Malware Bayrob hits WhatsApp users through phishing scam

From December 2015 to February 2016, Net Protector labs witnessed a significant wave of emails carrying a zip file containing a malicious executable file.

The common thing in all the emails was that the sender's name (not the sender's email address) appeared to be “Whatsapp” or “Facebook”.

In order to spread the rogue malware and infect computers, the cybercriminals are using multiple subject lines.

Some of the subjects used by the malware are:

Subject: You recently got an audible message!
You have obtained a voice notification
An audio memo was missed.
A brief audio recording has been delivered!
A short vocal recording was obtained
A sound announcement has been received
You have a video announcement.
A brief video note got delivered.
You’ve recently got a vocal message.


Bayrob is an SMTP mass mailer that sends emails from the infected user's PC to other users.

The payload is delivered in a zip file.

The exe extracted from the zip is usually named after a person, like jack.exe or brent.exe. The malware is a variant of Bayrob which, once installed, allows backdoor access. This malware is polymorphic in nature.
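One way to triage mail for the traits described above (a brand display name on an unrelated sender address, and a zip attachment holding an .exe), as an added example that is not Net Protector's code. The brand-to-domain map, the function names and the sample message are assumptions constructed for illustration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: domains treated as legitimate for each impersonated brand.
BRANDS = {"whatsapp": "whatsapp.com", "facebook": "facebook.com"}

def triage(raw: bytes) -> list:
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # The display name is free text; only the address domain says who sent it.
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    for brand, legit in BRANDS.items():
        if brand in name.lower() and not (domain == legit or domain.endswith("." + legit)):
            findings.append(f"display name '{name}' does not match sender domain '{domain}'")
    # Look inside zip attachments without extracting anything to disk.
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.lower().endswith(".exe"):
                    findings.append(f"zip attachment contains executable '{member}'")
    return findings

def build_sample(sender="Whatsapp <sender@example.net>", member="jack.exe") -> bytes:
    """Constructed message shaped like the wave above; the payload is harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"not a real executable")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.org"
    msg["Subject"] = "You have obtained a voice notification"
    msg.set_content("constructed sample body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```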

Many other antivirus products were missing detection of the Bayrob email wave, and most did not provide real-time protection.

Once executed, it creates a randomly named folder under C:\, where it drops several executables, also with random alphanumeric names.

It then tries to resolve about 40 to 50 domain names (on average), most of which appeared to be unregistered.

Net Protector customers and users are protected against this family and many other similar families of worms and Trojans.
