Yesterday I received a suspicious email with an attachment. The mail's subject line was:
Thank you for buying iTunes Gift Certificate!
I am an iPhone user and do have an account at the Apple Store. My first thought was that somebody had hacked into my Apple Store account and done some online shopping in my name. As I went through the message content I realized it was a mail sent by some malware using an iTunes subject and message as a well-crafted social engineering technique. Quick Heal’s DNAScan did flash a warning that the attachment was suspicious and immediately quarantined it.
The email looked as follows:
From: “iTunes Online Store”
Subject: Thank you for buying iTunes Gift Certificate!
Date: Wed, 26 May 2010 09:42:07 +0100
You have received an iTunes Gift Certificate in the amount of $50.00
You can find your certificate code in attachment below.
Then you need to open iTunes. Once you verify your account, $50.00 will
be credited to your account, so you can start buying music, games,
video right away.
On carefully analyzing the attached file, my suspicion was confirmed: it was indeed a new variant of Trojan.Bredolab being spammed to unsuspecting users as an email attachment.
The Trojan made the following changes on my test PC. It modified the Winlogon registry entry so that it loads automatically at system start, and dropped a Trojan file in the Temp folder. Upon execution it tried to reach out to a server in Russia.
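The Winlogon change described above is a persistence technique worth checking for on any machine that opened such an attachment. The following PowerShell script is an added example written for this post, not Quick Heal's code and not part of the original article. The post does not say which Winlogon value the Trojan altered, so comparing the Shell and Userinit values against their stock Windows defaults, and flagging any Temp-folder path in them, is an assumption made here.

```powershell
# Added example (not from the original post): audit the Winlogon autostart
# values that malware commonly alters to load itself at logon. Which value
# Bredolab changed is not stated in the post, so checking Shell and Userinit
# against their stock defaults is an assumption made here.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Stock values on a default Windows install (the trailing comma on Userinit is normal).
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}

function Test-WinlogonPersistence {
    param(
        [string]$KeyPath = $winlogon,
        [hashtable]$Expected = $expected
    )

    $findings = @()
    # Reading HKLM does not require elevation; writing it would.
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop

    foreach ($name in $Expected.Keys) {
        $actual = $props.$name
        if ($null -eq $actual) { continue }
        # Case-insensitive comparison, since Windows paths are case-insensitive.
        # An appended executable ("userinit.exe,C:\...\evil.exe") shows up as a mismatch.
        if ($actual.Trim() -ine $Expected[$name]) {
            $findings += [pscustomobject]@{
                Value    = $name
                Expected = $Expected[$name]
                Actual   = $actual
            }
        }
    }

    # Second indicator: any Temp-folder path in these values matches the
    # Temp-folder drop described in the post and is never a legitimate default.
    foreach ($name in 'Shell', 'Userinit') {
        $actual = $props.$name
        if ($actual -and $actual -imatch '\\Temp\\') {
            $findings += [pscustomobject]@{
                Value    = $name
                Expected = 'no Temp-folder path'
                Actual   = $actual
            }
        }
    }

    return $findings
}

$result = Test-WinlogonPersistence
if (-not $result -or $result.Count -eq 0) {
    Write-Output 'Winlogon Shell/Userinit values match the stock defaults.'
} else {
    Write-Output 'Winlogon values deviate from defaults; review before the next logon:'
    $result | Format-Table -AutoSize
}
```

Run it from a normal PowerShell prompt; a clean machine prints the "match the stock defaults" line. Any deviation should be correlated with the attachment's arrival time and the contents of the Temp folder rather than reverted blindly, since some enterprise logon tooling legitimately appends to Userinit.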
Quick Heal now detects and cleans this Trojan under the name Trojan.Bredolab, so Quick Heal users need not worry!