DHL tracking number emails contain malware (Troj/Bckdr-QSL)

johngalt

Antidisestablishmenta
Guru
Gold Member
SF Team
Local time
9:51 AM
Messages
4,364
Location
Somewhere on the 3rd rock from the sun.
http://www.sophos.com/blogs/gc/g/2009/03/23/dhl/ said:
Once again the bad guys are hard at work, spamming out dangerous emails. This morning it's emails which claim to come from DHL, saying they were not able to deliver a postal package you sent on 14th of March because the recipient's address was incorrect.

DHL delivery malicious email

Of course, the emails are not really from DHL.

If you open the file inside the attachment (called DHL_DOC.zip) you will be infected by the Troj/Bckdr-QSL backdoor Trojan horse, which will attempt to take control of your PC.

DHL tracking number emails contain malware | Graham Cluley's blog

My sister got hit with this via email in a 0-day attack - she was infected as of 8 AM on Monday, 23 March. Symantec did not find anything, at first, until she had already run the executable inside the ZIP file, and it started downloading known viruses. This is a pretty generic Trojan that downloads other trojans and backdoors and viruses to the system and begins a systematic onslaught on the machine, starting with adding proxy settings to IE redirecting it to a local 'server' running on port 7171, and going from there.

The bad news is that when it hoses IE, it also hoses MBAM's ability to update - but fortunately, Sophos has already added it to their definition collection (called IDEs) and you can follow the instructions at Sophos - Removing Trojans including the downloading of the IDEs from Sophos - Download latest virus identity (IDE) files to get rid of most of the infections. Once this is done you can then reset IE to default settings (or, as I walked her through, manually check all your settings (a painstaking 1 hour 25 minute process - We checked *everything* and I had he change some settings that would make her IE a little bit safer) and then you can update MBAM and run a full scan to find the rest of the little buggers and clean yer system.

Her explorer.exe may still be hosed, we'll see - all of this is performed in Safe Mode.

Just to give you and idea - she first called me at 9:56 PM yesterday - and it is now 3:10 AM....

EDIT: Added the following:

Also, Sophos found 1 item corrupt (word doc), 1 was PW protected (a legitimate PW protected Excel spreadshhet - she's a mortgage officer), and a third that it was unable to remove (Major malware) - and it removed 3 viruses.

Then, MBAM comes back and finds *all* of these:

Code:
Malwarebytes' Anti-Malware 1.34
Database version: 1890
Windows 5.1.2600 Service Pack 3

3/24/2009 3:53:10 AM
mbam-log-2009-03-24 (03-53-10).txt

Scan type: Full Scan (C:\|)
Objects scanned: 207109
Time elapsed: 49 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c24d7016-d00f-41ef-9781-984b6b5ff38f} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ec88fcd0-2ed5-4d65-9b4c-71d146b43a2e} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e532cfb1-5edd-4663-8c22-bcd67b5e5bd4} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500798ec-60e8-4654-9014-20698652f9db} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500798ec-60e8-4654-9014-20698652f9db} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a11ff88f-09dd-46e3-a75c-e608d9a30186} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a11ff88f-09dd-46e3-a75c-e608d9a30186} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a11ff88f-09dd-46e3-a75c-e608d9a30186} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\ConTest.dll (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Spyware.StolenData) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\ConTest.dll (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Spyware.StolenData) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Spyware.StolenData) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds.lll (Spyware.StolenData) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mfc42locac.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
 

My Computers My Computers

  • At a glance

    Windows 11 21H2 Current buildAMD Ryzen 9 3950X4 * 32 GB - Corsair Vengeance 3600 MHzEVGA GeForce RTX 3080 Ti XC3 ULTRA GAMING (12...
    Computer type
    PC/Desktop
    Computer Manufacturer/Model Number
    The Beast Model A (homebrew)
    OS
    Windows 11 21H2 Current build
    CPU
    AMD Ryzen 9 3950X
    Motherboard
    MSI MEG X570 GODLIKE
    Memory
    4 * 32 GB - Corsair Vengeance 3600 MHz
    Graphics Card(s)
    EVGA GeForce RTX 3080 Ti XC3 ULTRA GAMING (12G-P5-3955-KR)
    Sound Card
    Realtek® ALC1220 Codec
    Monitor(s) Displays
    2x Eve Spectrum ES07D03 4K Gaming Monitor (Matte) | Eve Spec
    Screen Resolution
    3x 3840 x 2160
    Hard Drives
    3x Samsung 980 Pro NVMe PCIe 4 M.2 2 TB SSD (MZ-V8P2T0B/AM) } 3x Sabrent Rocket NVMe 4.0 1 TB SSD
    PSU
    PC Power & Cooling’s Silencer Series 1050 Watt, 80 Plus Plat
    Case
    Fractal Design Define 7 XL Dark ATX Full Tower Case
    Cooling
    SteelSeries Apex Pro Wired Gaming Keyboard
    Keyboard
    SteelSeries Apex Pro
    Mouse
    Logitech MX Master 3S | MX Master 3 for business
    Internet Speed
    AT&T LightSpeed Gigabit Duplex Ftth
    Antivirus
    Windows Defender + MB 3
    Browser
    Nightly (default) + Firefox (stable),Chrome, Edge
  • At a glance

