New virus pretending to come from La Poste (France) targeting French users

The originator of the email was NOT the official domain of La Poste. Here is the extract from MIME headers and contents (HTML stripped):

Delivered-To: *hidden*@gmail.com
Received: by 10.68.54.98 with SMTP id i2csp72104pbp;
        Wed, 23 Jan 2013 18:53:29 -0800 (PST)
X-Received: by 10.14.223.135 with SMTP id v7mr1256308eep.41.1358996008951;
        Wed, 23 Jan 2013 18:53:28 -0800 (PST)
Return-Path: <ervice@clinet.fr>
Received: from out.smtpout.orange.fr (out03.smtpout.orange.fr. [193.252.22.212])
        by mx.google.com with ESMTP id n5si39111788eeo.253.2013.01.23.18.53.28;
        Wed, 23 Jan 2013 18:53:28 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning ervice@clinet.fr does not designate 193.252.22.212 as permitted sender) client-ip=193.252.22.212;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning ervice@clinet.fr does not designate 193.252.22.212 as permitted sender) smtp.mail=ervice@clinet.fr
Received: from mwinb2k04.me-wanadoo.net ([10.223.3.78])
	by mwinf5d64 with ME
	id retU1k0061gzcpE03etURd; Thu, 24 Jan 2013 03:53:28 +0100
Received: by mwinb2k04.me-wanadoo.net (SMTP Server, from userid 1001)
	id 0C1A41406C; Thu, 24 Jan 2013 03:53:28 +0100 (CET)
Received: from mwinf5c24 (mwinf5c24.me-wanadoo.net [10.223.111.74])
	 by mwinb2k04 with LMTPA;
	 Thu, 24 Jan 2013 03:53:28 +0100
X-Sieve: CMU Sieve 2.3
Received: from slow.vmail.no ([193.75.16.12])
	by mwinf5c24 with ME
	id retF1k00p0Fd0ih01etT1e; Thu, 24 Jan 2013 03:53:27 +0100
X-bcc: *hidden*@wanadoo.fr
X-ME-engine: default
X-me-spamrating: 40.00
X-me-spamcause: (0)(0000)gggruggvucftvghtrhhoucdtuddrfeehledrjeekgddutdcutefuodetggcurfhrohhfihhlvgemucfogfenuceurghilhhouhhtmecugedttdenucenucfhrhhomhepshgvrhhvihgtvgesvehhrhhonhhophhoshhtrdhfrhenucffohhmrghinhepghhonhhfrghrohhnrghuthhophgrshhsihhonhdrtghomhenucfjughrpefkhffvufhrffggtgfgsehhqheftddttddu
X-me-spamlevel: not-spam
Received: from pmx.vmail.no (pmx.vmail.no [193.75.16.11])
	by slow.vmail.no (slow1.isp.as2116.net) with ESMTP id F288D8F468
	for <*hidden*@wanadoo.fr>; Thu, 24 Jan 2013 03:36:31 +0100 (CET)
Received: from pmx.vmail.no (localhost [127.0.0.1])
	by localhost (pmx8.isp.as2116.net) with SMTP id A6AF5670C4
	for <*hidden*@wanadoo.fr>; Thu, 24 Jan 2013 03:36:21 +0100 (CET)
Received: from smtp.bluecom.no (smtp.bluecom.no [193.75.75.28])
	by pmx.vmail.no (pmx8.isp.as2116.net) with ESMTP id 695016666A
	for <*hidden*@wanadoo.fr>; Thu, 24 Jan 2013 03:36:21 +0100 (CET)
Received: from clinet.fr (c0B9645C1.dhcp.as2116.net [193.69.150.11])
	by smtp.bluecom.no (Postfix) with ESMTP id D294E9C
	for <*hidden*@wanadoo.fr>; Thu, 24 Jan 2013 03:36:20 +0100 (CET)
Message-ID: <20130124033617.279E56C44570F596@Chronopost.fr>
From: service@Chronopost.fr
To: *hidden*@wanadoo.fr
Subject: Suivi de votre colis.
Reply-To: ser@pmx.vmail.no
Date: 24 Jan 2013 03:36:17 +0100
MIME-Version: 1.0
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Dear customer,

Chronopost informs you that your order shipment is available.

Pickup point

Post Office

The shipment will be available for 7 or 14 days depending on your product, counted from the date it was made available. After that, it will be returned to the sender.

A third party may collect the shipment on behalf of the recipient. To do so, they must present:
their identity card
the recipient's identity document
a power of attorney (on plain paper or the delivery notice filled in on the back)
You can track this shipment at any time by clicking here.
Thank you for choosing Chronopost.

Regards,
Your Chronopost Customer Service

It was an easy-to-detect FAKE alert, as I was definitely not waiting for any delivery from anywhere.

The link “Cliquez ici” was pointing to a Zip file:

http://chronopost.service.client.fr.gonfaronautopassion.com/Chronopost.Suivi colis .zip

The URL itself is definitely NOT La Poste.

So the domain gonfaronautopassion.com is infected!

This new virus, worm or phishing payload (or whatever it may be) was submitted to VirusTotal, which found it was infected (detected by BitDefender):

https://www.virustotal.com/file/d1fb5807d69c92f265b9d1dd55b1955b69f45f19e401c82c9cb262bf34e7f7b5/analysis/

I have a copy of this zip file if Avast wants to inspect it, because for now no tool actually detects it (I have NOT run the .exe file it contains). EDIT: I have submitted the .zip file to Avast.

This worm installs a backdoor connected to the Tor network, controlled by bots to execute random code on request. It is very harmful. It is also being distributed in the wild as a trojan by email (in fact originated from bots running on hosts connected to this Tor network). It can execute arbitrary code on request, but most users would see that the worm will first do nothing else than wait for commands; then it will start being used, for example to run a spambot to distribute various trojans and malware by email.

It seems related to a similar worm (Gen:Variant.Kazy.50365, alias “Win32:Cybota [Trj]” for Avast), of which it is a new variant:
https://www.virustotal.com/file/9f545abe899bb5dea8f6f8a2779d15c713d530f5a0afd0e8243bf3c6ad28a4e0/

Almost all variants of “Gen:Variant.Kazy.*” are also known to install a KEYLOGGER on the victim machine, in order to spy on your passwords (notably on bank sites or sites with authorized payments with your credit card, like eBay and PayPal).

This is then definitely not a “Potentially Unwanted Program” as ClamAV says; it is much more dangerous than that.

EDIT: I’ve contacted the editors of the website running on www.gonfaronautopassion.com to verify and clean up the contents of their DNS zone, as there’s evidence that the rogue subdomain was hijacked. They should secure their DNS better, and change the password used to edit their DNS zone (because this password was visibly stolen by a keylogger or spyware running on the host used by one of the website editors).
I also instructed them to visit this forum page (as well as the page on VirusTotal) for more information.

Now it is detected by:

  • BitDefender : Gen:Variant.Kazy.138010
  • Kaspersky : Trojware Trojan-Downloader.Win32.Andromeda.ppt
  • F-Secure : Gen:Variant.Kazy.138010

EDIT: Now also detected by:

  • DrWeb : BackDoor.Tordev.8 (so this worm installs a hidden backdoor on the PC to be controlled by bots via the Tor network)
  • MicroWorld-eScan : Gen:Variant.Kazy.138010
  • Symantec : WS.Reputation.1

EDIT: Now also detected by

  • MalwareBytes Antimalware: Trojan.Downloader.ED (it only detects the extracted .exe, not the .zip file itself)

EDIT: Now detected by

  • Microsoft Security : HackTool:Win32/Keygen (updated with new heuristics)
    https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=HackTool%3AWin32%2FKeygen&ThreatID=-2147373502
    It seems that this hacker tool (alias “Keygen”, used to generate authorization keys to illegally “crack” protected software or media) is also embedding the same worm; ALMOST ALL “crack” sites are in fact used to propagate worms of various kinds. However the Microsoft detection tools are very poor at locating all of the variants proposed there: Microsoft should really monitor those “crack” sites as they are important vectors of infection of so many people, who are still not convinced that these cracks are not only illegal, but also dangerous for their own security, and harmful for the whole Internet network when they run various backdoors controlled by criminal bots (just to spy on their passwords and steal money online from their bank accounts or on eBay and PayPal, or run spamware that will flood mailboxes around the world).
    EDIT: Microsoft Security has now replied that it identifies it as
  • Microsoft Security : Worm:Win32/Gamarue.I (severe)
    see https://www.microsoft.com/security/portal/submission/submissionhistory.aspx?SubmissionId=a3095496-0da1-4f41-b640-baf600c072cd

ClamAV says “Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat”. In my opinion it is completely wrong. It was certainly not desired by the recipient, and notably not when it comes from a malicious domain (with fake email MIME headers, and with a link pointing to a rogue sub-domain name abusing the Chronopost trademark…). When anything shows multiple signs that the originator of an email is definitely NOT the effective sender and that the sender identity was abused, everything that comes from this source is NOT a “PUA”, but really an attempt to abuse people. I suspect this is just a temporary status from ClamAV, waiting for further inspection of this new threat.

I reported it to Avast using its online form. I also reported it to Microsoft Security:
Submission details: MMPC13012450232253
https://www.microsoft.com/security/portal/submission/submissionhistory.aspx?submissionid=911219DD-3EEB-4049-A571-CD005BD24D9E

EDIT: Now we have the detection by Avast. Thanks!

  • Avast : Win32:Malware-gen, EDIT: now changed into Win32:Trojan-gen (only detects the contained .exe file, not the .zip container, meaning that it will pass through email agents). Note that Avast now also detects the rogue subdomain name when following the link advertised in the trojan email, so people should no longer visit this site, but there are possibly tons of other rogue domains containing a copy of the same ZIP file.

EDIT: Now detected by

  • Panda : Trj/CI.A
  • GData : Gen:Variant.Kazy.138010

Now I will no longer keep this ZIP file, which I will quarantine and delete (other antivirus tools will need to update themselves; I’ll stop monitoring their updates now).

EDIT: Now detected by:

  • AhnLab-V3 : Downloader/Win32.Andromeda
  • Comodo : UnclassifiedMalware
  • Fortinet : W32/Andromeda.PPT!tr.dldr
  • Ikarus : Trojan-Downloader.Win32.Andromeda
  • Kingsoft : VIRUS_UNKNOWN
  • TrendMicro-HouseCall : TROJ_GEN.F47V0124
  • VIPRE : Trojan.Win32.Generic!BT

So now 17/46 engines detect this.

Initially the trojan was not detected, first because it was not directly in emails, so only rogue domains hosting the zip file would be blocked by security suites.
Also because the trojan is zipped, and many antivirus kits do not scan zip files as they are downloaded, but only when you extract files from them (that’s why I’ve submitted two versions of the virus to VirusTotal: the .zip file itself, and the .exe file separately, to make sure it gets its own signature; the .exe is more easily detected).
Also because this exe file does not initially require any system privileges and uses a very basic subset of the Win32 API (so it passes the test of API calls). What it does is decrypt another file on the host, dropping it in an unprivileged temporary folder, where it runs it without requesting any more privileges. Then this new program will decrypt another file that it will run: it is this new program that will install the backdoor and download a script from rogue domains (using the Tor network to find the URLs of commands to apply to the system, but only after waiting some time: initially the backdoor just waits for a while and does nothing on the system so it passes the security tests; only the UDP ports listening for incoming packets from rogue domains may be detected later, by some firewall solution; when it detects the incoming message it starts a connection via Tor to locate a more intrusive program, that will first request system privileges, using some known vulnerabilities of the Win32 API; that downloaded file does not pass through the normal HTTP API, the program implements its own downloader and protocol stack above UDP; it seems that the malware is distributed via a rogue P2P network that sends fragments from multiple sources).
The number of combinations used by the downloaded programs is explosive! So the inspection by antivirus solutions is really complex as these programs are changing constantly and use various tricks trying to pass through inspections by various security suites. Finally it can get the system privileges and then it will start running its malicious actions using one or more of the downloaded malware (keyloggers, spamware, MS Office scripts, rootkits…).
For this reason, the various antivirus vendors have difficulties classifying this virus threat and give it various names: it is possible that not all inspections are matching the same thing. I think that the various antivirus solutions should exchange what they find about the various tricks used. It seems that the techniques used are the start of a new range of generic viral attacks with many more options, and that the current generic “Malware” classification used for now in Avast may be insufficient: there’s some evidence that this threat is the result of a collaboration between various malware authors, using various techniques. They should cooperate to find the source of the malware generator and the sources of those that use this generator to write some tuning and extension scripts.
Anyway the rogue P2P networks (running on infected PCs) should be monitored to find which messages are exchanged over them, as it will be an interesting source for being informed of new variants (or functional tests), or about who is being targeted.
For now all I can recommend is that you should never open any email alert without verifying its effective source and the effective domains hosting the URLs that these worms instruct you to click! Here it was enough to see that the URL in the HTML was a trick trying to abuse the identity of Chronopost / La Poste using a rogue domain name. Also, inspecting the MIME headers of received emails should reveal if their source is effectively the source they pretend to come from (look at the LAST “Received:” header created by your own trusted email service provider and ignore all those that are inserted after it; don’t trust the “From:” header or the “Return-Path:” and “Reply-To:” headers).
If you are using Gmail, use the advanced option to look at the undecoded source code of the full email, to read these MIME headers (ignore the rest of the content). My opinion is that Gmail should offer a way to inspect these MIME headers more easily without having to decipher them ourselves from the complete email in MIME format.
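As an added example (not part of the original post or of any vendor tooling), the header and link checks the post recommends, run over a reduced copy of the headers and the URL quoted above: trust only the Received: line written by your own MX, compare the domains claimed by From:, Return-Path: and Reply-To:, and look for a brand name used as a subdomain of an unrelated registrable domain. The "last two labels" domain rule is a simplification that suffices for the .com/.fr names on this page.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample: a reduced copy of the headers quoted in the post above.
RAW = """\
Return-Path: <ervice@clinet.fr>
Received: from out.smtpout.orange.fr (out03.smtpout.orange.fr. [193.252.22.212])
        by mx.google.com with ESMTP id n5si39111788eeo.253.2013.01.23.18.53.28;
        Wed, 23 Jan 2013 18:53:28 -0800 (PST)
Authentication-Results: mx.google.com; spf=softfail smtp.mail=ervice@clinet.fr
From: service@Chronopost.fr
Reply-To: ser@pmx.vmail.no

"""
LURE_URL = "http://chronopost.service.client.fr.gonfaronautopassion.com/Chronopost.Suivi colis .zip"

def handoff_ip(raw, trusted_mx):
    """IP that handed the mail to our own MX; hops below that line are sender-supplied and forgeable."""
    for hop in message_from_string(raw).get_all("Received", []):
        if "by " + trusted_mx in hop:
            m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
            return m.group(1) if m else None
    return None

def spf_result(raw):
    m = re.search(r"spf=(\w+)", message_from_string(raw).get("Authentication-Results", ""))
    return m.group(1) if m else "none"

def sender_domains(raw):
    """Domains claimed by From:, Return-Path: and Reply-To: (a genuine notice uses one)."""
    msg = message_from_string(raw)
    found = (re.search(r"@([\w.-]+)", msg.get(h, "")) for h in ("From", "Return-Path", "Reply-To"))
    return {m.group(1).lower() for m in found if m}

def url_abuses_brand(url, brand_domain):
    """True when the brand is only a subdomain label under someone else's registrable domain."""
    labels = (urlparse(url).hostname or "").lower().split(".")
    brand = brand_domain.split(".")[0]
    return ".".join(labels[-2:]) != brand_domain and any(brand in l for l in labels[:-2])

def triage(raw, trusted_mx, url, brand_domain):
    flags = []  # red flags the post describes; empty means none found
    if spf_result(raw) in ("fail", "softfail"):
        flags.append("spf-" + spf_result(raw))
    if len(sender_domains(raw)) > 1:
        flags.append("sender-domain-mismatch")
    if url_abuses_brand(url, brand_domain):
        flags.append("brand-in-subdomain")
    return flags
```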

- MalwareBytes Antimalware: Trojan.Downloader.ED (it only detects the extracted .exe, not the .zip file itself)
That is because MalwareBytes does not scan compressed files.

If you move the sample to the virus chest manually, then you can right-click and send it to the Avast lab at the next auto/manual update.