Another round of spam emails is arriving in users' inboxes today. This round has been socially engineered to trick recipients into thinking DHL has shipped a package on their behalf. The message carries a forged “From:” header so that it appears to originate from DHL.
The message body contains two hyperlinks, “Get Shipment Info” and “Tracking Page”. Clicking either one sends the user to a malicious web page from which the Trojan, Trojan.Agent.asd, is downloaded.
Here is an example email:
On analysis of the Trojan, we observed that it drops a file at the following location (folder and file names are random):
%Application Data%\randomname_folder\randomname_file.exe
It also creates the following registry entry so that the dropped file runs at every logon (the value name is a random alphanumeric string):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{alpha_numeric}="%Application Data%\randomname_folder\randomname_file.exe"
In addition, Trojan.Agent.asd injects malicious code into six or seven different legitimate processes.
The file served by the malicious link is server-side polymorphic: every visit to the same link returns a different file, so a hash or signature taken from one sample will not match the next download, and detection should be based on behaviour such as the persistence pattern above.
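Because the dropped file's name and the Run value name are both random, the reliable indicator is the persistence pattern itself: an HKCU Run entry whose executable lives under the user's Application Data folder (%Application Data% in the notation above is AppData\Roaming on current Windows, i.e. %APPDATA%). The following script, an added example that is not part of the original post or of Thirtyseven4's tooling, parses a `.reg` export of the Run key and flags such entries. The sample export embedded in it is constructed for this example; the random-looking folder and file names in it are placeholders, not real indicators from this campaign.

```python
"""Flag HKCU Run entries that launch an executable from AppData\Roaming.

Usage on a Windows host (assumed workflow, not from the original post):
    reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg
    python run_check.py run.reg
With no argument the constructed sample below is scanned instead.
"""
import ntpath
import re
import sys

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of what `reg export` of the Run key produces.
# The random-looking names are placeholders chosen for this example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Vendor Tray"="\"C:\\Program Files\\Vendor\\tray.exe\" -silent"
"a8Fk2Qz9"="C:\\Users\\alice\\AppData\\Roaming\\k3j9x1\\m7q2v.exe"
"Updater"="%APPDATA%\\svchost\\update.exe /q"
'''

# A REG_SZ value line in a .reg file: "name"="value", with \\ and \" escapes.
# hex(...) values (REG_EXPAND_SZ, REG_BINARY) are not handled here.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    """Undo .reg escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_run_values(reg_text):
    """Return {value_name: command} for the Run key only."""
    values = {}
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_run_key:
            continue
        m = VALUE_RE.match(line)
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def executable_of(command):
    """Extract the program path from a Run command line.

    Quoted paths are taken up to the closing quote; an unquoted path is
    taken up to the first space, which truncates unquoted paths that
    contain spaces (a known limitation of this simple splitter).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_roaming_appdata(path):
    """True if the path is under %APPDATA% (AppData\Roaming)."""
    p = ntpath.normcase(path)  # lowercases and turns / into \
    return p.startswith("%appdata%\\") or "\\appdata\\roaming\\" in p


def suspicious_run_entries(reg_text):
    """Return [(value_name, executable)] for Run entries launching from AppData\Roaming."""
    hits = []
    for name, command in parse_run_values(reg_text).items():
        exe = executable_of(command)
        if is_roaming_appdata(exe):
            hits.append((name, exe))
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # reg export writes UTF-16 with a BOM.
        with open(sys.argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REG_EXPORT
    for name, exe in suspicious_run_entries(text):
        print(f"SUSPICIOUS Run value {name!r} -> {exe}")
```

The check deliberately keys on the launch path rather than on the random value name, and it leaves AppData\Local alone because legitimate per-user installers (OneDrive in the sample) start from there; extend `is_roaming_appdata` if your environment treats AppData\Local the same way. Any hit should be followed up on the host itself, since this script only reads the export and does not verify that the target file exists or who signed it.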
Thirtyseven4 Antivirus has been updated to detect these threats and similar future variants, and the Thirtyseven4 Browser Protection module will be updated immediately to block any further malicious websites this Trojan attempts to reach.