    Harmful License spammed in Germany

    German users today received a new sample of the YABE threat. The spammed email is sent in the name of Cleverbridge as an order confirmation for “Avira AntiVir PersonalEdition Premium”.

    This new threat abuses the names of legitimate entities to aid its propagation. Avira is a local antivirus vendor (formerly HB-EDV). Cleverbridge is the e-commerce provider for Avira's AntiVir software. The new threat arrives as a zip archive (595169.zip). Contained within the zip archive is the file HBEDV.Key.exe (size 2560 bytes), which is supposed to contain the “license key” for the product but is actually the malware file itself.

    On execution, the file HBEDV.Key.exe connects to the site souljah.com and downloads another Trojan. The downloaded Trojan has a 10-digit file name (117.976 bytes) and is placed in the root folder. This Trojan drops the file ipv6monl.dll into the %system32% directory. This file is the spyware component of this threat. Trend Micro products already detect this component as TSPY_BZUB.IH. Furthermore, other files that are also related to the threat have been sent to the proper channels so that an appropriate solution can be deployed.
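The delivery described above (a zip attachment whose only payload is an executable posing as a license key) is something a mail gateway can flag before the user opens it. The following is an added example, not code from the original post or from Trend Micro; the function names, the extension list and the size limit are assumptions, and the sample archive is constructed in memory from harmless bytes.

```python
import io
import zipfile

# Extensions Windows runs directly on double-click (assumed, non-exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # do not inflate oversized members


def inspect_zip_attachment(data: bytes) -> list[dict]:
    """Return a finding for each member that looks executable or cannot be inspected."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"name": None, "size": len(data), "reasons": ["not a valid zip archive"]}]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name, reasons = info.filename, []
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {ext}")
            if info.flag_bits & 0x1:
                reasons.append("encrypted member, content not inspected")
            elif info.file_size > MAX_MEMBER_BYTES:
                reasons.append("member too large to inspect")
            else:
                # Check content, not just the name: a renamed PE file still starts with 'MZ'.
                with archive.open(info) as member:
                    if member.read(2) == b"MZ":
                        reasons.append("PE/DOS 'MZ' header")
            if reasons:
                findings.append({"name": name, "size": info.file_size, "reasons": reasons})
    return findings


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build a constructed in-memory zip for testing; contains no real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed sample mirroring the shape in the post: a 2560-byte "key" that is an executable.
SAMPLE = build_sample_zip({"HBEDV.Key.exe": b"MZ" + b"\x00" * 2558,
                           "readme.txt": b"license text"})

if __name__ == "__main__":
    for finding in inspect_zip_attachment(SAMPLE):
        print(finding)
```

Because the check reads the member's first bytes, it also catches an executable that has been renamed to a harmless-looking extension inside the archive.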



    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice