|
|||||||||||
|
|
News & Press releases
| Press releases & general news | |
 |
Press & Company News |
|
General news |
|
In the press |
UPS Tracking number trojan - new variant
22 July 2008
Around 00:02 AM, local Belgian time, MX Lab detected an outbreak of a new UPS tracking number trojan.
The email itself remains the same but the attachment name contains now a tracking number like UPS_INVOICE_978172.exe.
The .exe is a new variant and when submitting an example to Virus Total only 3 of the 34 anti virus engines detected this new variant. More details below in the table.
Antivirus Version Last Update Result AhnLab-V3 2008.7.21.1 2008.07.21 - AntiVir 7.8.1.11 2008.07.21 - Authentium 5.1.0.4 2008.07.21 - Avast 4.8.1195.0 2008.07.21 - AVG 8.0.0.130 2008.07.21 - BitDefender 7.2 2008.07.21 - CAT-QuickHeal 9.50 2008.07.21 - ClamAV 0.93.1 2008.07.21 - DrWeb 4.44.0.09170 2008.07.21 - eSafe 7.0.17.0 2008.07.21 Suspicious File eTrust-Vet 31.6.5971 2008.07.21 - Ewido 4.0 2008.07.21 - F-Prot 4.4.4.56 2008.07.21 - F-Secure 7.60.13501.0 2008.07.21 Suspicious:W32/Malware!Gemini Fortinet 3.14.0.0 2008.07.21 - GData 2.0.7306.1023 2008.07.21 - Ikarus T3.1.1.34.0 2008.07.21 - Kaspersky 7.0.0.125 2008.07.21 - McAfee 5343 2008.07.21 - Microsoft 1.3704 2008.07.22 - NOD32v2 3284 2008.07.21 - Norman 5.80.02 2008.07.21 - Panda 9.0.0.4 2008.07.21 - PCTools 4.4.2.0 2008.07.21 - Prevx1 V2 2008.07.22 - Rising 20.54.02.00 2008.07.21 - Sophos 4.31.0 2008.07.21 - Sunbelt 3.1.1536.1 2008.07.18 - Symantec 10 2008.07.21 - TheHacker 6.2.96.385 2008.07.20 - TrendMicro 8.700.0.1004 2008.07.21 - VBA32 3.12.8.1 2008.07.21 suspected of Malware-Cryptor.Win32.General.2 VirusBuster 4.5.11.0 2008.07.21 - Webwasher-Gateway 6.6.2 2008.07.21 -
The file contains threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system. It opens backdoors on infected computer to allow malicious attacker unauthorized access
On an infected computer the trojan will create a new files like %System%\ntos.exe, %System%\wsnpoem\audio.dll, %System%\wsnpoem\video.dll and creates a new directory %System%\wsnpoem.
It also adds and modifies entries in the Windows registry and make connection with a server for http://*********.ru/******/odessa.bin. It opens random TCP ports in order to provide backdoor capabilities.