Windows 7 Forums
Windows 7: DHL tracking number emails contain malware (Troj/Bckdr-QSL)


24 Mar 2009   #1
johngalt

 
DHL tracking number emails contain malware (Troj/Bckdr-QSL)

Quote: Originally Posted by http://www.sophos.com/blogs/gc/g/2009/03/23/dhl/
Once again the bad guys are hard at work, spamming out dangerous emails. This morning it's emails which claim to come from DHL, saying they were not able to deliver a postal package you sent on 14th of March because the recipient's address was incorrect.

[Image: DHL delivery malicious email]

Of course, the emails are not really from DHL.

If you open the file inside the attachment (called DHL_DOC.zip) you will be infected by the Troj/Bckdr-QSL backdoor Trojan horse, which will attempt to take control of your PC.
DHL tracking number emails contain malware | Graham Cluley's blog

My sister got hit with this via email in a 0-day attack - she was infected as of 8 AM on Monday, 23 March. Symantec did not find anything at first, until she had already run the executable inside the ZIP file and it started downloading known viruses. This is a pretty generic Trojan that downloads other trojans, backdoors and viruses to the system and begins a systematic onslaught on the machine, starting with adding proxy settings to IE that redirect it to a local 'server' running on port 7171, and going from there.

The bad news is that when it hoses IE, it also hoses MBAM's ability to update - but fortunately, Sophos has already added it to their definition collection (called IDEs), and you can follow the instructions at Sophos - Removing Trojans, including downloading the IDEs from Sophos - Download latest virus identity (IDE) files, to get rid of most of the infections. Once this is done you can then reset IE to default settings (or, as I walked her through, manually check all your settings - a painstaking 1 hour 25 minute process; we checked *everything* and I had her change some settings that would make her IE a little bit safer) and then you can update MBAM and run a full scan to find the rest of the little buggers and clean yer system.

Her explorer.exe may still be hosed, we'll see - all of this is performed in Safe Mode.

Just to give you an idea - she first called me at 9:56 PM yesterday - and it is now 3:10 AM....

EDIT: Added the following:

Also, Sophos found 1 item corrupt (Word doc), 1 that was PW protected (a legitimate PW protected Excel spreadsheet - she's a mortgage officer), and a third that it was unable to remove (major malware) - and it removed 3 viruses.

Then, MBAM comes back and finds *all* of these:

Code:
Malwarebytes' Anti-Malware 1.34
Database version: 1890
Windows 5.1.2600 Service Pack 3

3/24/2009 3:53:10 AM
mbam-log-2009-03-24 (03-53-10).txt

Scan type: Full Scan (C:\|)
Objects scanned: 207109
Time elapsed: 49 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c24d7016-d00f-41ef-9781-984b6b5ff38f} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ec88fcd0-2ed5-4d65-9b4c-71d146b43a2e} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e532cfb1-5edd-4663-8c22-bcd67b5e5bd4} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500798ec-60e8-4654-9014-20698652f9db} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500798ec-60e8-4654-9014-20698652f9db} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a11ff88f-09dd-46e3-a75c-e608d9a30186} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a11ff88f-09dd-46e3-a75c-e608d9a30186} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a11ff88f-09dd-46e3-a75c-e608d9a30186} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\ConTest.dll (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Spyware.StolenData) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\ConTest.dll (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Spyware.StolenData) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Spyware.StolenData) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds.lll (Spyware.StolenData) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mfc42locac.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
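
The log above is the only record of what the Userinit hijack looked like. As an added example (not code from the post or from Malwarebytes), here is a small Python parser for that MBAM 1.x log format plus a check that separates the stock userinit.exe from anything appended to the Winlogon\Userinit value, which is the persistence trick the Hijack.UserInit line records. The sample log is constructed from three lines of the log above.

```python
import re
from dataclasses import dataclass

# Constructed sample: three lines copied from the MBAM log above, covering a
# plain entry and the "Bad: (...) Good: (...)" form MBAM uses for a hijacked value.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a11ff88f-09dd-46e3-a75c-e608d9a30186} (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
"""

ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
HIJACK_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")

@dataclass
class Finding:
    section: str
    path: str
    detection: str
    action: str      # final "-> ..." segment, e.g. "Delete on reboot."
    bad: str = ""    # hijacked value, only present for Hijack.* entries
    good: str = ""   # value MBAM restored

def parse_mbam_log(text: str) -> list[Finding]:
    """Turn the per-item lines of an MBAM 1.x log into Finding records."""
    findings, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":"):           # "Files Infected:" style section header
            section = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if not m:                        # blank, summary and "(No malicious ...)" lines
            continue
        f = Finding(section, m["path"], m["detection"], m["rest"].split(" -> ")[-1])
        h = HIJACK_RE.search(m["rest"])
        if h:
            f.bad, f.good = h["bad"], h["good"]
        findings.append(f)
    return findings

def userinit_extras(value: str) -> list[str]:
    r"""Entries in a Winlogon\Userinit value other than the stock userinit.exe.
    Comma-separated, trailing comma allowed; compared by basename, case-insensitively."""
    extras = []
    for entry in (e.strip() for e in value.split(",")):
        if entry and entry.rsplit("\\", 1)[-1].lower() != "userinit.exe":
            extras.append(entry)
    return extras
```

Anything userinit_extras returns is a program Winlogon will launch at every logon, which is why MBAM flags the value as "Delete on reboot" rather than just removing the file.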



24 Mar 2009   #2
LapTopDog

Win7, Ubuntu 8.04, Mandriva Powerpack 09
 
 

Thanks johngalt.

My g/friend manages at DHL (Heathrow) and she sent your post to their IT security in Prague.

But I expect they know by now ...
24 Mar 2009   #3
johngalt

 

I would hope so - Sophos found that thing *fast*.

Good news for users of MBAM - the newest definitions in MBAM now detect this little puppy thanks to my submission early this morning.
24 Mar 2009   #4
Romulinx2

Win7 Ultimate x64 on Desktop / Win7 Ultimate x86 on laptop / Win7 x86 Starter on Netbook
 
 

Thanks for the warning.
25 Mar 2009   #5
Fielder

xp
 
 
DHL tracking emails - request for update on malware, pls

Would greatly appreciate any tips on how to deal with a possible infection. Which vendors have released solutions or removal programs? Many thanks in advance.
27 Mar 2009   #6
johngalt

 

MalwareBytes Anti-Malware as I noted above, and Sophos, as I also noted above.