DHL Delivery Mail Leads to Rogueware

The mail below landed in my mailbox today with an attachment; as a curious user, I went to check it.

Subject: DHL Tracking number #1488883
From: xxxxxxxxxxxxxxxx
Date: Tue, May 24, 2010 10:09 am
To: xxxxxxxxxxxxxx

Good morning,

We were not able to deliver postal package you sent on the 22nd May in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our

Your personal manager: Dolly Gibson,
Customer Service: 1-800-CALL-DHL
Fax: 888-378-9347
DHL International, Ltd. All Rights Reserved.

When the attachment was extracted, a file named DHL_Tracking_NR.324-492383.DOC.exe was present; the double extension passes an executable off as a Word document. Once this file was opened, it dropped the following files onto the system:

[System32 Folder]\pgsb.lto
[Current Profile Folder]\Local Settings\Temp\3.tmp

In the registry it added the following Winlogon Shell value, so that the dropped pgsb.lto is loaded through rundll32.exe at every logon:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe rundll32.exe pgsb.lto csxyfxr"
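The registry value above is the persistence mechanism: Winlogon runs whatever the Shell value names when a user logs on, and on a clean machine that is explorer.exe alone. The Python script below is an example added here, not code from the original post or from the product mentioned in it. It parses a `reg query` dump of the Winlogon key saved to a text file and flags a Shell value that deviates from the default, including the rundll32 loader and the non-DLL extension of pgsb.lto. The two sample dumps are constructed (the first from the value reported above), and the script name winlogon_check.py is an assumption.

```python
r"""Offline check for the Winlogon Shell persistence described above (added example).

Capture the key on the suspect host, then analyse the dump anywhere:
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" > winlogon.txt
    python winlogon_check.py winlogon.txt
(winlogon_check.py is an assumed file name for this script.)
"""
import re
import sys

DEFAULT_SHELL = "explorer.exe"   # the only value a clean machine should have

# Signed Windows binaries commonly abused to run a non-EXE payload. rundll32.exe
# is the one used here to load pgsb.lto, a DLL given a made-up extension.
LOADERS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# One value line of `reg query` output: <indent><name><spaces><REG_type><spaces><data>
REG_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")


def parse_reg_query(text):
    """Return {value_name: data} for the value lines of a `reg query` dump.

    Assumes value names contain no spaces, which holds for Winlogon's values."""
    values = {}
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(3).strip()
    return values


def basename(token):
    """Lower-cased file name of a command-line token, quotes and path stripped."""
    return token.strip('"').rsplit("\\", 1)[-1].lower()


def assess_shell(shell):
    """Return the reasons a Winlogon Shell value looks tampered; [] means default.

    The value is treated as one command line split on whitespace. Winlogon also
    accepts a comma-separated list of programs; such a value is still flagged
    because its first token is no longer a bare explorer.exe."""
    reasons = []
    tokens = shell.split()
    if not tokens:
        return ["Shell value is empty"]
    if basename(tokens[0]) != DEFAULT_SHELL:
        reasons.append("shell is not explorer.exe: " + tokens[0])
    if len(tokens) > 1:
        reasons.append("shell launched with arguments: " + " ".join(tokens[1:]))
    for i, tok in enumerate(tokens):
        if basename(tok) in LOADERS:
            reasons.append("loader binary in Shell value: " + tok)
            # rundll32 takes the library as its next argument (optionally ",entrypoint").
            if basename(tok) == "rundll32.exe" and i + 1 < len(tokens):
                lib = tokens[i + 1].split(",")[0]
                if not lib.lower().endswith(".dll"):
                    reasons.append("rundll32 library with non-DLL extension: " + lib)
    return reasons


def check_dump(text):
    """Parse a `reg query` dump of the Winlogon key and assess its Shell value."""
    values = parse_reg_query(text)
    if "Shell" not in values:
        return ["no Shell value in dump"]
    return assess_shell(values["Shell"])


# Constructed dumps: the first reproduces the value reported in the post, the
# second is what a clean machine returns.
SAMPLE_INFECTED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe rundll32.exe pgsb.lto csxyfxr
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
"""

SAMPLE_CLEAN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            dump = fh.read()
    else:
        dump = SAMPLE_INFECTED
    findings = check_dump(dump)
    print("CLEAN" if not findings else "SUSPICIOUS")
    for reason in findings:
        print("  -", reason)
```

Run without arguments it assesses the constructed infected dump and reports three findings (arguments appended to explorer.exe, the rundll32.exe loader, and the non-DLL library pgsb.lto); on the clean dump it reports nothing. Any argument on the Shell line is worth investigating on its own, since a clean machine never has one.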

It then tried to connect to a remote system to download a further trojan. After a few minutes the system started showing fake messages, and eventually a fake antivirus program was installed.

Fake message

We have released protection against this fake AV / rogueware, which is detected as Securityessentials2010.

Ranjeet Menon