Trend Micro Malware Blog

    Archive for January, 2007




In recent weeks, German email users have been forced to sharpen their anti-social-engineering skills.


In the first days of 2007, the German-speaking countries were flooded with emails posing as invoices from the provider 1&1. Later, the payment requests were tied to other typical German payments, such as the GEZ (the government TV licence fee) or simply online orders.


Anybody who cares about email security may assume that recipients are slowly getting used to such emails (a payment request with the "invoice" attached as Rechnung.pdf.exe or simply Rechnung.exe). But the Trojan spammers are persevering and refining their social engineering to trick users into running a program with spying capabilities, thereby revealing sensitive information such as bank account data to criminals. The first step into the system is achieved purely through social engineering.


German eBay marketplace customers may be slightly confused today (Monday, the 29th). This new email is not related to the payment request. It says that the direct debit could not be completed. The main message is that the usual settlement failed, and it asks the user to double-check their account data. The instructions for doing so are correct and refer to the real eBay website.


The email body itself is not dangerous at all. It includes some valid eBay URLs and points to the attached list of transactions for which the user supposedly has to pay 426.96 Euro; that attachment is, in fact, the malicious code.


The second new feature of this email is the behaviour of the attached file (E260883905016 Rechnung.pdf.exe): when run, it displays a real document.


On execution, the file drops another executable in %UserTemp%. That file attempts to connect to the Internet and download further components. It is nothing new that files are dropped and run in the background so that the user does not notice them (vapo3.exe, win.exe, ipv6monl.dll and others).


To hide the malicious activity running in the background, the program displays a fake PDF file containing accounting data (which must look confusing even to accounting professionals).


This time, the user is shown a PDF file with a list of transactions.


    Trend Micro will soon detect the file as TROJ_YABE.AY. We will continuously update our Virus Encyclopaedia whenever we find new details.


    Update (Jessie Paz, Tue, 30 Jan 2007 01:51:21 AM)


    Updates courtesy of Alice.


    After deeper analysis, TrendLabs decided to change the malware name to TROJ_YABE.BB. The detection is included in CPR (controlled pattern release) 4.224.03 and above.


NOTE: Today, the 29th, we faced four waves of TROJ_YABE. The attached files and their detections are:



    • TROJ_YABE.BB in file “E260883905016-Rechnung.pdf.exe”
    • TROJ_YABE.BA in file “rechnung.exe”
    • TROJ_YABE.AX in file “RG_129427621.pdf.exe”
    • TROJ_YABE.BF in file “rechnung.exe”
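The common thread in the four YABE waves above, and in the NUWAR "POSTCARD.EXE" lure further down this page, is an executable attachment whose name borrows a document extension or an invoice/greeting word. The following is an added example of a mail-gateway attachment check written for this post; it is not Trend Micro code. It takes only the filename, so it catches the double extension ("Rechnung.pdf.exe") before any content scan, and it also flags plain executables whose base name carries a lure word. The filenames in SAMPLE_ATTACHMENTS are the ones quoted in this post plus two constructed benign names for contrast; the extension and lure-word lists are assumptions chosen to fit these waves.

```python
"""Flag email attachments that disguise an executable as a document.

Added example for this post (not Trend Micro code). The sample filenames
are those quoted in the YABE and NUWAR posts plus two constructed benign
names; the extension and lure-word lists are assumptions.
"""

# Extensions Windows will execute when the attachment is double-clicked (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "dll"}
# Extensions a recipient expects for an invoice, statement or greeting card (assumed list).
DOCUMENT_EXTS = {"pdf", "doc", "xls", "rtf", "txt", "jpg", "gif", "png"}
# Lure words seen in the waves described above ("Rechnung" is German for invoice).
LURE_WORDS = ("rechnung", "invoice", "bill", "postcard")

# Attachment names quoted in the post, plus two constructed benign ones.
SAMPLE_ATTACHMENTS = [
    "E260883905016-Rechnung.pdf.exe",  # TROJ_YABE.BB wave
    "rechnung.exe",                    # TROJ_YABE.BA / .BF waves
    "RG_129427621.pdf.exe",            # TROJ_YABE.AX wave
    "POSTCARD.EXE",                    # WORM_NUWAR.EE
    "Rechnung_Januar.pdf",             # constructed: a genuine PDF invoice
    "Umsatzliste.xls",                 # constructed: a genuine spreadsheet
]


def classify_attachment(filename):
    """Return ("block" | "allow", reason) for one attachment filename.

    Only the name is inspected: the double-extension trick and the lure
    words are visible before any content or signature scan runs.
    """
    name = filename.strip().lower()
    parts = name.split(".")
    if len(parts) < 2:
        return "allow", "no extension"
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return "allow", f".{ext} is not an executable extension"
    # "something.pdf.exe": a document extension immediately before the real one.
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return "block", f"double extension .{parts[-2]}.{ext} hides an executable behind a document name"
    # Plain executable whose base name promises an invoice or greeting.
    lure = next((word for word in LURE_WORDS if word in parts[0]), None)
    if lure is not None:
        return "block", f"executable .{ext} named after a payment/greeting lure ({lure!r})"
    return "block", f"executable attachment .{ext}"


def triage(filenames):
    """Return [(filename, reason)] for every attachment that should be blocked."""
    blocked = []
    for name in filenames:
        verdict, reason = classify_attachment(name)
        if verdict == "block":
            blocked.append((name, reason))
    return blocked


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_ATTACHMENTS):
        print(f"BLOCK {name}: {reason}")
```

Run as-is, the script blocks the four malicious names and lets the two constructed documents through. Checking the name first is cheap and independent of pattern updates, which matters here because detection for the YABE samples lagged the spam waves by a day; the lure-word rule is deliberately narrow (the word must appear in the base name of an executable) so that a genuine "Rechnung_Januar.pdf" is never touched.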




There has been a lot of WORM_NUWAR movement this week. The controversial "storm malware", TROJ_SMALL.EDW of P2P botnet fame, was found to be an accomplice of the NUWAR network: it is dropped by a variant detected by Trend Micro as WORM_NUWAR.CQ.


The weekend is upon us and yet another NUWAR makes it onto the Trend Micro noteworthy list. Detected as WORM_NUWAR.EE, its spammed email carries belated New Year cheer and the usual Trojan hitchhiker (TROJ_TIBS.PE). Like the earlier variant, WORM_NUWAR.EE also uses the file name POSTCARD.EXE for its attachment. What is surprising about this new variant is its total lack of originality. WORM_NUWAR's spammed messages have always used convincing social engineering tactics, such as the CNN ploy and, of course, the recent Storm email. WORM_NUWAR.EE, however, simply rehashes the "New Year" subject line and an old attachment file name. Based on this, it can be surmised that NUWAR's code may have been made publicly available and somebody is trying it on for size.


    As always, users are highly advised not to open attachments from suspicious email messages. The best protection is still caution and vigilance.




Lineage II, the immensely popular Massively Multiplayer Online Role-Playing Game (MMORPG), is expected to release its sixth chronicle update, entitled Interlude: The Chaotic Throne, between late March and early May this year.

As gamers worldwide anticipate this release, the authors of the highly successful spyware family TSPY_LINEAGE and the operators of illegal private servers are also probably gearing up. These crooks had better watch their backs, though, because NCSoft, Lineage's developer, is already taking steps to track them down. As of this writing, the company is working with the FBI on a crackdown on illegal Lineage private servers. It is also coordinating with the South Korean government in that country's bid to prevent a repeat of the massive Lineage-related ID theft controversy of late last year.

    To read an in-depth article about TSPY_LINEAGE’s routines and payloads, click here:




In biology, an antigen is a foreign substance in the body that stimulates the production of an antibody, which in turn fights disease. It is supposed to be good for you. Receiving a particular "Antigen" spam email, though, is probably just going to ruin your day.

Antigen is also the name of an antivirus product for Lotus Domino and Microsoft Exchange; it scans email messages and attachments for possible malicious content.
TROJ_DLOADER.EXI's author, then, is probably being ironic, because this malware arrives as an attachment to a spammed email purporting to be an automated message from the "Antigen Quarantine area" about a scanned image file. See a sample below:

This Trojan downloads spyware detected by Trend Micro as TSPY_BZUB.EQ from the web page http://www.{BLOCKED}den21.net.




Microsoft has re-released MS07-002 for Excel 2000. According to Christopher Budd of the Microsoft Security Response Blog:

    [snip]

    The original version released on January 9, 2007 did fully protect against the security issues discussed in the bulletin. However, after release we discovered that the security update did not correctly process the phonetic information that is embedded in files that are created by using Excel in the Korean, Chinese, or Japanese executable mode.

    [snip]

To get the patch, check here.

© Copyright 2011 Trend Micro Inc. All rights reserved.