NUEVO MAIL MASIVO CON FALSO REMITENTE DHL, QUE ANEXA FICHERO CON TROJAN PERSEUS, ALIAS FAREIT

Se está recibiendo masivamente un mail aparentando venir de DHL, anexando fichero ZIP que contiene un ejecutable con doble extensión, .DOC.EXE, que resulta ser uns nueva variante de troyano PERSEUS, alias FAREIT, que pasamos a controlar a partir del ELISTARA 33.85 de hoy.

MAIL MASIVO MALICIOSO ANEXA FICHERO VIRICO
__________________________________________
Asunto: DHL Failed Delivery Notification
De: “noreply@dhl.com”<hafiz.m.qaiser@dhl.com> (falso remitente)
Fecha: 26/01/2016 12:22
Para: undisclosed-recipients:; (lista oculta de direcciones)

Dear Customer,

We attempted to deliver your item at 8:10 AM on January 25th,2016. (Read enclosed file details)

The delivery attempt failed because nobody was present at the shipping address, so this notify has been automatically sent.

If the parcel is not scheduled for re-delivery or picked up within 72 hours, it will be returned to the sender.

Label Number: DHL733918737AA

Expected Delivery Date January 25th , 2016

Class: Package Services

Service(s): Delivery Confirmation

Status: eNotification sent

Read the enclosed file for details.

DHL Customer Service.

2016 © DHL International GmbH. All rights reserved.

———————————————————————-

This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

anexado:Delivery Note – AWD 4655822861- 20160117-Microsoft Office Document(2)_doc.zip

contiene: Delivery Note – AWD 4655822861- 20160117-Microsoft Office Documen…DOC.EXE

_________________

FIN MAIL MALICIOSO

El preanalisis de virustotal ofrece el siguiente informe:

MD5 6d3dd0c444ab98bb7f982963e918a94c
SHA1 900ff6931571b4f8a6c62b7cb59bf6b60f4bc93e
Tamaño del fichero 154.0 KB ( 157696 bytes )
SHA256: 8f3b22275dc1b59e2945e02cb33fe381b46316bf1a1dbb587d7a0889a8864935
Nombre: Delivery Note – AWD 4655822861- 20160117-Microsoft Office Documen…
Detecciones: 38 / 53
Fecha de análisis: 2016-02-01 07:47:30 UTC ( hace 34 minutos )
0 1
Antivirus Resultado Actualización
ALYac Trojan.GenericKD.3011949 20160130
AVG MSIL9.BNCH 20160130
Ad-Aware Trojan.GenericKD.3011949 20160130
AegisLab Uds.Dangerousobject.Multi!c 20160130
Agnitum Trojan.PWS.Fareit!PbQBdccamYg 20160129
AhnLab-V3 Trojan/Win32.MDA 20160129
Antiy-AVL Trojan[PSW]/Win32.Fareit 20160130
Arcabit Trojan.Generic.D2DF56D 20160130
Avast Win32:Trojan-gen 20160130
Avira TR/Dropper.MSIL.250928 20160130
BitDefender Trojan.GenericKD.3011949 20160130
Cyren W32/MSIL_Injector.BF.gen!Eldorado 20160201
DrWeb Trojan.PWS.Multi.911 20160201
ESET-NOD32 a variant of MSIL/Injector.NUA 20160130
Emsisoft Trojan.GenericKD.3011949 (B) 20160201
F-Prot W32/MSIL_Injector.BF.gen!Eldorado 20160129
F-Secure Trojan.GenericKD.3011949 20160129
Fortinet MSIL/Injector.NLR!tr 20160201
GData Trojan.GenericKD.3011949 20160130
Ikarus Trojan.MSIL.Inject 20160129
Jiangmin Trojan.PSW.Fareit.bgl 20160129
K7AntiVirus Trojan ( 004dcac71 ) 20160129
K7GW Trojan ( 004dcac71 ) 20160129
Kaspersky Trojan-PSW.Win32.Fareit.bmdb 20160129
McAfee RDN/Spybot.bfr 20160130
McAfee-GW-Edition BehavesLike.Win32.Backdoor.ch 20160130
MicroWorld-eScan Trojan.GenericKD.3011949 20160130
Microsoft PWS:Win32/Fareit 20160130
NANO-Antivirus Trojan.Win32.Multi.dzvvde 20160130
Panda Trj/GdSda.A 20160129
Qihoo-360 HEUR/QVM03.0.Malware.Gen 20160201
Sophos Mal/MSIL-OM 20160130
Symantec Suspicious.Cloud.9 20160129
Tencent Win32.Trojan-qqpass.Qqrob.Wptt 20160201
TrendMicro TROJ_MOSERAN.BMC 20160130
TrendMicro-HouseCall TROJ_MOSERAN.BMC 20160130
VIPRE Trojan.Win32.Generic!BT 20160130
nProtect Trojan.GenericKD.3011949 20160129

Debe tenerse en cuenta que, por defecto, WIndows no muestra extensiones, salvo que se configure a tal efecto, viendo que el fichero ZIP contiene un ejecutable de doble extension, .DOC.EXE, siendo, la última extension la que se ejecuta.

Dicha versión del ELISTARA 33.85 que lo detecta y elimina, estará disponible en nuestra web a partir de las 18 h CEST de hoy

saludos

ms, 1-2-2016