Emails regarding an attached resume contains a trojan

Bookmark and Share

1. Overview

A new trojan distribution campaign by email regarding a resume were intercepted by Ax3soft, the following subjects are possible:

1. Resume attached.

2. please find enclosed.
3. Please find attached.

4. Attached please find.
5. Here’s the file you wanted.
6. I have attached the resume.

7. The new resume is attached

8. The resume document is attached

9. Please find my CV and cover letter attached.
10. You will find the resume attached to this email.

11. Please find attached my CV for your attention.

12. I’ve attched..I’m encoding..the latest figures for you.

13. Replace the old resume with the new one which is attached.

The email is send from the spoofed address and has the following body:

Attached please find.

Please take a look at the attached resume.

Resume attached

Replace the old resume with the new one which is attached

Please find my attached CV for your attention

Please review the attached resume.

You will find the resume attached to this e-mail.

The attachedZIP file has the name 50443cv.zip and contains the 16 kB large file cv.exe.

The trojan is known as TR/Crypt.ZPACK.Gen (Antivir), Gen:Trojan.Heur.FU.auW@a8ibIek (F-Secure), FakeAlert-DefCnt.d (McAfee), a variant of Win32/Kryptik.AJD (NOD32).

Create files as followings:

%CommonFavorites%\_favdata.dat
%Temp%\TMP35073.tmp
%Temp%\TMP35042.tmp
%Temp%\TMP34714.tmp
 

Created the registry key as following :

  • [HKEY_CURRENT_USER\Printers\Connections]
    • affid = “396″
    • subid = “landing”

The following internet connections wil lbe established on port 80:

www.searchashamed.org

mediafullups.com
 

Two files will be downloaded from /a/ad that contains a malicious payload and here are the details.

The first file is known as Mal/EncPk-LZ (Sophos):

  • Create files as followings:

%Temp%\dfrgsnapnt.exe
%Temp%\eapp32hst.dll
%Temp%\topwesitjh
%Temp%\wscsvc32.exe

  • The following processed will be created or are affected:

dfrgsnapnt.exe
wscsvc32.exe

Several registry modifications will be done and the following URLs are used:

  • http://finderwid.org/readdatagateway.php?type=stats&affid=139&subid=1&version=4.0&adwareok
  • http://searchashamed.org/readdatagateway.php?type=stats&affid=139&subid=1&version=4.0&adwareok
  • http://mediafullunu.com/readdatagateway.php?type=stats&affid=139&subid=1&version=4.0&adwareok
  • http://searchashamed.org/any3/5-direct.ex
  • http://finderwid.org/any3/5-direct.ex
  • http://mediafullunu.com/any3/5-direct.ex

The second file is known as Trojan.FakeAV!gen31 (Symantec), Trojan.Win32.TDSS.beea (Kaspersky), Application.RogueAVPacker (PCTools).

  • Create files as followings:

%Temp%\PRAGMA7e53.tmp
%Temp%\PRAGMAab00.tmp
%Windir%\PRAGMAvgobwwkuyu\PRAGMAc.dll
%Windir%\PRAGMAvgobwwkuyu\PRAGMAcfg.ini
%Windir%\PRAGMAvgobwwkuyu\PRAGMAd.sys
%Windir%\PRAGMAvgobwwkuyu\PRAGMAsrcr.dat

  • Create directory as followings:

%Windir%\PRAGMAvgobwwkuyu

  • The following Registry Keys were created:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Program Groups
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAIBADSTIDXB
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAIBADSTIDXB
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000\Control
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\feature_enable_ie_compression
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Preferences
    • HKEY_CURRENT_USER\Software\Classes\.exe
    • HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
    • HKEY_CURRENT_USER\Software\Classes\.exe\shell
    • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open
    • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
    • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas
    • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
    • HKEY_CURRENT_USER\Software\Classes\.exe\shell\start
    • HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command
    • HKEY_CURRENT_USER\Software\Classes\secfile
    • HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon
    • HKEY_CURRENT_USER\Software\Classes\secfile\shell
    • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open
    • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command
    • HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas
    • HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command
    • HKEY_CURRENT_USER\Software\Classes\secfile\shell\start
    • HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command
    • HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA
    • HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA\injector
    • HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA\versions
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAibadstidxb
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAibadstidxb\modules
  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE]
      • f7c5da73-b4a5-4947-8f40-08f2871eb36b = ""
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
      • DisableTaskMgr = 0x00000001
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Program Groups]
      • ConvertedToLinks = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000\Control]
      • *NewlyCreated* = 0x00000000
      • ActiveService = "PRAGMAibadstidxb"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000]
      • Service = "PRAGMAibadstidxb"
      • Legacy = 0x00000001
      • ConfigFlags = 0x00000000
      • Class = "LegacyDriver"
      • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
      • DeviceDesc = "PRAGMAibadstidxb"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAIBADSTIDXB]
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000\Control]
      • *NewlyCreated* = 0x00000000
      • ActiveService = "PRAGMAibadstidxb"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000]
      • Service = "PRAGMAibadstidxb"
      • Legacy = 0x00000001
      • ConfigFlags = 0x00000000
      • Class = "LegacyDriver"
      • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
      • DeviceDesc = "PRAGMAibadstidxb"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAIBADSTIDXB]
      • NextInstance = 0x00000001
    • [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\feature_enable_ie_compression]
      • svchost.exe = 0x00000001
    • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
      • ProxyEnable = 0x00000000
    • [HKEY_CURRENT_USER\Printers\Connections]
      • time = 0x00000001
    • [HKEY_CURRENT_USER\Software]
      • 24d1ca9a-a864-4f7b-86fe-495eb56529d8 = ""
      • 7bde84a2-f58f-46ec-9eac-f1f90fead080 = ""
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
      • DisableTaskMgr = 0x00000001

      to prevent users from starting Task Manager (Taskmgr.exe)
       