    ChromeOS Flex Dev Channel (current)Intel(R) Core(TM) i5-6300U CPU @ 2.40GHz, 250...16 GBIntel(R) HD Graphics 520
    Computer type
    PC/Desktop
    System Manufacturer/Model Number
    Dell Latitude E5470
    OS
    ChromeOS Flex Dev Channel (current)
    CPU
    Intel(R) Core(TM) i5-6300U CPU @ 2.40GHz, 2501 Mhz, 2 Core(s), 4 Logical Processor(s)
    Motherboard
    Dell
    Memory
    16 GB
    Graphics Card(s)
    Intel(R) HD Graphics 520
    Sound Card
    Intel(R) HD Graphics 520 + RealTek Audio
    Monitor(s) Displays
    Dell laptop display 15"
    Screen Resolution
    1920 * 1080
    Hard Drives
    Toshiba 128GB M.2 22300 drive
    INTEL Cherryville 520 Series SSDSC2CW180A 180 GB SATA III SSD
    PSU
    Dell
    Case
    Dell
    Cooling
    Dell
    Keyboard
    Dell
    Mouse
    Logitech MX Master 3S (shared w. Sys 1) | Dell TouchPad
    Internet Speed
    AT&T LightSpeed Gigabit Duplex Ftth
Thanks johngalt.

My g/friend manages at DHL (Heathrow) and she sent your post to their IT security in Praque.

But I expect they know by now ...
 

My Computer My Computer

At a glance

Win7, Ubuntu 8.04, Mandriva Powerpack 09
OS
Win7, Ubuntu 8.04, Mandriva Powerpack 09
I wold hope so - Sophos found that thing *fast*.

Good news for users of MBAM - the newest definitions in MBAM now detect this little puppy thanks to my submission early this morning.
 

My Computers My Computers

  • At a glance

    Windows 11 21H2 Current buildAMD Ryzen 9 3950X4 * 32 GB - Corsair Vengeance 3600 MHzEVGA GeForce RTX 3080 Ti XC3 ULTRA GAMING (12...
    Computer type
    PC/Desktop
    Computer Manufacturer/Model Number
    The Beast Model A (homebrew)
    OS
    Windows 11 21H2 Current build
    CPU
    AMD Ryzen 9 3950X
    Motherboard
    MSI MEG X570 GODLIKE
    Memory
    4 * 32 GB - Corsair Vengeance 3600 MHz
    Graphics Card(s)
    EVGA GeForce RTX 3080 Ti XC3 ULTRA GAMING (12G-P5-3955-KR)
    Sound Card
    Realtek® ALC1220 Codec
    Monitor(s) Displays
    2x Eve Spectrum ES07D03 4K Gaming Monitor (Matte) | Eve Spec
    Screen Resolution
    3x 3840 x 2160
    Hard Drives
    3x Samsung 980 Pro NVMe PCIe 4 M.2 2 TB SSD (MZ-V8P2T0B/AM) } 3x Sabrent Rocket NVMe 4.0 1 TB SSD
    PSU
    PC Power & Cooling’s Silencer Series 1050 Watt, 80 Plus Plat
    Case
    Fractal Design Define 7 XL Dark ATX Full Tower Case
    Cooling
    SteelSeries Apex Pro Wired Gaming Keyboard
    Keyboard
    SteelSeries Apex Pro
    Mouse
    Logitech MX Master 3S | MX Master 3 for business
    Internet Speed
    AT&T LightSpeed Gigabit Duplex Ftth
    Antivirus
    Windows Defender + MB 3
    Browser
    Nightly (default) + Firefox (stable),Chrome, Edge
  • At a glance

    ChromeOS Flex Dev Channel (current)Intel(R) Core(TM) i5-6300U CPU @ 2.40GHz, 250...16 GBIntel(R) HD Graphics 520
    Computer type
    PC/Desktop
    System Manufacturer/Model Number
    Dell Latitude E5470
    OS
    ChromeOS Flex Dev Channel (current)
    CPU
    Intel(R) Core(TM) i5-6300U CPU @ 2.40GHz, 2501 Mhz, 2 Core(s), 4 Logical Processor(s)
    Motherboard
    Dell
    Memory
    16 GB
    Graphics Card(s)
    Intel(R) HD Graphics 520
    Sound Card
    Intel(R) HD Graphics 520 + RealTek Audio
    Monitor(s) Displays
    Dell laptop display 15"
    Screen Resolution
    1920 * 1080
    Hard Drives
    Toshiba 128GB M.2 22300 drive
    INTEL Cherryville 520 Series SSDSC2CW180A 180 GB SATA III SSD
    PSU
    Dell
    Case
    Dell
    Cooling
    Dell
    Keyboard
    Dell
    Mouse
    Logitech MX Master 3S (shared w. Sys 1) | Dell TouchPad
    Internet Speed
    AT&T LightSpeed Gigabit Duplex Ftth
Thanks for the warning. :)
 

