Date: 03 November 2009
===========================================================================
AUSCERT Security Bulletin
ASB-2009.1120
Fake Comcover emails claiming "Nonrefundable loan" contain
malicious attachments
4 November 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Fake Comcover Emails Contain Malicious Attachments
Operating System: Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution: Mitigation
Member content until: Friday, December 4 2009
OVERVIEW
AusCERT has received reports of, and has itself observed, malicious
emails currently in circulation that pretend to be from Comcover. The
malicious attachments currently have a very low detection rate among
anti-virus products.
IMPACT
AusCERT is in the process of analysing this trojan and has some limited
information at this time.
The document "support-form.doc" attached to the email contains an
embedded executable which attempts to contact a remote host.
Sophos has identified the attachment as Troj/Bifrose-ZB and has made the
following statements regarding its impact:
"Troj/Bifrose-ZB attempts to connect to external websites, and may
cause Internet Explorer to crash. If BOPS is enabled, Buffer Overflow
warnings will be triggered.
Members of the Bifrose family typically create a backdoor on an
infected computer, allowing an attacker to connect to the computer
from the Internet." [1]
At time of writing only a very limited number of anti-virus products
detect the attachment as malicious. System administrators may wish to
check VirusTotal results to see if their anti-virus products detect
this threat. [2]
DETAILS
All of the reported and received emails to date have followed the
same format.
--- BEGIN EMAIL SAMPLE ---
From: "Comcover Gov" comcover@comcover.com.au
Subject: Nonrefundable loan approved for your company!
Dear Sir,
Comcover - Insurance Solutions, Risk Management Strategies from the
Better Australian Government Business, is contacting you to inform
you that you qualify for the $50,000.00 economical crisis support
for Australian privately-owned firms.
We are providing this support to help the economy grow and avoid
economic shrinking.
You do not need to pay anything upfront to receive the support
funds. This is a nonreturnable loan that we are glad we can provide
at this difficult time to you.
Please download and complete the form attached with the requested
information and send it back to us by FAX at 29700879 and in maximum
3 working days we will contact you with the details you need to
receive the support loan.
We are waiting for the completed form to be sent to us as soon as
possible.
Thank you, The Australian Government - Comcover - Insurance
Solutions, Risk Management Strategies
--- END EMAIL SAMPLE ---
The attached file details:
File name: support-form.doc
MD5: 0aa09fd39fa6de972075c815333da9a4
SHA1: a6017cfa6abbefbb5211e9d2abf833fb66d06c0b
The analysis AusCERT has performed so far indicates that it connects
to 190.120.238.32 on port 80, but the traffic it sends is not a
standard HTTP request.
The binary will copy itself as regscr32.exe to the system directory
(e.g. C:\WINDOWS\system32\). It will also create the following
registry keys to point to this binary:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server Registry
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Server Registry
An additional key is created:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}\stubpath
This key calls the executable with an "s" option.
The dropped executable regscr32.exe has the following checksums:
MD5: e3f5a94e6431ad844724977ba391c0b7
SHA1: 12297a506ec58f6ef4c12b9337bdd70662e17c91
Analysis indicates that users running in a standard user or limited
user mode will likely be unaffected by this executable as it fails
to execute correctly.
System administrators may wish to consider monitoring their proxy
logs for access to this IP, or blocking it completely.
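As an added example (not part of the AusCERT bulletin), the following Python script turns the indicators above into two checks a defender can run: matching a file's MD5/SHA1 against the bulletin's hashes, and scanning proxy logs for connections to the listed IP. It assumes Squid's native access.log layout, which the bulletin does not specify, and the log lines it processes are constructed samples.

```python
import hashlib
import re

# Indicators from the bulletin above: file hashes and the contacted IP.
KNOWN_HASHES = {
    "support-form.doc": ("0aa09fd39fa6de972075c815333da9a4",
                         "a6017cfa6abbefbb5211e9d2abf833fb66d06c0b"),
    "regscr32.exe": ("e3f5a94e6431ad844724977ba391c0b7",
                     "12297a506ec58f6ef4c12b9337bdd70662e17c91"),
}
C2_IP = "190.120.238.32"

def match_hashes(md5_hex, sha1_hex):
    """Return the bulletin file name whose MD5 and SHA1 both match, else None."""
    for name, (md5, sha1) in KNOWN_HASHES.items():
        if md5_hex.lower() == md5 and sha1_hex.lower() == sha1:
            return name
    return None

def match_file_bytes(data):
    """Hash a file's contents and look it up against the bulletin's indicators."""
    return match_hashes(hashlib.md5(data).hexdigest(),
                        hashlib.sha1(data).hexdigest())

# Squid "native" access.log fields: time elapsed client code/status bytes method URL ...
# (assumed log format; the bulletin does not name a proxy product)
SQUID_LINE = re.compile(r"^(\d+\.\d+)\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+(\S+)\s+(\S+)")

def find_c2_hits(log_lines):
    """Return every proxy log entry whose URL or CONNECT target is the bulletin's IP.
    The trojan's traffic is not normal HTTP, so hits may appear as CONNECT
    attempts or error statuses rather than clean GETs; match on the IP only."""
    hits = []
    for line in log_lines:
        m = SQUID_LINE.match(line)
        if not m:
            continue
        ts, client, status, method, url = m.groups()
        if C2_IP in url:
            hits.append({"time": float(ts), "client": client,
                         "status": status, "method": method})
    return hits

# Constructed sample log lines (not real traffic); two entries reach the IP.
SAMPLE_LOG = [
    "1257295756.123    45 10.1.2.34 TCP_MISS/200 512 GET http://190.120.238.32/ - DIRECT/190.120.238.32 application/octet-stream",
    "1257295757.001    12 10.1.2.35 TCP_HIT/200 2048 GET http://www.example.com/index.html - NONE/- text/html",
    "1257295760.500   300 10.1.2.34 TCP_MISS/503 0 CONNECT 190.120.238.32:80 - DIRECT/190.120.238.32 -",
]

if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG):
        print("client %(client)s -> %(method)s %(status)s at %(time)s" % hit)
```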
AusCERT will be looking to update this advisory with more
information as it becomes available.
REFERENCES
[1] Sophos - Troj/Bifrose-ZB
http://www.sophos.com/security/analyses/viruses-and-spyware/trojbifrosezb.html
[2] VirusTotal results for support-form.doc
http://www.virustotal.com/analisis/87165035a4e4395700580d2c3e66824e30e6e210c9fb5062d61b9360de48f77c-1257295756
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================