thank you! MyID NR0663460.
The number at the end of the subject is chosen randomly and the From address is spoofed.
The body of the email (reproduced verbatim, spelling errors included):
Good day.
I have figured out that you have an available job.
I am quiet intrested in it. So I send you my resume,
Looking forward to your reply.
Thank you.
The email carries the attachment resume098.zip; the extracted file resume.exe is 36 kB in size.
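The lure has three stable traits a mail gateway can key on: the subject shape (the MyID number changes per message, so it must be matched as a pattern, not a value), a .zip attachment, and an executable inside that zip. The following is an added example of such a rule, not MX Lab's filter code. The messages it builds are constructed test input, the "resume.exe" it zips is an inert placeholder rather than the real sample, and the only indicators taken from this post are the subject wording, the attachment name and the two MD5 hashes.

```python
"""Mail-gateway rule for the "Look my CV" lure.

Added example, not MX Lab's own filter. Sample messages are constructed;
the zipped resume.exe is a harmless placeholder, not the trojan, so it will
not match the published MD5s.
"""
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subject as seen in the campaign; the MyID number is random, so match its shape.
SUBJECT_RE = re.compile(r"^(?:Please )?look my CV\. Thank you! MyID NR\d+\.$", re.IGNORECASE)

# MD5s published in the post: first stage (resume.exe) and second stage (sepod.exe).
KNOWN_BAD_MD5 = {"0ae6a2d53e86b8784d45dd56afc5c6d7", "7a10c1118307e7cb4ecf97b40524a89c"}

EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
MAX_INNER_BYTES = 10 * 1024 * 1024  # refuse to inflate anything larger (zip-bomb guard)


def classify(raw: bytes) -> dict:
    """Return {"verdict": block|quarantine|deliver, "reasons": [...]} for one message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    lure = bool(SUBJECT_RE.match((msg["Subject"] or "").strip()))
    if lure:
        reasons.append("subject matches the CV-lure pattern")

    exe_in_zip = known_bad = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if not info.filename.lower().endswith(EXECUTABLE_EXT):
                        continue
                    exe_in_zip = True
                    reasons.append(f"{name} contains executable {info.filename}")
                    if info.file_size > MAX_INNER_BYTES:
                        reasons.append(f"{info.filename} too large to hash safely")
                        continue
                    digest = hashlib.md5(zf.read(info)).hexdigest()
                    if digest in KNOWN_BAD_MD5:
                        known_bad = True
                        reasons.append(f"{info.filename} MD5 {digest} is known bad")
        except zipfile.BadZipFile:
            reasons.append(f"{name} is not a valid zip archive")

    # Block on a hash hit, or when lure subject and zipped executable coincide;
    # either trait alone only earns quarantine, so a genuine zipped CV is not lost.
    if known_bad or (lure and exe_in_zip):
        verdict = "block"
    elif reasons:
        verdict = "quarantine"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": reasons}


def build_sample(subject: str, attach_zip: bool, inner_name: str = "resume.exe") -> bytes:
    """Constructed test message; the zipped file is a placeholder, not malware."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.com"  # spoofed in the real campaign
    msg["To"] = "hr@example.org"
    msg["Subject"] = subject
    msg.set_content("Good day.\nI have figured out that you have an available job.\n")
    if attach_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(inner_name, b"MZ placeholder, not the real sample")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="resume098.zip")
    return bytes(msg)


if __name__ == "__main__":
    for subj, z in [("Look my CV. Thank you! MyID NR4557547.", True),
                    ("Please look my CV. Thank you! MyID NR0663460.", True),
                    ("Re: your invoice", True),
                    ("Look my CV. Thank you! MyID NR1234567.", False)]:
        print(subj, "->", classify(build_sample(subj, z)))
```

The hash check is the weakest part of the rule: a repacked resume.exe changes the MD5, which is exactly why the subject pattern and the zipped-executable structure carry the decision here.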
The trojan is detected as W32/Heuristic-210!Eldorado (Authentium, F-Prot) or Backdoor.Bredolab (PCTools).
The following files are created:
%Temp%\1.tmp
%System%\fjof.sto
%Temp%\2.tmp
%Windir%\atapsrb.dll
The following module was loaded into the address space of other processes:
%Windir%\atapsrb.dll:
Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E70000 – 0x1E82000
%Windir%\atapsrb.dll:
Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0x1940000 – 0x1952000
%Windir%\atapsrb.dll:
Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0x10000000 – 0x10012000
Several Windows registry modifications are made, and the trojan attempts to connect to the following IPs on port 80:
195.78.109.6
212.78.71.81
95.211.98.246
Data is downloaded from the following hosts:
- hxxp://olgashelest.ru/babun/bb.php?v=200&id=603225387&b=6165430227&tm=1
- hxxp://olgashelest.ru/babun/bb.php?v=200&id=603225387&tid=4&b=6165430227&r=1&tm=1
- hxxp://www.scottishchefs.com/photogallery/Slideshows/SLteam2008/p7hg_img_1/fullsize/sepod.exe
At the time of writing, only 6 of the 41 AV engines at VirusTotal detect this threat. MD5: 0ae6a2d53e86b8784d45dd56afc5c6d7.
The downloaded file sepod.exe, 60 kB in size, is malware detected as W32/Hiloti.I.gen!Eldorado (F-Prot), Trojan.Win32.Hiloti (Ikarus) or Mal/Hiloti-D (Sophos).
13 of the 41 AV engines at VirusTotal detect this threat. MD5: 7a10c1118307e7cb4ecf97b40524a89c.
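The dropped files, the injected DLL with its host processes, the C2 addresses and the download URLs above are only worth something once they are matched against what the hosts and the proxy actually logged. The following is an added example of that matching, not MX Lab's own tooling. Indicators are copied from this post; the proxy-log layout, the sample log lines, the image-load events and the file-creation paths are constructed for the example, and reading “[generic host process]” as svchost.exe is an assumption.

```python
"""Match this post's host and network indicators against telemetry.

Added example, not MX Lab's code. Indicator values come from the post; the
proxy-log layout, sample lines and events are constructed. "[generic host
process]" is taken to mean svchost.exe (assumption).
"""
import re
from urllib.parse import urlsplit

DOWNLOAD_URLS = [  # as published, defanged
    "hxxp://olgashelest.ru/babun/bb.php?v=200&id=603225387&b=6165430227&tm=1",
    "hxxp://olgashelest.ru/babun/bb.php?v=200&id=603225387&tid=4&b=6165430227&r=1&tm=1",
    "hxxp://www.scottishchefs.com/photogallery/Slideshows/SLteam2008/p7hg_img_1/fullsize/sepod.exe",
]
C2_ENDPOINTS = {("195.78.109.6", 80), ("212.78.71.81", 80), ("95.211.98.246", 80)}
# 1.tmp / 2.tmp are left out: generic names that would fire on unrelated software.
DROPPED_FILES = {"fjof.sto", "atapsrb.dll"}
INJECTED_DLL = "atapsrb.dll"
INJECTION_TARGETS = {"explorer.exe", "iexplore.exe", "svchost.exe"}  # svchost assumed


def refang(url: str) -> str:
    """Turn the defanged hxxp:// scheme back into http:// so it can be parsed."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


# Compare on (host, path) only: the query string carries per-bot ids and varies.
BAD_HOST_PATHS = {(urlsplit(refang(u)).hostname.lower(), urlsplit(refang(u)).path)
                  for u in DOWNLOAD_URLS}
BAD_HOSTS = {h for h, _ in BAD_HOST_PATHS}

# Constructed proxy-log layout: "<ts> <client-ip> <dst-ip>:<port> <method> <url>"
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+)$")


def match_proxy_line(line: str):
    """Return ("c2"|"download"|"host", client, target) for one line, else None."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return None
    _ts, client, dst_ip, port, _method, url = m.groups()
    if (dst_ip, int(port)) in C2_ENDPOINTS:
        return ("c2", client, dst_ip)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if (host, parts.path) in BAD_HOST_PATHS:
        return ("download", client, host)
    if host in BAD_HOSTS:  # same host, other path: weaker signal, still worth a look
        return ("host", client, host)
    return None


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_image_load(event: dict):
    """Sysmon-style image-load event: atapsrb.dll mapped into a listed process."""
    if (basename(event.get("ImageLoaded", "")) == INJECTED_DLL
            and basename(event.get("Image", "")) in INJECTION_TARGETS):
        return ("injection", basename(event["Image"]))
    return None


def match_file_create(path: str):
    """File-creation telemetry: one of the dropped file names."""
    name = basename(path)
    return ("dropped", name) if name in DROPPED_FILES else None


def scan(proxy_lines, image_loads, file_creates):
    hits = [h for h in map(match_proxy_line, proxy_lines) if h]
    hits += [h for h in map(match_image_load, image_loads) if h]
    hits += [h for h in map(match_file_create, file_creates) if h]
    return hits


# Constructed samples; 203.0.113.0/24 is documentation address space.
SAMPLE_PROXY = [
    "2010-06-15T10:01:02Z 10.0.0.12 195.78.109.6:80 GET http://195.78.109.6/",
    "2010-06-15T10:01:05Z 10.0.0.12 203.0.113.5:80 GET http://olgashelest.ru/babun/bb.php?v=200&id=999&b=1&tm=1",
    "2010-06-15T10:01:09Z 10.0.0.12 203.0.113.6:80 GET http://www.scottishchefs.com/photogallery/Slideshows/SLteam2008/p7hg_img_1/fullsize/sepod.exe",
    "2010-06-15T10:02:00Z 10.0.0.40 203.0.113.7:443 CONNECT https://www.example.com/",
]
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Windows\atapsrb.dll"},
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe", "ImageLoaded": r"C:\Windows\atapsrb.dll"},
    {"Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
]
SAMPLE_FILE_CREATES = [r"C:\Windows\System32\fjof.sto", r"C:\Users\x\Desktop\notes.txt"]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PROXY, SAMPLE_IMAGE_LOADS, SAMPLE_FILE_CREATES):
        print(hit)
```

The second sample line uses a different id in the query string on purpose: the bb.php request is identified by host and path, since the id and b parameters change per infected machine.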
Posted on 15 June 2010.