Hearing of your case in Court NR#... - Virus


Email:

A fake Notice to Appear in court claims you need to bring all documents and witnesses. Later versions are styled as a pretrial notice and say you are a defendant in a case such as illegal software use.

The attached zip file contains an .exe trojan.

Spoofs some law firm domain like jonesday.com, lw.com, mwe.com, hoganlovells.com, skadden.com, gibsondunn.com, cov.com, bakerbotts.com, orrick.com, bryancave.com, perkinscoie.com, alston.com, dechert.com, sullcrom.com, or seyfarth.com in headers.

This is an Asprox botnet email spreading Kuluoz / Dofoil malware.

Jones Day / Latham & Watkins / Hogan Lovells / McDermott Will & Emery / Skadden, Arps, Slate, Meagher & Flom / Gibson Dunn / Covington & Burling / Baker Botts / Orrick, Herrington & Sutcliffe / Bryan Cave / Perkins Coie / Alston & Bird / Dechert / Sullivan & Cromwell / Seyfarth Shaw are real law firms; these emails are NOT from them.

On 11 March 2014, there was a series of copy-cat "notice to appear in court" emails that basically copied this series. Different botnet, different malware. And once again, Asprox was doing it before it was cool.


Subject: Hearing of your case in Court NR#3578

Subject: Urgent court notice NR#86455

Subject: Notice to appear in court NR#9530

Subject: Notice of appearance in court NR#1376

Subject: #Notice of appearance in court Order 9236

Subject: #Notice to appear in court Order 6435

Subject: #Urgent court notice Order 91995

Notice to Appear,

Hereby you are notified that you have been scheduled to appear for your hearing that
will take place in the court of Washington in January 19, 2014 at 10:00 am.

Please bring all documents and witnesses relating to this case with you to Court on your hearing date.

The copy of the court notice is attached to this letter.
Please, read it thoroughly.

Note: If you do not attend the hearing the judge may hear the case in your absence.

Yours truly,
Ruth Mason
Clerk to the Court.

Court_Notice_Jones_Day_Wa#5837.zip (118)

Other clerk names: (These are a LOT like the Beauty Contest Winner CV emails)

Chloe Smith
Ruth Tailor
Ruth Mason
Karen Tailor
Alena Mason
Emily Mason
Dorothy Smith
Evie Tailor
Alison Tailor
Maria Mason
Helen Mason
Bruce Tailor <-- well... except that guy.

Subject: Notice to appear in court No#6938

Hereby you are informed that you are due in the court of New York
on the 12 of January, 2014 at 09:00 am for the hearing of your case.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.

Please, download the copy of the court notice attached herewith to read the details.
Note: The case may be heard by the judge in your absence if you do not come.

Yours truly,
Thompson Gonzalez
Clerk to the Court.

Court_Notice_Latham_and_Watkins__NY82569.zip (121)

Subject: Notice of appearance in court CH#6016

Notice to appear,

Hereby you are notified that you are expected
in Chicago Court for the hearing of you case in January 21, 2014.

Enclosed please find the copy of the court notice for the case mentioned above.
Attendance compulsory.

Yours very truly,
BOONE Goff
Clerk of court.

Court_Notice_Chicago_CN03514.zip (122)

Subject: Urgent court notice No67075

Notice to Appear in Court,

This is to advise that you are required to attend
the court of Los Angeles in January 9, 2014 for the hearing of your case.

Please, kindly prepare and bring the documents related to this case to Court on the date mentioned above.
Attendance is compulsory.

The copy of the court notice is attached to this letter, please, download and read it thoroughly.

FISCHER MADDOX
Clerk to the Court.

Court_Notice_Los_Angeles_No7507.zip (145)

Subject: #Notice to appear in court NO1441-111

Notice to appear,

Hereby you are notified that you are expected
in St. Louis Court for the hearing of your case in January 8, 2014.

Enclosed please find the copy of the court notice for the case mentioned above.
Attendance compulsory.

Yours very truly,
FAULKNER HENRY
Clerk of court.

03_12_14_Court_Notice_St._Louis_9649.zip (115)

Subject: #Hearing of your case in Court 60567

Subject: Illegal software use #order #No908

Subject: Judicial summons No6186

Subject: Pretrial notice No3866

Pretrial notice,

Hereby we inform that you are obliged to come as a defendant
to The Court of Louisiana in February 26, 2014 at 09:00 a.m.
for the hearing of your case of illegal software use.
If necessary you have a right to obtain a lawyer for your protection.

You are kindly asked to have an identity document with you.
Personal appearance is compulsory.

Please find the plaint note with more detailed case information
attached to this letter and study it thoroughly.

Court clerk,
Isabella Mason

Plaint Note_06_01_2014_No8100.zip (113)


Notice of appearance,

You are hereby notified that you are required to attend
the court of Chicago in January 11, 2014 as a defendant
for the hearing of a pirated software case.

Compulsory attendance.
You may have the services of a lawyer, if necessary.
Failure to appear may result in the imposition of sanctions.

More detailed information regarding the case can be found attached to this letter.

Court agent,
Susan Mason

10-01-2014_Notice_of_Appearanc_Information_No56686.zip (112)

Subject: Notice of court attendance No7305

Court hearing notice.

As a defendant you have been scheduled
to attend the hearing in the Court of New York.
Hearing date: 28 January 2014
Hearing time: 9:00 a.m.

Hearing subject: illegal use of software.
Prior to the court thoroughly study the plaint note in the attachment to this mail.

Sincerely,
Court agent,
Mary Mason

Plaint_Note_US_Copy_N2275.zip (147)

Header Examples:

Spoofs a specific law firm domain, such as jonesday.com, lw.com, hoganlovells.com or mwe.com, in the From, Envelope-From and HELO. The campaign rotates through several domains, but within a single email all three are consistent. This is an Asprox email, not sloppy like the Cutwails.

Received: from jonesday.com [134.174.110.13]
X-Envelope-From: support.3 @jonesday.com
From: "Notice to Appear" <support.3 @jonesday.com>
Subject: Hearing of your case in Court NR#3578

Received: from lw.com (107-1-82-218-ip-static.hfc.comcastbusiness.net) [107.1.82.218]
X-Envelope-From: aa.support254 @lw.com
From: "Notice to Appear" <aa.support254 @lw.com>
Subject: Notice to appear in court No#6938

Received: from hoganlovells.com (mail.wwgroup.com) [24.172.186.234]
X-Barracuda-Envelope-From: ticket_864 @hoganlovells.com
From: "Notice to Appear" <ticket_864 @hoganlovells.com>
Subject: Hearing of your case in Court WA#7468

Received: from mwe.com (207-255-147-117-static.bfd.pa.atlanticbb.net) [207.255.147.117]
X-Envelope-From: support918 @mwe.com
From: "Notice to Appear" <support918 @mwe.com>
Subject: Urgent court notice CH#73786

Received: from skadden.com (rrcs-24-103-145-83.nys.biz.rr.com) [24.103.145.83]
X-Envelope-From: aa.support047 @skadden.com
From: "Notice to Appear" <aa.support047 @skadden.com>
Subject: Notice of appearance in court NY7699

Received: from gibsondunn.com (207-192-225-146.npg.sta.suddenlink.net) [207.192.225.146]
X-Envelope-From: no_reply @gibsondunn.com
From: "Notice to Appear" <no_reply @gibsondunn.com>
Subject: Urgent court notice No67075

Received: from cov.com (cpe-75-81-4-22.kc.res.rr.com) [75.81.4.22]
X-Envelope-From: support.3 @cov.com
From: "Court Notice WA" <support.3 @cov.com>
Subject: Hearing of your case in Court ID3903

Received: from bakerbotts.com (kmc_public_1.kmcnetwork.org) [204.110.16.10]
X-Envelope-From: service @bakerbotts.com
From: "Notice to Appear" <service @bakerbotts.com>
Subject: #Notice to appear in court Order 6119

Received: from orrick.com (d72-39-199-65.home1.cgocable.net) [72.39.199.65]
X-Envelope-From: notice737 @orrick.com
From: "Court Notice Orrick" <notice737 @orrick.com>
Subject: Notice of appearance in court N#4250-674

Received: from bryancave.com [70.65.247.180]
X-Envelope-From: support546 @bryancave.com
From: "Court Notice BK" <support546 @bryancave.com>
Subject: #Notice to appear in court NO1441-111

Received: from perkinscoie.com (customer-187-216-125-115.uninet-ide.com.mx) [187.216.125.115]
X-Envelope-From: notice512 @perkinscoie.com
From: "Court attendance notification" <notice512 @perkinscoie.com>
Subject: Illegal software use #order #No908

Received: from alston.com (mail.gothamsales.com) [173.15.171.58]
X-Envelope-From: help.support016 @alston.com
From: "Pretrial Notice" <help.support016 @alston.com>
Subject: Court notification No726

Received: from dechert.com (mail.medvetohio.com) [74.218.67.50]
X-Envelope-From: information @dechert.com
From: "Illegal software" <information @dechert.com>
Subject: Judicial summons ID8906

Received: from sullcrom.com (173-161-7-6-Illinois.hfc.comcastbusiness.net) [173.161.7.6]
X-Envelope-From: notice_support.4 @sullcrom.com
From: "Pretrial Notice" <notice_support.4 @sullcrom.com>
Subject: Illegal software use #number #N#130

Received: from seyfarth.com [69.80.69.226]
X-Envelope-From: support.5 @seyfarth.com
From: "Notice of Appearance" <support.5 @seyfarth.com>
Subject: Judicial summons No3354

An interesting artifact: the NetBIOS name of the infected Windows computer appears after the @ in the Message-ID header:

Message-ID: <002401cefff99e3a2b782000000a @jacques-pc>
Message-ID: <002b01cf000e988a97980201a8c0 @CATHY-DESKTOP>
Message-ID: <000901cefff0a1423b818114a8c0 @SCHEDULING2>
Message-ID: <002601cefff6d33f57cc4db366ae @Owner-PC>
Message-ID: <002801cefff9249b166a0400a8c0 @PickeringComp>
Message-ID: <000e01cf0015b42fb3289101a8c0 @JackBrenner-PC>
Message-ID: <000d01cf000c8b2775bc1200000a @JOHN-PC>
Message-ID: <000b01cf002f$3de2c406$0401a8c0 @JaneikaSweet-PC>
Message-ID: <002501cf002f4cf202eb53e77018 @robertandmel-PC>
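To make the header consistency and the Message-ID artifact concrete, here is an added Python check that is not part of the original post: it reads one message's headers, confirms that HELO, envelope sender and From agree on one of the spoofed firm domains, flags the mismatch against the sending host's reverse DNS, and pulls the NetBIOS name out of the Message-ID. The sample headers are constructed from the excerpts above with the extraction spaces removed, and the SPOOFED set is taken from the domains listed in this post.

```python
import re

# Constructed sample headers, modelled on the excerpts quoted in this post.
# (The "user @domain" spacing in the post is extraction noise; real headers have none.)
SAMPLE = """\
Received: from lw.com (107-1-82-218-ip-static.hfc.comcastbusiness.net) [107.1.82.218]
X-Envelope-From: aa.support254@lw.com
From: "Notice to Appear" <aa.support254@lw.com>
Subject: Notice to appear in court No#6938
Message-ID: <002b01cf000e988a97980201a8c0@CATHY-DESKTOP>
"""

# Spoofed firm domains named in the post; in production this would be your own list of
# domains that never legitimately relay through residential or small-business IPs.
SPOOFED = {"jonesday.com", "lw.com", "mwe.com", "hoganlovells.com", "skadden.com",
           "gibsondunn.com", "cov.com", "bakerbotts.com", "orrick.com", "bryancave.com"}

RECEIVED_RE = re.compile(r"^Received: from (\S+)(?: \(([^)]+)\))? \[([\d.]+)\]", re.M)
HEADER_RE = re.compile(r"^(X-Envelope-From|From|Message-ID): (.*)$", re.M)


def domain_of(addr):
    """Domain part of an address header value, lower-cased, or None."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else None


def analyze(text, spoofed=SPOOFED):
    """Fingerprint one message's headers and decide whether the HELO domain is spoofed."""
    fields = {k: v.strip() for k, v in HEADER_RE.findall(text)}
    m = RECEIVED_RE.search(text)
    helo, rdns, ip = m.groups() if m else (None, None, None)
    # Asprox keeps HELO, envelope sender and From all on the same spoofed domain.
    claimed = {helo.lower() if helo else None,
               domain_of(fields.get("X-Envelope-From")),
               domain_of(fields.get("From"))} - {None}
    consistent = len(claimed) == 1 and next(iter(claimed)) in spoofed
    # The claimed firm domain never matches the sending host's reverse DNS (if it has any).
    spoofed_helo = consistent and not (rdns or "").lower().endswith(next(iter(claimed)))
    # The infected sender's NetBIOS name rides along after the '@' in Message-ID.
    mid = re.search(r"@([^>]+)>", fields.get("Message-ID", ""))
    return {
        "claimed_domain": next(iter(claimed)) if consistent else None,
        "sending_ip": ip,
        "rdns": rdns,
        "spoofed_helo": spoofed_helo,
        "netbios_name": mid.group(1) if mid else None,
    }
```

The sending IP and NetBIOS name together give a responder enough to find the infected machine behind a NAT, which is the practical use of this artifact.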

Attachment / Link Samples:

Asprox generates a new variant of the same trojan on a time schedule, so chances are the one you get will be new-ish but with the same basic capabilities. The same attachment may be under several different emails, or one email series may have several versions of the attachment. Basically, what I'm saying is that the name of the attachment doesn't really matter at all.

Court_Notice_Jones_Day_Wa#8271.zip containing Court_Notice_Jones_Day_Washington.exe

Court_Notice_Latham_and_Watkins_NY82569.zip containing Court_Notice_Latham_and_Watkins__New_York.exe

Court_Notice_Hogan_Lovells_WA54120.zip containing Court_Notice_Hogan_Lovells_WA_Washington.exe

Court_Notice_Chicago_CN42172.zip containing Court_Notice_Chicago_McDermott_Will_and_Emery.exe

Court_Notice_NY_MF_N3037.zip containing Court_Notice_NY_Meagher_and_Flom.exe  (The Skadden.com version)

Court_Notice_Los_Angeles_No7507.zip containing Court_Notice_Los_Angeles_Gibson_Dunn_and_Crutcher.exe

Document_Court_Notice_ID94184.zip containing Court_Notice_Covington_and_Burling.exe

Court_Notice_Document_ID56000.zip containing Document_Court_Notice_Baker_Botts_www.bakerbotts.com.exe

02_12_2014_Court_Notice_N#1354.zip containing 02_12_2014_Court_Notice_San_Francisco_USA.exe (The Orrick.com version)

03_12_14_Court_Notice_St.Louis_9649.zip containing 03_12_2014_Court_Notice_St._Louis.exe (The BryanCave.com version)

Plaint Note_06_01_2014_No8100.zip containing Plaint Note_06_01_2014_document.exe (The perkinscoie.com version)

Plaint_Note_Document_06_01#9918.zip containing Plaint Note_07_01_2014_Atlanta.exe (The alston.com version)

Plaint_Note_No7929_Georgia_2014.zip containing Plaint_Note_08_01_Georgia_2014.exe (The dechert.com version)

Pretrial-Notice_09-01-2014_N58021.zip containing Pretrial-Notice_US_NY_document_09-01-2014.exe (The sullcrom.com version)

10-01-2014_Notice_of_Appearanc_Information_No56686.zip containing 10-01-2014_Notice_of_Appearanc_Information.exe (The seyfarth.com version)

23 December 2013

VirusTotal report | Malwr.com report 

VirusTotal report | Malwr.com report | File-Analyzer.net report

24 December 2013

VirusTotal report | Malwr.com report | File-Analyzer.net report

30 December 2013

VirusTotal report | Malwr.com report | File-Analyzer.net report 

3 January 2014

VirusTotal report

AhnLab-V3 Trojan/Win32.Zbot
Commtouch W32/Trojan.XVJP-5951
F-Prot W32/Trojan3.GZX
Fortinet W32/Zbot.FG!tr
Kaspersky Trojan-Downloader.Win32.Dofoil.rti
McAfee Artemis!8D8B643753FE
Rising PE:Malware.FakeDOC@CV!1.9C3C
Symantec Trojan.Fakeavlock

Malwr report

Checks for the presence of known windows from debuggers and forensic tools

File-Analyzer.net report

Networking: Contains functionality to download additional files from the internet
Remote Access Functionality: functionality to open a port and listen for incoming connection (backdoor)
Drops: C:\Documents and Settings\Administrator\Local Settings\Application Data\gxgvabpe.exe
Data Obfuscation: packed or encrypted data
HIPS / PFW / Operating System Protection Evasion
Anti Debugging: Checks for kernel debuggers, Creates guard page
VM Detection: Binary/memory string: VBoxTray.exe, HARDWARE\ACPI\DSDT\VBOX__, VMwareDragDetWndClass
Hooking and other Techniques for Stealthness and Protection
AV process strings found: Binary or memory string: wireshark.exe
System Detection: Queries the cryptographic machine GUID / installation date / volume information

More about Asprox

Kimberly at StopMalvertising.com on asprox

Michal Ambroz at Rebus Snippets on asprox

Herrcore's post on asprox

What happens when Asprox has control of your computer?

Among other things:

  Your computer can be used to spam more people with malware.

  Your computer can be used to commit advertisement fraud.

Samples provided to Clam AV and Microsoft Security when this article was created.
