MxLab has intercepted new spam mails that ask the recipient to confirm an order. The messages are sent in English or in Dutch. Each email comes with a link, and each link leads to the file /downloads/Document.zip, which probably contains malware.
One of the spam mails:
Gruss Gott, ****@****.nl.
Thank you for the order,
id: 862446.
Your credit card will be charged for 638 dollars.
Information about the order and delivery located at:
hxxp://www.shancommunity.org/downloads/Document.zip?Hashcliente=contact@robpeetoom.nl
____________________________
Best regards, ticket service.
Tel./Fax.: +31 (0)346 542 41 05
Trojan Infection:
The Trojan attempts to create the following file:
%AllUsersProfile%\Local Settings\Temp\d928fffd000226d7.exe
The following directories are created:
%AllUsersProfile%\Local Settings
%AllUsersProfile%\Local Settings\Temp
After the infection, several Windows registry changes are made and the Trojan can establish connections with the following IPs on port 80:
195.214.238.241
88.222.0.5
McAfee detects this Trojan as Generic FakeAlert.fz; Microsoft detects it as Worm:Win32/Gamarue.B.
At the time of writing, only 6 of the 42 AV engines at VirusTotal detected the Trojan.
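With so few engines detecting the sample, the indicators above (lure path, dropped file location, the two IPs on port 80) can be checked against proxy, endpoint and firewall events directly. The following triage sketch is an added example, not part of the original post: the event schema, host names and sample events are constructed, and the 16-hex-digit file name pattern is an assumption generalized from the single name observed.

```python
import re
from urllib.parse import urlsplit

# Indicators from the write-up above.
LURE_PATH = "/downloads/document.zip"  # compared case-insensitively
C2_ENDPOINTS = {("195.214.238.241", 80), ("88.222.0.5", 80)}
# Assumption: the dropped name is always 16 hex digits, like the one observed.
DROP_RE = re.compile(r"\\Local Settings\\Temp\\[0-9a-f]{16}\.exe$", re.IGNORECASE)


def refang(url):
    """Turn a defanged hxxp:// URL back into one urlsplit can parse."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def classify(event):
    """Return a finding label for one event, or None if nothing matches."""
    kind = event["kind"]
    if kind == "http":
        if urlsplit(refang(event["url"])).path.lower() == LURE_PATH:
            return "lure-download"
    elif kind == "conn":
        if (event["dst_ip"], event["dst_port"]) in C2_ENDPOINTS:
            return "c2-connection"
    elif kind == "file":
        if DROP_RE.search(event["path"]):
            return "dropped-executable"
    return None


def triage(events):
    """Group matching events by host so affected machines stand out."""
    hits = {}
    for ev in events:
        label = classify(ev)
        if label:
            hits.setdefault(ev["host"], []).append(label)
    return hits


# Constructed sample events (hypothetical schema, not real telemetry).
SAMPLE = [
    {"host": "ws-01", "kind": "http", "url": "hxxp://lure.example/downloads/Document.zip?Hashcliente=user@example.nl"},
    {"host": "ws-01", "kind": "file", "path": r"C:\Documents and Settings\All Users\Local Settings\Temp\d928fffd000226d7.exe"},
    {"host": "ws-01", "kind": "conn", "dst_ip": "88.222.0.5", "dst_port": 80},
    {"host": "ws-02", "kind": "http", "url": "http://intranet.example/downloads/report.zip"},
    {"host": "ws-02", "kind": "conn", "dst_ip": "88.222.0.5", "dst_port": 443},
]

if __name__ == "__main__":
    for host, labels in triage(SAMPLE).items():
        print(host, labels)
```

A host showing the full sequence of lure download, dropped executable and outbound connection is the strongest signal; a lone lure download may only mean the link was clicked.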