Follow up post about UPS_Invoice trojan
July 15, 2008
I’ve now had a chance to take a slightly closer look at the four copies of this Trojan Agent HFU that I received in the last 24 hours, as discussed in my previous post here. I’ve posted some details of file names and sizes along with MD5 hashes for people to be able to compare their versions against.
The first one, which had the half-German subject line, was a file called UPS_Invoice_317.zip, 5,420 bytes in size. This one expanded into two levels of folders as UPS_Invoice_317\Ups_invoice\UPS_INVOICE.exe (this was the only one to use lower case in its folder names). The executable was exactly 8,192 bytes (almost certainly padded) and had an MD5 hash of 6B4EF50E3E21205685CEA919EBF93476, which is the same as the one posted by Kayrac on the broadbandreports.com forum. Unfortunately he did not say what the name of the containing zip file was.
My next one was called UPS_INOICE_107.zip (note the mis-spelling) and extracted as UPS_INOICE_107\UPS_INVOICE_107.exe – only one level of folders this time, and the executable inherited the numeric part in its name. The mis-spelling almost certainly came from a mis-spelled folder used to compress it in the first place, as most zip programs default to using the folder name for the zip file as well. This file was only 6,656 bytes long and had an MD5 checksum of 0C0F2CB1DEB11EC0AA68DEE0933FAACF. Since this is smaller than all the others I am certain it is a significantly different variant, or perhaps is simply broken. Hopefully I can test this later to see what (if anything) it does.
My third and fourth received emails were both called UPS_INVOICE_107.zip and extracted to UPS_INVOICE_107\UPS_INVOICE_107.exe, both 8,192 bytes long and with the same MD5 digest of 58AC24B1F802990387870D3A5CC2312B. The two zip files however were different sizes (4,117 and 4,178 bytes), so they were not direct copies of one another.
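For anyone wanting to compare their own copies against the hashes above without running anything, here is a small triage script. It is an added example written for this post, not something from the original post or from the malware author: it opens an archive purely in memory, lists every entry with its nesting depth and size, computes MD5 and SHA-256, flags executables and block-aligned sizes with long runs of trailing NUL bytes (the kind of padding suspected for the 8,192-byte files), and looks each digest up against the three MD5s quoted above. The sample archive it builds is constructed here for the demonstration and contains a harmless stand-in file, not the trojan; the `KNOWN_MD5` table holds only the digests already listed on this page.

```python
import hashlib
import io
import zipfile

# MD5 digests quoted in the post (lower-cased so lookups are case-insensitive).
KNOWN_MD5 = {
    "6b4ef50e3e21205685cea919ebf93476": "UPS_Invoice_317.zip -> UPS_INVOICE.exe",
    "0c0f2cb1deb11ec0aa68dee0933faacf": "UPS_INOICE_107.zip -> UPS_INVOICE_107.exe",
    "58ac24b1f802990387870d3a5cc2312b": "UPS_INVOICE_107.zip -> UPS_INVOICE_107.exe",
}

EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# Constructed stand-in content for the demo archive. NOT the real sample.
SAMPLE_BODY = b"MZconstructed benign stand-in, not the trojan"


def lookup_known(md5_hex: str):
    """Return the label for a known digest, accepting upper- or lower-case hex."""
    return KNOWN_MD5.get(md5_hex.lower())


def trailing_zero_padding(data: bytes) -> int:
    """Count trailing NUL bytes; a round size plus a long zero tail suggests padding."""
    return len(data) - len(data.rstrip(b"\x00"))


def triage_zip(zip_bytes: bytes) -> list:
    """Describe every file entry in an archive without extracting to disk or executing."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)  # decompressed in memory only
            # Some Windows tools store backslashes; normalise so depth counting works.
            path = info.filename.replace("\\", "/")
            md5 = hashlib.md5(data).hexdigest()
            results.append({
                "path": path,
                "depth": path.count("/"),           # number of containing folders
                "size": len(data),
                "md5": md5,
                "sha256": hashlib.sha256(data).hexdigest(),
                "executable": path.lower().endswith(EXEC_EXTENSIONS),
                "block_aligned": len(data) % 512 == 0,  # 8192 = 16 * 512
                "zero_tail": trailing_zero_padding(data),
                "known_as": lookup_known(md5),
            })
    return results


def suspicious_reasons(entry: dict) -> list:
    """Heuristics matching what the post describes; a reason list, not a verdict."""
    reasons = []
    if entry["known_as"]:
        reasons.append("MD5 matches known sample: " + entry["known_as"])
    if entry["executable"]:
        reasons.append("executable inside an 'invoice' archive")
    if entry["depth"] >= 2:
        reasons.append("executable buried two or more folders deep")
    if entry["block_aligned"] and entry["zero_tail"] > entry["size"] // 2:
        reasons.append("block-aligned size with mostly NUL tail (padding?)")
    return reasons


def build_constructed_sample() -> bytes:
    """Build an in-memory zip mimicking the UPS_Invoice_317 layout with harmless content."""
    payload = SAMPLE_BODY + b"\x00" * (8192 - len(SAMPLE_BODY))  # pad to exactly 8,192 bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("UPS_Invoice_317/Ups_invoice/UPS_INVOICE.exe", payload)
    return buf.getvalue()


if __name__ == "__main__":
    for e in triage_zip(build_constructed_sample()):
        print(f"{e['path']}  {e['size']} bytes  md5={e['md5']}")
        for r in suspicious_reasons(e):
            print("   -", r)
```

To check a real archive, pass the bytes of the received .zip to `triage_zip` instead of the constructed sample; entries whose `known_as` is set are byte-identical to one of the copies described above, and a differing MD5 on a same-named file is exactly the kind of new variant worth posting.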
All the files made reference to a Russian domain which was registered on 11 June. I have obscured the domain name and parts of the IP address in the screenshot below, taken from DNSstuff.com.
There seems to be an SMTP server running on the same IP as the name servers, presumably to enable the malware to forward copies of itself, or perhaps to send messages home, since it does not seem to be set up to permit relaying.
Anyone have any further information about what this does yet? I’m just setting up a sandbox machine to try and track its infection in a safe environment.
Also, if you have any MD5 hashes which are different, it might be interesting to post them as comments so we can see how many flavours of this are out there.