In the last weeks German email receivers were forced to train anti social engineering skills.

In the first days of 2007 the German speaking area was flooded with emails that aim to be bills from 1&1 provider. Later on the requests for payment were sent in connection with social engineering related to other typical German payments like GEZ (government TV tax) or simply online orders.

Anybody that cares about email security may think that the receivers are slowly getting used to such emails (payment request with the invoice attached as Rechnung.pdf.exe or simply Rechnung.exe). But it seems that the Trojan spammers are still persevering and exercising their social engineering to trick the users to run a program with spying capabilities and therefore reveal sensitive information like their bank account data to criminals. The first step into the systems is realised using social engineering techniques.

German Ebay marketplace customers may be slightly confused today (Monday 29th). This new email is not related to the payment request. It says that the direct debit couldnt be done. The main message is that the usual balance failed and it asks the user to double check the account data. The information how to do this is correct and relates to real Ebay web site.

The email body is not dangerous at all. It includes some valid Ebay URLs and hints to the attached list of the transactions for those the user have to pay an amount of 426.96 Euro, which in fact is the malicious code.

The second new part of this email is the behaviour of the attached file (E260883905016 Rechnung.pdf.exe), when it shows a real document.

On execution the file drops another executable file in %UserTemp%. This file attempts to connect to the Internet and downloads other components. It’s not new that files are dropped and run in the background and therefore the user doesn’t notice the dropped files (vapo3.exe, win.exe, ipv6monl.dll and others).

To hide the malicious activity in the background, the program shows a faked PDF file (which must look confusing even to accounting professionals) with accounting data.

This time the user gets opened a PDF file with a list of transactions.

Trend Micro will soon detect the file as TROJ_YABE.AY. We will continuously update our Virus Encyclopaedia whenever we find new details.

Update (Jessie Paz, Tue, 30 Jan 2007 01:51:21 AM)

Updates courtesy of Alice.

After deeper analysis, TrendLabs decided to change the malware name to TROJ_YABE.BB. The detection is included in CPR (controlled pattern release) 4.224.03 and above.

NOTE: Today, the 29th, we faced with four waves of TROJ_YABE. The attached files and their detections are:

• TROJ_YABE.BB in file “E260883905016-Rechnung.pdf.exe”
  
• TROJ_YABE.BA in file “rechnung.exe”
  
• TROJ_YABE.AX in file “RG_129427621.pdf.exe”
  
• TROJ_YABE.BF in file “rechnung.exe”