Bogus efax E-Mails Spread Trojan
According to the Internet security company MX Lab, fresh malicious e-mails have been found delivering a PC Trojan disguised as a fax document that appears to come from the online fax service 'eFax.'
The fake e-mails carry the subject line "You've got fax" and a sender address spoofed as email@example.com. They also reproduce the slogan and logo of eFax and state that the attached file contains the fax document.
The attachment is called "eFax39106.zip" and contains a 40KB executable named efax871291.exe, which is infected with a Trojan identified as TrojanDropper:Win32/Oficla.T.
If a user opens this attachment, two malicious files, "%System%\fvfj.sxo" and "%Temp%\1.tmp", are planted on the infected PC. In addition, a registry key named "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid" is created, and the existing value "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] Shell =" is rewritten.
Meanwhile, although the few engines that detect the threat classify it under generic names, other reports identify the malware as a variant of Oficla. This Trojan first appeared in early 2010 and has remained active since.
Criminals spread Oficla through spam e-mails, spoofing established companies such as DHL and other legitimate organizations to disguise the Trojan's real intent.
Moreover, Oficla is also used to distribute other malware, so users infected with this Trojan end up with multiple infections. Such activity centres on pay-per-install operations that generate illicit income on a continuous basis, which is why it is so common among cyber-criminals.
The most disturbing aspect is that just 5 of the 43 anti-virus engines tested were able to spot the Trojan. BitDefender names it Gen:Trojan.Heur.FU.cC0@a4DqMHii, Norman W32/Obfuscated.BQ!genr and F-Prot W32/Trojan3.BZM.
Security specialists advise users to delete these e-mails entirely if they arrive in their inboxes; the messages are dangerous only when the .zip attachment is opened and the enclosed file executed, they say. Users are also urged to stay vigilant by reading messages carefully and thinking before clicking on links, and to deploy a legitimate anti-virus solution that is kept up to date.
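As an added example (not code from the article, MX Lab or eFax), the following Python mail-gateway check turns the advice above into a filter: it flags a message that invokes eFax but is sent from a non-eFax domain, and any .zip attachment that hides a Windows executable, as with eFax39106.zip and efax871291.exe. The legitimate domain efax.com and the sample message are assumptions constructed here; the sample "executable" is inert text.

```python
import io
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions treated as Windows executables when found inside a .zip lure.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")
EFAX_DOMAIN = "efax.com"  # Assumed legitimate eFax sender domain; adjust to your allowlist.

def executables_in_zip(data: bytes) -> list[str]:
    """Return archive member names that look like Windows executables."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return []  # Not a valid zip; a separate malformed-archive rule should handle it.

def check_message(msg: EmailMessage) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = " ".join([display, msg.get("Subject", ""), body.get_content() if body else ""]).lower()
    # Brand impersonation: the mail talks about eFax but is not sent from an eFax domain.
    if "efax" in text and domain != EFAX_DOMAIN and not domain.endswith("." + EFAX_DOMAIN):
        findings.append(f"eFax lure from non-eFax sender domain {domain!r}")
    # Executable hidden inside a zip attachment, as with eFax39106.zip / efax871291.exe.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            for exe in executables_in_zip(part.get_payload(decode=True)):
                findings.append(f"zip attachment {name!r} contains executable {exe!r}")
    return findings

def build_sample(sender: str = "eFax <email@example.com>", with_zip: bool = True) -> EmailMessage:
    """Constructed sample mirroring the article's lure; the 'executable' is inert text."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = "You've got fax"
    msg.set_content("eFax - Your fax document is attached.")
    if with_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("efax871291.exe", b"constructed placeholder, not real code")
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="eFax39106.zip")
    return msg

if __name__ == "__main__":
    print("\n".join(check_message(build_sample())) or "clean")
```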
SPAMfighter News - 25-09-2010