-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2009.1120
        Fake Comcover emails claiming "Nonrefundable loan" contain
                           malicious attachments
                              4 November 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Fake Comcover Emails Contain Malicious Attachments
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:           Mitigation
Member content until: Friday, December  4 2009

OVERVIEW

        AusCERT has received reports, and has observed malicious emails 
        currently in circulation pretending to be from Comcover. The malicious
        attachments currently have a very low detection rate among anti-virus
        products.


IMPACT

        AusCERT is in the process of analysing this trojan and has some limited
        information at this time.
        
        The attached document "support-form.doc" on the email contains an embedded
        executable which attempts to contact a remote source.
        
        Sophos has identified the attachment as Troj/Bifrose-ZB and has made the
        following statements regarding it's impact:
        
        "Troj/Bifrose-ZB attempts to connect to external websites, and may
        cause Internet Explorer to crash. If BOPS is enabled, Buffer Overflow
        warnings will be triggered.
        
        Members of the Bifrose family typically create a backdoor on an
        infected computer, allowing an attacker to connect to the computer
        from the Internet." [1]
        
        At time of writing only a very limited number of anti-virus products
        detect the attachment as malicious. System administrators may wish to
        check VirusTotal results to see if their anti-virus products detect
        this threat. [2]


DETAILS

        All of the reported and recieved emails to date have followed the 
        same format.
        
        --- BEGIN EMAIL SAMPLE ---
        
        From: "Comcover Gov" comcover@comcover.com.au
        
        Subject: Nonrefundable loan approved for your company!
        
        Dear Sir,
        
        Comcover - Insurance Solutions, Risk Management Strategies from the
        Better Australian Government Business, is contacting you to inform 
        you that you qualify for the $50,000.00 economical crisis support 
        for Australian privately-owned firms.
        
        We are providing this support to help the economy grow and avoid 
        economic shrinking.
        
        You do not need to pay anything upfront to receive the support 
        funds. This is a nonreturnable loan that we are glad we can provide
        at this difficult time to you.
        
        Please download and complete the form attached with the requested 
        information and send it back to us by FAX at 29700879 and in maximum
        3 working days we will contact you with the details you need to 
        receive the support loan.
        
        We are waiting for the completed form to be sent to us as soon as 
        possible.
        
        Thank you, The Australian Government - Comcover - Insurance 
        Solutions, Risk Management Strategies
        
        --- END EMAIL SAMPLE ---
        
        The attached file details:
        
        File name: support-form.doc MD5: 0aa09fd39fa6de972075c815333da9a4 
        SHA1: a6017cfa6abbefbb5211e9d2abf833fb66d06c0b
        
        The analyis AusCERT has peformed so far indicates that it connects 
        to 190.120.238.32 on port 80 but the traffic performed is not a 
        standard HTTP requests.
        
        The binary will copy itself as regscr32.exe to the system directory
        (eg: C:\WINDOWS\system32\). It will also create the following 
        registery keys to point to this binary:
        
          HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server Registry
        
          HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Server Registry
        
        An additional key is created:
        
          HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}\stubpath
        
        Which will call the executable with an "s" option.
        
        The dropped executable regscr32.exe has the following checksums:
        
        MD5: e3f5a94e6431ad844724977ba391c0b7
        SHA1: 12297a506ec58f6ef4c12b9337bdd70662e17c91
        
        Analysis indicates that users running in a standard user or limited 
        user mode will likely be unaffected by this executable as it fails 
        to execute correctly.
        
        System administrators may wish to consider monitoring their proxy 
        logs for access to this IP, or blocking it completely.
        
        AusCERT will be looking to update this advisory with more 
        information as it becomes available.


REFERENCES

        [1] Sophos - Troj/Bifrose-ZB
            http://www.sophos.com/security/analyses/viruses-and-spyware/trojbifrosezb.html

        [2] VirusTotal results for support-form.doc
            http://www.virustotal.com/analisis/87165035a4e4395700580d2c3e66824e30e6e210c9fb5062d61b9360de48f77c-1257295756

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFK8NhKNVH5XJJInbgRAm67AJ99s4HVvLN3n9t0eO8Bhvblo0JVzgCeNLew
L9Ar7+H1ld2k8CJHXthCnaQ=
=IUjg
-----END PGP SIGNATURE-----