We have information that executive staff at 3 corporations are still being targeted with emails carrying malicious attachments that AV vendors are finding hard to identify. The best and ongoing analysis of this highly successful attack is the BBB Phishing Trojan analysis by Joe Stewart of SecureWorks.
The information we have suggests that AV vendors began detecting the recent attacks on 07/31. One of our reports indicates that after the initial malware detection, new and undetected attachment variants were emailed. Of the malware samples submitted, coverage for at least one is still spotty.
One submission email had the following information:
"This is an automated email that confirms the registration of your complaint case number : CX784486090 filed by your company on 7/29/2007 concerning Online Identity Theft.
While The Better Bussiness Bureau Online does not resolve individual consumer problems, your complaint helps us investigate fraud, and can lead to law enforcement action.
ATTACHED you will find a copy of your complaint .Please print and keep this copy for your personal records.
We use secure socket layer (SSL) encryption to protect the transmission of the information you submit to us when you use our secure online forms.
The information you provided to us is stored securely.
The form you used to register this complaint is designed to improve public access to the Better Business Bureau of Consumer Protection Consumer Response Center, and is voluntary. Through this form, consumers may electronically register a complaint with the BBB.Under the Paperwork Reduction Act, as amended, an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number. That number is 382-898.
Our staff will keep you updated regarding the status of our investigation.
© 2003 Council of Better Business Bureaus, Inc. All Rights Reserved."
One report indicated that the downloaded files included winupdate.exe, yhelp.exe and other temp files that McAfee flagged as PWS-FireMing.dll; McAfee's PWS-FireMing.dll write-up has no information.
File names are not reliable in many situations, but Sunbelt mentioned a file named yhelp.dll in a description of recent malware and listed some downloaded files;
There was no other useful information on their site.
One sample's analysis at VirusTotal:
File Complaint_158684523.doc received on 08.02.2007 18:22:54 (CET)
Result: 10/32 (31.25%)

Antivirus            Version           Last Update   Result
AhnLab-V3            2007.8.3.0        2007.08.02    -
AntiVir              188.8.131.52      2007.08.02    TR/Dldr.Agent.caa.2
Authentium           4.93.8            2007.08.02    W32/Dropper.GGD
Avast                4.7.1029.0        2007.08.02    -
AVG                  184.108.40.2066   2007.08.02    -
BitDefender          7.2               2007.08.02
CAT-QuickHeal        9.00              2007.08.01    -
ClamAV               0.91              2007.08.02    -
DrWeb                4.33              2007.08.02    -
eSafe                220.127.116.11    2007.07.31    -
eTrust-Vet           31.1.5026         2007.08.02    -
Ewido                4.0               2007.08.02    -
FileAdvisor          1                 2007.08.02    -
Fortinet             18.104.22.168     2007.08.02    -
F-Prot               22.214.171.124    2007.08.02    W32/SecRisk-ProcessPatcher-Sml-based!Maximus
F-Secure             6.70.13030.0      2007.08.02    Trojan-Downloader.Win32.Agent.caa
Ikarus               T126.96.36.199    2007.08.02    Trojan-Downloader.Win32.Agent.caa
Kaspersky            188.8.131.52      2007.08.02    Trojan-Downloader.Win32.Agent.caa
McAfee               5088              2007.08.01    -
Microsoft            1.2704            2007.08.02    -
NOD32v2              2433              2007.08.02    -
Norman               5.80.02           2007.08.02    -
Panda                184.108.40.206    2007.08.02    Suspicious file
Prevx1               V2                2007.08.02    -
Rising               19.34.32.00       2007.08.02    -
Sophos               4.19.0            2007.08.01    -
Sunbelt              2.2.907.0         2007.08.02    -
Symantec             10                2007.08.02    Trojan.Dropper
TheHacker            220.127.116.11    2007.08.01    -
VBA32                18.104.22.168     2007.08.01    -
VirusBuster          4.3.26:9          2007.08.02    -
Webwasher-Gateway    6.0.1             2007.08.02    Trojan.Dldr.Agent.caa.2

Additional information: File size: 34863 bytes
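As an added example (not from this diary or the SecureWorks analysis), a Python mail-gateway check that flags the indicators of the lure quoted above: BBB impersonation, the "complaint case number" wording, the Complaint_<digits>.doc attachment name seen in the VirusTotal submission, and a .doc attachment whose bytes do not begin with the legacy Word (OLE) header. The sender and recipient addresses, the stub attachment bytes and the OLE-header assumption are the example's own, not data from the incident.

```python
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the lure quoted above and from the VirusTotal
# submission name (Complaint_158684523.doc). The magic-byte check is the
# example's own assumption: a genuine legacy .doc starts with the OLE header.
BBB_RE = re.compile(r"better\s+bus+iness\s+bureau", re.I)  # tolerates the lure's misspelling
CASE_NUMBER_RE = re.compile(r"complaint case number\s*:\s*CX\d{6,}", re.I)
ATTACH_NAME_RE = re.compile(r"^Complaint_\d+\.doc$", re.I)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MZ_MAGIC = b"MZ"

def bbb_lure_findings(msg: EmailMessage) -> list[str]:
    """Return the lure indicators found in a parsed message; an empty list means none."""
    findings = []
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if BBB_RE.search(text):
        findings.append("body impersonates the Better Business Bureau")
    if CASE_NUMBER_RE.search(text):
        findings.append("body cites a BBB complaint case number")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if ATTACH_NAME_RE.match(name):
            findings.append(f"attachment name matches the lure pattern: {name}")
        if name.lower().endswith(".doc") and not data.startswith(OLE_MAGIC):
            kind = "a PE executable" if data.startswith(MZ_MAGIC) else "non-OLE data"
            findings.append(f"attachment {name} is named .doc but carries {kind}")
    return findings

def build_sample() -> EmailMessage:
    """Constructed message reusing the quoted lure text. The attachment is an
    MZ stub plus zero padding, not the real sample; addresses are placeholders."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "complaints@bbb.example.invalid"
    msg["To"] = "ceo@corp.example.invalid"
    msg["Subject"] = "BBB complaint case CX784486090"
    msg.set_content(
        "This is an automated email that confirms the registration of your "
        "complaint case number : CX784486090 filed by your company on 7/29/2007 "
        "concerning Online Identity Theft.\nWhile The Better Bussiness Bureau Online "
        "does not resolve individual consumer problems, your complaint helps us "
        "investigate fraud, and can lead to law enforcement action.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="msword", filename="Complaint_158684523.doc")
    return msg

if __name__ == "__main__":
    for finding in bbb_lure_findings(build_sample()):
        print(finding)
```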