
markusg 12.02.2013 20:32

SPAM: Your BlackBerry ID has been created
 

Anyone who receives an email with the subject "Your BlackBerry ID has been created"
should forward it to us.

From: donotreply@blackberry.com (spoofed sender)
Subject: Your BlackBerry ID has been created

Hello,

You've created a BlackBerry ID! To enjoy the full benefits of your BlackBerry ID, please follow the instructions in the attached file

BlackBerry ID is your universal BlackBerry key. Here's what it offers:
- One sign in for all BlackBerry applications, services, and websites.
- Automatic transfer of some email accounts and services when you switch smartphones.
- Full access to all features in BlackBerry App World™ storefront.
- Protection of financial transactions using BlackBerry services.

You can learn more about BlackBerry ID by visiting https://blackberryid.blackberry.com/

The BlackBerry Team

This email has been automatically generated. Please do not reply to this email. If you have not previously indicated that you wish to receive emails from Research In Motion Limited and/or its affiliated companies regarding exclusive offers and updates about BlackBerry products and services and you would like to do so, please click here.

Research In Motion Limited, 295 Phillip St., Waterloo, Ontario, Canada, N2L 3W8
2012 Research In Motion Limited. All rights reserved. BlackBerry, RIM, Research In Motion and related trademarks, names and logos are the property of Research In Motion Limited and are registered and/or used in the U.S. and countries around the world.


Attached is:
BlackBerry Instructions.zip
About 33.4 KB in size

Scan result of the EXE file:
2013-02-12 18:44:50 UTC ( 1 Minute ago )
https://www.virustotal.com/file/01f9...is/1360749093/
MD5: 8b1586afea7b0f3a7b47689b0864bea7
SHA1: 51a0214588ef6ad0c7082e8b1e8da3f0673ac992
Detect: 29 / 45


This is the already known Backdoor.Andromeda.
A copy of the malware is dropped onto the system and started via the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
"10006" C:\DOKUME~1\ALLUSE~1\LOCALS~1\Temp\msexxazmu.pif
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run
"{EA1178B6-687E-CA32-BA95-58EB2E5E1C2E}"
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Oculq\segety.exe
This is a banking trojan (Zbot)
https://www.virustotal.com/file/e536...is/1360695724/
The malware connects to:
dudebox.pl/image.php
dyndin.ru/image.php
linebench.ru/image.php
petblog.pl/image.php
It is able to steal sensitive data and to download further malware.

Please note!
- Anyone who receives such an email, or a similar suspicious one, should forward it to us. http://markusg.trojaner-board.de
- Always read the emails you receive thoroughly.
- Anyone who has run the attachment should open a thread here in the forum.
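
A triage sketch for the autostart entries described in the post, as an added example that is not part of the original post: it parses saved `reg query` output and flags Run values that resemble the two entries quoted above. The sample input is constructed from the post's values plus an assumed benign ctfmon entry; the four heuristics and the function names are assumptions of this example, and hits still need manual review.

```python
import re

# Constructed sample in `reg query` output format. The first two values are the
# autostart entries quoted in the post; the ctfmon line is an assumed benign one.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    10006    REG_SZ    C:\DOKUME~1\ALLUSE~1\LOCALS~1\Temp\msexxazmu.pif

HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run
    {EA1178B6-687E-CA32-BA95-58EB2E5E1C2E}    REG_SZ    C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Oculq\segety.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

# Heuristics (this example's assumptions): (reason, regex, field to test).
RULES = [
    ("target is in a Temp directory", re.compile(r"\\temp\\", re.I), "data"),
    ("target uses a .pif/.scr/.com extension",
     re.compile(r"\.(pif|scr|com)$", re.I), "data"),
    ("value name is a bare GUID",
     re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I), "name"),
    ("EXE in a subfolder directly under the profile's application data",
     re.compile(r"\\(anwendungsdaten|application data|appdata\\roaming)"
                r"\\[^\\]+\\[^\\]+\.exe$", re.I), "data"),
]

def parse_reg_query(text):
    """Yield {'key', 'name', 'data'} for every value in reg query output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()          # a key header starts a new group of values
        elif key and (m := VALUE_LINE.match(line)):
            yield {"key": key, "name": m[1], "data": m[3].strip().strip('"')}

def suspicious_autoruns(text):
    """Return (entry, reasons) for each autostart value that matches a rule."""
    hits = []
    for entry in parse_reg_query(text):
        reasons = [why for why, rx, field in RULES if rx.search(entry[field])]
        if reasons:
            hits.append((entry, reasons))
    return hits

if __name__ == "__main__":
    for entry, reasons in suspicious_autoruns(SAMPLE):
        print(entry["key"], entry["name"], entry["data"], reasons, sep="\n  ")
```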

