Spammed zipped Trojans (Sep 4, 2008)

The SonicWALL UTM Research Team has observed multiple Trojan spam runs over the past week, starting August 27, 2008 and spanning the Labor Day weekend. The element common to all of these spam runs is that the Trojan arrives by e-mail inside a zipped archive attachment.

Summary:

  • Western Union MTCN spam
  • Online Flight Ticket spam
  • Airmail Express delivery failure spam
  • Fedex Tracking number spam

Western Union MTCN spam

This spam wave started on August 27, 2008 and continued for 2 days. The e-mail contains a fake message claiming that your Western Union money transfer has been halted or bounced. The e-mails look like the following:

Attachment:

  • RN67761263.zip (contains file RN67761263.exe)
  • In776162.zip (contains file In776162.exe)

Subjects: Western Union MTCN #<10 digit Number>

Message Body:
——————
Hello!

Attention! The wire sent to Maksim Zverev, Moscow, Russia has been blocked by our security service.

Your credit card issuing bank has halted the transaction by the demand of the Federal Criminal Investigation Service (case No. <5 digit number> since the recipient has been undergoing the international retrieval by the InterPol.

Please contact the closest Western Union office and make sure you have your ID card, the credit card that was used for making the payment, and the invoice file with you.

(The invoice file is attached to this message; please print it out and hand it to our agent.)

You can find the address of the closest Western Union agent on our website at http://www.westernunion.com

Thank you!
——————

SonicWALL detection for these Trojans:

  • GAV: Zbot.EJX (Trojan) [Hits recorded: 851]
  • GAV: ZBot.EJW (Trojan) [Hits recorded: 4,210]

Online Flight Ticket spam

The first wave of this spam was seen on August 28, 2008 and lasted just 1 day. A second wave of the same campaign, using a different attachment name, started on Labor Day and continued until September 2, 2008. The e-mail pretends to contain an online flight ticket invoice. The e-mails look like the following:

Attachment:

  • eTicket_N832.zip (contains file eTicket_N832.exe)
  • e-Ticket_S737.zip (contains file e-Ticket_S737.exe)

Subjects: Your Online Flight Ticket N <5 digit number>

Message Body:
——————
Dear customers, Thank you for using our new service “Buy airplane ticket Online” on our website. Your account has been created:

Your login: Your password: pass<4 random characters>

Your credit card has been charged for $6XX.XX. [where X can be 0-9] We would like to remind you that whenever you order tickets on our website you get a discount of 10%! Attached to this message is the purchase Invoice and the flight ticket. To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards, Virgin America
——————

SonicWALL detection for these Trojans:

  • GAV: AutoRun.WK (Worm) [Hits recorded: 7,892]
  • GAV: Emold.A_2 (Trojan) [Hits recorded: 107,996]

Airmail Express delivery failure spam

The first wave of this spam was seen on August 28, 2008 and lasted for 2 days. A second wave of the same campaign, using different attachment names, started on Labor Day and continued until September 3, 2008. The e-mail contains a fake message claiming that a postal package you sent could not be delivered, and asks you to print out the attached copy of the invoice. The e-mails look like the following:

Attachment:

  • AIRMAIL#7661224.zip (contains file AIRMAIL#7661224.exe)
  • AIRMAIL_76612.zip (contains file AIRMAIL_76612.exe)
  • #876712.zip (contains file #876712.exe)
  • 5322412.zip (contains file 5322412.exe)

Subjects:

  • AIRMAIL EXPRESS $_ < random number >
  • Airmail Tracking number #<7 digit random number>

Message Body:
——————
Unfortunately we were not able to deliver postal package you sent on August the 1st in time because the recipients address is not correct. Please print out the invoice copy attached and collect the package at our office

AIRMAIL EXPRESS
——————

SonicWALL detection for these Trojans:

  • GAV: Zbot.AIR (Trojan) [Hits recorded: 198,947]
  • GAV: Zbot.EKQ (Trojan) [Hits recorded: 38]
  • GAV: Zbot.EMQ (Trojan) [Hits recorded: 266]
  • GAV: Zbot.EOD (Trojan) [Hits recorded: 4068]
  • GAV: Zbot.ENM (Trojan) [Hits recorded: 34,337]

Fedex Tracking number spam

This spam started on Labor Day and continued until September 2, 2008. The e-mail contains a fake message claiming that a postal package you sent could not be delivered, and asks you to print out the attached copy of the invoice. The e-mails look like the following:

Attachment: TR87190-18721.doc.zip (contains file TR87190-18721.doc.exe)

Subjects: Tracking N <10 digit random number>

Message Body:
——————
Unfortunately we were not able to deliver postal package you sent on July the 25 in time because the recipients address is not correct. Please print out the invoice copy attached and collect the package at our office.

Your FEDEX www.fedex.com
——————

SonicWALL detection for these Trojans: GAV: Agent.ACCI (Trojan) [Hits recorded: 895]
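A gateway-side check for the element shared by all four campaigns above (a zip attachment whose member is a Windows executable, including the .doc.exe double extension used in the Fedex run), written as an added example that is not part of the original advisory and is not SonicWALL's GAV signature logic. The subject regexes approximate the subject shapes quoted in each section; the e-mail and the zip are constructed inline, with harmless placeholder bytes in place of the executable, so the script runs offline.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Extensions that should never arrive inside a mailed zip at a gateway
# (Windows executables and scripts). The 2008 runs all used plain .exe.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Document-like extensions abused as the middle part of a double extension
# (invoice.doc.exe shows as "invoice.doc" when Windows hides known extensions).
DECOY_EXTS = {".doc", ".pdf", ".txt", ".xls", ".jpg"}

# Approximations of the subject shapes quoted in the four campaigns above.
SUBJECT_PATTERNS = [
    re.compile(r"^Western Union MTCN #\d{10}$"),
    re.compile(r"^Your Online Flight Ticket N \d{5}$"),
    re.compile(r"^AIRMAIL EXPRESS \$_ \d+$"),
    re.compile(r"^Airmail Tracking number #\d{7}$"),
    re.compile(r"^Tracking N \d{10}$"),
]


def classify_member(name):
    """Return the reasons a zip member name is suspicious, or [] if none."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable inside archive: %s" % name)
        if len(parts) > 2 and "." + parts[-2] in DECOY_EXTS:
            reasons.append("double extension disguises executable as document: %s" % name)
    return reasons


def scan_message(raw):
    """Parse an RFC 822 message and return the reasons to quarantine it."""
    msg = email.message_from_bytes(raw)
    reasons = []
    subject = msg.get("Subject", "")
    for pat in SUBJECT_PATTERNS:
        if pat.match(subject):
            reasons.append("subject matches known campaign: %r" % subject)
            break
    for part in msg.walk():
        filename = part.get_filename()
        if not filename or not filename.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True)
        try:
            # Inspect the archive listing only; nothing is extracted or run.
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    reasons.extend(classify_member(info.filename))
        except zipfile.BadZipFile:
            reasons.append("attachment %s is not a valid zip" % filename)
    return reasons


def build_sample(subject, zip_name, member_name):
    """Construct a test message whose zip carries a harmless stub named like the lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder, not a program")  # constructed bytes
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"   # constructed sender
    msg["To"] = "user@example.invalid"        # constructed recipient
    msg["Subject"] = subject
    msg.set_content("Please print out the invoice copy attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample("Tracking N 1234567890",
                       "TR87190-18721.doc.zip", "TR87190-18721.doc.exe")
    for reason in scan_message(raw):
        print(reason)
```

The check deliberately reads only the archive directory, so it costs one zip header parse per attachment and never executes or extracts anything; in a real gateway it would run before the antivirus engine, catching renamed samples that have not yet received a signature such as the GAV names listed above.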
