A new spam campaign using UPS (United Parcel Service) as a social-engineering draw was initiated this week. The spammed message contains an attachment, detected as TrojanDownloader:Win32/Chepvil.I. The spam campaign actually started around March 16th 2011. The threat was originally detected as Backdoor:Win32/Hostil.gen!A (was Backdoor:Win32/Hostil.F). More specific signatures (TrojanDownloader:Win32/Chepvil.I and TrojanDownloader:Win32/Chepvil.J) were added on March 22nd 2011.
Win32/Chepvil is a trojan that downloads other malware such as Rogue:Win32/Winwebsec, Rogue:Win32/FakeRean, Backdoor:Win32/Cycbot.B and VirTool:Win32/Injector.gen!BG. The retrieved malware is saved to the %TEMP% folder and then executed. Microsoft Malware Protection Center has noticed that detections over the past few days have gone from a handful to around 400k per day.
The majority of these detections are coming from the antimalware technology protecting our Hotmail customers, clearly indicating the vector – spam. At the time of this blog writing, we received a few reports of other online email service account holders receiving this trojan via spam email as well.
Below is a chart indicating observed telemetry of this trojan over a short period of time:
Image 1 – Chepvil telemetry
Nearly all of the attached files are named “United Parcel Service document.zip”.
The most prevalent SHA1s for the .ZIP attachment are:
The most prevalent SHA1s for the .EXE trojan within the .ZIP archive are:
Our geographical data from our endpoint protection products show a heavy focus on the United States:
Image 2 – Chepvil telemetry by geography
Below is one example of a spammed message containing the Chepvil trojan.
Image 3 – Sample of Chepvil trojan attachment
MMPC customers have detection for this issue through the signature TrojanDownloader:Win32/Chepvil.I.
– Holly Stewart, Joe Faulhaber, Jaime Wong & Patrick Nolan