
Win32/Fareit Trojan in Payment Advice emails to Customers – TotalDefense Blog


DESCRIPTION

Alex Polischuk from TotalDefense reports a Win32/Fareit Trojan delivered as an attachment named "payment advice" in emails sent from a spoofed HSBC address. Use Total Defense Anti-Virus to stay protected against such malicious attacks. Visit http://blogs.totaldefense.com/securityblog.aspx for cloud-based endpoint security solutions for home and business.


Copyright © 2013 TotalDefense, Inc. | All rights reserved www.totaldefense.com

Would you like some payment advice?

From time to time our customers, in various geographical regions, receive fake emails with this subject line that claim to come from HSBC.

The sender address varies, but it is always a spoofed address.

The text of the email body also varies; its only purpose is to confuse the recipient.

For example, this is one of the many forms the email may take:

Dear Sir/Madam

Upon your request, attached please find payment e-Advice for your reference.

Yours faithfully

HSBC

***************************************************************************

We maintain strict security standards and procedures to prevent unauthorised access to information about you. HSBC will never contact you by e-mail or otherwise to ask you to validate personal information such as your user ID, password, or account numbers. If you receive such a request, please call our Direct Financial Services hotline.

Please do not reply to this e-mail. Should you wish to contact us, please send your e-mail to [email protected] and we will respond to you.

Note: it is important that you do not provide your account or credit card numbers, or convey any confidential information or banking instructions, in your reply mail.

Copyright. The Hongkong and Shanghai Banking Corporation Limited 2005 All rights reserved.

***************************************************************************

The worst part of these emails is the attachment.

Each email carries a ZIP archive named “Payment_advice.zip”, and that archive contains an executable named “Payment_advice.exe”.

The file name may also include random digits, for example:

Payment Advice [randomized numbers].zip

Payment Advice [randomized number].exe

Payment Advice Ref[randomized numbers].zip

Payment Advice Ref[randomized numbers].exe

Payment receipt [randomized numbers].zip

Payment receipt [randomized numbers].exe

Payment notification id [randomized numbers].zip

Payment notification id [randomized numbers].exe

This file is, of course, a malicious program: a Trojan.

Total Defense Anti-Virus detects most of these Trojans as members of the “Win32/Fareit Trojan” family.

When executed, the file attempts to steal any valuable information from the affected machine and send it to a remote server.
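As an added illustration, not code from the original post: a Python mail-gateway check that flags attachments matching the naming scheme listed above and ZIP archives carrying an executable, the combination this campaign relies on. The name patterns come from the list above; the set of executable extensions and the constructed sample ZIP are assumptions of this example.

```python
import io
import re
import zipfile

# Attachment names seen in the campaign; "[randomized numbers]" becomes \d*.
LURE_NAME_RE = re.compile(
    r"^Payment[ _](?:advice|receipt|notification id)(?: ?Ref)?\s*\d*\.(?:zip|exe)$",
    re.IGNORECASE,
)
# Assumption: extensions treated as executable content.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif")


def matches_lure_name(filename: str) -> bool:
    """True if the attachment name fits the campaign's naming scheme."""
    return LURE_NAME_RE.match(filename) is not None


def executables_in_zip(data: bytes) -> list:
    """Names of executable-looking members inside a ZIP attachment."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
    except zipfile.BadZipFile:
        return []  # not a ZIP at all; the caller decides on the name alone


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'review' or 'allow' for one attachment."""
    lower = filename.lower()
    if lower.endswith(EXECUTABLE_EXTS):
        return "block"  # a bare executable attachment is never wanted here
    name_hit = matches_lure_name(filename)
    exes = executables_in_zip(data) if lower.endswith(".zip") else []
    if name_hit and exes:
        return "block"  # lure name plus executable inside: the campaign pattern
    if name_hit or exes:
        return "review"  # one signal only: quarantine for a human look
    return "allow"


def build_sample_zip(member: str) -> bytes:
    """Constructed test input: a ZIP holding one dummy member (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes")
    return buf.getvalue()
```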


The stolen information may include anything typed into a browser, in particular user names and passwords.

All browsers are at risk: Opera, Firefox, Internet Explorer, Chrome, etc.

Win32/Fareit is a large family of Trojans whose members carry out a variety of attacks and payloads on the affected machine.

Most samples have backdoor capabilities and attempt to control the infected computer remotely.

Most of them attempt to create the following registry values:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID = [random characters].exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "[random characters].exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft PnD = "[random characters].exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce = "[random characters].exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrss = "[random characters].exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = [random characters].exe

HKEY_CURRENT_USER\SOFTWARE\WinRAR = "[random characters]"
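An added example, not part of the original post: a Python triage check run over an exported registry snapshot that reports changed Winlogon Shell/Userinit values and the autorun value names listed above. The stock Windows defaults for Shell and Userinit, the bare-name/%TEMP% heuristic and the sample snapshot are assumptions of this example, not facts from the post.

```python
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Assumed stock Windows defaults for the two Winlogon values the post says are rewritten.
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
)
# Value names the post associates with this campaign.
CAMPAIGN_VALUE_NAMES = {"microsoft pnd", "csrss"}


def looks_dropped(data: str) -> bool:
    """Heuristic: an .exe with no directory, or one living under a Temp folder."""
    d = data.strip().strip('"').lower()
    return d.endswith(".exe") and ("\\" not in d or "\\temp\\" in d)


def audit_snapshot(snapshot):
    """snapshot: {(key_path, value_name): data}. Returns (key, name, reason) findings."""
    findings = []
    for (key, name), data in snapshot.items():
        if key == WINLOGON and name in WINLOGON_DEFAULTS:
            if data.strip().lower() != WINLOGON_DEFAULTS[name].lower():
                findings.append((key, name, "Winlogon value differs from default"))
        elif key in RUN_KEYS:
            if name.lower() in CAMPAIGN_VALUE_NAMES:
                findings.append((key, name, "autorun value name seen in Fareit campaign"))
            elif looks_dropped(data):
                findings.append((key, name, "autorun points at a bare or Temp executable"))
    return findings


# Constructed sample snapshot (not data from a real machine).
SAMPLE = {
    (WINLOGON, "Shell"): "explorer.exe",
    (WINLOGON, "Userinit"): '"kjsdhf23.exe"',
    (RUN_KEYS[0], "Microsoft PnD"): '"qwzx71.exe"',
    (RUN_KEYS[0], "OneDrive"): '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background',
    (RUN_KEYS[1], "(Default)"): '"ab12cd.exe"',
    (RUN_KEYS[2], "csrss"): '"hh91k.exe"',
}

if __name__ == "__main__":
    for key, name, reason in audit_snapshot(SAMPLE):
        print(f"{reason}: {key}\\{name}")
```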

The main difficulty in cleaning a system after infection is that these Trojans, in most cases, download and execute arbitrary files from various locations: files with randomized names may be downloaded to the Windows %TEMP% folder and executed.

These executables may belong to entirely different malware families, so it is never clear what they will do to the system.

The best thing you can do is not open “Payment advice” emails, but forward them to us for investigation.

In any case, if you receive suspicious emails or suspicious files, please consider forwarding them to [email protected] so that Total Defense can fully analyse them and any future threats.


About TotalDefense:

Total Defense (@Total_Defense) is a global leader in malware detection and anti-crimeware solutions. We offer a broad portfolio of leading security products for the consumer market, used by over four million consumers worldwide. Our solutions also include the industry’s first complete cloud security platform, providing fully integrated endpoint, web and email security through a single Web-based management console with a single set of enforceable security policies.

Total Defense is a former business of CA Technologies, one of the largest software companies in the world, and has operations in New York, California, Europe, Israel and Asia.

Visit http://www.totaldefense.com/ for web, cloud & mobile security solutions for home users and businesses.