A new trojan attached to emails with the subject “You’ve got a fax” was intercepted by Ax3soft. The email carries a ZIP attachment and an embedded JPEG file.
The emails appear to come from the online fax service eFax (http://www.efax.com), but they do not: the sender address efax@efax.com is spoofed.
The ZIP file is named eFax83243DOC.zip and contains a 40 kB file named efax97901DOC.exe. Note that the numbers in both names may vary.
The trojan is known as Trojan.Generic.KDV.37882 (BitDefender), W32/Trojan3.BZW (F-Prot), Troj/Agent-OSI (Sophos) or Trojan-Downloader:W32/Agent.DMWG (F-Secure).
When run, the trojan creates the following files:
%Temp%\1.tmp
%System%\hyli.igo
It creates the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid
It modifies the Shell value under the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell =
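The indicators above can be checked on a suspect host without removing anything. The following read-only PowerShell audit is an added example, not a tool from Ax3soft or the advisory; it expands %Temp% and %System% for the current session and assumes that on an unmodified system the Winlogon Shell value is "explorer.exe" (the advisory does not state what the trojan writes there).

```powershell
# Added example (not from the Ax3soft advisory): audit a Windows host for the
# indicators listed above. Read-only: it reports findings, it removes nothing.
# Assumption: on an unmodified system the Winlogon Shell value is "explorer.exe".

$findings = @()

# 1. Dropped files. %Temp% and %System% from the advisory, expanded for this session.
$droppedFiles = @(
    (Join-Path $env:TEMP '1.tmp'),
    (Join-Path ([Environment]::GetFolderPath('System')) 'hyli.igo')
)
foreach ($path in $droppedFiles) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += "Dropped file present: $path ($($item.Length) bytes, created $($item.CreationTime))"
    }
}

# 2. Registry key the trojan creates.
$createdKey = 'HKLM:\SOFTWARE\Classes\idid'
if (Test-Path -LiteralPath $createdKey) {
    $findings += "Registry key present: $createdKey"
}

# 3. Winlogon Shell value. The advisory says it is modified; compare it with the
#    default (assumption: "explorer.exe") and report anything else.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($null -eq $shell) {
    $findings += "Winlogon Shell value is missing under $winlogon"
} elseif ($shell.Trim() -ine 'explorer.exe') {
    $findings += "Winlogon Shell value is non-default: '$shell'"
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the eFax trojan advisory were found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated prompt so HKLM and the system directory are readable. A non-default Shell value is the strongest of the three signals, because it is what gives the trojan persistence across logons; a hit on the file paths alone should be confirmed with the file's hash against the vendor detections named above before any cleanup.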
How-to's
1. Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.
2. We have added new Ax3soft Sax2 policies to detect this trojan; please update the Sax2 policy knowledge base promptly.
Appendix:
For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm