Bredolab Trojan Creating New Nuisance on Internet
According to a report published by SOFTPEDIA on May 17, 2010, security experts have detected fake e-mails that claim to be order confirmation messages sent by Amazon. The archive attached to the e-mail contains a malicious executable file that drops a fresh version of malware belonging to the Bredolab Trojan family.
E-mail security provider MX Lab stated that the subject line of these malicious e-mails reads "Your order has been paid! Parcel NR:58588-691". The e-mails appear to originate from a fake address "firstname.lastname@example.org" and are signed by Vaughn Montes, a so-called Amazon employee.
The message thanks the recipient for purchasing at Amazon.com. It goes on to say that the payment has been received and that the order has been dispatched to the billing address. The e-mail states that the order is for a 'Sony Bravia S1452' and that the recipient's tracking number is attached. The recipient is then advised to print the postal label in order to receive the delivery.
According to security experts, the fraudsters use a simple methodology in this scam: they appear to confirm an order, usually for a high-priced item, and thereby try to raise the recipient's curiosity as far as possible so as to persuade them to open the attachment.
Security firm Webroot reports that a zip file is attached to the e-mail which, when opened, appears to contain a Microsoft Word document. In reality, that 'Word document' is a Trojan executable which, once run, can download and execute additional malware capable of damaging the PC.
Moreover, the executable installs a new variant of Bredolab, which at the time only nine of the 41 anti-virus products on VirusTotal could detect.
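The attachment chain described above (a zip archive whose "Word document" is really an executable) is exactly what a mail-gateway or SOC triage step should catch before a user double-clicks it. The following is an added example, not code from the article, MX Lab, Webroot or VirusTotal: it builds a constructed message modelled on the lure the article describes and runs it through a simple attachment check that looks for executable extensions, document-plus-executable double extensions and a PE ("MZ") header under a harmless-looking name. The sender and recipient addresses, the file names and the "MZ" stand-in bytes are all constructed for the example.

```python
"""Flag e-mail attachments whose archive hides an executable behind a document name.

Added example for illustration only; not code from the article or any vendor it
names. It constructs a message modelled on the lure described (a zip attachment
holding a 'Word document' that is really a PE file) and triages its attachments.
"""
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# File extensions Windows runs on double-click (illustrative, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a lure borrows to look harmless, e.g. "label.doc.exe".
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt"}
ZIP_MAGIC = b"PK\x03\x04"
PE_MAGIC = b"MZ"


def classify_member(name: str, head: bytes) -> list:
    """Return the reasons a file (by name and leading bytes) looks like a disguised executable."""
    reasons = []
    stem, dot, suffix = name.lower().rpartition(".")
    ext = dot + suffix if dot else ""
    inner = "." + stem.rpartition(".")[2] if "." in stem else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        if inner in DOCUMENT_EXTENSIONS:
            reasons.append(f"double extension {inner}{ext}: document name on an executable")
    if head[:2] == PE_MAGIC:
        reasons.append("PE (MZ) header")
        if ext not in EXECUTABLE_EXTENSIONS:
            reasons.append(f"PE content under non-executable name {name!r}")
    return reasons


def scan_message(raw: bytes) -> list:
    """Parse an RFC 5322 message and return one finding per suspicious attachment or archive member."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(ZIP_MAGIC):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    try:
                        with zf.open(info) as fh:
                            head = fh.read(2)  # only the magic bytes are needed
                        reasons = classify_member(info.filename, head)
                    except RuntimeError:  # password-protected member: the name is all we can judge
                        reasons = classify_member(info.filename, b"")
                        reasons.append("encrypted member; content not inspectable")
                    if reasons:
                        findings.append({"attachment": filename, "member": info.filename, "reasons": reasons})
        else:
            reasons = classify_member(filename, payload)
            if reasons:
                findings.append({"attachment": filename, "member": None, "reasons": reasons})
    return findings


def build_sample_message() -> bytes:
    """Constructed lure modelled on the article's description; not a real malware sample."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        # Stand-in for the disguised executable: an 'MZ' header plus filler, not a real program.
        zf.writestr("Parcel_NR_58588-691_tracking.doc.exe", PE_MAGIC + b"\x00" * 62)
    msg = EmailMessage()
    msg["Subject"] = "Your order has been paid! Parcel NR:58588-691"
    msg["From"] = "orders@example.org"      # constructed sender
    msg["To"] = "recipient@example.net"     # constructed recipient
    msg.set_content("Thank you for your purchase at Amazon.com. Please print the attached postal label.")
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip",
                       filename="Tracking_Label.zip")
    return bytes(msg)


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding["attachment"], "->", finding["member"], ":", "; ".join(finding["reasons"]))
```

The name-based checks alone would miss a member renamed to a plain `.doc`, which is why the leading bytes are read as well; conversely, a password-protected archive defeats the content check, so the example reports it as uninspectable rather than silently passing it.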
It is noteworthy that Bredolab, in this particular case, served as a platform for distributing further malware. After infecting a PC, Bredolab contacts a command and control server hosted on a .ru domain, from which it receives instructions to download and run a bot.exe file.
Trojan.Generic.Bredolab.3232 (ClamAV), W32/VBcrypt.E.gen!Eldorado (F-Prot), W32/VBcrypt.E.gen!Eldorado (Eldorado) and Heuristic.BehavesLike.Win32.Downloader.H (McAfee-GW-Edition) are some other names by which the Trojan is known.
Related article: Bredolab Trojan Distributed via Bogus Shipment E-mails
SPAMfighter News - 27-05-2010