<p><a href="http://wincert.net/wp-content/uploads/2015/01/security.jpg"><img class="alignnone size-full wp-image-564" src="http://wincert.net/wp-content/uploads/2015/01/security.jpg" alt="security box,secure,malware,virus,protection,messenger" width="720" height="340" /></a></p>
<p><span style="color: #008000;">Update: Upon our submission of this threat to Microsoft, they have confirmed that this threat is classified as the new variant of TrojanDownloader:Win32/Bredolab.AC. (check the rest of the article for more information)</span></p>
<p>I&#8217;ve received several suspicious e-mails in the last couple of days, so I decided to check the contents of the attached .zip file and, unsurprisingly, there was an .exe file in it.</p>
<p>What is not good is the fact that neither Microsoft Security Essentials nor ESET NOD32 was able to detect it when I scanned the file.</p>
<p>At least the Microsoft Outlook mail scanner marked this mail as spam, so I wasn&#8217;t entirely unprotected :)</p>
<p>The bogus message subject is something like this:</p>
<p><span style="color: #003366;">Subject: UPS Tracking Number 8279775.</span></p>
<p><span style="color: #993300;"><span style="color: #003366;">Sender: UPS Manager Ramona Mock</span> (<a href="mailto:parcel@ups.com">parcel@ups.com</a>)</span></p>
<p style="padding-left: 30px;"><em>Here&#8217;s the body of the mail:</em></p>
<p style="padding-left: 30px;"><em>Dear customer! </em></p>
<p style="padding-left: 30px;"><em>The courier company was not able to deliver your parcel by your address.<br />
Cause: Error in shipping address. </em></p>
<p style="padding-left: 30px;"><em>You may pickup the parcel at our post office personaly!</em></p>
<p style="padding-left: 30px;"><em>Please attention!<br />
The shipping label is attached to this e-mail.<br />
Please print this label to get this package at our post office.</em></p>
<p style="padding-left: 30px;"><em>Please do not reply to this e-mail, it is an unmonitored mailbox.</em></p>
<p style="padding-left: 30px;"><em>Thank you.<br />
United Parcel Service.</em></p>
<p>The attachment actually contains a virus which may infect the user&#8217;s computer.</p>
<p>When I googled for more information on this virus, I found out that a similar virus was released almost 2 years ago, so apparently this is a new variant of it, as AV scanners were unsuccessful in detecting the threat. So far I&#8217;ve tried to detect the threat using &#8216;only&#8217; Microsoft Security Essentials and NOD32 antivirus.</p>
<p>Here is the warning about the UPS virus which was released about 18 months ago.</p>
<p style="padding-left: 30px;"><span style="color: #008000;">The newest virus circulating is the UPS/Fed Ex Delivery Failure. You will receive an email from UPS/Fed Ex Service along with a packet number. It will say that they were unable to deliver a package sent to you on such-and-such a date. It then asks you to print out the invoice copy attached. DON&#8217;T TRY TO PRINT THIS. IT LAUNCHES THE VIRUS! Pass this warning on to all your PC operators at work and home. This virus has caused Millions of dollars in damage in the past few days.</span></p>
<p><span style="color: #333333;">I can&#8217;t be sure what damage it can cause to your computer, but I guess it is a variant of the UPS trojan virus, and I can only advise you, upon receiving similar mail, to delete it immediately.</span></p>
<p><span style="color: #333333;"><span style="color: #008000;">Update:</span> I have submitted the suspicious file to the Microsoft Malware Protection Center (MMPC). I will update this article as soon as I get more info on this.</span></p>
<p><span style="color: #008000;">Update #2: </span>I received a reply from Microsoft, and they confirmed that this threat is classified as <span style="color: #993300;">TrojanDownloader:Win32/Bredolab.AC</span>. A downloader trojan accesses remote websites in an attempt to download and install malicious or potentially unwanted software.</p>
<p>According to Microsoft, this Trojan was first discovered on Dec 16, 2009, but this appears to be a new variant, which is the reason why it wasn&#8217;t detected by anti-virus scanners.</p>
<p>Important NOTE: Upon my submission of this threat to Microsoft, they have updated virus definitions as seen below:</p>
<p>Detection last updated:<br />
Definition: 1.71.2267.0<br />
Released: Jan 15, 2010</p>
<p>BUT, bear in mind that if you&#8217;re using Microsoft Security Essentials, virus definitions might not be updated automatically. I advise you to open Microsoft Security Essentials, select the &#8216;Update&#8217; tab and click on the &#8216;Update&#8217; button. You will then be protected.</p>
<p>Here is a screenshot of the successful detection of this new threat:</p>
<p><img class=" size-full wp-image-75" src="http://wincert.net/wp-content/uploads/2010/01/removing_bredolab.PNG" alt="" width="586" height="315" border="0" /></p>
<p>Anyway, let&#8217;s get on to what this Trojan actually does on your PC.</p>
<p><strong>System changes</strong></p>
<p>The following system changes may indicate the presence of this malware:<br />
The presence of the following files:<br />
<span style="color: #003366;">&lt;system folder&gt;\digeste.dll<br />
&lt;system folder&gt;\digiwet.dll<br />
&lt;system folder&gt;\mcenspc.dll<br />
&lt;system folder&gt;\msansspc.dll<br />
%startup%\asgupd32.exe<br />
%startup%\dfqupd32.exe<br />
%startup%\dmaupd32.exe<br />
%startup%\fmnupd32.exe<br />
%startup%\ihaupd32.exe<br />
%startup%\imiupd32.exe<br />
%startup%\legupd32.exe<br />
%startup%\ppqupd32.exe<br />
%startup%\rqjupd32.exe<br />
%startup%\ikowin32.exe<br />
%startup%\wbhwin32.exe<br />
%startup%\hcgwin32.exe<br />
%startup%\fqosys32.exe<br />
%startup%\lecsys32.exe<br />
%startup%\necsys32.exe<br />
%startup%\rncsys32.exe<br />
%startup%\ysfsys32.exe<br />
%startup%\zqosys32.exe<br />
&lt;system folder&gt;\wbem\grpconv.exe<br />
%appdata%\wiaserva.log</span></p>
<p><strong>The presence of the following registry modifications:</strong><br />
To subkey: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders<br />
Sets value: &#8220;SecurityProviders&#8221;<br />
With data: &#8220;msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll&#8221;</p>
<p><strong>Technical Information (Analysis)</strong><br />
Win32/Bredolab is a downloader which is able to download and execute arbitrary files from a remote host.</p>
<p><strong>Installation</strong></p>
<p>Win32/Bredolab has changed its method of installation over time. When older variants of Win32/Bredolab are executed, they copy themselves to one of the following locations, converting their EXE to a DLL:</p>
<p><span style="color: #003366;">&lt;system folder&gt;\digeste.dll<br />
&lt;system folder&gt;\digiwet.dll<br />
&lt;system folder&gt;\mcenspc.dll<br />
&lt;system folder&gt;\msansspc.dll</span></p>
<p>The registry is then modified to ensure that the DLL is loaded. For example:<br />
To subkey: <span style="color: #003366;">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders</span><br />
Sets value: <span style="color: #003366;">&#8220;SecurityProviders&#8221;</span><br />
With data: <span style="color: #003366;">&#8220;msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll&#8221;</span></p>
<p>More recent variants of Win32/Bredolab copy themselves to the %startup% folder using one of the following variable filenames:</p>
<p><span style="color: #003366;">asgupd32.exe<br />
dfqupd32.exe<br />
dmaupd32.exe<br />
fmnupd32.exe<br />
ihaupd32.exe<br />
imiupd32.exe<br />
legupd32.exe<br />
ppqupd32.exe<br />
rqjupd32.exe<br />
ikowin32.exe<br />
wbhwin32.exe<br />
hcgwin32.exe<br />
fqosys32.exe<br />
lecsys32.exe<br />
necsys32.exe<br />
rncsys32.exe<br />
ysfsys32.exe<br />
zqosys32.exe</span></p>
<p>Or they may use the following location:</p>
<p><span style="color: #003366;">&lt;system folder&gt;\wbem\grpconv.exe</span></p>
<p><strong>Payload</strong></p>
<p><strong>Downloads and executes arbitrary files</strong><br />
Win32/Bredolab contacts a remote host, and receives a response from the master server that contains at least one encrypted binary. Downloaded binaries are decrypted and executed.</p>
<p>Win32/Bredolab may use a random file name for downloaded binaries on the local machine. Binaries may be saved to the following location:</p>
<p><span style="color: #003366;">%windir%\Temp\wpv[numbers].exe</span></p>
<p>
In the wild, Win32/Bredolab has been observed to contact the following control servers:<br />
</p>
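<p>Pulling the host indicators from the System changes, Installation and Payload sections above into one read-only triage check, as an added example written in PowerShell (not code from the original post or from Microsoft&#8217;s encyclopedia entry). It assumes an elevated session on the host being examined; the SecurityProviders baseline is taken from the post&#8217;s own example value, which may differ on newer Windows versions, so an unexpected entry means &#8220;review&#8221;, not &#8220;confirmed malicious&#8221;.</p>

```powershell
# Added example, not from the original post or Microsoft's write-up: a read-only
# triage check for the Bredolab indicators listed above. Assumes an elevated
# PowerShell session on the host being inspected; it only reports, it removes nothing.

$hits = @()
$sysDir = [Environment]::GetFolderPath('System')   # the "system folder" from the list

# Files dropped into the system folder (older variants) and the log file in %appdata%
foreach ($rel in 'digeste.dll','digiwet.dll','mcenspc.dll','msansspc.dll','wbem\grpconv.exe') {
    $p = Join-Path $sysDir $rel
    if (Test-Path -LiteralPath $p) { $hits += "file: $p" }
}
$log = Join-Path $env:APPDATA 'wiaserva.log'
if (Test-Path -LiteralPath $log) { $hits += "file: $log" }

# %startup% names (newer variants): every name in the list is three letters followed by
# upd32, win32 or sys32, so match that shape rather than only the exact names seen so far.
$startupPattern = '^[a-z]{3}(upd|win|sys)32\.exe$'
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    $files = Get-ChildItem -LiteralPath $dir -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer -and $_.Name -match $startupPattern }
    foreach ($f in $files) { $hits += "file: $($f.FullName)" }
}

# Downloaded payloads: %windir%\Temp\wpv[numbers].exe
$tmp = Get-ChildItem -LiteralPath (Join-Path $env:SystemRoot 'Temp') -ErrorAction SilentlyContinue |
       Where-Object { -not $_.PSIsContainer -and $_.Name -match '^wpv\d+\.exe$' }
foreach ($f in $tmp) { $hits += "file: $($f.FullName)" }

# SecurityProviders: the trojan appends its DLL to this comma-separated REG_SZ value.
# Baseline = the legitimate entries from the post's example (assumption: differs per Windows version).
$baseline = 'msapsspc.dll','schannel.dll','digest.dll','msnsspc.dll'
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'
$data = (Get-ItemProperty -Path $key -Name SecurityProviders -ErrorAction SilentlyContinue).SecurityProviders
foreach ($entry in ([string]$data -split ',')) {
    $e = $entry.Trim()
    if ($e -and ($baseline -notcontains $e)) { $hits += "registry: unexpected SecurityProviders entry '$e'" }
}

if ($hits.Count -eq 0) { 'No Bredolab indicators found.' } else { $hits }
```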
<p><strong>The following list details just a small selection of the malware known to be downloaded by variants of Win32/Bredolab:</strong><br />
Win32/Ambler<br />
Win32/Boaxxe<br />
Win32/Busky<br />
Win32/Cbeplay<br />
Win32/Cutwail<br />
Win32/Daurso<br />
Win32/FakeRean<br />
Win32/FakeSpypro<br />
Win32/Haxdoor<br />
Win32/Hiloti<br />
Win32/Insnot<br />
Win32/Koobface<br />
Win32/Momibot<br />
Win32/Oderoor<br />
Win32/Oficla<br />
Win32/Otlard<br />
Win32/Rlsloup<br />
Win32/Rustock<br />
Win32/Sinowal<br />
Win32/Tedroo<br />
Win32/Ursnif<br />
Win32/Vundo<br />
Win32/Waledac<br />
Win32/Wantvi<br />
Win32/Winwebsec<br />
Win32/Wopla<br />
Win32/Zbot</p>
<p><strong>Additional Information</strong></p>
<p>Some variants of Win32/Bredolab may create the following file during execution:<br />
%appdata%\wiaserva.log</p>
<p>You can also get more information on the <a href="https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Bredolab" target="_blank">Microsoft Security Portal</a>.</p>