A new spam campaign using UPS (United Parcel Service) as a social-engineering draw was initiated this week. The spammed message contains an attachment, detected as TrojanDownloader:Win32/Chepvil.I. The spam campaign actually started around March 16th 2011. The threat was originally detected as Backdoor:Win32/Hostil.gen!A (previously Backdoor:Win32/Hostil.F). More specific signatures (TrojanDownloader:Win32/Chepvil.I and TrojanDownloader:Win32/Chepvil.J) were added on March 22nd 2011.

Win32/Chepvil is a trojan that downloads other malware such as Rogue:Win32/Winwebsec, Rogue:Win32/FakeRean, Backdoor:Win32/Cycbot.B and VirTool:Win32/Injector.gen!BG. The retrieved malware is saved to the %TEMP% folder and then executed. Microsoft Malware Protection Center has noticed that detections over the past few days have gone from a handful to around 400k per day.

The majority of these detections are coming from the antimalware technology protecting our Hotmail customers, clearly indicating the vector – spam. At the time of writing, we have also received a few reports of account holders at other online email services receiving this trojan via spam email.

Below is a chart indicating observed telemetry of this trojan over a short period of time:

Image 1 – Chepvil telemetry


Nearly all of the attached files are named “United Parcel Service document.zip”.

The most prevalent SHA1s for the .ZIP attachment are:
0610CE22DF47B3D9C69DC63387705FD666C7205A
151755454A9D443A8A60996F3F1DC4E0C68A9B5D
2C25B6B2764E4DA5EC0A7D57017DFA5FF2A10873

The most prevalent SHA1s for the .EXE trojan within the .ZIP archive are:
0FB63DFF83DB643C9EE42EFE617BDD539A5FFB8F
142E8b00AA24954f9A4AA2271B8A49C445B87587
DA65B7B277540B88918076949A28E8307AD7E41A
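
For mail administrators who want to check stored messages against the indicators above, the following is an added example (not MMPC code): it parses one raw message, flags the lure filename, and compares the SHA1 of each attachment and of each file inside a ZIP attachment with the lists in this post. The function name, finding labels and the 20 MB member size cap are assumptions made for the example.

```python
import email, hashlib, io, zipfile
from email import policy

# Indicators copied from this post; SHA1 values are compared case-insensitively.
LURE_NAME = "united parcel service document.zip"
ZIP_SHA1 = {h.lower() for h in (
    "0610CE22DF47B3D9C69DC63387705FD666C7205A",
    "151755454A9D443A8A60996F3F1DC4E0C68A9B5D",
    "2C25B6B2764E4DA5EC0A7D57017DFA5FF2A10873")}
EXE_SHA1 = {h.lower() for h in (
    "0FB63DFF83DB643C9EE42EFE617BDD539A5FFB8F",
    "142E8b00AA24954f9A4AA2271B8A49C445B87587",
    "DA65B7B277540B88918076949A28E8307AD7E41A")}
MAX_MEMBER = 20 * 1024 * 1024  # assumed cap so a zip bomb is not inflated

def sha1(data):
    return hashlib.sha1(data).hexdigest()

def triage_message(raw, zip_iocs=ZIP_SHA1, exe_iocs=EXE_SHA1):
    """Return (reason, detail) findings for one raw RFC 5322 message."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        data = part.get_payload(decode=True) or b""
        if name.lower() == LURE_NAME:
            findings.append(("lure-filename", name))
        if sha1(data) in zip_iocs:
            findings.append(("zip-sha1", sha1(data)))
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    # Encrypted or oversized members cannot be hashed safely here.
                    if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER:
                        findings.append(("unscanned-member", info.filename))
                        continue
                    digest = sha1(zf.read(info))
                    if digest in exe_iocs:
                        findings.append(("exe-sha1", f"{info.filename}:{digest}"))
                    elif info.filename.lower().endswith(".exe"):
                        # Not a listed hash, but an executable in a ZIP is worth review.
                        findings.append(("exe-in-zip", info.filename))
        except zipfile.BadZipFile:
            findings.append(("corrupt-zip", name))
    return findings
```

A hash match identifies only the exact files listed here; the filename and executable-in-ZIP findings are weaker signals intended for analyst review.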

Our geographical data from our endpoint protection products show a heavy focus on the United States:

Image 2 – Chepvil telemetry by geography


Below is one example of a spammed message containing the Chepvil trojan.

 

Image 3 – Sample of Chepvil trojan attachment


MMPC customers have detection for this issue through the signature TrojanDownloader:Win32/Chepvil.I.

 

- Holly Stewart, Joe Faulhaber, Jaime Wong & Patrick Nolan