New trojan variant in mails with "Look my CV. Thank you!"

[Devidnet]

Pay attention to the subject "Look my CV. Thank you! MyID NR4557547.",it is a new trojan variant in emails and Ax3soft intercepts it.

The similar subject are:

Look my CV. Thank you! MyID NR4557547.
Please look my CV. Thank you! MyID NR0663460.

It chooses the number at the end of the subject not in order and the from email address is fake.

The body of the email:

Good day.

I have figured out that you have an available job.
I am quiet intrested in it. So I send you my resume,

Looking forward to your reply.
Thank you.

The resume098.zip attached in the email. The extracted file resume.exe has 36kb capacity.

The trojan also called  W32/Heuristic-210!Eldorado (Authentium, F-Prot) or Backdoor.Bredolab (PCTools)

Creat files as followings:

%Temp%\1.tmp
%System%\fjof.sto
%Temp%\2.tmp
%Windir%\atapsrb.dll

Load the following modules into the address space of other processes:

%Windir%\atapsrb.dll:

Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E70000 – 0x1E82000

%Windir%\atapsrb.dll::

Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0×1940000 – 0×1952000

%Windir%\atapsrb.dll::

Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0×10000000 – 0×10012000

A lot of Windows registry modifications are created and the trojan tries to establish a connection with IPs on port 80 as followings:

195.78.109.6
212.78.71.81
95.211.98.246

Download data from the following hosts:

·         *Blocked Russian URL*/babun/bb.php?v=200&id=603225387&b=6165430227&tm=1

·         *Blocked Russian URL*/babun/bb.php?v=200&id=603225387&tid=4&b=6165430227&r=1&tm=1

·         hxxp://www.scottishchefs.com/photogallery/Slideshows/SLteam2008/p7hg_img_1/fullsize/sepod.exe

The download file sepod.exe has 60kB capacity and it is malware  which called W32/Hiloti.I.gen!Eldorado (F-Prot),  Trojan.Win32.Hiloti (Ikarus) or Mal/Hiloti-D (Sophos).

Create the files as followings:

%Windir%\dsmd32.dll

Load the following modules into the address space of other processes:

%Windir%\dsmd32.dll:

Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E70000 – 0x1E82000

%Windir%\dsmd32.dll:

Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0×10000000 – 0×10012000

A lot of Windows registry modifications are created and the trojan tries to establish a connection with IP95.211.98.246 on port 80 as followings:

We have added some new policies of Ax3soft Sax2 http://www.ids-sax2.com/SaxIDS.htmto detect the Trojan, please update the policy basic knowledge of Sax2  in time.