AL-2007.0033 -- [Win] -- "Your new password" and "Hot Australian News" trojan emails

Date: 13 March 2007
References: AL-2007.0026

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2007.0033 -- AUSCERT ALERT
                                   [Win]
        "Your new password" and "Hot Australian News" trojan emails
                               13 March 2007

===========================================================================

        AusCERT Alert Summary
        ---------------------

Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
Member content until: Tuesday, April 10 2007

Ref:                  AL-2007.0026

Comment: Please note, some words have had characters replaced with '*' to avoid
         email filtering.

OVERVIEW:

	AusCERT has observed recent email activity containing malicious
	links.  One of these emails is very similar in form to the "Prime
	Minister heart attack" email described in AL-2007.0026 [1], but now
	carries the subject line "Hot Australian News".  The other has the
	subject "Your new password" and is a fraudulent credit card receipt
	purporting to come from a p*rn*graphic website.


IMPACT:

	A user visiting the links contained in these emails is potentially 
	vulnerable to infection from a credential stealing program.  Initial 
	analysis indicates that this malware uses rootkit-style stealthing
	to hide itself on the system.


MITIGATION:

	Users should avoid clicking on any links in email, unless the email
	was already expected.  Unsolicited email should always be treated
	with suspicion.  Additional countermeasures for protecting Windows
	systems can be found on the AusCERT web site [2].

	Block the following URLs at your perimeter (changed to avoid 
	accidental clicking):

	hxxp: // tiancha. co.kr
	hxxp: // bluerain. co.kr
	hxxp: // 81.95. 151.43
	hxxp: // 58.65. 239.106/ au/ci/

	If the latter two URLs appear in your access logs, this gives a strong
	indication of infection on your network.
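As an added example (not part of the AusCERT alert and not AusCERT tooling), the following Python script refangs the four indicators exactly as the alert prints them and runs them over a few constructed proxy access-log lines, reporting which clients contacted the two URLs the alert treats as a strong indication of infection, which only fetched a lure link, and which touched an indicator host on a path the alert did not list. The log format, client addresses and request paths are constructed for the demonstration; only the indicator strings come from the alert.

```python
"""Check proxy access logs for the indicators in AL-2007.0033.

Added example, not AusCERT code.  The four indicator strings are copied
from the alert in its defanged form; the log format and the log lines
are constructed for this demonstration.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators exactly as the alert prints them (spaces and "hxxp" inserted
# to prevent accidental clicking).
ALERT_INDICATORS = [
    "hxxp: // tiancha. co.kr",
    "hxxp: // bluerain. co.kr",
    "hxxp: // 81.95. 151.43",
    "hxxp: // 58.65. 239.106/ au/ci/",
]

# The alert treats hits on the last two as a strong indication of infection;
# the first two are the lure links carried in the emails.
HIGH_CONFIDENCE = {"81.95.151.43", "58.65.239.106"}

# Constructed log format: "<epoch> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def refang(indicator: str) -> Tuple[str, str]:
    """Undo the alert's defanging and return (host, path_prefix).

    path_prefix is "" when the alert listed only a host.
    """
    url = indicator.replace(" ", "").replace("hxxp", "http", 1)
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path


INDICATORS = [refang(i) for i in ALERT_INDICATORS]


def classify(url: str) -> Optional[str]:
    """Return "infection", "lure", "host-only" or None for one requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # .hostname drops any :port
    for ind_host, prefix in INDICATORS:
        if host != ind_host:
            continue
        if parts.path.startswith(prefix):
            return "infection" if ind_host in HIGH_CONFIDENCE else "lure"
        # Same host but not the listed path: not the indicator itself,
        # still worth an analyst's look.
        return "host-only"
    return None


def scan_log(lines: List[str]) -> Dict[str, object]:
    """Scan log lines; return the hits, the clients to treat as infected,
    and a count of lines the parser could not read."""
    hits: List[Tuple[str, str, str]] = []
    infected = set()
    unparsed = 0
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if m is None:
            unparsed += 1
            continue
        verdict = classify(m["url"])
        if verdict is None:
            continue
        hits.append((m["client"], verdict, m["url"]))
        if verdict == "infection":
            infected.add(m["client"])
    return {"hits": hits, "infected_clients": sorted(infected), "unparsed": unparsed}


# Constructed sample log; client addresses are from the documentation range.
SAMPLE_LOG = """\
1173675001 192.0.2.17 GET http://www.example.com/index.html 200
1173675044 192.0.2.17 GET http://tiancha.co.kr/ 200
1173675050 192.0.2.17 GET http://81.95.151.43/ 200
1173675300 192.0.2.17 POST http://58.65.239.106/au/ci/ 200
1173675400 192.0.2.45 GET http://58.65.239.106/other/ 404
1173675500 192.0.2.88 GET http://BLUERAIN.CO.KR:80/news 200
this line is not in the expected format
"""

if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG.splitlines())
    for client, verdict, url in result["hits"]:
        print(f"{verdict:10} {client:12} {url}")
    print("treat as infected:", ", ".join(result["infected_clients"]))
    print("unparsed lines:", result["unparsed"])
```

Matching is done on the parsed host rather than by substring search so that a differently cased host or an explicit port still matches, and a host-only hit on the listed IP addresses is reported separately instead of being silently dropped or promoted to an infection verdict.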


DETAILS:

	The text of the "Hot Australian News" email is as per AL-2007.0026,
	with the listed date now "March 11, 2007 08:56pm (AEDT)".

	The text of the "Your new password" email is:

	--------- SAMPLE EMAIL --------

	Subject:	Your new password
	From:		Z P*rnstars Support <[name]@zp*rnstars.us>

	Dear Louise,
	Thank you for your subscription to Z P*rnstars.
	Your subscription number is 0107006601000011329
	Please include your subscription number in all correspondence.

	URL: [1]http://www.zp*rnstars.com/members/
	Your username is: Mileref
	Your password is: gere446

	You have been billed as CCBILL Ltd. for the amount of $9.95 for 5 days
	(trial) then $39.95 recurring every 30 days.
	If you selected an automatically rebilled option your subscription will
	automatically be renewed for your convenience until you cancel.

	References

	1. hxxp://tiancha. co.kr/

	--------- END SAMPLE ---------

	Anti-virus detection results according to virustotal.com on the
	afternoon of 12 March 2007 were:

	update.exe, initial infector:

	AntiVir             7.3.1.41        03.11.2007  TR/Dldr.Zlob.bpw
	Authentium          4.93.8          03.09.2007  no virus found
	Avast               4.7.936.0       03.11.2007  no virus found
	AVG                 7.5.0.447       03.11.2007  no virus found
	BitDefender         7.2             03.12.2007  Trojan.Zlob.AP
	CAT-QuickHeal       9.00            03.10.2007  no virus found
	ClamAV              devel-20060426  03.12.2007  no virus found
	DrWeb               4.33            03.11.2007  no virus found
	eSafe               7.0.14.0        03.11.2007  no virus found
	eTrust-Vet          30.6.3471       03.12.2007  no virus found
	Ewido               4.0             03.11.2007  no virus found
	FileAdvisor         1               03.12.2007  no virus found
	Fortinet            2.85.0.0        03.12.2007  W32/Zlob.BPW!tr.dldr
	F-Prot              4.3.1.45        03.09.2007  no virus found
	F-Secure            6.70.13030.0    03.11.2007  Trojan-Downloader.Win32.Zlob.bpw
	Ikarus              T3.1.1.3        03.11.2007  no virus found
	Kaspersky           4.0.2.24        03.12.2007  Trojan-Downloader.Win32.Zlob.bpw
	McAfee              4981            03.09.2007  no virus found
	Microsoft           1.2306          03.12.2007  TrojanDownloader:Win32/Agent.XC
	NOD32v2             2107            03.11.2007  no virus found
	Norman              5.80.02         03.10.2007  W32/Malware.LDH
	Panda               9.0.0.4         03.12.2007  no virus found
	Prevx1              V2              03.12.2007  PSW.Generic
	Sophos              4.15.0          03.10.2007  Mal/Clagger-B
	Sunbelt             2.2.907.0       03.10.2007  no virus found
	Symantec            10              03.12.2007  no virus found
	TheHacker           6.1.6.074       03.12.2007  no virus found
	UNA                 1.83            03.11.2007  no virus found
	VBA32               3.11.2          03.10.2007  no virus found
	VirusBuster         4.3.19:9        03.11.2007  no virus found

	our_au.exe, secondary infection:

	AntiVir             7.3.1.41        03.11.2007  HEUR/Malware
	Authentium          4.93.8          03.09.2007  could be infected with an unknown virus
	Avast               4.7.936.0       03.11.2007  Win32:Small-EDW
	AVG                 7.5.0.447       03.11.2007  PSW.Generic3.NTB
	BitDefender         7.2             03.12.2007  Trojan.PWS.Pinch.A
	CAT-QuickHeal       9.00            03.10.2007  (Suspicious) - DNAScan
	ClamAV              devel-20060426  03.12.2007  no virus found
	DrWeb               4.33            03.11.2007  Trojan.Packed.49
	eSafe               7.0.14.0        03.11.2007  Win32.Polipos.sus
	eTrust-Vet          30.6.3471       03.12.2007  no virus found
	Ewido               4.0             03.11.2007  no virus found
	FileAdvisor         1               03.12.2007  no virus found
	Fortinet            2.85.0.0        03.12.2007  suspicious
	F-Prot              4.3.1.45        03.09.2007  no virus found
	F-Secure            6.70.13030.0    03.11.2007  Trojan-PSW.Win32.Small.bs
	Ikarus              T3.1.1.3        03.11.2007  Trojan-Downloader.Win32.Zlob.and
	Kaspersky           4.0.2.24        03.12.2007  Trojan-PSW.Win32.Small.bs
	McAfee              4981            03.09.2007  New Malware.aj
	Microsoft           1.2306          03.12.2007  PWS:Win32/Agent.BC
	NOD32v2             2107            03.11.2007  a variant of Win32/PSW.Small.NAF
	Norman              5.80.02         03.10.2007  W32/Suspicious_U.gen
	Panda               9.0.0.4         03.12.2007  Suspicious file
	Prevx1              V2              03.12.2007  Malware.Trojan.Backdoor.Gen
	Sophos              4.15.0          03.10.2007  Mal/Behav-027
	Sunbelt             2.2.907.0       03.10.2007  VIPRE.Suspicious
	Symantec            10              03.12.2007  no virus found
	TheHacker           6.1.6.074       03.12.2007  no virus found
	UNA                 1.83            03.11.2007  Win32.virus
	VBA32               3.11.2          03.10.2007  MalwareScope.Trojan-PSW.Pinch.1
	VirusBuster         4.3.19:9        03.11.2007  Packed/Upack


REFERENCES:

	[1] "Prime Minister heart attack" trojan
	    http://www.auscert.org.au/7314
	[2] Protecting your computer from malicious code
	    http://www.auscert.org.au/3352



AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRfX6Lyh9+71yA2DNAQKb+QP+PsxxpEFyffo9zmA0e2Pntw+Rer7QZmDQ
pavwQg+rYVjevL4mtKrKmZ0qSSluuLrCQhWvd9sxJU+tX2OyCNHXbVtfpcHzdj+k
r3gayE+agoFe/crYvMkRDdpuFLRt5EITnYIUlCiO17Bq2O0z5kSznZQrWqvwXs5m
2Depf178epA=
=vBY2
-----END PGP SIGNATURE-----