DHL tracking number emails contain malware (Troj/Bckdr-QSL)


  1. Posts : 4,364
    Windows 11 21H2 Current build
       #1

    DHL tracking number emails contain malware (Troj/Bckdr-QSL)


    http://www.sophos.com/blogs/gc/g/2009/03/23/dhl/ said:
    Once again the bad guys are hard at work, spamming out dangerous emails. This morning it's emails which claim to come from DHL, saying they were not able to deliver a postal package you sent on 14th of March because the recipient's address was incorrect.

    DHL delivery malicious email

    Of course, the emails are not really from DHL.

    If you open the file inside the attachment (called DHL_DOC.zip) you will be infected by the Troj/Bckdr-QSL backdoor Trojan horse, which will attempt to take control of your PC.
    DHL tracking number emails contain malware | Graham Cluley's blog

    My sister got hit with this via email in a 0-day attack - she was infected as of 8 AM on Monday, 23 March. Symantec did not find anything, at first, until she had already run the executable inside the ZIP file, and it started downloading known viruses. This is a pretty generic Trojan that downloads other trojans and backdoors and viruses to the system and begins a systematic onslaught on the machine, starting with adding proxy settings to IE redirecting it to a local 'server' running on port 7171, and going from there.

    The bad news is that when it hoses IE, it also hoses MBAM's ability to update - but fortunately, Sophos has already added it to their definition collection (called IDEs) and you can follow the instructions at Sophos - Removing Trojans including the downloading of the IDEs from Sophos - Download latest virus identity (IDE) files to get rid of most of the infections. Once this is done you can then reset IE to default settings (or, as I walked her through, manually check all your settings (a painstaking 1 hour 25 minute process - we checked *everything* and I had her change some settings that would make her IE a little bit safer)) and then you can update MBAM and run a full scan to find the rest of the little buggers and clean yer system.

    Her explorer.exe may still be hosed, we'll see - all of this is performed in Safe Mode.

    Just to give you an idea - she first called me at 9:56 PM yesterday - and it is now 3:10 AM....

    EDIT: Added the following:

    Also, Sophos found 1 item corrupt (Word doc), 1 was PW protected (a legitimate PW protected Excel spreadsheet - she's a mortgage officer), and a third that it was unable to remove (major malware) - and it removed 3 viruses.

    Then, MBAM comes back and finds *all* of these:

    Code:
    Malwarebytes' Anti-Malware 1.34
    Database version: 1890
    Windows 5.1.2600 Service Pack 3
    
    3/24/2009 3:53:10 AM
    mbam-log-2009-03-24 (03-53-10).txt
    
    Scan type: Full Scan (C:\|)
    Objects scanned: 207109
    Time elapsed: 49 minute(s), 17 second(s)
    
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 9
    Registry Values Infected: 1
    Registry Data Items Infected: 3
    Folders Infected: 1
    Files Infected: 6
    
    Memory Processes Infected:
    (No malicious items detected)
    
    Memory Modules Infected:
    (No malicious items detected)
    
    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{c24d7016-d00f-41ef-9781-984b6b5ff38f} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{ec88fcd0-2ed5-4d65-9b4c-71d146b43a2e} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{e532cfb1-5edd-4663-8c22-bcd67b5e5bd4} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{500798ec-60e8-4654-9014-20698652f9db} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500798ec-60e8-4654-9014-20698652f9db} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a11ff88f-09dd-46e3-a75c-e608d9a30186} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a11ff88f-09dd-46e3-a75c-e608d9a30186} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a11ff88f-09dd-46e3-a75c-e608d9a30186} (Trojan.Agent) -> Quarantined and deleted successfully.
    
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\ConTest.dll (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
    
    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
    
    Folders Infected:
    C:\WINDOWS\system32\lowsec (Spyware.StolenData) -> Delete on reboot.
    
    Files Infected:
    C:\WINDOWS\system32\ConTest.dll (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lowsec\local.ds (Spyware.StolenData) -> Delete on reboot.
    C:\WINDOWS\system32\lowsec\user.ds (Spyware.StolenData) -> Delete on reboot.
    C:\WINDOWS\system32\lowsec\user.ds.lll (Spyware.StolenData) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\mfc42locac.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
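    The MBAM log above is worth more than a tick list: the three "Registry Data Items" lines show the Winlogon Userinit value being abused to launch sdra64.exe at every logon, which is why the thing comes back until it is cleaned on reboot. The following script is an added example (not from johngalt's post and not an MBAM or Sophos tool): it parses the MBAM 1.x log format into sections, cross-checks the summary counts against the listed items, and flags any Userinit entry that is not the genuine userinit.exe, which is exactly the "Good: (userinit.exe)" expectation MBAM printed. The embedded log is a constructed subset of the lines quoted in the post; the regexes and function names are this example's own assumptions.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and flag Winlogon Userinit
hijacks. Added example; SAMPLE_LOG is constructed from lines quoted in the
thread, with summary counts adjusted to match the subset included here."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.34
Database version: 1890
Windows 5.1.2600 Service Pack 3

Registry Keys Infected: 2
Registry Data Items Infected: 3
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{500798ec-60e8-4654-9014-20698652f9db} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a11ff88f-09dd-46e3-a75c-e608d9a30186} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Spyware.StolenData) -> Delete on reboot.
"""

# One detection line: "<path> (<detection name>) -> <action text>"
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")
# "Files Infected: 6" is a summary line; "Files Infected:" opens a section.
HEADER_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
BAD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\)")
DATA_RE = re.compile(r"^Data: (?P<data>.+?) -> ")


def parse_mbam_log(text):
    """Return {'summary': {section: count}, 'items': {section: [item, ...]}}."""
    summary, items, section = {}, defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            if header.group("count") is not None:
                summary[header.group("name")] = int(header.group("count"))
            else:
                section = header.group("name")
            continue
        item = ITEM_RE.match(line)
        if item and section:  # "(No malicious items detected)" never matches
            items[section].append(item.groupdict())
    return {"summary": summary, "items": dict(items)}


def count_mismatches(report):
    """Sections whose summary count disagrees with the items actually listed."""
    return [name for name, count in report["summary"].items()
            if count != len(report["items"].get(name, []))]


def userinit_extras(value):
    """Entries of a Winlogon\\Userinit value that are not userinit.exe itself.
    The value is comma separated and normally ends with a trailing comma."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        basename = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename != "userinit.exe":
            extras.append(entry)
    return extras


def find_userinit_hijacks(report):
    """Every foreign executable MBAM saw in the Userinit value, de-duplicated."""
    found = []
    for item in report["items"].get("Registry Data Items Infected", []):
        if not item["path"].lower().endswith("\\winlogon\\userinit"):
            continue
        bad = BAD_RE.search(item["action"])      # "Bad: (...) Good: (...)" form
        data = DATA_RE.match(item["action"])     # "Data: <value> -> ..." form
        if bad:
            found.extend(userinit_extras(bad.group("bad")))
        elif data:
            found.extend(userinit_extras(data.group("data")))
    seen, unique = set(), []
    for entry in found:
        if entry.lower() not in seen:
            seen.add(entry.lower())
            unique.append(entry)
    return unique


if __name__ == "__main__":
    report = parse_mbam_log(SAMPLE_LOG)
    print("summary/list mismatches:", count_mismatches(report))
    for hit in find_userinit_hijacks(report):
        print("Userinit launches foreign binary:", hit)
```

    Run it against a real mbam-log-*.txt by replacing SAMPLE_LOG with the file contents; a non-empty result from find_userinit_hijacks means the logon chain is still pointed at something other than userinit.exe and the "Delete on reboot" items need to actually be allowed to complete before the machine is trusted again.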


  2. Posts : 22
    Win7, Ubuntu 8.04, Mandriva Powerpack 09
       #2

    Thanks johngalt.

    My g/friend manages at DHL (Heathrow) and she sent your post to their IT security in Prague.

    But I expect they know by now ...


  3. Posts : 4,364
    Windows 11 21H2 Current build
    Thread Starter
       #3

    I would hope so - Sophos found that thing *fast*.

    Good news for users of MBAM - the newest definitions in MBAM now detect this little puppy thanks to my submission early this morning.


  4. Posts : 1,003
    Win7 Ultimate x64 on Desktop / Win7 Ultimate x86 on laptop / Win7 x86 Starter on Netbook
       #4

    Thanks for the warning. :)


  5. Posts : 2
    xp
       #5

    DHL tracking emails - request for update on malware, pls


    Would greatly appreciate any tips on how to deal with possible infection. Which vendors have released solutions or removal programs? Many thanks in advance.


  6. Posts : 4,364
    Windows 11 21H2 Current build
    Thread Starter
       #6

    MalwareBytes Anti-Malware as I noted above, and Sophos, as I also noted above.