TROJ_YABE Again…

A new TROJ_YABE variant is currently making the rounds on the net. We managed to get a copy of the sample email. Please see below.


The email is in German and, since I don't read German, a Babel Fish translation of the email body is given below.

———————————————-

eBay reference to changed E-Mail address
Dear eBay member,

Thank you for your request to change your e-mail address. The instructions for changing your account were sent to your new e-mail address.

If the change of your e-mail address was not made by you, then immediately follow the instructions described in the attached PDF document!

As soon as the procedure is finished, your e-mails from eBay will no longer be delivered to this e-mail address.

If you did not make this change, please first ask family members and other persons who possibly have access to your member account. If you believe that an unauthorized person changed your e-mail address, then follow the instructions described in the attached PDF file.

Thank you,
eBay
———————————————-


As you have probably already guessed, this malware disguises itself as a PDF document in order to fool users into executing the attachment.


The email attachment is Ebay.pdf.exe, which carries a PDF icon, as shown below.


As part of its social engineering, Ebay.pdf.exe pops up a message box saying that an error has occurred in Acrobat 6, making the user believe that the attachment is merely a corrupted PDF file and not a trojan.
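The Ebay.pdf.exe trick works because Windows Explorer hides known extensions by default, so the name displays as "Ebay.pdf" next to the PDF icon. The following check is an added example written for this post (not code from the original article or from any vendor): it flags attachments whose name uses a document-style inner extension with an executable outer extension, and separately flags content that is a Windows PE image (starts with "MZ") under a non-executable name. The extension lists and the sample attachments are constructed assumptions, not data from the campaign.

```python
"""
Added example (not from the original post): flag e-mail attachments that use the
Ebay.pdf.exe trick, i.e. a document-looking name whose real extension is executable,
or whose bytes are a Windows PE image regardless of what the name claims.
"""

# Extensions Windows will execute on double-click (assumption: practical, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# Extensions a user would expect to be harmless documents or images.
DOCUMENT_EXTS = {".pdf", ".doc", ".xls", ".txt", ".jpg", ".gif", ".png", ".htm", ".html"}


def split_all_extensions(filename):
    """Return every extension in the name, lowercased: 'Ebay.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify_attachment(filename, content):
    """Return a list of reasons the attachment is suspicious (empty list means nothing found)."""
    reasons = []
    exts = split_all_extensions(filename)
    final_ext = exts[-1] if exts else ""
    inner_exts = exts[:-1]

    # 1. Double extension: "something.pdf.exe". The user sees "pdf", Windows runs "exe".
    if final_ext in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in inner_exts):
        reasons.append("document-style name with executable extension: " + filename)
    # 2. Any plain executable attachment from an untrusted sender deserves a look anyway.
    elif final_ext in EXECUTABLE_EXTS:
        reasons.append("executable attachment: " + filename)

    # 3. Content check: a PE image starts with 'MZ', a PDF with '%PDF-'. A name that
    #    promises a document but carries MZ bytes is lying about its type.
    if content[:2] == b"MZ" and final_ext not in EXECUTABLE_EXTS:
        reasons.append("PE image (MZ header) under non-executable name: " + filename)
    if final_ext == ".pdf" and not content.startswith(b"%PDF-"):
        reasons.append("claims .pdf but content lacks %PDF- header: " + filename)

    return reasons


# Constructed samples (not real malware): a minimal MZ stub and a minimal PDF header.
SAMPLES = {
    "Ebay.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,   # the trick described in the post
    "Ebay.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",    # a genuine-looking PDF
    "report.pdf": b"MZ\x90\x00" + b"\x00" * 60,     # an executable simply renamed to .pdf
    "notes.txt": b"just text",                      # harmless
}


def scan(samples):
    """Run classify_attachment over a {filename: bytes} mapping."""
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(name, "->", reasons or "ok")
```

Note that the content check catches the case the filename check cannot: an executable renamed to a single ".pdf" extension looks clean by name alone, but still begins with the MZ signature. Neither check replaces an AV scan; they are cheap gateway filters for a mail relay.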


Unknown to the user, Ebay.pdf.exe has by then already connected to the internet and downloaded a text file from one of these locations:



  • http://[BLOCKED].com/language/lang_english/lan.txt
  • http://[BLOCKED]/more.txt
  • http://[BLOCKED]ges/sidebar/f02.txt
  • http://[BLOCKED]ix/Picture.txt
  • http://[BLOCKED]b.com.pl/stat.txt

These text files contain an encrypted copy of the URL of another trojan, a file named 6.exe, which Ebay.pdf.exe then downloads. That file in turn drops a BHO (Browser Helper Object) spyware component.


All files mentioned in this blog entry have already been given to the service team for processing.