NEWS FROM THE LAB - Tuesday, August 26, 2008

Somebody Doesn't Like Us in Denmark Posted by Mikko @ 09:44 GMT

This morning we saw several spam runs in the country of Denmark. The messages are in Danish and they are sent to Danish e-mail addresses.

The e-mail claims to be from us. It's not.

Here's what the e-mail looks like:

   From: supportupdate@f-secure.com
   Date: 26. August 2008 08:31
   Subject: Data is attached and sent with this message.
   Dear customers!
   Data is attached and sent with this message.
   I use the free F-secure antispam version, which has already removed 338 spam messages.
   Antispam is completely free for private users.
   Attachment: f-secure.rar


The attachment contains a file called update26.08.2008.exe, which, when run, drops a file called dcbcg.exe (an Unker-related trojan) that connects to a server in Ukraine.

We detect this trojan as Trojan:W32/Agent.FVO. More information is available in the virus description.
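A mail-gateway check for the indicators given above (the spoofed sender address, the Danish subject line of the run, and an archive attachment), written as an added example; it is not F-Secure's code. The sample message is constructed here with a dummy payload, and the archive-extension list is generalized beyond the `.rar` named in the post.

```python
"""Flag e-mails matching the spoofed F-Secure spam run described above."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the post; ".zip" is an added generalization.
SPOOFED_SENDER = "supportupdate@f-secure.com"
CAMPAIGN_SUBJECT = "Data er tillagt og sendt med denne meddelelse."
ARCHIVE_EXTENSIONS = (".rar", ".zip")


def campaign_indicators(raw: bytes) -> list[str]:
    """Return the campaign indicators found in one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if SPOOFED_SENDER in (msg.get("From") or "").lower():
        hits.append("sender-spoofs-f-secure")
    if (msg.get("Subject") or "").strip() == CAMPAIGN_SUBJECT:
        hits.append("campaign-subject")
    for part in msg.iter_attachments():          # walks MIME parts marked as attachments
        name = (part.get_filename() or "").lower()
        if name.endswith(ARCHIVE_EXTENSIONS):
            hits.append(f"archive-attachment:{name}")
    return hits


def is_campaign_message(raw: bytes) -> bool:
    """Spoofed vendor sender plus an archive attachment is enough to quarantine;
    the subject alone is not, since legitimate mail may reuse such wording."""
    hits = campaign_indicators(raw)
    return "sender-spoofs-f-secure" in hits and any(
        h.startswith("archive-attachment:") for h in hits)


def build_sample(sender: str = SPOOFED_SENDER, filename: str = "f-secure.rar") -> bytes:
    """Constructed sample resembling the spam; the attachment is dummy bytes."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "recipient@example.dk"             # constructed recipient
    m["Subject"] = CAMPAIGN_SUBJECT
    m.set_content("Kaere kunder!\nData er tillagt og sendt med denne meddelelse.\n")
    m.add_attachment(b"not a real archive", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(campaign_indicators(build_sample()), is_campaign_message(build_sample()))
```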

The spam run must have been fairly large, as we've received more than 13,000 bounces to supportupdate@f-secure.com from non-existent e-mail addresses alone.

Watch out and pass the word.

Update: Agent.FVO is a downloader.

Yesterday, its C&C server was quiet, so there were no additional components to download. Today, the C&C server is pushing out a BZub variant, which has been detected as Trojan-Spy.Win32.Bzub.fbm since our 2008-08-25_07 database update.

BZub is a trojan-spy interested in banking details.