Tuesday, July 27, 2010

Emails with the subjects "UPS INVOICE NR9094991" and "Delivery Problem NR2204780" contain a trojan

Ax3soft noted the highest virus detection rate over these past months, attributable to the combination of the "Thank you for buying iTunes Gift Certificate!" campaign and the latest UPS-themed emails with subjects such as "UPS INVOICE NR9094991" or "Delivery Problem NR2204780".

Similar subjects have been seen (the numbers are chosen randomly):

UPS INVOICE NR9094991
Delivery Problem NR2204780

The body of the email:

Hello!
Unfortunately we were not able to deliver your postal you have sent on the 11th of March in time because the addressee’s is inexact.
Please print out the invoice copy attached and collect the package at our department.
UPS Global Services.

Hello!
We failed to deliver the postal you have sent on the 24th of March in time because the addressee’s is wrong.
Please print out the invoice copy attached and collect the package at our department.
UPS Express Services.

The email carries the zip archive upsinvoice3325037.zip, which extracts to the file UPSINVIOCE.exe (36 kB).
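A mail-gateway check for this lure shape (a zip whose name follows the "upsinvoice<digits>.zip" pattern and whose member is an executable), written here as an added example that is not Ax3soft's code or part of the original post. The regex, the extension list and the constructed in-memory archive are assumptions; the member bytes are a stub carrying only the MZ signature, not the real sample.

```python
import io
import os
import re
import zipfile

# Name pattern derived from the attachment in the post (upsinvoice3325037.zip);
# the regex form is an assumption chosen to cover the random digit suffix.
ARCHIVE_NAME_RE = re.compile(r"^(ups)?invoice\d*\.zip$", re.IGNORECASE)
# Assumed list of member extensions that should never arrive as an "invoice".
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
PE_MAGIC = b"MZ"  # DOS header signature at the start of every Windows PE file


def inspect_attachment(filename, data):
    """Return the reasons an attachment looks like the UPS-invoice lure.

    filename: attachment name as it appears in the email.
    data:     raw attachment bytes.
    An empty list means nothing suspicious was found.
    """
    findings = []
    if ARCHIVE_NAME_RE.match(filename):
        findings.append(f"archive name matches UPS invoice lure: {filename}")
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not a zip archive at all; non-archive attachments are out of scope here.
        return findings
    for info in archive.infolist():
        name = info.filename
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
            findings.append(f"archive contains executable: {name}")
        # The extension can lie, so also look at the member's own header.
        with archive.open(info) as member:
            if member.read(2) == PE_MAGIC:
                findings.append(f"member {name} has a PE (MZ) header")
    return findings


def build_sample_archive(member_name, payload):
    """Construct an in-memory zip with one member (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stand-in for the lure: the member name from the post with a
    # stub PE header, so the check fires on both name and content.
    lure = build_sample_archive("UPSINVIOCE.exe", b"MZ" + b"\x00" * 62)
    for reason in inspect_attachment("upsinvoice3325037.zip", lure):
        print("ALERT:", reason)
```

The content check matters because a renamed payload (for example `invoice.pdf` holding an MZ header) still trips the header test, while a genuine PDF inside a legitimately named archive produces no finding beyond the name match.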

The trojan is known as W32/FakeAlert.NW (F-Prot), Trojan.Win32.VBKrypt.yj (Kaspersky), Win32/Oficla.EU (NOD32), Troj/Bredo-CX (Sophos) or Trojan.Sasfis (Symantec).

It creates the following files:

%Temp%\1.tmp
%System%\nnfj.tqo
%Temp%\2.tmp
%Windir%\scindl.dll

It loads the following module into the address space of other processes:

%Windir%\scindl.dll ->
Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E90000 - 0x1EA1000

%Windir%\scindl.dll ->
Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0x1940000 - 0x1951000

%Windir%\scindl.dll ->
Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0x10000000 - 0x10011000

The trojan tries to establish remote connections to the following IPs on port 80:

85.87.17.230
89.149.202.142
95.211.27.238

It downloads data from the following URLs:

* hxxp://funnylive2010.ru/ms/bb.php?v=200&id=653227819&b=newsp&tm=2
* hxxp://funnylive2010.ru/ms/bb.php?v=200&id=653227819&tid=5&b=newsp&r=1&tm=2
* hxxp://www.yunusemre.net/trpanel/fckeditor/editor/_source/classes/sistempod.exe
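The dropped-file, C2-IP and download-URL indicators above can be turned into a retrospective sweep over existing logs. The matcher below is an added example, not Ax3soft's Sax2 policy and not part of the original post; the three log formats (a proxy line, a firewall line and a file-creation event line) and the sample lines are constructed assumptions, while the indicators themselves are transcribed from the post.

```python
import re
from urllib.parse import urlsplit

# Indicators from the post. The URLs appear defanged ("hxxp") there; only the
# host and path are needed for matching.
C2_IPS = {"85.87.17.230", "89.149.202.142", "95.211.27.238"}
C2_HOSTS = {"funnylive2010.ru", "www.yunusemre.net"}
C2_PATHS = {"/ms/bb.php", "/trpanel/fckeditor/editor/_source/classes/sistempod.exe"}
# Tails of %Windir%\scindl.dll and %System%\nnfj.tqo, so any drive/Windows dir matches.
DROPPED_FILE_TAILS = (r"\scindl.dll", r"\nnfj.tqo")

# Assumed proxy log line:   "<ts> <client_ip> <METHOD> <url> <status>"
PROXY_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")
# Assumed firewall log line: "<ts> ALLOW|DENY <src_ip>:<sport> -> <dst_ip>:<dport>"
FW_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")
# Assumed file-creation event: "<ts> FILE_CREATE <host> <image> <path>"
FILE_RE = re.compile(r"^(?P<ts>\S+)\s+FILE_CREATE\s+(?P<host>\S+)\s+(?P<image>\S+)\s+(?P<path>.+)$")


def match_line(line):
    """Return (indicator_type, indicator, line) when the line hits an IOC, else None."""
    line = line.rstrip("\n")
    m = PROXY_RE.match(line)
    if m:
        parts = urlsplit(m.group("url"))
        host = parts.hostname or ""
        if host in C2_HOSTS or host in C2_IPS:
            return ("c2_host", host, line)
        if parts.path in C2_PATHS:  # same payload path served from another host
            return ("c2_path", parts.path, line)
        return None
    m = FW_RE.match(line)
    if m and m.group("dst") in C2_IPS and m.group("dport") == "80":
        return ("c2_ip", m.group("dst"), line)
    m = FILE_RE.match(line)
    if m:
        path = m.group("path").lower()
        for tail in DROPPED_FILE_TAILS:
            if path.endswith(tail.lower()):
                return ("dropped_file", tail, line)
    return None


def scan(lines):
    """Run match_line over an iterable of log lines and keep only the hits."""
    return [hit for hit in (match_line(l) for l in lines) if hit]


# Constructed sample lines mixing one infected host's activity with benign traffic.
SAMPLE_LOG = [
    r"2010-07-27T09:00:58Z FILE_CREATE WS015 C:\Users\a\AppData\Local\Temp\UPSINVIOCE.exe C:\Windows\scindl.dll",
    "2010-07-27T09:01:12Z 10.0.0.15 GET http://funnylive2010.ru/ms/bb.php?v=200&id=653227819&b=newsp&tm=2 200",
    "2010-07-27T09:01:13Z 10.0.0.15 GET http://www.yunusemre.net/trpanel/fckeditor/editor/_source/classes/sistempod.exe 200",
    "2010-07-27T09:01:20Z 10.0.0.15 GET http://www.example.com/index.html 200",
    "2010-07-27T09:02:00Z ALLOW 10.0.0.15:49152 -> 89.149.202.142:80",
    "2010-07-27T09:02:01Z ALLOW 10.0.0.15:49153 -> 93.184.216.34:443",
]

if __name__ == "__main__":
    for kind, indicator, line in scan(SAMPLE_LOG):
        print(f"{kind:13} {indicator:40} {line}")
```

Matching the URL path separately from the host catches the case where the same bb.php or sistempod.exe is served from a host not yet on the list, which is the usual way such a campaign rotates infrastructure.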

We have added new policies to Ax3soft Sax2 to detect this trojan; please update the Sax2 policy knowledge base promptly.

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm

