Fake Xerox WorkCentre Pro Scans Hide Trojan

Bookmark and Share

Ax3soft have intercepted a new spam campaign, it attempts to trick users into executing malicious files by claiming they are scanned documents. The email are sent from a spoofed email address and contains a subject in one of the following formats:

Scan from a Xerox WorkCentre Pro N 6204257
Scan from a Xerox WorkCentre Pro #866521

The email targets business users. An office print and scan center such as a Xerox machine sent a scanned document by email to a recipient. This kind of condition is really very common.

The body of the email:

Please open the attached document. It was scanned and sent to you using a Xerox
WorkCentre Pro.

Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set
Device Name: XRX6150AA7ACDB45706461

For more information on Xerox products and solutions, please visit

http://www.xerox.com

It looks like that the true email template used by Xerox scanning devices was copied by the spammers and the listed file type only be modified by it. When Xerox WorkCentre Pro can send scanned documents through email, these are never sent in ZIP format. Reported by the Tech Herald


An executable file called Xerox_doc.exe will be showed while opening the file archive, it is a new variant of the Official Trojan. Trojans in the Official family of malware can work as botnet clients and are basically used as distribution platform for other menaces, such as adware or scareware.

The trojan also called Gen: Variant.Oficla.4 (F-Secure, GData, NSecure) or W32/Oficla.AP (Authentium).

 

The files will be created as followings:

%Temp%\1.tmp
%System%\thxr.wgo
%Temp%\2.tmp
%System%\svrwsc.exe

The following directories are created:

%CommonAppData%\Microsoft\OFFICE
%CommonAppData%\Microsoft\OFFICE\TEMP

Stop the Windows service SvrWsc - Windows Security Center Service with the filename %System%\svrwsc.exe. Do not be cheated by it. The Windows Security Center Service is a bad service ,it can do nothing with the legitimate service Security Center from Windows.

It will execute a lot of Windows registry changes and the trojan establish connection with the following IPs on port 80

80.74.132.218
91.212.127.40
91.216.215.66

Data can be obtained from following URLs:

  • hxxp://www.kollo.ch/images/cgi.exe

  • hxxp://musiceng.ru/music/forum/index1.php

  •  hxxp://hulejsoops.ru/images/bb.php?v=200&id=465538349&b=avpsales&tm=1

  •  hxxp://hulejsoops.ru/images/bb.php?v=200&id=465538349&tid=26&b=avpsales&r=1&tm=1

At the time of writing, only 6 of the 41 AV engines did detect the trojan at Virus Total. Virus Total permlink and MD5: 1d378a6bc94d5b5a702026d31c21e242.

How-to's

1. Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start. visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

2. We have added some new policies of Ax3soft Sax2 to detect the Trojan, please update the policy basic knowledge of Sax2  in time.