Sunday, September 26, 2010

New trojan with "You’ve got a fax" emails

A new trojan attached to emails with the subject “You’ve got a fax” was intercepted by Ax3soft. The email carries an attached ZIP file and an embedded JPEG image.

It looks as if it was sent by the online service eFax (http://www.efax.com), but it was not: the emails are sent from the spoofed address efax@efax.com.

The ZIP file is named eFax83243DOC.zip and contains the 40 kB file efax97901DOC.exe. Please note that the numbers may vary.

The trojan is known as Trojan.Generic.KDV.37882 (BitDefender), W32/Trojan3.BZW (F-Prot), Troj/Agent-OSI (Sophos) or Trojan-Downloader:W32/Agent.DMWG (F-Secure).

It creates the following files:

%Temp%\1.tmp
%System%\hyli.igo

It creates the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid

The following registry value is modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell =

How-to's

1. Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

2. We have added new policies to Ax3soft Sax2 to detect this trojan; please update the Sax2 policy knowledge base promptly.

Appendix:

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm


Saturday, September 25, 2010

New Oficla trojan in emails with subject "Your facebook password has been changed"

A new trojan distribution campaign by email was intercepted by Ax3soft. The subject of the email may be "Facebook password details changed!", "Facebook password has been changed!" or "Facebook Password Reset Confirmation!".

The email is sent from one of several spoofed addresses, for example: “information@facebook.com”, "lhofmeis@facebook.com", "clinkard@facebook.com", "freshlix@facebook.com", "germanzetti@facebook.com", "blueyescc@facebook.com" or "stiftungen@facebook.com".

The body of the email:

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook.

The attached ZIP file is named Facebook_document.zip and contains the 36 kB file Facebook_document.exe.

The trojan is known as Win32/Oficla.II (NOD), Trojan.Win32.Oficla.lh (Kaspersky), Troj/Mdrop-CWY (Sophos), Win32:Trojan-gen (Avast).
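Both campaigns on this page share the same shape: a sender address spoofed to a well-known brand, a lure subject, and a ZIP attachment whose only member is an .exe. The following mail-triage routine, added here as an example and not part of the newsletter or of Sax2, scores a raw RFC 822 message on exactly those three signals. The sender domains, subject phrases and attachment names come from the two reports; the extra executable extensions beyond .exe, the verdict thresholds and the constructed sample messages are assumptions.

```python
"""Triage an inbound message for the eFax / Facebook ZIP-dropper lures described above."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Sender domains the two campaigns spoof and the subject phrases they use (from the reports).
SPOOFED_DOMAINS = {"efax.com", "facebook.com"}
LURE_SUBJECTS = [
    re.compile(r"you.ve got a fax", re.I),
    re.compile(r"facebook password", re.I),
]
# Attachment names seen in the two campaigns; the numeric part of the eFax name varies.
LURE_ZIP_NAMES = [
    re.compile(r"^efax\d+doc\.zip$", re.I),
    re.compile(r"^facebook_document\.zip$", re.I),
]
# Extensions that make a ZIP member executable. Only .exe appears in the reports;
# the rest are assumed additions a mail gateway would normally treat the same way.
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def _sender_domain(msg: EmailMessage) -> str:
    """Domain part of the From: header, lower-cased (empty if the header is unparseable)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def _zip_members(data: bytes):
    """Return (name, size) for every member, or None if the bytes are not a ZIP archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(info.filename, info.file_size) for info in zf.infolist()]
    except zipfile.BadZipFile:
        return None


def triage(raw: bytes) -> dict:
    """Return {'verdict': 'block'|'suspicious'|'clean', 'findings': [...]} for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    domain = _sender_domain(msg)
    if domain in SPOOFED_DOMAINS:
        findings.append(f"claims to be from {domain} (a domain both campaigns spoof)")
    subject = msg.get("Subject", "")
    if any(p.search(subject) for p in LURE_SUBJECTS):
        findings.append(f"lure subject: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if any(p.match(name) for p in LURE_ZIP_NAMES):
            findings.append(f"attachment name matches campaign pattern: {name}")
        members = _zip_members(data)
        if members is None:
            continue
        for member, size in members:
            if member.lower().endswith(EXEC_EXTENSIONS):
                findings.append(f"{name} contains executable {member} ({size} bytes)")
    # An executable inside a ZIP is enough on its own; the other signals corroborate.
    if any("contains executable" in f for f in findings):
        verdict = "block"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings}


def build_sample(sender: str, subject: str, zip_name: str, member_name: str) -> bytes:
    """Constructed test message (not a captured sample): a one-member ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ" + b"\0" * 62)  # a fake PE stub is enough for the check
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.org"
    msg["Subject"] = subject
    msg.set_content("You can find your new password in attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


# Constructed messages modelled on the two campaigns plus one benign control.
FAX_SAMPLE = build_sample("efax@efax.com", "You've got a fax",
                          "eFax83243DOC.zip", "efax97901DOC.exe")
FACEBOOK_SAMPLE = build_sample("information@facebook.com", "Facebook password has been changed!",
                               "Facebook_document.zip", "Facebook_document.exe")
BENIGN_SAMPLE = build_sample("alice@example.com", "Q3 report", "report.zip", "report.pdf")

if __name__ == "__main__":
    for label, raw in (("fax", FAX_SAMPLE), ("facebook", FACEBOOK_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(raw))
```

The sender check only records that the message claims a brand domain; confirming the spoof needs SPF or DKIM evaluation at the gateway, which is outside this example. The ZIP-contains-executable rule is the one that actually blocks, because it does not depend on the campaign's current subject or file names.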

It creates the following files:

%Temp%\1.tmp
%System%\fvfj.sxo

It creates the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid

The following registry value is modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell =
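The two droppers leave the same footprint: a file in %Temp%, a randomly named file in %System%, the marker key HKLM\SOFTWARE\Classes\idid, and a modified Winlogon Shell value (on a clean host that value is just explorer.exe). The host check below, added here as an example and not part of the newsletter or of Sax2, looks for all of these. The file and key names come from the two reports; the probe-injection design, the expansion of the report shorthand %System% to the System32 directory, and the constructed snapshot values are assumptions.

```python
"""Check a Windows host for the file and registry indicators listed for both droppers."""
import os

# Indicators from the two reports. "%System%" is malware-report shorthand for the
# System32 directory, which is not an environment variable, so expand() maps it by hand.
DROPPED_FILES = [r"%Temp%\1.tmp", r"%System%\hyli.igo", r"%System%\fvfj.sxo"]
MARKER_KEY = r"SOFTWARE\Classes\idid"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
CLEAN_SHELL = "explorer.exe"  # default Winlogon Shell value on a clean host


def expand(path: str) -> str:
    """Expand %Temp% and the report shorthand %System% into a concrete path."""
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    return os.path.expandvars(path.replace("%System%", system32))


def check_host(file_exists, key_exists, read_value) -> list:
    """Return a list of findings.

    The three probes are injected so the logic can run over a recorded snapshot;
    on a live Windows host pass the probes from windows_probes().
    """
    findings = []
    for indicator in DROPPED_FILES:
        full = expand(indicator)
        if file_exists(full):
            findings.append(f"dropped file present: {full}")
    if key_exists(MARKER_KEY):
        findings.append(f"infection marker key present: HKLM\\{MARKER_KEY}")
    shell = read_value(WINLOGON_KEY, "Shell")
    # Anything beyond the bare explorer.exe means another program is started with the shell.
    if shell is not None and shell.strip().lower() != CLEAN_SHELL:
        findings.append(f"Winlogon Shell tampered: {shell!r} (expected {CLEAN_SHELL!r})")
    return findings


def windows_probes():
    """Live probes using the registry API; winreg is only available on Windows."""
    import winreg

    def key_exists(subkey):
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey))
            return True
        except OSError:
            return False

    def read_value(subkey, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:
            return None

    return os.path.exists, key_exists, read_value


def snapshot_probes(files, keys, values):
    """Probes backed by a recorded snapshot: a set of paths, a set of keys, a {(key, name): value} map."""
    return (lambda path: path in files,
            lambda key: key in keys,
            lambda key, name: values.get((key, name)))


# Constructed snapshots (not real captures) of an infected and a clean host.
INFECTED = snapshot_probes(
    {expand(r"%System%\hyli.igo")},
    {MARKER_KEY},
    {(WINLOGON_KEY, "Shell"): "explorer.exe " + expand(r"%System%\hyli.igo")},  # assumed tampered value
)
CLEAN = snapshot_probes(set(), set(), {(WINLOGON_KEY, "Shell"): "explorer.exe"})

if __name__ == "__main__":
    for line in check_host(*INFECTED):
        print(line)
    print("clean host findings:", check_host(*CLEAN))
```

The dropped file names are specific to these two samples, so the Winlogon Shell comparison is the durable check: it flags any variant that reuses the same persistence technique, whatever file name it drops.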

How-to's

1. Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

2. We have added new policies to Ax3soft Sax2 to detect this trojan; please update the Sax2 policy knowledge base promptly.

Appendix:

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm