Security Intelligence Operations - Cisco Systems
Threat Outbreak Alert: False Online Purchase Delivery E-mail Messages on October 15, 2009

 
Threat Outbreak AlertPowered by Cisco Security IntelliShield Alert Manager

Threat Type: IntelliShield: Threat Outbreak Alert
IntelliShield ID: 19057
Version: 8
First Published: September 15, 2009 09:43 AM EDT
Last Published: October 15, 2009 09:50 AM EDT
Port: Not Available

Urgency: Possible Use
Credibility: Confirmed
Severity: Harassment
 
Version Summary:

Cisco Security Intelligence Operations has detected significant activity on October 15, 2009.



Description

Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that claim to contain information about the delivery of a product purchased online.  The text in the e-mail message instructs the recipient to print the document attached to the e-mail message.  However, the .zip attachment of the e-mail message contains a malicious .exe file that, when executed, attempts to infect the targeted system with malicious code.

E-mail messages that are related to this threat (RuleID2475, RuleID2479, RuleID2480, RuleID2482, RuleID2487, RuleID2487KVR, and RuleID2482KVR) may be associated with the following files:

1252915553.zip
1252915553.exe

nz.zip
nz.exe
4976372.zip
4976372.exe

install.zip
install.exe

open.exe

The 1252915553.exe file (RuleID2475) has a file size of 93,184 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x8A991D621BE5C7E1913BE65AA2A34580

The nz.exe file (RuleID2480) has a file size of 14,336 bytes.  The MD5 checksum, which is a unique identifier of the executable, is the following string: 0xB9D3BE5F4772F09286E82CEE43EFA291

The 4976372.exe file (RuleID2479) has a file size of 52,224 bytes.  The MD5 checksum, which is a unique identifier of the executable, is the following string: 0xD77FD0898AB455AAAE8B6B70D7F01BF1

The install.exe file (RuleID2482) has a file size of 52,272 bytes.  The MD5 checksum, which is a unique identifier of the executable, is the following string: 0xA41CDBC38A03C6BED9E8815D2BC3FFA6

The open.exe file (RuleID2487KVR) has a file size of 96,256 bytes.  The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x8A87F4130700B49B72515900CBF8E9D7

An additional variant of the open.exe file (RuleID2487) has a file size of 13,824 bytes.  The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x19DAF4EF68DD4D830D4159E3D0DC7EB0

An additional variant of the install.exe file (RuleID2482KVR) has a file size of 13,312 bytes.  The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x595DC19DAB1FA441304D77971C507D65

A third variant of install.exe (RuleID2482KVR) has a file size of 15,872 bytes.  The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x3BE4E2FDB71ED1A6A0A02D78112ECD4B

A fourth variant of install.exe (RuleID2482KVR) has a file size of 28,672 bytes.  The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x48F1919D467973964222C85DC8101E1F
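As an added defender-side example that is not part of the Cisco alert, the check below opens a .zip attachment in memory, flags any .exe member (the lure shape this alert describes) and reports a member as a known sample only when its name, size and MD5 all match the indicators listed above. The `fingerprint` and `build_sample_zip` helpers and the placeholder bytes are constructed for this example.

```python
import hashlib
import io
import zipfile

# Indicators from the alert above as (file name, size in bytes, MD5).
# The "0x" prefix shown on the page is dropped so hashes compare as plain hex.
ALERT_INDICATORS = {
    ("1252915553.exe", 93184, "8A991D621BE5C7E1913BE65AA2A34580"),
    ("nz.exe", 14336, "B9D3BE5F4772F09286E82CEE43EFA291"),
    ("4976372.exe", 52224, "D77FD0898AB455AAAE8B6B70D7F01BF1"),
    ("install.exe", 52272, "A41CDBC38A03C6BED9E8815D2BC3FFA6"),
    ("open.exe", 96256, "8A87F4130700B49B72515900CBF8E9D7"),
    ("open.exe", 13824, "19DAF4EF68DD4D830D4159E3D0DC7EB0"),
    ("install.exe", 13312, "595DC19DAB1FA441304D77971C507D65"),
    ("install.exe", 15872, "3BE4E2FDB71ED1A6A0A02D78112ECD4B"),
    ("install.exe", 28672, "48F1919D467973964222C85DC8101E1F"),
}


def fingerprint(data):
    """Return (size, MD5 hex) for a blob: the two values the alert reports."""
    return len(data), hashlib.md5(data).hexdigest()


def scan_zip_attachment(zip_bytes, indicators=ALERT_INDICATORS):
    """Return [(member, reason)] for an in-memory .zip attachment.

    reason is "known-sample" when name, size and MD5 all match an indicator,
    otherwise "executable-in-zip" for any other .exe member.
    """
    known = {(n.lower(), s, h.lower()) for n, s, h in indicators}
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1].lower()
            if not base.endswith(".exe"):
                continue  # the alert describes .exe payloads only
            size, digest = fingerprint(zf.read(info))  # hash the actual bytes
            reason = "known-sample" if (base, size, digest) in known else "executable-in-zip"
            findings.append((info.filename, reason))
    return findings


def build_sample_zip(members):
    """Build a zip in memory from {name: bytes}; used for constructed input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Because the placeholder bytes do not hash to any of the alert's MD5 values, a constructed `install.exe` is reported as `executable-in-zip` rather than `known-sample`.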

The following text is a sample of the e-mail message that is associated with this threat outbreak:

Subject: Thank you for setting the order No. 475456

Message Body:

Dear Customer,

Thank you for ordering at our online store.
Your order: Sony VAIO A 1133651A, was sent at your address.
The tracking number of your postal parcel is indicated in the document attached to this letter.
Please, print out the postal label for receiving the parcel.

Internet Store.

The malicious software that is associated with this threat outbreak is related to Adware.Agent.ZO.  The trojan may download RogueAntiSpyware without the user's permission or make further modifications to the system registry and filesystem.   Additionally, it may open a back door to grant access to the infected system to a remote attacker.  The trojan may create the following files on infected systems:

braviax.exe
beep.sys
figaro.sys

Cisco Security Intelligence Operations analysts examine real-world e-mail traffic data that is collected from over 100,000 contributing organizations worldwide.  This data helps provide a range of information about and analysis of global e-mail security threats and trends.  Cisco will continue to monitor this threat and automatically adapt IronPort systems to protect customers.  This report will be updated if there are significant changes or if the risk to end users increases.

Cisco IronPort Virus Outbreak Filters protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures.  E-mail that is managed by Cisco and end users who are protected by Cisco IronPort web security appliances will not be impacted by these attacks.  Cisco IronPort appliances are automatically updated to prevent both spam e-mail and hostile web URLs from being passed to the end user.

Related Links
Cisco Security Intelligence Operations
Cisco Threat Operations Center
Cisco SenderBase Security Network

 
Alert History
 

Version 7, October 6, 2009, 8:39 AM: Cisco Security Intelligence Operations has detected significant activity on October 5, 2009.

Version 6, October 2, 2009, 12:08 PM: Cisco Security Intelligence Operations has detected significant activity on October 2, 2009.

Version 5, October 1, 2009, 10:25 AM: Cisco Security Intelligence Operations has detected significant activity on October 1, 2009.

Version 4, September 28, 2009, 12:39 PM: Cisco Security Intelligence Operations has detected significant activity on September 28, 2009.

Version 3, September 21, 2009, 11:08 AM:  Cisco Security Intelligence Operations has detected significant activity on September 18, 2009.

Version 2, September 17, 2009, 2:11 PM: Cisco Security Intelligence Operations has detected significant activity on September 17, 2009.

Version 1, September 15, 2009, 9:43 AM: Cisco Security Intelligence Operations has detected significant activity on September 14, 2009.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Threat Outbreak Alert, Original Release Base

Associated Products:
N/A




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment. Cisco is pleased to offer a free trial of the service. To register for full access, please visit the IntelliShield trial registration page.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.