Channel: Noticias Antivirus - zonavirus.com

New mass mailing with Bublik malware attached, a downloader that fetches ZBOT-Z together with a rootkit driver

A new e-mail now being received in large numbers attaches the file "Invoice_03212014.zip", which contains a malicious EXE file with a PDF icon. It turns out to be a downloader that fetches SPYZBOT-Z together with a driver that prevents that ZBOT from being deleted, or even from being renamed in order to leave it parked.

Both that driver and the ZBOT malware in question, which gives itself away by causing double accents, as well as the BUBLIK that downloads them, are handled as of today's ElistarA 29.63.

The VirusTotal pre-analysis gives this report:

MD5 76229e27d6dbd8d636ee3863310b90df
SHA1 955f67f3cc0c306fb7df6142840a3ebe52611e1e
File size 19.5 KB ( 19968 bytes )
SHA256: 7427f04562428c16251910957bfb9e9a717878630040b6a2796717908132d154
Name: Invoice_03212014.exe
Detections: 34 / 49
Analysis date: 2014-03-24 10:33:13 UTC ( 0 minutes ago )


Antivirus | Result | Update
AVG | Luhe.Fiha.A | 20140324
Ad-Aware | Trojan.GenericKD.1614009 | 20140324
Agnitum | Trojan.DL.Waski! | 20140323
AhnLab-V3 | Trojan/Win32.Agent | 20140323
AntiVir | TR/ATRAPS.A.1574 | 20140324
Antiy-AVL | Trojan/Win32.Bublik | 20140324
Avast | Win32:Trojan-gen | 20140324
Baidu-International | Trojan.Win32.Bublik.aM | 20140324
BitDefender | Trojan.GenericKD.1614009 | 20140324
CAT-QuickHeal | Trojan.Bublik.cddf | 20140324
Commtouch | W32/Trojan.HZGK-9386 | 20140324
DrWeb | Trojan.DownLoad3.28161 | 20140324
ESET-NOD32 | Win32/TrojanDownloader.Waski.A | 20140324
Emsisoft | Trojan-Downloader.Win32.Waski (A) | 20140324
F-Prot | W32/Trojan3.HVQ | 20140324
Fortinet | W32/Bublik.CDDF!tr | 20140324
GData | Trojan.GenericKD.1614009 | 20140324
Ikarus | Win32.Outbreak | 20140324
Kaspersky | Trojan.Win32.Bublik.cddf | 20140324
Malwarebytes | Trojan.Downloader.Upatre | 20140324
McAfee | Downloader-FSH!76229E27D6DB | 20140324
McAfee-GW-Edition | Downloader-FSH!76229E27D6DB | 20140324
MicroWorld-eScan | Trojan.GenericKD.1614009 | 20140324
Microsoft | TrojanDownloader:Win32/Upatre.O | 20140324
NANO-Antivirus | Trojan.Win32.DownLoad3.cvrjcp | 20140324
Norman | Upatre.BD | 20140324
Panda | Generic Malware | 20140323
Qihoo-360 | Win32/Trojan.Downloader.e22 | 20140324
Sophos | Mal/Upatre-A | 20140324
Symantec | Trojan.Zbot | 20140324
TrendMicro | TROJ_UPATRE.YYJW | 20140324
TrendMicro-HouseCall | TROJ_UPATRE.YYJW | 20140324
VIPRE | Trojan.Win32.Generic.pak!cobra | 20140324
nProtect | Trojan.GenericKD.1614009 | 20140323

That ElistarA 29.63 version, which detects and removes them, will be available on our website from 19:00 CEST today.

___________


The e-mail in question looks like this:


MALICIOUS E-MAIL:
_______________

Subject: Payment Overdue
From: "QuickBooks Invoice" <auto-invoice@quickbooks.com>
Date: 21/03/2014 18:12
To: <recipient>


Please find attached your invoices for the past months. Remit the payment by 03/23/2014 as outlines under our "Payment Terms" agreement.

Thank you for your business,

Sincerely,
Jean Marquez

This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.

ATTACHMENT: "Invoice_03212014.zip"

______________________

END OF MALICIOUS E-MAIL
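
A mail-gateway check for the lure described in this post, a ZIP attachment whose member is a Windows executable presented as a document. This is an added example, not part of the original post; the extension lists, reason labels and sample archive are assumptions constructed for illustration.

```python
import io
import os
import zipfile

EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".cpl"}   # assumed blocklist
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}  # assumed lure types

def inspect_zip_attachment(data: bytes) -> list:
    """Return (member_name, reasons) for every suspicious archive member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            # Windows ignores trailing dots/spaces, so strip them first.
            stem, ext = os.path.splitext(info.filename.lower().rstrip(". "))
            if ext in EXEC_EXTS:
                reasons.append("executable-extension")
                if os.path.splitext(stem)[1] in DOC_EXTS:
                    reasons.append("double-extension")
            if info.flag_bits & 0x1:
                reasons.append("encrypted-member")  # content not inspectable
            else:
                with zf.open(info) as member:
                    if member.read(2) == b"MZ" and ext not in EXEC_EXTS:
                        reasons.append("pe-header-under-other-extension")
            if reasons:
                findings.append((info.filename, reasons))
    return findings

def build_sample_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: harmless bytes, only names and the first two bytes matter.
SAMPLE = build_sample_zip({
    "Invoice_03212014.exe": b"MZ\x00\x00",
    "statement.pdf.scr": b"MZ\x00\x00",
    "report.pdf": b"MZ\x00\x00",
    "readme.txt": b"plain text",
})

if __name__ == "__main__":
    for name, reasons in inspect_zip_attachment(SAMPLE):
        print(name, reasons)
```

The icon embedded in the EXE is not examined here; the check relies on the member name and the first two bytes of its content.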


Regards

ms, 24-3-2014
