A new spam campaign using UPS (United Parcel Service) as a social-engineering draw was initiated this week. The spammed message contains an attachment, detected as TrojanDownloader:Win32/Chepvil.I. The spam campaign actually started around March 16th 2011. The threat was originally detected as Backdoor:Win32/Hostil.gen!A (was Backdoor:Win32/Hostil.F). More specific signatures (TrojanDownloader:Win32/Chepvil.I and TrojanDownloader:Win32/Chepvil.J) were added on March 22nd 2011.
Win32/Chepvil is a trojan that downloads other malware such as Rogue:Win32/Winwebsec, Rogue:Win32/FakeRean, Backdoor:Win32/Cycbot.B and VirTool:Win32/Injector.gen!BG. The retrieved malware is saved to the %TEMP% folder and then executed. Microsoft Malware Protection Center has noticed that detections over the past few days have gone from a handful to around 400k per day.
The majority of these detections are coming from the antimalware technology protecting our Hotmail customers, which clearly indicates the vector: spam. At the time of writing, we had also received a few reports of account holders at other online email services receiving this trojan via spam email.
Below is a chart indicating observed telemetry of this trojan over a short period of time:
Image 1 – Chepvil telemetry
Nearly all of the attached files are named “United Parcel Service document.zip”.
The most prevalent SHA1s for the .ZIP attachment are: 0610CE22DF47B3D9C69DC63387705FD666C7205A 151755454A9D443A8A60996F3F1DC4E0C68A9B5D 2C25B6B2764E4DA5EC0A7D57017DFA5FF2A10873
The most prevalent SHA1s for the .EXE trojan within the .ZIP archive are: 0FB63DFF83DB643C9EE42EFE617BDD539A5FFB8F 142E8b00AA24954f9A4AA2271B8A49C445B87587 DA65B7B277540B88918076949A28E8307AD7E41A
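The filename and SHA1 indicators above can be checked on a mail gateway or a quarantine share without ever extracting the archive to disk. The following triage routine is an added example written for this post, not MMPC code; the function names, the constructed sample archive and its inner file name are assumptions, and only the attachment name and hashes come from the post.

```python
import hashlib
import io
import zipfile

# Indicators quoted from the post; hashes are compared case-insensitively.
SUSPECT_ZIP_NAME = "United Parcel Service document.zip"
KNOWN_ZIP_SHA1 = {h.upper() for h in (
    "0610CE22DF47B3D9C69DC63387705FD666C7205A",
    "151755454A9D443A8A60996F3F1DC4E0C68A9B5D",
    "2C25B6B2764E4DA5EC0A7D57017DFA5FF2A10873")}
KNOWN_EXE_SHA1 = {h.upper() for h in (
    "0FB63DFF83DB643C9EE42EFE617BDD539A5FFB8F",
    "142E8b00AA24954f9A4AA2271B8A49C445B87587",
    "DA65B7B277540B88918076949A28E8307AD7E41A")}
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif")


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest().upper()


def is_known_hash(digest: str, known: set) -> bool:
    return digest.strip().upper() in known


def triage_attachment(filename: str, data: bytes) -> dict:
    """Score one mail attachment against the Chepvil indicators.
    Archive members are read from memory only; nothing is written to disk."""
    result = {"name_match": filename == SUSPECT_ZIP_NAME,
              "zip_hash_match": is_known_hash(sha1_hex(data), KNOWN_ZIP_SHA1),
              "executables": [], "exe_hash_match": False, "bad_zip": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(EXEC_EXTENSIONS):
                    member_sha1 = sha1_hex(zf.read(info))
                    result["executables"].append((info.filename, member_sha1))
                    if is_known_hash(member_sha1, KNOWN_EXE_SHA1):
                        result["exe_hash_match"] = True
    except zipfile.BadZipFile:
        result["bad_zip"] = True  # not an archive at all; still worth a look
    result["reasons"] = [k for k in ("name_match", "zip_hash_match",
                                     "exe_hash_match") if result[k]]
    if result["executables"]:
        result["reasons"].append("executable inside archive")
    return result


def build_sample() -> bytes:
    """Constructed sample (assumption): a zip carrying a harmless stub.
    Its hashes will not match the real indicators; the name and layout do."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_document.exe", b"MZ placeholder, not malware")
    return buf.getvalue()
```

Hash matches confirm a known sample; the name match and the executable-in-archive finding are the signals that survive a repacked variant.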
Our geographical data from our endpoint protection products show a heavy focus on the United States:
Image 2 – Chepvil telemetry by geography
Below is one example of a spammed message containing the Chepvil trojan.
Image 3 – Sample of Chepvil trojan attachment
MMPC customers have detection for this issue through the signature TrojanDownloader:Win32/Chepvil.I.
- Holly Stewart, Joe Faulhaber, Jaime Wong & Patrick Nolan