
Email:

Fake email claiming to be a CV or resume from a girl who wins beauty contests and signs with kisses; it says her photos are attached. Sadly, this is not the case.

Attached zip contains an exe virus or trojan horse.

Random junk headers?

This was one of the first "new model" Asprox trojan emails that started around December 2013. Asprox trojans are often called Kuluoz or Dofoil.


Subject:  Please look my CV

Subject: my documents and passport scans

Subject: Please look my CV. Thank you

Subject: My CV

Hello,

I sent you my detailed CV.
I hope you will like me

I am the winner of different beauty contests.
My photos are added as images in the document,

I need this job very much.
Waiting for your soonest reply,

Kisses,
Dorothy Smith

My_CV_Please_Look_Job_ID2689.zip (115)


Good Day!

Let me introduce myself.
I am the winner of various beauty contests
and the most beautiful girl on the coast.

And I really want to get a job from you.
I attach my CV where you can find links to my accounts
in social networks and see my photos.

Kisses,
Ava Smith

My_CV_document_social networks_ photos_2379.zip (107)

Other names:

Dorothy Smith
Jessica Mason
Amelia Tailor
Isabella Tailor
Amelia Mason
Donna Mason

Header Examples:

I'm not sure what they are going for with the headers, but they went through the trouble of using the same domain in From headers, Envelope headers, and HELO. It is nice to see some pride in workmanship now and then.

Received: from betterbirthfoundation.com [74.7.215.137]
X-Envelope-From: job9138 @betterbirthfoundation.com
From: "Job agent" <job9138 @betterbirthfoundation.com>
Subject: my documents and passport scans

Received: from monroeproperties.com (37-229-160-179-broadband.kyivstar.net) [37.229.160.179]
X-Envelope-From: job3620 @monroeproperties.com
From: "Job agent" <job3620 @monroeproperties.com>
Subject: Please look my CV

Received: from doortodoorservice.com (rrcs-98-100-23-50.central.biz.rr.com) [98.100.23.50]
X-Barracuda-Envelope-From: job0063 @doortodoorservice.com
From: "Job agent" <job0063 @doortodoorservice.com>
Subject: Please look my CV

Received: from blackbride.com (rrcs-50-74-176-226.nyc.biz.rr.com) [50.74.176.226]
X-Envelope-From: job0664 @blackbride.com
From: "Job agent" <job0664 @blackbride.com>
Subject: Please look my CV. Thank you

Received: from rubensteinre.com (mail.callcampbell.com) [68.185.51.110]
X-Envelope-From: job5921 @rubensteinre.com
From: "Job agent" <job5921 @rubensteinre.com>
Subject: documents and passport scans

Received: from sayco.com (cpe-67-250-114-28.hvc.res.rr.com) [67.250.114.28]
X-Envelope-From: job4820 @sayco.com
From: "Job agent" <job4820 @sayco.com>
Subject: My CV
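The traits visible in those headers (HELO, envelope sender and From: all on one domain, while the reverse DNS of the sending IP belongs to a home broadband or unrelated host; the "Job agent" display name; a jobNNNN local part) can be turned into a mail-gateway triage rule. The code below is an added example, not from the original post; the header block it parses is constructed to mirror the samples above, with the anti-harvesting space before "@" removed.

```python
import re

# Constructed header block modelled on the samples above (not a real capture).
SAMPLE_HEADERS = """\
Received: from monroeproperties.com (37-229-160-179-broadband.kyivstar.net) [37.229.160.179]
X-Envelope-From: job3620@monroeproperties.com
From: "Job agent" <job3620@monroeproperties.com>
Subject: Please look my CV
"""

RECEIVED_RE = re.compile(
    r"^Received: from (?P<helo>\S+)(?: \((?P<rdns>[^)\s]+)\))? \[(?P<ip>[\d.]+)\]", re.M)
ENVELOPE_RE = re.compile(r"^X-(?:Barracuda-)?Envelope-From: (?P<addr>\S+)", re.M)
FROM_RE = re.compile(r'^From: "(?P<name>[^"]*)" <(?P<addr>[^>]+)>', re.M)

def domain(addr):
    """Domain part of an e-mail address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()

def registrable(host):
    """Crude last-two-labels 'domain'; adequate for the .com/.net hosts seen here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(headers):
    """Return the names of the campaign indicators that fire on this header block."""
    hits = []
    rcv = RECEIVED_RE.search(headers)
    env = ENVELOPE_RE.search(headers)
    frm = FROM_RE.search(headers)
    if not (rcv and env and frm):
        return ["unparseable"]
    helo, rdns = rcv["helo"], rcv["rdns"]
    env_dom, from_dom = domain(env["addr"]), domain(frm["addr"])
    # The campaign aligns HELO, envelope sender and From: on one domain...
    if registrable(helo) == env_dom == from_dom:
        # ...but the sending host's reverse DNS belongs to someone else entirely.
        if rdns and registrable(rdns) != registrable(helo):
            hits.append("helo_rdns_mismatch")
    if frm["name"].strip().lower() == "job agent":
        hits.append("job_agent_display_name")
    if re.fullmatch(r"job\d{4}", env["addr"].split("@")[0]):
        hits.append("jobNNNN_local_part")
    return hits
```

A message that fires only one indicator is weak evidence; the three together match every sample on this page.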

Attachment / Link Samples:

December 2013

My_CV_Please_Look_Job_ID2689.zip containing My_CV_document________________________________.exe

I kid you not, that is a bunch of underscores.

VirusTotal report 

Fortinet W32/Zbot.FG!tr
Kaspersky UDS:DangerousObject.Multi.Generic
AhnLab-V3 Trojan/Win32.Kuluoz
Rising PE:Malware.FakeDOC@CV!1.9C3B
AVG Luhe.Fiha.A
Emsisoft Gen:Variant.Graftor.125242 (B)
BitDefender Gen:Variant.Graftor.125242
McAfee Artemis!EA83397E77E8

Malwr.com report 

Checks for the presence of known windows from debuggers and forensic tools

File-Analyzer.net report

Drops: C:\Documents and Settings\Administrator\Local Settings\Application Data\pdbhqjpk.exe
Data Obfuscation: Binary may include packed or encrypted data
HIPS / PFW / Operating System Protection Evasion
Anti Debugging
Virtual Machine: Binary or memory string: VBoxTray.exe VBoxService.exe VMware etc.
Hooking and other Techniques for Stealthness and Protection
AV process strings found: Binary or memory string: wireshark.exe
System Detection: Queries the volume information (name, serial number etc)

Another sample, with more network activity:

VirusTotal report  |  Malwr.com report 

17 February 2014

Around early February 2014, Asprox started padding every EXE uniquely, so that each one has a different hash and often scans as a "new" trojan. The sample YOU scan may therefore look different, but the basic purpose of the Asprox trojans is to gain control of the infected computer. For this reason, VirusTotal links are a little less useful here.

My_CV_document_social networks_ photos_2379.zip containing My_CV_document________________________.exe
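Both attachments follow the same recipe: a zip whose only member is an .exe named like a document, with a long run of underscores to push the extension out of view in a file dialog. Since the hashes change per sample (see above), the naming pattern is the more durable thing to check at the gateway. The code below is an added example, not from the original post; the zip it inspects is constructed in memory with an inert text member, not a real sample.

```python
import io
import re
import zipfile

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PAD_RE = re.compile(r"_{8,}")                      # long underscore filler before the extension
DOC_WORDS = ("cv", "document", "resume", "photo", "scan", "passport")

def build_zip(members):
    """Build an in-memory zip from {name: bytes}; used here to construct test attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed stand-in for the attachment: the member name mirrors the page's sample,
# but its content is harmless text rather than a binary.
SAMPLE_ZIP = build_zip({"My_CV_document________________________.exe": b"placeholder"})

def suspicious_members(zip_bytes):
    """Return (member_name, reasons) for every member that looks like a disguised executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            stem, dot, ext = name.rpartition(".")
            ext = ("." + ext).lower() if dot else ""
            reasons = []
            if ext in EXEC_EXTS:
                reasons.append("executable_extension")
                if any(w in stem.lower() for w in DOC_WORDS):
                    reasons.append("document_wording")      # "CV"/"document" naming an .exe
                if PAD_RE.search(stem):
                    reasons.append("underscore_padding")    # filler that hides the real extension
            if reasons:
                findings.append((name, reasons))
    return findings
```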

VirusTotal report 

Ad-Aware Trojan.Agent.BBVE
Avast Win32:Malware-gen
Commtouch W32/Trojan.KVLN-4202
ESET-NOD32 a variant of Win32/Kryptik.BVHE
Emsisoft Trojan.Agent.BBVE (B)
F-Prot W32/Trojan3.HMT
GData Trojan.Agent.BBVE
Kaspersky Backdoor.Win32.Androm.bntz
Qihoo-360 Malware.QVM20.Gen
Rising PE:Malware.FakeDOC@CV!1.9C3C
Sophos Mal/Zbot-PA
Symantec Suspicious.Cloud
VIPRE Trojan.Win32.Kuluoz.bb (v)

Malwr.com report 

File-Analyzer.net report

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Drops: C:\Documents and Settings\Administrator\Local Settings\Application Data\grumhvfm.exe
Binary may include packed or encrypted data
Checks for kernel debuggers
May tried to detect the virtual machine to hinder analysis
Binary or memory string: wireshark.exe
Queries the installation date of Windows

What happens when Asprox has control of your computer?

Among other things the computer can be used to:

Samples provided to Clam AV and Microsoft Security when this article was created.
