Unable to process your most recent Bill Payment - Virus


Email:

A fake Bank of America or HSBC email claims you have a new e-Message and that the bank was unable to process your most recent bill payment.

The attached zip file contains an EXE virus.

Spoofs the senders notifications @fiserv.com, bill.payment @bankofamerica.com, and payment.advice @hsbc.co.uk.

Other emails in the spoofed fiserv.com series:


Subject: Unable to process your most recent Bill Payment

Bank of America Logo

You have a new e-Message from Bank of America

This e-mail has been sent to you to inform you that we
were unable to process your most recent payment of bill.

Please check attached file for more detailed information on this transaction.

Pay To Account Number: **********9567
Due Date: 05/01/2013
Amount Due: $ 767.83
Statement Balance: $ 2,729.47

IMPORTANT: The actual delivery date may vary from the Delivery
By date estimate. Please make sure that there are sufficient
available funds in your account to cover your payment
beginning a few days before Delivery By date estimate and keep
such funds available until the payment is deducted from your account.

If we fail to process a payment in accordance with your properly
completed instructions, we will reimburse you any late-payment-related fees.

We apologize for any inconvenience this may cause. .
Please do not reply to this message. If you have any questions
about the information in this e-Bill , please contact your Bill Pay
customer support . For all other questions, call us at 800-887-5749.


Bank of America, N.A. Member FDIC. Equal Housing Lender
©2013 Bank of America Corporation. All rights reserved.
========================================
Please do not delete this section.
Email_ID:#664118309448584618309_
========================================
04092013.zip (134)

Picture: (screenshot of the fake Bank of America email with the virus attachment)

Headers samples:

Received: from fiserv.com ([197.7.60.118] (Tunisia)
   X-Envelope-From: service @fiserv.com
   From:"Bank of America" <bill.payment @bankofamerica.com>
Subject: Unable to process your most recent Payment

Received: from cust33-246-249-197.netcabo.co.mz [197.249.246.33] (Mozambique)
   X-Barracuda-Envelope-From: notification @fiserv.com
   From: "Bank of America" <bill.payment @bankofamerica.com>
Subject: Unable to process your most recent Payment

Received: from fiserv.com ([69.199.154.49] (Atlanta, GA)
   X-Barracuda-Envelope-From: service @fiserv.com
   From: "Bank of America" <bill.payment @bankofamerica.com>
Subject: Unable to process your most recent Bill Payment

Received: from c-69-248-207-0.hsd1.nj.comcast.net [69.248.207.0]
   X-Barracuda-Envelope-From: auto-notification @fiserv.com
   From: "Bank of America" <bill.payment @bankofamerica.com>
Subject: Unable to process your most recent Bill Payment

Received: from se0-3-0.gw1.t-gang.druknet.bt [119.2.96.178] (Bhutan)
   X-Barracuda-Envelope-From: auto-notification @fiserv.com
   From: "Bank of America" <bill.payment @bankofamerica.com>
Subject: Unable to process your most recent Bill Payment

Received: from hsbc.co.uk ([190.123.114.201] (Argentina)
   X-Barracuda-Envelope-From: payment.advice @hsbc.co.uk
   From: "Bank of America" <bill.payment @bankofamerica.com>
Subject: Unable to process your most recent Bill Payment

Received: from h69-129-49-170.wyngmi.dedicated.static.tds.net [69.129.49.170]
   X-Barracuda-Envelope-From: payment.advice @hsbc.co.uk
   From: "Bank of America" <bill.payment @bankofamerica.com>

Attachment example:

04092013.zip containing BILL_04092013_Fail.exe

VirusTotal report: here

Fortinet        W32/Kryptik.X!tr
Malwarebytes    Malware.Packer.EGX1
ESET-NOD32      a variant of Win32/Kryptik.AYJD
F-Prot          W32/Trojan3.CBW
McAfee          Ransom-FJX!3CB04DA27477
Sophos          Mal/FakeAV-OY
 ... and much much more.

HSBC Variation: Subject: Unable to process your most recent Payment

[HSBC Logo][The world's local bank]

You have a new e-Message from HSBC.co.uk

This e-mail has been sent to you to inform you that we were
unable to process your most recent payment.

Please check attached file for more detailed information
on this transaction.

Pay To Account Number: **********90
Due Date: 15/05/2013
Amount Due: $ 155.74

IMPORTANT: The actual delivery date may vary from the Delivery by
date estimate. Please make sure that there are sufficient available
funds in your account to cover your payment
beginning a few days before Delivery By date estimate and keep such
funds available until the payment is deducted from your account.

If we fail to process a payment in accordance with your properly
completed instructions, we will reimburse you any late-payment-related fees.

Copyright HSBC 2013. All rights reserved. No endorsement or approval
of any third parties or their advice, opinions, information, products
or services is expressed or implied by any information on this Site
or by any hyperlinks to or from any third party websites or pages.
Your use of this website is subject to the terms and conditions
governing it. Please read these terms and conditions before using the website..

HSBC_Payment_2839181.zip (140)

Headers for HSBC version:

Received: from m212-96-64-156.cust.tele2.kz [212.96.64.156]
   X-Envelope-From: service @hsbc.co.uk
   From:"HSBC.co.uk" <service @hsbc.co.uk>
Subject: Unable to process your most recent Payment

Received: from hsbc.co.uk ([125.60.156.172]
   X-Envelope-From: service @hsbc.co.uk
   From: "HSBC.co.uk" <service @hsbc.co.uk>
Subject: Unable to process your most recent Payment

Received: from 226.subnet118-97-45.astinet.telkom.net.id [118.97.45.226]
   X-Envelope-From: service @hsbc.co.uk
   From: "HSBC.co.uk" <service @hsbc.co.uk>
Subject: Unable to process your most recent Payment
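The header samples above (both the Bank of America / fiserv.com set and the HSBC set) show the same pattern: a HELO name that is either the bare bank domain or a consumer reverse-DNS name, an envelope sender that does not match the From: domain, and a consumer-line IP. The script below is an added example, not code from this page or from THL; it parses fragments in the layout quoted here (multi-line or run together on one line, with the page's "user @domain" spacing) and reports those three indicators. The Tunisia and Mozambique fragments are copied from the page; the clean message is constructed (RFC 5737 address, .test domain) to show the checks staying quiet on a sane header set. A domain mismatch alone is only an indicator, since legitimate bill-pay providers do send on a bank's behalf, so the findings are meant to feed a score or a triage queue rather than stand as a verdict.

```python
"""Flag sender-spoofing indicators in header fragments like the ones on this page."""
import re

# Header names that appear in the page's samples; longer names first so
# "X-Envelope-From:" is never split as a bare "From:".
HEADER_RE = re.compile(
    r"\b(Received|X-Barracuda-Envelope-From|X-Envelope-From|From|Subject):"
)
# "from <helo-name> ([ip" or "from <helo-name> [ip"
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+[\(\[]+(\d{1,3}(?:\.\d{1,3}){3})")
ADDR_RE = re.compile(r"([\w.+-]+)@([\w.-]+)")


def parse_headers(raw):
    """Split a fragment (multi-line or on one line) into {name: value}.
    The page writes addresses as 'user @domain' to defeat harvesters;
    that spacing is undone first."""
    parts = HEADER_RE.split(raw.replace(" @", "@"))
    # parts = [text before first header, name1, value1, name2, value2, ...]
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}


def parse_received(value):
    """Return (HELO/EHLO name, connecting IP) from a Received value, or (None, None)."""
    m = RECEIVED_RE.search(value)
    return (m.group(1).lower(), m.group(2)) if m else (None, None)


def addr_domain(value):
    """Domain of the last e-mail address in a header value, lower-cased."""
    m = ADDR_RE.findall(value)
    return m[-1][1].lower() if m else None


def octets_in_hostname(host, ip):
    """True when the reverse name merely encodes the client's IP (forward or
    reversed octets): generic rDNS of a consumer line, not a mail gateway."""
    octets = ip.split(".")
    flat = host.replace(".", "-")
    return "-".join(octets) in flat or "-".join(reversed(octets)) in flat


def spoof_indicators(raw):
    """Return a list of findings; an empty list means nothing was flagged."""
    h = parse_headers(raw)
    findings = []
    helo, ip = parse_received(h.get("Received", ""))
    env_dom = addr_domain(h.get("X-Envelope-From") or h.get("X-Barracuda-Envelope-From") or "")
    from_dom = addr_domain(h.get("From", ""))
    if env_dom and from_dom and env_dom != from_dom:
        findings.append(f"envelope sender domain {env_dom} differs from From: domain {from_dom}")
    if helo and env_dom:
        if helo == env_dom:
            findings.append(f"HELO is the bare sender domain {helo}, not an MTA hostname")
        elif not helo.endswith("." + env_dom):
            findings.append(f"HELO name {helo} is outside the envelope sender domain {env_dom}")
    if helo and ip and octets_in_hostname(helo, ip):
        findings.append(f"HELO name {helo} is generic reverse DNS for client IP {ip}")
    return findings


# Two fragments copied from this page's header samples ...
SAMPLE_TUNISIA = """Received: from fiserv.com ([197.7.60.118] (Tunisia)
   X-Envelope-From: service @fiserv.com
   From:"Bank of America" <bill.payment @bankofamerica.com>
Subject: Unable to process your most recent Payment"""

SAMPLE_MOZAMBIQUE = (
    "Received: from cust33-246-249-197.netcabo.co.mz [197.249.246.33] (Mozambique) "
    "X-Barracuda-Envelope-From: notification @fiserv.com "
    'From: "Bank of America" <bill.payment @bankofamerica.com> '
    "Subject: Unable to process your most recent Payment"
)

# ... and one constructed clean message for contrast (RFC 5737 address, .test domain).
SAMPLE_CLEAN = """Received: from mx1.example-bank.test [203.0.113.5]
X-Envelope-From: alerts@example-bank.test
From: "Example Bank" <alerts@example-bank.test>
Subject: Your statement is ready"""

if __name__ == "__main__":
    for label, raw in [("Tunisia", SAMPLE_TUNISIA), ("Mozambique", SAMPLE_MOZAMBIQUE),
                       ("clean", SAMPLE_CLEAN)]:
        print(label, spoof_indicators(raw) or ["no indicators"])
```

The Tunisia fragment yields two findings (domain mismatch, bare-domain HELO), the Mozambique fragment three (mismatch, HELO outside the sender domain, octets embedded in the reverse name), and the constructed clean message none. Reverse-name and HELO checks can be made exact rather than heuristic by adding a DNS lookup of the connecting IP and an SPF evaluation of the envelope domain, which this offline version deliberately omits.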

Attachment example for HSBC versions:

HSBC_Payment_2839181.zip containing HSBC_Payment_2839181.exe

VirusTotal report: here

ESET-NOD32      a variant of Win32/Kryptik.BATA
AntiVir         TR/Crypt.XPACK.Gen5
Fortinet        W32/Kryptik.AGAJ!tr

6 November 2013 version: HSBC_Payment_06112013.zip containing Payment_06112013.exe

VirusTotal report: here

ESET-NOD32      Win32/TrojanDownloader.Small.AAB
Kaspersky       UDS:DangerousObject.Multi.Generic
Malwarebytes    Trojan.Email.FA
TrendMicro      TROJ_GEN.F0D1H00K613
Norman          Small.LT
AVG             Generic_r.DDF
McAfee          Artemis!DCA1C11AA0C5

Malwr.com report: here

Starts servers listening on 0.0.0.0:0, 0.0.0.0:8289, 0.0.0.0:9240
Performs some HTTP requests
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Operates on local firewall's policies and settings
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup

Contacts via tcp:
bethexfactor2010.com 184.154.15.188
