NEWS FROM THE LAB - Friday, March 23, 2007

Nurech on the Run Again. Posted by Jusu @ 11:54 GMT

We last posted about a Nurech run on February 19th that used Ikea Deutschland as its supposed front. This time the Nurech gang is riding on 1&1, an Internet hosting provider. We have received reports of a large number of e-mails in Germany.

It seems that the gang is monitoring the success of their trojan. As soon as the antivirus industry caught up with the first downloaded malware (Trojan-Spy.Win32.BZub.IJ), they changed it to another one. We detect the current downloaded file as Trojan-Spy:W32/BZub.IK.

The downloader itself (Trojan-Downloader:W32/Small.EJK) has been detected since this morning with update 2007-03-23_02; detection of all files known thus far is in 2007-03-23_03.

Here's an example of the spammed message:


Updated to add:
Here's another example of text used in the spam with a translation provided by a German partner of ours.

Aktueller Sicherheitshinweis:
Unbekannte haben Millionen von E-Mails versendet,
die sich als Rechnungen der 1&1 Internet AG tarnen.
Diese E-Mails versuchen den Rechner des Empfängers mit einem Virus zu infizieren.
Ausschließlich solchen E-mails wie dieser können Sie vertrauen.
Öffnen Sie keinesfalls in gefälschten E-Mails angehängten Dateien!

Sie erkennen die Echtheit Ihrer 1&1 E-Mail-Rechnung an folgenden Merkmalen:
- Sie erhalten echte Rechnungen immer als ZIP Dateien
- Sie finden immer diesen Sicherheitshinweis darin

Security Advice!!
Unknown persons have sent millions of e-mails that are disguised as invoices from 1&1 Internet AG.
These e-mails try to infect the recipient's computer with a virus.
Only trust e-mails like this one! Never open an attachment in a faked e-mail!

Original e-mails from 1&1 can be identified by
- Real invoices are always sent in a ZIP
- You will always find this security advice.
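The lure above tells recipients that genuine invoices always arrive as ZIP files, which is exactly the shape a mail filter can key on. The following is an added example, not code from the post or from F-Secure: it builds a constructed message that imitates the lure (placeholder sender, a ZIP wrapping an executable named like an invoice) and flags it on two indicators. It assumes the ZIP carries an executable dropper, which the post does not state explicitly.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Phrases taken from the lure text quoted above; matched case-insensitively.
LURE_PHRASES = ("sicherheitshinweis", "rechnung", "1&1")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def zip_executables(payload: bytes) -> list[str]:
    """Names of executable-looking members inside a ZIP; empty if payload is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return []


def assess_invoice_lure(raw: bytes) -> list[str]:
    """Return indicators found in a raw RFC 822 message: lure wording and ZIP-wrapped executables."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = (msg["Subject"] or "") + " " + " ".join(
        part.get_content() for part in msg.walk()
        if part.get_content_type() == "text/plain"
    )
    text = text.lower()
    findings = []
    hits = [p for p in LURE_PHRASES if p in text]
    if len(hits) >= 2:  # one phrase alone is common in legitimate German billing mail
        findings.append(f"lure text: {hits}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            exes = zip_executables(part.get_payload(decode=True))
            if exes:
                findings.append(f"zip {name} contains executable {exes}")
    return findings


def build_sample() -> bytes:
    """Constructed sample resembling the run described above; not a captured message."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Rechnung.pdf.exe", b"MZ placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"] = "rechnung@example.invalid"  # placeholder sender, not the real spam source
    msg["Subject"] = "Ihre 1&1 Rechnung"
    msg.set_content("Aktueller Sicherheitshinweis: Sie erhalten echte Rechnungen immer als ZIP Dateien.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Rechnung.zip")
    return msg.as_bytes()
```

The two-phrase threshold keeps a plain "Rechnung" subject line from tripping the rule on its own; the ZIP check is what separates this lure from ordinary billing mail.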

Trust No One. Except us…