MX Lab intercepted messages with the subject “Statement of fees 2009/2010” that contain the Sasfis trojan attached in a ZIP archive. The email is sent from various spoofed email addresses, which change randomly.
Body of the email:
Please find attached a statement of fees as requested, this will be posted today.
The accommodation is dealt with by another section and I have passed your request on to them today.
Kind regards.
Ramon Roberson
The attached ZIP archive has the name Statement_of_fees_2009_2010.zip and the extracted file has the name Statement_of_fees_2009_2010__[manyunderscores]_doc.exe. The large number of underscores makes it harder to see that this file is in fact an executable.
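As an added illustration that is not part of the MX Lab post: a small Python check that inspects the entry names inside a ZIP attachment and flags the padding trick described above (a long run of underscores or spaces before a document-looking token and a real executable extension). The sample archive, its entry name and the filler length are constructed here and stand in for the real sample.

```python
import io
import re
import zipfile

# Executable extensions that should not arrive inside a mailed "document" archive.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOC_TOKENS = ("docx", "doc", "pdf", "xls", "txt", "rtf")
# A document-looking token preceded by a run of filler characters (underscores or
# spaces) that pushes the real extension out of view in a mail client listing.
PADDED_DOC_RE = re.compile(r"[_ ]{5,}(" + "|".join(DOC_TOKENS) + r")\.\w+$", re.IGNORECASE)


def classify_name(name: str) -> list[str]:
    """Return the reasons an archive entry name looks like a disguised executable."""
    reasons = []
    lower = name.lower()
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        if PADDED_DOC_RE.search(lower):
            reasons.append("document token padded with filler before real extension")
    return reasons


def scan_zip_attachment(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious entry of a ZIP attachment to its reasons; empty when clean."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip(entry_name: str) -> bytes:
    """Constructed sample: a ZIP holding one harmless dummy entry with the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, b"not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed name in the shape of the attachment described in the post.
    padded = "Statement_of_fees_2009_2010" + "_" * 60 + "doc.exe"
    print(scan_zip_attachment(build_sample_zip(padded)))
    print(scan_zip_attachment(build_sample_zip("Statement_of_fees_2009_2010.doc")))
```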
The following files will be created:
%Temp%\1.tmp
%System%\thxr.wgo
%Temp%\2.tmp
The registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid” is created.
The registry key “[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]” will be modified.
The trojan can establish a remote connection with the IP addresses 174.120.228.122 and 193.105.174.108 on port 80 and retrieve data from:
* hxxp://www.brightspottech.com/loader_40.exe
* hxxp://hulejsoops.ru/images/bb.php?v=200&id=256235564&b=build001&tm=2
At the time of writing, only 10 of the 40 AV engines detected the trojan. VirusTotal permalink and MD5: b5e6830bb7836f776d5629291cc961a1
Posted on 04 May 2010. Tags: 2009/2010, emails, fees, PAcked vmprotect aaa, present, Sasfis, Statement, subject, Trojan, VMProtect AAA, vmprotect aaa trojan, win32/packed VMProtect AAA, Win32/Packed VMProtect AAA trojan