International Wire Transfer File Not Processed - virus


Email:

Another fake Wells Fargo wire transfer notification email claims "we are unable to process your International Wire Transfer request" and carries a virus in the attached zip.

Spoofs ofsrep.ceoemigw @wellsfargo.com, payment.advice @hsbc.co.uk, and service @fiserv.com.


Subject: International Wire Transfer File Not Processed

We are unable to process your International Wire Transfer 
request due to insufficient funds in the identified account.

Review the information below and contact your Relationship
Manager if you have questions, or make immediate arrangements
to fund the account. If funds are not received by 04/12/2013
03:00 pm PT, the file may not be processed.

Please view the attached file for more details on this transaction.

Any email address changes specific to the Wire Transfer Service
should be directed to Treasury Management Client Services at
1-800-AT-WELLS (1-800-289-3557).

Event Message ID: S844-6756092

Date/Time Stamp: Fri, 12 Apr 2013 18:46:54 +0330

--------------------------------------------------------
Please do not reply to this email; this mailbox is only for delivery of
Event Messaging notices. To ensure you receive these notices, add
ofsrep.ceoemigw @wellsfargo.com to your address book.

For issues related to the receipt of this message,
call toll free 1-800-AT-WELLS (1-800-289-3557) Monday through
Friday between 4:00 am and 7:00 pm and Saturday between
6:00 am and 4:00 pm Pacific Time.

Customers outside the U.S. and Canada may contact their
local representative's office, or place a collect call
to Treasury Management Client Services at 1-704-547-0145.

Please have the Event Message ID available when you call.


Headers sample:

Spoofs wellsfargo.com in From headers. Many others in Envelope and Helo, like hsbc.co.uk, aexp.com, and fiserv.com.


Received: from hsbc.co.uk [194.33.124.204]
X-Envelope-From: payment.advice @hsbc.co.uk
From: "Wells Fargo Event Messaging Admin" <ofsrep.ceoemigw @wellsfargo.com>
Subject: International Wire Transfer File Not Processed

Received: from fiserv.com [68.71.106.190]
X-Envelope-From: service @fiserv.com
From: "Wells Fargo Event Messaging Admin" <ofsrep.ceoemigw @wellsfargo.com>
Subject: International Wire Transfer File Not Processed

Received: from net-207-58-231-202.arpa.fidelityaccess.net [207.58.231.202]
X-Envelope-From: service @fiserv.com
From: "Wells Fargo Event Messaging Admin" <ofsrep.ceoemigw @wellsfargo.com>
Subject: International Wire Transfer File Not Processed

Received: from c-69-142-228-175.hsd1.pa.comcast.net [69.142.228.175]
X-Envelope-From: payment.advice @hsbc.co.uk
From: "Wells Fargo Event Messaging Admin" <ofsrep.ceoemigw @wellsfargo.com>
Subject: International Wire Transfer File Not Processed

Received: from LCaen-156-54-45-29.w80-11.abo.wanadoo.fr [80.11.184.29]
X-Envelope-From: fraud @aexp.com
From: "Wells Fargo Event Messaging Admin" <ofsrep.ceoemigw @wellsfargo.com>
Subject: International Wire Transfer File Not Processed

Received: from rrcs-173-196-166-158.west.biz.rr.com [173.196.166.158]
X-Envelope-From: service @fiserv.com
From: "Wells Fargo Event Messaging Admin" <ofsrep.ceoemigw @wellsfargo.com>
Subject: International Wire Transfer File Not Processed

Received: from static-173-70-114-236.nwrknj.fios.verizon.net[173.70.114.236]
X-Envelope-From: service @fiserv.com
From: "Wells Fargo Event Messaging Admin" <ofsrep.ceoemigw @wellsfargo.com>
Subject: International Wire Transfer File Not Processed

Received: from mail.sodus.com[24.97.97.106]
X-Envelope-From: payment.advice @hsbc.co.uk
From: "Wells Fargo Event Messaging Admin" <ofsrep.ceoemigw @wellsfargo.com>
Subject: International Wire Transfer File Not Processed
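An added example (not from the original post) of the header check the notes above describe: it parses excerpts like the ones listed, compares the From domain against the envelope sender and the HELO name, and reports each mismatch. The sample excerpts are copied from above; the page's defanging space before "@" is stripped during parsing.

```python
import re
from email.utils import parseaddr
# Constructed sample: two of the header excerpts quoted above, Subject omitted,
# keeping the page's defanging space before "@" (parse_block strips it again).
SAMPLE_HEADERS = """\
Received: from hsbc.co.uk [194.33.124.204]
X-Envelope-From: payment.advice @hsbc.co.uk
From: "Wells Fargo Event Messaging Admin" <ofsrep.ceoemigw @wellsfargo.com>

Received: from c-69-142-228-175.hsd1.pa.comcast.net [69.142.228.175]
X-Envelope-From: payment.advice @hsbc.co.uk
From: "Wells Fargo Event Messaging Admin" <ofsrep.ceoemigw @wellsfargo.com>
"""
RECEIVED_RE = re.compile(r"^Received: from (\S+)\s*\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_block(block):
    """One header excerpt -> dict with helo, ip, from, x-envelope-from, ..."""
    fields = {}
    for line in block.splitlines():
        m = RECEIVED_RE.match(line)
        if m:  # HELO name and connecting IP from the Received line
            fields["helo"], fields["ip"] = m.group(1).lower(), m.group(2)
            continue
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip().replace(" @", "@")
    return fields

def domain_of(addr):  # lower-cased domain of '"Name" <user@host>'
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def under(host, domain):  # host is the domain itself or a subdomain of it
    return host == domain or host.endswith("." + domain)

def spoof_indicators(fields):
    """Mismatches a mail filter would flag for one header excerpt."""
    from_dom = domain_of(fields.get("from", ""))
    env_dom = domain_of(fields.get("x-envelope-from", ""))
    helo = fields.get("helo", "")
    findings = []
    if env_dom and env_dom != from_dom:
        findings.append(f"envelope sender {env_dom} != From domain {from_dom}")
    if helo and not under(helo, from_dom):
        findings.append(f"HELO {helo} not under From domain {from_dom}")
    if helo and env_dom and not under(helo, env_dom):
        findings.append(f"HELO {helo} not under envelope domain {env_dom}")
    return findings

def analyse(headers_text):
    blocks = [b for b in headers_text.strip().split("\n\n") if b.strip()]
    return [spoof_indicators(parse_block(b)) for b in blocks]
```

Every excerpt on this page trips at least the first two checks, which is why the From header alone is not a trustworthy signal.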

Attachment example:

April 2013

Report_04122013.zip containing Report_04122013.exe

VirusTotal report: here

McAfee        Ransom-FBMX!8E2713C692CB
Malwarebytes  Malware.Packer.EGX1
Sophos        Mal/FakeAV-OY
ESET-NOD32    a variant of Win32/Kryptik.AYQJ

12 November 2013

WireTransferError.zip containing WireTransferError.exe

VirusTotal report: here

Fortinet      W32/Small.BS!tr.dldr
Kaspersky     UDS:DangerousObject.Multi.Generic
AhnLab-V3     Trojan/Win32.Zbot
Malwarebytes  Trojan.Dropper
Sophos        Mal/EncPk-ZC
McAfee-GW     Heuristic.LooksLike.Win32.Suspicious.J!81
ESET-NOD32    a variant of Win32/Kryptik.BORN

Malwr.com report: here

Starts servers listening on 0.0.0.0:0, 0.0.0.0:6774, 0.0.0.0:1256
Performs some HTTP requests
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Operates on local firewall's policies and settings
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup

Contacts via TCP:
ax100.net 216.157.85.11

From the PCAP file, UDP traffic:

These addresses had back-and-forth UDP communications.

These addresses were sent UDP but never answered back.