My Computer My Computer

At a glance

Win7 Ultimate x64 on Desktop / Win7 Ultimate ...AMD Phenom 965 X4 3.4Ghz cpu Black Edition12 Gb DDR3Nvidea Gforce GTX 470
Computer Manufacturer/Model Number
Dilithium Computers/Engineering (Myself) Star date 42.739285.5432.9
OS
Win7 Ultimate x64 on Desktop / Win7 Ultimate x86 on laptop / Win7 x86 Starter on Netbook
CPU
AMD Phenom 965 X4 3.4Ghz cpu Black Edition
Motherboard
Gigabyte 790XT
Memory
12 Gb DDR3
Graphics Card(s)
Nvidea Gforce GTX 470
Sound Card
Onboard Realtek hi-fi
Monitor(s) Displays
Lg 3D led 23"
Screen Resolution
1920x1080
Hard Drives
Loads maxstore sata 1 & 2/ loads of partitions + 1Tb Hitachi sata 2. 256Gb Crucial ssd.
PSU
OCZ 700W GameXstream
Case
Artec 10000
Cooling
On board + many case fans
Keyboard
Logitech wireless K350
Mouse
Inferno gaming mouse
Internet Speed
Talk talk. 10Mb
Other Info
My PC was hand built with matchsticks. xbox 360 controller. Printers,fax.........
DHL tracking emails - request for update on malware, pls

Would greatly appreciate any tips on how to deal with possible infection:confused: Which vendors have released solutions, removal programs? Many thanks in advance
 

My Computer My Computer

At a glance

xp
OS
xp
MalwareBytes Anti-Malware as I noted above, and Sophos, as I also noted above.
 

My Computers My Computers

  • At a glance

    Windows 11 21H2 Current buildAMD Ryzen 9 3950X4 * 32 GB - Corsair Vengeance 3600 MHzEVGA GeForce RTX 3080 Ti XC3 ULTRA GAMING (12...
    Computer type
    PC/Desktop
    Computer Manufacturer/Model Number
    The Beast Model A (homebrew)
    OS
    Windows 11 21H2 Current build
    CPU
    AMD Ryzen 9 3950X
    Motherboard
    MSI MEG X570 GODLIKE
    Memory
    4 * 32 GB - Corsair Vengeance 3600 MHz
    Graphics Card(s)
    EVGA GeForce RTX 3080 Ti XC3 ULTRA GAMING (12G-P5-3955-KR)
    Sound Card
    Realtek® ALC1220 Codec
    Monitor(s) Displays
    2x Eve Spectrum ES07D03 4K Gaming Monitor (Matte) | Eve Spec
    Screen Resolution
    3x 3840 x 2160
    Hard Drives
    3x Samsung 980 Pro NVMe PCIe 4 M.2 2 TB SSD (MZ-V8P2T0B/AM) } 3x Sabrent Rocket NVMe 4.0 1 TB SSD
    PSU
    PC Power & Cooling’s Silencer Series 1050 Watt, 80 Plus Plat
    Case
    Fractal Design Define 7 XL Dark ATX Full Tower Case
    Cooling
    SteelSeries Apex Pro Wired Gaming Keyboard
    Keyboard
    SteelSeries Apex Pro
    Mouse
    Logitech MX Master 3S | MX Master 3 for business
    Internet Speed
    AT&T LightSpeed Gigabit Duplex Ftth
    Antivirus
    Windows Defender + MB 3
    Browser
    Nightly (default) + Firefox (stable),Chrome, Edge
  • At a glance

    ChromeOS Flex Dev Channel (current)Intel(R) Core(TM) i5-6300U CPU @ 2.40GHz, 250...16 GBIntel(R) HD Graphics 520
    Computer type
    PC/Desktop
    System Manufacturer/Model Number
    Dell Latitude E5470
    OS
    ChromeOS Flex Dev Channel (current)
    CPU
    Intel(R) Core(TM) i5-6300U CPU @ 2.40GHz, 2501 Mhz, 2 Core(s), 4 Logical Processor(s)
    Motherboard
    Dell
    Memory
    16 GB
    Graphics Card(s)
    Intel(R) HD Graphics 520
    Sound Card
    Intel(R) HD Graphics 520 + RealTek Audio
    Monitor(s) Displays
    Dell laptop display 15"
    Screen Resolution
    1920 * 1080
    Hard Drives
    Toshiba 128GB M.2 22300 drive
    INTEL Cherryville 520 Series SSDSC2CW180A 180 GB SATA III SSD
    PSU
    Dell
    Case
    Dell
    Cooling
    Dell
    Keyboard
    Dell
    Mouse
    Logitech MX Master 3S (shared w. Sys 1) | Dell TouchPad
    Internet Speed
    AT&T LightSpeed Gigabit Duplex Ftth
Back
Top