    • [HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
      • (Default) = ""%Temp%\mscdexnt.exe" /START "%1" %*"
      • IsolatedCommand = ""%1" %*"
    • [HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command]
      • (Default) = ""%1" %*"
      • IsolatedCommand = ""%1" %*"
    • [HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command]
      • (Default) = ""%1" %*"
      • IsolatedCommand = ""%1" %*"
    • [HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon]
      • (Default) = "%1"
    • [HKEY_CURRENT_USER\Software\Classes\.exe]
      • (Default) = "secfile"
      • Content Type = "application/x-msdownload"
    • [HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
      • (Default) = ""%Temp%\mscdexnt.exe" /START "%1" %*"
      • IsolatedCommand = ""%1" %*"
    • [HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command]
      • (Default) = ""%1" %*"
      • IsolatedCommand = ""%1" %*"
    • [HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command]
      • (Default) = ""%1" %*"
      • IsolatedCommand = ""%1" %*"
    • [HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon]
      • (Default) = "%1"
    • [HKEY_CURRENT_USER\Software\Classes\secfile]
      • (Default) = "Application"
      • Content Type = "application/x-msdownload"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA\versions]
      • /css/pragma/crcmds/install = "3.0"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA\injector]
      • explorer.exe = "pragmaserf"
      • iexplore.exe = "pragmaserf;pragmabbr"
      • firefox.exe = "pragmabbr"
      • safari.exe = "pragmabbr"
      • chrome.exe = "pragmabbr"
      • opera.exe = "pragmabbr"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA]
      • affid = "391"
      • type = "no"
      • build = "no"
      • subid = "direct"
      • cmddelay = 0x00015180
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAibadstidxb\modules]
      • PRAGMAd = "\systemroot\PRAGMAibadstidxb\PRAGMAd.sys"
      • PRAGMAc = "\systemroot\PRAGMAibadstidxb\PRAGMAc.dll"
      • pragmaserf = "pragmaserf"
      • pragmabbr = "pragmabbr"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAibadstidxb]
      • start = 0x00000001
      • type = 0x00000001
      • imagepath = "\systemroot\PRAGMAibadstidxb\PRAGMAd.sys"
  • The following Registry Values were modified:
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
      • (Default) =
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
      • (Default) =
    • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
      • Cache =

 

  • There were registered attempts to establish connection with the remote hosts. The connection details are:

 

Remote Host Port Number
62.122.73.242 80
91.213.157.69 80
91.213.157.72 80
  • The data identified by the following URLs was then requested from the remote web server:
    • http://searchdisup.org/css/pragma/knock.php
    • http://finderwid.org/readdatagateway.php?type=stats&affid=391&subid=new02&version=4.0&adwareok
    • http://finderwid.org/any/391-direct.ex
    • http://finderunt.org/css/pragma/crcmds/main
    • http://finderunt.org/css/pragma/knock.php
    • http://finderunt.org/css/pragma/srcr.dat
    • http://finderunt.org/css/pragma/crcmds/install
    • http://finderunt.org/css/pragma/crfiles/serf
    • http://finderunt.org/css/pragma/crfiles/bbr

 

2. How-to's

1. Please update the policy basic knowledge of Sax2  in time, Once  sax2 detects  the communication of these trojans, it will break them and  ensure your network & business security.  

2. How to Remove TR.Crypt.ZPACK.Gen Manually?

  •  Remove the registry entries hidden by TR.Crypt.ZPACK.Gen (Free online spyware scan)

    If you notice that the programs on your computer are running abnormally, please check the following entries in the Registry, and directly delete the spyware-related registry entries if found.

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE \Software \Microsoft \Windows \CurrentVersion \RunServicesOnce
    HKEY_CURRENT_USER/Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER \Software \Microsoft\ Windows\ CurrentVersion\ Policies\ Explorer\Run
    HKEY_CURRENT_USER\ Software\ Microsoft \Windows\ CurrentVersion
    Explorer/ShellFolders Startup="C:\windows/start menu/programs\startup
  • It is possibly a way to load the "TR.Crypt.ZPACK.Gen" malicious programs, by hiding within the system WIN.INI file and the strings "run=" and "load=", so this must be carefully checked.
  • Clean up “IE Temporary File folder” where the original carrier of spyware threats is likely stored.
     

3. How to Remove Trojan.FakeAV!gen31 Manually?

  •  Remove the registry entries hidden by Trojan.Win32.Tdss.beea

If you notice that the programs on your computer are running abnormally, please check the following entries in the Registry, and directly delete the spyware-related registry entries if found.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE \Software \Microsoft \Windows \CurrentVersion \RunServicesOnce
HKEY_CURRENT_USER/Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER \Software \Microsoft\ Windows\ CurrentVersion\ Policies\ Explorer\Run
HKEY_CURRENT_USER\ Software\ Microsoft \Windows\ CurrentVersion
Explorer/ShellFolders Startup="C:\windows/start menu/programs\startup

  •  It is possibly a way to load the "Trojan.Win32.Tdss.beea" malicious programs, by hiding within the system WIN.INI file and the strings "run=" and "load=", so this must be carefully checked.
  • Clean up “IE Temporary File folder” where the original carrier of spyware threats is likely stored.

 

4. How to Remove these trojans Instantly?

Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start. visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

 

3. Appendix

For more information, please visit  http://www.ids-sax2.com/ComputerSecurityNewsletter.htm