FedEx email scam Trojan is back

Discussion in 'malware problems & news' started by Bob D, May 26, 2012.

Thread Status:
Not open for further replies.
  1. Bob D

    Bob D Registered Member

    I rarely receive spam, and it's been a long long time since I received one with a malware payload. But lately, I'm seeing a spate of these things.
    I do get frequent FedEx notifications, but these did not pass the "smell test" (my first line of malware defense).
    Attached innocuous appearing zip file contains an exe. Suspect it contains malware as described:
  2. Hey, I got that one too! That's the one that "broke" VirusTotal.

    I wonder what sort of trojan that is.
  3. Bob D

    Bob D Registered Member

    Suspect our addresses were harvested by some manner of malware on someone else's box. Perhaps a contact that you / I have in common (looking at you location).
  4. I have some info about the trojan now...

    - It is a fake AV, "Smart Fortress 2012."

    - It does not appear to install a rootkit, just runs from the application data folder for all users. The program running from the application data folder is apparently identical to the executable in the zip attachment.

    - It blocks browsers other than IE from starting. For IE it acts as a local proxy at port 1036. The proxy prevents you from browsing at all until you register Smart Fortress by giving your credit card number to the scammers.

    - It does not appear to run at all in Safe Mode.

    - Interestingly, IE works fine in safe mode despite the proxy setup, and the IE proxy settings appear unchanged. I guess it's setting up the proxy some other way?

    - It reports to an IP apparently located in Beijing. (PM me if you want the IP address.)

    - Other blocked applications include Gmer (with any file name), Process Explorer, and Process Monitor. Process Monitor appears to load its driver anyway, but the GUI won't appear. Command prompts are also blocked (well, sort of; it obviously lets them start and then kills them).

    - However, nothing is blocked unless the Smart Fortress tray icon is loaded. No icon -> everything runs.

    - Also, Online Armor (trial version) can block the scareware from executing on startup. It really does not look terribly advanced.

    In conclusion, it looks like a bog-standard fake AV...
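A host-triage check built around the two behaviours this post describes (a local proxy listening on port 1036, and the executable running from the all-users Application Data folder). This is an added example, not code from the thread or from any tool named in it; the netstat text and process table are constructed samples, and the folder name `1A2B3C` is a placeholder.

```python
import re

# Indicators taken from the post above: a local proxy on port 1036 and an
# executable running from the all-users Application Data folder.
PROXY_PORT = 1036
ALL_USERS_APPDATA = (
    r"c:\documents and settings\all users\application data",  # XP-era path
    r"c:\programdata",                                          # Vista+ path
)

# Constructed sample of `netstat -ano` output (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:1036         0.0.0.0:0              LISTENING       2244
  TCP    127.0.0.1:1036         127.0.0.1:1401         ESTABLISHED     2244
"""

# Constructed pid -> image path table (what a process lister would return).
SAMPLE_PROCESSES = {
    912: r"C:\WINDOWS\system32\svchost.exe",
    2244: r"C:\Documents and Settings\All Users\Application Data\1A2B3C\1A2B3C.exe",
    1984: r"C:\Program Files\Internet Explorer\iexplore.exe",
}

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listening_pids(netstat_text, port):
    """Return PIDs that hold a LISTENING TCP socket on `port`."""
    pids = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and int(m.group(2)) == port:
            pids.append(int(m.group(3)))
    return pids


def runs_from_all_users_appdata(path):
    """True if the image path is under the all-users Application Data folder."""
    low = path.lower()
    return any(low.startswith(prefix) for prefix in ALL_USERS_APPDATA)


def triage(netstat_text, processes):
    """Return (pid, path, reasons) for every process matching an indicator."""
    findings = []
    proxy_pids = set(listening_pids(netstat_text, PROXY_PORT))
    for pid, path in processes.items():
        reasons = []
        if pid in proxy_pids:
            reasons.append("listening on local port %d (proxy)" % PROXY_PORT)
        if runs_from_all_users_appdata(path):
            reasons.append("runs from all-users Application Data")
        if reasons:
            findings.append((pid, path, reasons))
    return findings
```

On a live machine the two samples would be replaced by the real `netstat -ano` output and a process listing; a hit on both indicators for the same PID is the pattern the post describes.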
  5. Daveski17

    Daveski17 Registered Member

    I've seen something similar, except there was no mention of FedEx. There was a link inviting me to check on the 'package' that had been delivered to the Post Office. I was suspicious for a variety of reasons, notwithstanding the weight of the 'package' wasn't in metric. According to VirusTotal it was a known trojan link.