Scan de nnn or Scan de [your domain] - Virus


Email:

A fake French-language scan-to-email message claims to come from a Xerox device in your own domain and to carry an attached PDF.

The attached zip actually contains an .exe virus or trojan horse.

The From header spoofs the recipient's domain.


Subject: Scan de 0284358

Scan de 0284358
Format de fichier: PDF MMR(G4)
Resolution: 200dpi x 200dpi

Le fichier joint est une image numerisee au format PDF. Utilisez Acrobat(R)Reader(R)
ou Adobe(R)Reader(R) d'Adobe
Systems Incorporated pour visualiser le document. Il est possible de telecharger
Adobe(R)Reader(R) de l'adresse suivante:
Adobe, le logo Adobe, Acrobat, le logo Adobe PDF et Reader sont des marques
deposees ou des marques commerciales
d'Adobe Systems Incorporated aux Etas-Unis et dans les autres pays.
http://www.adobe.com/

Scan_002_07032014_001.zip (9)

Some versions mention your domain:

Scan de [recipient domain]
Format de fichier: PDF MMR(G4)
Resolution: 200dpi x 200dpi

The French text translated into English:

Scan 0284358
File Format: PDF MMR (G4)
Resolution: 200dpi x 200dpi

The attached file is a scanned image in PDF format. Use Acrobat(R) Reader(R)
or Adobe(R) Reader(R) from Adobe Systems Incorporated to view the document.
Adobe(R) Reader(R) can be downloaded from the following address:
Adobe, the Adobe logo, Acrobat, the Adobe PDF logo and Reader are registered
trademarks or trademarks of Adobe Systems Incorporated in the United States
and other countries.

Header Examples:

The From header spoofs the recipient's (your) domain, while the envelope sender is something random.

Received: from XFGAJPOQ ([203.156.91.156]
X-Envelope-From: croonkl80 @redvips.com
From: "Xerox" <scan @[your domain]>
Subject: Scan de 0670566

Received: from 124-11-194-131.static.tfn.net.tw [124.11.194.131]
X-Envelope-From: livingqsp50 @retailcanada.com
From: "Xerox" <scan @[your domain]>
Subject: Scan de 0284358

Received: from d5152F222.static.telenet.be [81.82.242.34]
X-Envelope-From: regardlesszhzn27 @repairclinic.com
From: "Xerox" <scan @[your domain]>
Subject: Scan de 0084339

Received: from 105-236-186-188.access.mtnbusiness.co.za [105.236.186.188]
X-Envelope-From: uncontrollablyv @robbiewilliams.com
From: "Xerox" <scan @[your domain]>
Subject: Scan de [your domain]

Received: from triband-mum-59.182.133.115.mtnl.net.in [59.182.133.115]
X-Envelope-From: rationalizingpu74 @royalscotsclub.com
From: "Xerox" <scan @[your domain]>
Subject: Scan de 9930377

Received: from 71.Red-80-38-203.staticIP.rima-tde.net [80.38.203.71]
X-Envelope-From: warwick303 @resindistributors.com
From: "Xerox" <scan @[your domain]>
Subject: Scan de [your domain]

Attachment Samples:

Scan_002_07032014_001.zip containing Scan_002_07032014_001.exe
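Added detection example (not THL's code) that turns the two tells described on this page into checks: the From header claiming your own domain while the envelope sender is an unrelated domain, and a "Scan de" zip whose member is an .exe. The sample headers are constructed from the examples above with example.com standing in for "[your domain]", and the sample zip contains inert bytes rather than the real attachment.

```python
import email
import io
import re
import zipfile
from email import policy
from email.utils import parseaddr

LOCAL_DOMAIN = "example.com"  # assumption: the protected recipient domain

# Constructed sample: values from the header examples above, "[your domain]" = example.com.
SAMPLE_HEADERS = (
    "Received: from XFGAJPOQ ([203.156.91.156])\n"
    "X-Envelope-From: croonkl80@redvips.com\n"
    'From: "Xerox" <scan@example.com>\n'
    "Subject: Scan de 0670566\n"
)

EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if none."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def header_findings(raw_headers, local_domain=LOCAL_DOMAIN):
    """Reasons the headers match the 'Scan de' lure; empty list if none."""
    msg = email.message_from_string(raw_headers, policy=policy.default)
    from_dom = domain_of(msg.get("From", ""))
    env_dom = domain_of(msg.get("X-Envelope-From", ""))
    subject = str(msg.get("Subject", ""))
    findings = []
    # The tell from the samples: From claims our domain, envelope sender belongs elsewhere.
    if from_dom == local_domain and env_dom and env_dom != local_domain:
        findings.append(f"From spoofs {local_domain}, envelope sender is {env_dom}")
    if re.fullmatch(rf"Scan de (\d+|{re.escape(local_domain)})", subject):
        findings.append("subject uses the 'Scan de <number|domain>' lure")
    return findings

def zip_executables(zip_bytes):
    """Names of zip members with an executable extension (the PDF lure hides an .exe)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT)]

def build_sample_zip():
    """Constructed stand-in for Scan_002_07032014_001.zip; the member is inert bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Scan_002_07032014_001.exe", b"not a real executable")
    return buf.getvalue()
```

Running header_findings on a message that passes both checks while zip_executables reports an .exe is a strong signal for quarantining the message at the gateway.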

VirusTotal report:

AntiVir TR/Yarwi.A.26
Avast Win32:Malware-gen
CMC Packed.Win32.Katusha.3!O
Commtouch W32/Trojan.LNWL-1471
ESET-NOD32 Win32/TrojanDownloader.Waski.A
Ikarus Trojan-Spy.Zbot
Qihoo-360 HEUR/Malware.QVM20.Gen
Rising PE:Malware.XPACK/RDM!5.1

Malwr.com report:

Starts servers listening on 0.0.0.0:0, 0.0.0.0:5747, 0.0.0.0:4751
Performs some HTTP requests
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Operates on local firewall's policies and settings
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup
Generates some ICMP traffic
HTTP downloads: shashe.net /images /0703UKp.wix

File-Analyzer.net report:

Drops: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\true_updater.exe
Binary may include packed or encrypted data
PE sections with suspicious entropy found
Creates guard pages, often used to prevent reverse engineering and debugging

Samples provided to Clam AV and Microsoft Security when this article was created.
