Wednesday, 8 August 2007

"Comcast Automated Systems" Trojan

A trojan embedded in a ZIP file this time. It's attempting to use a filename of statement.pdf[lots of spaces].exe


Subject: Important Notice-July 2007 Statement 0000000


PLEASE DO NOT REPLY TO THIS E-MAIL. THIS E-MAIL ADDRESS IS USED BY
COMCAST AUTOMATED SYSTEMS AND IS NOT MONITORED.

Your August 07, 2007 Bank billing statement is ready for viewing. To
view your bill download attached Adobe Acrobat PDF file.

If you would like to discontinue receiving a hard copy billing
statement in the mail, you may do so by selecting the UPDATE STATEMENT METHOD
link once you have logged into your account. From there, simply select
the option for Electronic Statement Only.

You received this e-mail because you enrolled Account feature.
If you no longer wish to receive these e-mails, you will
need to cancel your enrollment. To cancel your enrollment, please log
in to your account and from the Update Profile screen, select the cancel
link from the bottom of the page.

As far as we can tell, the filename enclosed in the ZIP file won't extract properly because there are too many spaces and the filename is too long, but the spammers will probably figure it out eventually.

If you're using Postini, the attachment manager can easily be configured to block all .exe files, and this also applies to .exe-in-.zip files.
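The two warning signs described above (an executable inside a ZIP, and a name like statement.pdf padded with spaces so the real .exe extension scrolls out of view in a file dialog) are easy to check for at a mail gateway or in a triage script. The following is an added example, not code from the original post or from Postini: it opens a ZIP in memory, judges each member by its true final extension, by a whitespace-padded double extension, and by the "MZ" header that every Windows PE executable starts with regardless of its name. The executable-extension list and the sample archive are constructed for the example.

```python
"""Flag suspicious mail attachments: executables hidden inside ZIP files and
filenames padded with whitespace to push the real extension out of view."""
import io
import re
import zipfile

# Extensions Windows will run directly (assumption: a reasonable subset).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Apparent extension (e.g. ".pdf"), a run of whitespace, then the real one,
# exactly the "statement.pdf<lots of spaces>.exe" pattern.
PADDED_DOUBLE_EXT = re.compile(r"\.\w{1,5}\s{2,}\.\w{1,4}$")


def real_extension(name: str) -> str:
    """Return the lower-cased final extension, which is what Windows acts on."""
    base = name.rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot != -1 else ""


def inspect_member_name(name: str) -> list:
    """Reasons a member name alone looks suspicious (empty list if none)."""
    reasons = []
    ext = real_extension(name)
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension " + ext)
    if PADDED_DOUBLE_EXT.search(name):
        reasons.append("whitespace-padded double extension")
    return reasons


def inspect_zip(data: bytes) -> dict:
    """Return {member_name: [reasons]} for every suspicious member of the archive."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = inspect_member_name(info.filename)
            # Content check: a PE executable begins with "MZ" whatever it is called.
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    reasons.append("PE (MZ) header")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the described attachment.
    The payload is a few harmless bytes with an MZ prefix, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.pdf" + " " * 60 + ".exe", b"MZ" + b"\x00" * 30)
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in inspect_zip(build_sample_zip()).items():
        print(repr(member), "->", "; ".join(why))
```

The MZ check is what catches the case the post describes next: even if the padded name never extracts cleanly on the victim's machine, the gateway still sees the archive, and a member that is a PE file by content should be blocked no matter what its name claims.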

Detections are patchy, with some AV products only picking up the executable packer. When the .exe file runs, it will attempt to install other malware, some of which will be picked up by AV products. According to VirusTotal:


File statement.pdf____________________ received on 08.08.2007 17:44:19 (CET)
Antivirus           Version        Last Update   Result
AhnLab-V3           2007.8.3.0     2007.08.08    -
AntiVir             7.4.0.57       2007.08.08    TR/Crypt.XPACK.Gen
Authentium          4.93.8         2007.08.08    -
Avast               4.7.1029.0     2007.08.07    -
AVG                 7.5.0.476      2007.08.07    -
BitDefender         7.2            2007.08.08    -
CAT-QuickHeal       9.00           2007.08.08    (Suspicious) - DNAScan
ClamAV              0.91           2007.08.08    -
DrWeb               4.33           2007.08.08    -
eSafe               7.0.15.0       2007.07.31    suspicious Trojan/Worm
eTrust-Vet          31.1.5043      2007.08.08    -
Ewido               4.0            2007.08.08    Downloader.Agent.bhl
FileAdvisor         1              2007.08.08    -
Fortinet            2.91.0.0       2007.08.08    -
F-Prot              4.3.2.48       2007.08.08    -
F-Secure            6.70.13030.0   2007.08.08    Trojan-Downloader.Win32.Small.ehe
Ikarus              T3.1.1.12      2007.08.08    -
Kaspersky           4.0.2.24       2007.08.08    Trojan-Downloader.Win32.Small.ehe
McAfee              5092           2007.08.07    -
Microsoft           1.2704         2007.08.08    VirTool:Win32/Obfuscator.C
NOD32v2             2444           2007.08.08    a variant of Win32/Spy.Nuklus
Norman              5.80.02        2007.08.08    -
Panda               9.0.0.4        2007.08.08    Suspicious file
Prevx1              V2             2007.08.08    -
Rising              19.35.22.00    2007.08.08    -
Sophos              4.19.0         2007.08.01    -
Sunbelt             2.2.907.0      2007.08.07    Infostealer.Nuklus
Symantec            10             2007.08.08    -
TheHacker           6.1.7.164      2007.08.08    -
VBA32               3.12.2.2       2007.08.07    Trojan-Spy.Win32.Small.gv
VirusBuster         4.3.26:9       2007.08.08    Trojan.DL.Small.Gen!Pac25
Webwasher-Gateway   6.0.1          2007.08.08    Trojan.Crypt.XPACK.Gen

Additional information
File size: 13824 bytes
MD5: 38ac63f8b7ef22d9a07138ba73de7178
SHA1: 6337e3178eba2859fd0e2e1188eab8b528696933
packers: UPack
