AL-2007.0033 -- [Win] -- "Your new password" and "Hot Australian News" trojan emails
Date: 13 March 2007
References: AL-2007.0026
===========================================================================
             A U S C E R T   A L E R T

                       AL-2007.0033 -- AUSCERT ALERT
     [Win] "Your new password" and "Hot Australian News" trojan emails
                              13 March 2007
===========================================================================

AusCERT Alert Summary
---------------------

Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
Member content until: Tuesday, April 10 2007
Ref:                  AL-2007.0026

Comment: Please note, some words have had characters replaced with '*' to
         avoid email filtering.

OVERVIEW:

AusCERT has observed recent email activity containing malicious links.
One of these emails is very similar in form to the "Prime Minister heart
attack" described in AL-2007.0026 [1], but now contains a subject line of
"Hot Australian News". The other contains a subject of "Your new password",
and is a fraudulent credit card receipt appearing to be from a
p*rn*graphic website.

IMPACT:

A user visiting the links contained in these emails is potentially
vulnerable to infection from a credential stealing program. Initial
analysis indicates that this malware uses rootkit-style stealthing to hide
itself on the system.

MITIGATION:

Users should avoid clicking on any links in email, unless the email was
already expected. Unsolicited e-mail should always be treated with
suspicion.

Additional countermeasures for protecting Windows systems can be found on
the AusCERT web site [2].

Block the following URLs at your perimeter (changed to avoid accidental
clicking):

    hxxp: // tiancha. co.kr
    hxxp: // bluerain. co.kr
    hxxp: // 81.95. 151.43
    hxxp: // 58.65. 239.106/ au/ci/

If the latter two URLs appear in your access logs, this gives a strong
indication of infection on your network.

DETAILS:

The text of the "Hot Australian News" email is as per AL-2007.0026, with
the listed date now "March 11, 2007 08:56pm (AEDT)".

The text of the "Your new password" email is:

--------- SAMPLE EMAIL --------

Subject: Your new password
From: Z P*rnstars Support <[name]@zp*rnstars.us>

Dear Louise,

Thank you for your subscription to Z P*rnstars.

Your subscription number is 0107006601000011329

Please include your subscription number in all correspondence.

URL: [1]http://www.zp*rnstars.com/members/

Your username is: Mileref
Your password is: gere446

You have been billed as CCBILL Ltd. for the amount of $9.95 for 5 days
(trial) then $39.95 recurring every 30 days.

If you selected an automatically rebilled option your subscription will
automatically be renewed for your convenience until you cancel.

References

1. hxxp://tiancha. co.kr/

--------- END SAMPLE ---------

Anti-virus detection results according to virustotal.com on the afternoon
of 12 March 2007 were:

update.exe, initial infector:

Engine         Version         Signatures   Result
AntiVir        7.3.1.41        03.11.2007   TR/Dldr.Zlob.bpw
Authentium     4.93.8          03.09.2007   no virus found
Avast          4.7.936.0       03.11.2007   no virus found
AVG            7.5.0.447       03.11.2007   no virus found
BitDefender    7.2             03.12.2007   Trojan.Zlob.AP
CAT-QuickHeal  9.00            03.10.2007   no virus found
ClamAV         devel-20060426  03.12.2007   no virus found
DrWeb          4.33            03.11.2007   no virus found
eSafe          7.0.14.0        03.11.2007   no virus found
eTrust-Vet     30.6.3471       03.12.2007   no virus found
Ewido          4.0             03.11.2007   no virus found
FileAdvisor    1               03.12.2007   no virus found
Fortinet       2.85.0.0        03.12.2007   W32/Zlob.BPW!tr.dldr
F-Prot         4.3.1.45        03.09.2007   no virus found
F-Secure       6.70.13030.0    03.11.2007   Trojan-Downloader.Win32.Zlob.bpw
Ikarus         T3.1.1.3        03.11.2007   no virus found
Kaspersky      4.0.2.24        03.12.2007   Trojan-Downloader.Win32.Zlob.bpw
McAfee         4981            03.09.2007   no virus found
Microsoft      1.2306          03.12.2007   TrojanDownloader:Win32/Agent.XC
NOD32v2        2107            03.11.2007   no virus found
Norman         5.80.02         03.10.2007   W32/Malware.LDH
Panda          9.0.0.4         03.12.2007   no virus found
Prevx1         V2              03.12.2007   PSW.Generic
Sophos         4.15.0          03.10.2007   Mal/Clagger-B
Sunbelt        2.2.907.0       03.10.2007   no virus found
Symantec       10              03.12.2007   no virus found
TheHacker      6.1.6.074       03.12.2007   no virus found
UNA            1.83            03.11.2007   no virus found
VBA32          3.11.2          03.10.2007   no virus found
VirusBuster    4.3.19:9        03.11.2007   no virus found

our_au.exe, secondary infection:

Engine         Version         Signatures   Result
AntiVir        7.3.1.41        03.11.2007   HEUR/Malware
Authentium     4.93.8          03.09.2007   could be infected with an unknown virus
Avast          4.7.936.0       03.11.2007   Win32:Small-EDW
AVG            7.5.0.447       03.11.2007   PSW.Generic3.NTB
BitDefender    7.2             03.12.2007   Trojan.PWS.Pinch.A
CAT-QuickHeal  9.00            03.10.2007   (Suspicious) - DNAScan
ClamAV         devel-20060426  03.12.2007   no virus found
DrWeb          4.33            03.11.2007   Trojan.Packed.49
eSafe          7.0.14.0        03.11.2007   Win32.Polipos.sus
eTrust-Vet     30.6.3471       03.12.2007   no virus found
Ewido          4.0             03.11.2007   no virus found
FileAdvisor    1               03.12.2007   no virus found
Fortinet       2.85.0.0        03.12.2007   suspicious
F-Prot         4.3.1.45        03.09.2007   no virus found
F-Secure       6.70.13030.0    03.11.2007   Trojan-PSW.Win32.Small.bs
Ikarus         T3.1.1.3        03.11.2007   Trojan-Downloader.Win32.Zlob.and
Kaspersky      4.0.2.24        03.12.2007   Trojan-PSW.Win32.Small.bs
McAfee         4981            03.09.2007   New Malware.aj
Microsoft      1.2306          03.12.2007   PWS:Win32/Agent.BC
NOD32v2        2107            03.11.2007   a variant of Win32/PSW.Small.NAF
Norman         5.80.02         03.10.2007   W32/Suspicious_U.gen
Panda          9.0.0.4         03.12.2007   Suspicious file
Prevx1         V2              03.12.2007   Malware.Trojan.Backdoor.Gen
Sophos         4.15.0          03.10.2007   Mal/Behav-027
Sunbelt        2.2.907.0       03.10.2007   VIPRE.Suspicious
Symantec       10              03.12.2007   no virus found
TheHacker      6.1.6.074       03.12.2007   no virus found
UNA            1.83            03.11.2007   Win32.virus
VBA32          3.11.2          03.10.2007   MalwareScope.Trojan-PSW.Pinch.1
VirusBuster    4.3.19:9        03.11.2007   Packed/Upack

REFERENCES:

[1] "Prime Minister heart attack" trojan
    http://www.auscert.org.au/7314

[2] Protecting your computer from malicious code
    http://www.auscert.org.au/3352

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
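The MITIGATION section above asks administrators to block the four listed URLs and says that the latter two appearing in access logs is a strong indication of infection. As an added example that is not part of the AusCERT alert, the following Python script refangs the alert's defanged indicators and classifies proxy log lines into lure-link visits and infection indicators; the log lines are constructed, and the squid native field layout (client IP in field 3, URL in field 7) is an assumption about the reader's logs.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the alert in its defanged form. The alert says the latter
# two in access logs strongly indicate infection; the first two are the email lures.
LURE_LINKS = ["hxxp: // tiancha. co.kr", "hxxp: // bluerain. co.kr"]
INFECTION_LINKS = ["hxxp: // 81.95. 151.43", "hxxp: // 58.65. 239.106/ au/ci/"]

# Constructed squid-style access log lines for the demonstration (not real traffic).
SAMPLE_LOG = [
    "1173700000.123 210 10.0.0.5 TCP_MISS/200 5120 GET http://tiancha.co.kr/ - DIRECT/203.0.113.10 text/html",
    "1173700012.456 1340 10.0.0.5 TCP_MISS/200 81920 GET http://58.65.239.106/au/ci/ - DIRECT/58.65.239.106 text/html",
    "1173700020.789 50 10.0.0.9 TCP_HIT/200 2048 GET http://www.example.com/news - NONE/- text/html",
    "1173700033.001 120 10.0.0.7 TCP_MISS/200 3072 GET http://81.95.151.43/ - DIRECT/81.95.151.43 text/html",
]

def refang(defanged):
    """Normalise the alert's 'hxxp: // host. tld/ path' form into (host, path_prefix)."""
    url = re.sub(r"\s+", "", defanged).lower().replace("hxxp://", "http://", 1)
    parts = urlsplit(url)
    return parts.hostname, parts.path or "/"

def matches(url, indicator):
    """True if the logged URL is on the indicator's host under its path prefix."""
    host, prefix = indicator
    parts = urlsplit(url.lower())
    return parts.hostname == host and (parts.path or "/").startswith(prefix)

def classify_log(lines):
    """Return (lure_hits, infection_hits) as lists of (client_ip, url)."""
    # Assumes squid native log format: field 3 = client IP, field 7 = URL
    # (an assumption about the reader's proxy log layout).
    lure = [refang(i) for i in LURE_LINKS]
    infected = [refang(i) for i in INFECTION_LINKS]
    lure_hits, infection_hits = [], []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        if any(matches(url, i) for i in infected):
            infection_hits.append((client, url))
        elif any(matches(url, i) for i in lure):
            lure_hits.append((client, url))
    return lure_hits, infection_hits

if __name__ == "__main__":
    lure, infected = classify_log(SAMPLE_LOG)
    print("infection indicators:", infected, "\nlure links visited:", lure)
```

A client that appears only under the lure hosts has followed the email link; a client under the latter two hosts should be treated as infected per the alert and investigated.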