We last posted about a Nurech run on February 19th using Ikea Deutschland as their supposed front. This time the Nurech gang is riding on 1&1, an Internet hosting provider. We have received reports of a large number of e-mails in Germany.
It seems that the gang is monitoring the success of their trojan. As soon as the antivirus industry caught up with the first downloaded malware (Trojan-Spy.Win32.BZub.IJ), they changed it to another one. We detect the current downloaded file as Trojan-Spy:W32/BZub.IK.
The downloader itself (Trojan-Downloader:W32/Small.EJK) has been detected since this morning with update 2007-03-23_02; all files known so far are detected with update 2007-03-23_03.
Here's an example of the spammed message:
Updated to add: Here's another example of text used in the spam with a translation provided by a German partner of ours.
Aktueller Sicherheitshinweis:
=============================
Unbekannte haben Millionen von E-Mails versendet, die sich als Rechnungen der 1&1 Internet AG tarnen. Diese E-Mails versuchen den Rechner des Empfängers mit einem Virus zu infizieren. Ausschließlich solchen E-mails wie dieser können Sie vertrauen. Öffnen Sie keinesfalls in gefälschten E-Mails angehängten Dateien! Sie erkennen die Echtheit Ihrer 1&1 E-Mail-Rechnung an folgenden Merkmalen:
- Sie erhalten echte Rechnungen immer als ZIP Dateien
- Sie finden immer diesen Sicherheitshinweis darin
Security Advice!!
=================
Unknown persons have sent millions of e-mails that masquerade as invoices from 1&1 Internet AG. These e-mails try to infect the recipient's computer with a virus. Only trust e-mails like this one! Never open an attachment in a faked e-mail! Original e-mails from 1&1 can be identified by
- Real invoices are always sent in a ZIP
- You will always find this security advice.
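The lure above trains recipients to expect invoices as ZIP attachments, which is exactly the shape a mail gateway should treat with suspicion. As an added example that is not part of the original post, the following Python builds a constructed sample message (placeholder addresses and placeholder bytes, no real malware) and flags invoice-themed mails whose ZIP attachment carries a Windows executable.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
LURE_PHRASES = ("rechnung", "invoice")  # German and English invoice wording


def build_sample_mail(member: str = "Rechnung.pdf.exe") -> bytes:
    """Constructed sample: a fake '1&1 invoice' mail with a ZIP attachment.
    Addresses are placeholders; the archive member holds dummy bytes only."""
    msg = EmailMessage()
    msg["From"] = "rechnung@example.invalid"
    msg["To"] = "kunde@example.invalid"
    msg["Subject"] = "Ihre 1&1 Rechnung"
    msg.set_content("Sie erhalten echte Rechnungen immer als ZIP Dateien.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not an executable")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Rechnung.zip")
    return msg.as_bytes()


def zip_executable_members(data: bytes) -> list[str]:
    """Names of archive members whose extension marks a Windows executable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return []  # not a ZIP at all; leave it to other checks


def suspicious_zip_invoice(raw: bytes) -> list[str]:
    """Return 'attachment:member' for every executable inside a ZIP attached
    to a message whose subject uses invoice wording; empty list if clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").lower()
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        exes = zip_executable_members(part.get_payload(decode=True))
        if exes and any(p in subject for p in LURE_PHRASES):
            findings.extend(f"{name}:{m}" for m in exes)
    return findings
```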