{"id":72868,"date":"2010-05-24T07:25:55","date_gmt":"2010-05-24T07:25:55","guid":{"rendered":"https:\/\/localhost\/wordpress\/?p=72868"},"modified":"2010-05-24T07:25:55","modified_gmt":"2010-05-24T07:25:55","slug":"dhl-delivery-mail-lead-to-rogueware","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/dhl-delivery-mail-lead-to-rogueware\/","title":{"rendered":"DHL Delivery Mail lead to Rogueware"},"content":{"rendered":"

Below mail landed in my mailbox today with an attachment DHL_Tracking_NR.324-492383.zip, as curious user i went to check it<\/p>\n

————————————————————————–
\nSubject: DHL Tracking number #1488883
\nFrom: xxxxxxxxxxxxxxxx
\nDate: Tue, May 24, 2010 10:09 am
\nTo: xxxxxxxxxxxxxx<\/p>\n

Good morning,<\/p>\n

We were not able to deliver postal package you sent on the 22nd May in time
\nbecause the recipient’s address is not correct.
\nPlease print out the invoice copy attached and collect the package at our
\noffice.<\/p>\n

Your personal manager: Dolly Gibson,
\nCustomer Service: 1-800-CALL-DHL
\nFax: 888-378-9347
\nDHL International, Ltd. All Rights Reserved.
\n————————————————————————–<\/p>\n

\"\"<\/p>\n

When extracted a file DHL_Tracking_NR.324-492383.DOC.exe was present. Once this file was opened it dropped in the system<\/p>\n

[System32 Folder]pgsb.lto
\n[Current Profile Folder]Local SettingsTemp3.tmp<\/p>\n

In registry it added
\nHKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonShell: “Explorer.exe rundll32.exe pgsb.lto csxyfxr”<\/p>\n

It tried to connect to remote system, to download other trojan on the system. After few minutes the system started showing fake messages and eventually a fake antivirus program got installed.<\/p>\n

\n
\"\"<\/div>\n
Fake message<\/div>\n<\/div>\n

We have released protection against this fake AV\/ Rogueware which is detected as Securityessentials2010.<\/p>\n","protected":false},"excerpt":{"rendered":"

Below mail landed in my mailbox today with an attachment DHL_Tracking_NR.324-492383.zip, as curious user i went to check it ————————————————————————– Subject: DHL Tracking number #1488883 From: xxxxxxxxxxxxxxxx Date: Tue, May 24, 2010 10:09 am To: xxxxxxxxxxxxxx Good morning, We were not able to deliver postal package you sent on the 22nd May in time because […]<\/p>\n","protected":false},"author":22,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-72868","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/72868"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/22"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=72868"}],"version-history":[{"count":0,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/72868\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=72868"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=72868"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=72868"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}