Monday, November 9, 2009

UPS Scam E-mail with Cutwail/Pandex Trojan Attachment

Quite similar to the recent DHL scam e-mail campaign, malicious e-mails have recently been circulating that claim to be from UPS (United Parcel Service of America) and use social engineering to trick users into opening an attachment.

Following is a sample e-mail:
From: "UPS Service" {fake address @ recipient's ISP or e-mail provider}
Subject: UPS Delivery Problem
Date: November 5, 2009
Dear customer!

Unfortunately we were not able to deliver the postal package which was sent on the 20th of June in time
because the addressee's address is incorrect.
Please print out the invoice copy attached and collect the package at our office.

United Parcel Service of America.

Attachment: (22,317 bytes)
If an unsuspecting individual opens the attachment, the malware copies itself with the file name "reader_s.exe" to the user's profile folder (e.g. C:\Documents and Settings\User\reader_s.exe) and to the system folder (e.g. C:\Windows\system32\reader_s.exe) and registers itself as a startup item in the registry.  It phones home to multiple IP addresses on port 80 (see a list below).

Initial detection of the malware was somewhat low; the earliest VirusTotal report I could find showed that 18 out of 40 major antivirus engines detected this threat (a good demonstration of why it's never a good idea to open a suspicious attachment; you can't count on your antivirus software to detect all malware, especially new samples).  The sample is currently detected by nearly all antivirus software.  Most of the following information is courtesy of VirusTotal:
File name: inv.exe (it has also been submitted to Prevx as reader_s.exe, winner.exe, photo.exe, etc.)
File size: 51200 bytes
MD5...: 3b9c3d653c3e5cb40c93e9599ee507de
SHA1..: 3277a9dd2d1f9a242d431ca76e2a8362221da129
SHA256: 98b368e66ec3e3e583603fbd8ab575c44e9a11f0733062b1ce179fea0f004731

37/40 detection rate as of 2009.11.09 10:26:55 (UTC)

Variously identified as: Backdoor.Small.CPDR, Backdoor.Small.zs, Backdoor.Win32.Small.51200.D, Backdoor.Win32.Small.zs, Backdoor/W32.Small.51200, Cutwail, Heur.Suspicious, High Risk Cloaked Malware, SHeur2.BPZQ, TR/Crypt.XPACK.Gen, Trj/Downloader.MDW, TROJ_AGENT.AWYQ, Troj/Agent-LNC, Trojan-Downloader.Win32.Small, Trojan:W32/Cutwail.CW, Trojan.Crypt.XPACK.Gen, Trojan.Cutwail.Z, Trojan.DownLoad.37236, Trojan.Downloader-81329, Trojan.Pandex, Trojan.Win32.Generic!SB.0, Trojan.Win32.Generic.51F056EF, Trojan.Win32.Malware.1, TrojanDownloader:Win32/Cutwail.gen!C, TrojanDownloader.Adload.gpa, W32/Cutwail.C!tr.dldr, W32/Smalltroj.UMSB, W32/Trojan3.BLY, Win32:Malware-gen, Win32/Cutwail.AVH, Win32/Wigon
ThreatExpert behavioral analysis:

Anubis behavioral analysis:

Prevx report which includes additional file names:

See also the Web of Trust (WOT) reports for several IPs to which this malware phones home (IP block owners in parenthesis): (China Unicom) (China Unicom) (Limestone Networks [Texas, USA]) (GoDaddy [Arizona, USA]) (The Planet [Texas, USA]) (China Unicom)  (China Unicom) (Chinanet) (China Unicom)

No comments:

Post a Comment

Comment moderation is enabled. (If you wish to contact Josh privately, you can leave a comment and ask that it not be published.)