New trojan variant in mails with "Look my CV. Thank you!"

 


Pay attention to emails with the subject "Look my CV. Thank you! MyID NR4557547.": it is a new trojan variant spreading by email, and Ax3soft intercepts it.

Similar subjects include:

Look my CV. Thank you! MyID NR4557547.
Please look my CV. Thank you! MyID NR0663460.

The number at the end of the subject is chosen at random, and the From address is forged.

The body of the email:

Good day.

I have figured out that you have an available job.
I am quiet intrested in it. So I send you my resume,

Looking forward to your reply.
Thank you.

The email carries the attachment resume098.zip. The extracted file resume.exe is 36 KB in size.

The trojan is also detected as W32/Heuristic-210!Eldorado (Authentium, F-Prot) or Backdoor.Bredolab (PCTools).

It creates the following files:

%Temp%\1.tmp
%System%\fjof.sto
%Temp%\2.tmp
%Windir%\atapsrb.dll

It loads the following module into the address space of other processes:

%Windir%\atapsrb.dll:

Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E70000 – 0x1E82000

%Windir%\atapsrb.dll:

Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0x1940000 – 0x1952000

%Windir%\atapsrb.dll:

Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0x10000000 – 0x10012000

It makes many Windows registry modifications and tries to establish connections on port 80 to the following IP addresses:

195.78.109.6
212.78.71.81
95.211.98.246

It downloads data from the following URLs:

hxxp://olgashelest.ru/babun/bb.php?v=200&id=603225387&b=6165430227&tm=1
hxxp://olgashelest.ru/babun/bb.php?v=200&id=603225387&tid=4&b=6165430227&r=1&tm=1
hxxp://www.scottishchefs.com/photogallery/Slideshows/SLteam2008/p7hg_img_1/fullsize/sepod.exe

The downloaded file sepod.exe is 60 KB in size and is malware detected as W32/Hiloti.I.gen!Eldorado (F-Prot), Trojan.Win32.Hiloti (Ikarus) or Mal/Hiloti-D (Sophos).
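A defender-side check for the lure described above, added here as an example (it is not code from the original post or from Ax3soft): it matches mail subjects and attachment names against the lure pattern and flags proxy URLs that have the shape of the bb.php check-in. The gateway log format, the sample log lines and the second attachment name are constructed; the seven-digit MyID length is an assumption based on the two subjects seen.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Lure subject: "(Please )look my CV. Thank you! MyID NR<7 digits>." (digit count assumed)
SUBJECT_RE = re.compile(r"^(?:Please )?[Ll]ook my CV\. Thank you! MyID NR\d{7}\.$")
# Attachment name pattern; resume098.zip is the observed sample
ATTACHMENT_RE = re.compile(r"^resume\d+\.zip$", re.IGNORECASE)
# Check-in host and path seen in the sample
CHECKIN_HOST = "olgashelest.ru"
CHECKIN_PATH = "/babun/bb.php"
CHECKIN_PARAMS = {"v", "id", "b", "tm"}

# Constructed gateway log lines: sender|subject|attachment
MAIL_LOG = [
    "hr@example.test|Look my CV. Thank you! MyID NR4557547.|resume098.zip",
    "jobs@example.test|Please look my CV. Thank you! MyID NR0663460.|resume102.zip",
    "alice@example.test|Re: interview schedule|agenda.pdf",
]


def is_lure_mail(subject, attachment):
    """True when both the subject and the attachment name match the lure."""
    return bool(SUBJECT_RE.match(subject.strip()) and ATTACHMENT_RE.match(attachment.strip()))


def is_checkin_url(url):
    """True when the URL has the check-in shape: known host and path plus the v/id/b/tm query keys."""
    parts = urlsplit(url.replace("hxxp://", "http://", 1))  # accept defanged URLs
    if parts.hostname != CHECKIN_HOST or parts.path != CHECKIN_PATH:
        return False
    return CHECKIN_PARAMS <= set(parse_qs(parts.query))


def scan_mail_log(lines):
    """Return the subjects of log lines that match the lure."""
    hits = []
    for line in lines:
        _sender, subject, attachment = line.split("|", 2)
        if is_lure_mail(subject, attachment):
            hits.append(subject)
    return hits


if __name__ == "__main__":
    for subject in scan_mail_log(MAIL_LOG):
        print("lure mail:", subject)
```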

It creates the following file:

%Windir%\dsmd32.dll

A new memory page is created in the address space of the system process:

%Windir%\dsmd32.dll:

Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E70000 – 0x1E82000

%Windir%\dsmd32.dll:

Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0x10000000 – 0x10012000

It makes many Windows registry modifications and tries to establish a connection with IP 95.211.98.246 on port 80.

How-to's

1. Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

2. We have added new Ax3soft Sax2 policies to detect this trojan; please update the Sax2 policy knowledge base promptly.