Ax3soft have intercepted a new spam campaign, it attempts to trick users into executing malicious files by claiming they are scanned documents. The email are sent from a spoofed email address and contains a subject in one of the following formats:
Scan from a Xerox WorkCentre Pro N 6204257
Scan from a Xerox WorkCentre Pro #866521
The email targets business users. An office print and scan center such as a Xerox machine sent a scanned document by email to a recipient. This kind of condition is really very common.
The body of the email:
Please open the attached document. It was scanned and sent to you using a Xerox
WorkCentre Pro.
Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]
WorkCentre Pro Location: machine location not set
Device Name: XRX6150AA7ACDB45706461
For more information on Xerox products and solutions, please visit
http://www.xerox.com
It looks like that the true email template used by Xerox scanning devices was copied by the spammers and the listed file type only be modified by it. When Xerox WorkCentre Pro can send scanned documents through email, these are never sent in ZIP format. Reported by the Tech Herald
An executable file called Xerox_doc.exe will be showed while opening the file archive, it is a new variant of the Official Trojan. Trojans in the Official family of malware can work as botnet clients and are basically used as distribution platform for other menaces, such as adware or scareware.
The trojan also called Gen: Variant.Oficla.4 (F-Secure, GData, NSecure) or W32/Oficla.AP (Authentium).
The files will be created as followings:
%Temp%\1.tmp
%System%\thxr.wgo
%Temp%\2.tmp
%System%\svrwsc.exe
The following directories are created:
%CommonAppData%\Microsoft\OFFICE
%CommonAppData%\Microsoft\OFFICE\TEMP
Stop the Windows service SvrWsc - Windows Security Center Service with the filename %System%\svrwsc.exe. Do not be cheated by it. The Windows Security Center Service is a bad service ,it can do nothing with the legitimate service Security Center from Windows.
It will execute a lot of Windows registry changes and the trojan establish connection with the following IPs on port 80
80.74.132.218
91.212.127.40
91.216.215.66
Data can be obtained from following URLs:
*
hxxp://www.kollo.ch/images/cgi.exe
*
hxxp://musiceng.ru/music/forum/index1.php
*
hxxp://hulejsoops.ru/images/bb.php?v=200&id=465538349&b=avpsales&tm=1
*
hxxp://hulejsoops.ru/images/bb.php?v=200&id=465538349&tid=26&b=avpsales&r=1&tm=1
At the time of writing, only 6 of the 41 AV engines did detect the trojan at Virus Total. Virus Total permlink and MD5: 1d378a6bc94d5b5a702026d31c21e242.
We have added some new policies of Ax3soft Sax2 to detect the Trojan, please update the policy basic knowledge of Sax2 in time.
没有评论:
发表评论