04.14.13

Would you like some payment advice?

From time to time our customers (in various geographical areas) receive fake emails that claim to come from HSBC and carry this subject line.
The sender address varies, but it is always a spoofed address.
The wording of the body varies as well; its only purpose is to confuse the recipient into opening the attachment.

For example, this is one of the forms the email may take:
Dear Sir/Madam
Upon your request, attached please find payment e-Advice for your reference.
Yours faithfully
HSBC
***************************************************************************
We maintain strict security standards and procedures to prevent unauthorised access to information about you. HSBC will never contact you by e-mail or otherwise to ask you to validate personal information such as your user ID, password, or account numbers. If you receive such a request, please call our Direct Financial Services hotline.
Please do not reply to this e-mail. Should you wish to contact us, please send your e-mail to [email protected] and we will respond to you.
Note: it is important that you do not provide your account or credit card numbers, or convey any confidential information or banking instructions, in your reply mail.
Copyright. The Hongkong and Shanghai Banking Corporation Limited 2005 All rights reserved.
***************************************************************************

The worst part of these emails is the attachment.
Each email carries a ZIP archive named “Payment_advice.zip”, and the archive contains an executable named “Payment_advice.exe”.
The file names may also include random digits, for example:
Payment Advice [randomized numbers].zip
Payment Advice [randomized number].exe
Payment Advice Ref[randomized numbers].zip
Payment Advice Ref[randomized numbers].exe
Payment receipt [randomized numbers].zip
Payment receipt [randomized numbers].exe
Payment notification id [randomized numbers].zip
Payment notification id [randomized numbers].exe
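A mail gateway or analyst can triage such attachments without ever running them. The following is an added example (not Total Defense code) that matches the lure file names listed above and inspects a ZIP for executables, both by extension and by the “MZ” header, so that a “.pdf” that is really a PE file is also caught. The name pattern, the extension list and the sample archives are constructed here for illustration; the samples contain only a two-byte “MZ” prefix, not malware.

```python
import io
import re
import zipfile

# Lure names seen in the post: "Payment_advice.zip", "Payment Advice 1234.zip",
# "Payment Advice Ref1234.zip", "Payment receipt 1234.zip",
# "Payment notification id 1234.zip". Pattern is an assumption built from that list.
LURE_NAME = re.compile(
    r"^payment[ _](advice|receipt|notification[ _]id)([ _]?ref)?[ _]?\d*\.zip$",
    re.IGNORECASE,
)
# Extensions Windows will execute directly when double-clicked (assumed list).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".cmd", ".bat", ".vbs", ".js")


def suspicious_members(data):
    """Return (member_name, reason) for ZIP members that look executable.

    Only the central directory and the first two bytes of each member are read,
    so a huge (zip-bomb) member is never inflated in full. Nothing is extracted.
    """
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a ZIP at all; let other checks deal with it
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                hits.append((name, "executable extension"))
                continue
            try:
                with zf.open(info) as fh:
                    magic = fh.read(2)
            except RuntimeError:  # password-protected member: cannot be inspected
                hits.append((name, "encrypted member"))
                continue
            if magic == b"MZ":  # DOS/PE header hiding under a harmless extension
                hits.append((name, "PE header under a non-executable extension"))
    return hits


def triage_attachment(filename, data):
    """Combine the file-name lure check with the archive content check."""
    lure = bool(LURE_NAME.match(filename.strip()))
    members = suspicious_members(data)
    if members:
        verdict = "block"      # executable inside: never deliver
    elif lure:
        verdict = "review"     # name matches the campaign, content looks clean
    else:
        verdict = "pass"
    return {"filename": filename, "lure_name": lure, "suspicious": members, "verdict": verdict}


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real malware): "MZ" is only the two-byte header prefix.
SAMPLES = {
    "Payment Advice Ref48213.zip": make_zip({"Payment Advice Ref48213.exe": b"MZ" + b"\x00" * 62}),
    "Payment_advice.zip": make_zip({"advice.pdf": b"%PDF-1.4\n"}),
    "invoice_march.zip": make_zip({"invoice.pdf": b"MZ" + b"\x00" * 62}),
    "scan.zip": make_zip({"scan.pdf": b"%PDF-1.4\n"}),
}

if __name__ == "__main__":
    for fname, data in SAMPLES.items():
        print(triage_attachment(fname, data))
```

The “review” verdict exists because the attackers rotate file names and payloads: a name hit with a clean-looking archive still deserves a look, and an encrypted member should be treated as a block because the content cannot be checked at all.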

This file is, of course, a malicious program: a Trojan.
Total Defense Anti-Virus detects most of these samples as members of the “Win32/Fareit” family.
When executed, it attempts to steal any valuable information from the affected machine and send it to a remote server.
The information is typically taken from what the user enters into the browser, above all user names and passwords.
All common browsers are at risk: Opera, Firefox, Internet Explorer, Chrome and others.

Win32/Fareit is a large family of Trojans whose members carry out a variety of attacks and payloads on the affected machine.
Most samples have backdoor capabilities and attempt to give the attacker remote control of the infected computer.
Most of them attempt to create the following registry entries. All of these are autostart locations (the Winlogon Shell and Userinit values and the Run/RunOnce keys), so the entries make the dropped “[random characters].exe” run again at every logon:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID = [random characters].exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = “[random characters].exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft PnD = “[random characters].exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce = “[random characters].exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrss = “[random characters].exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = [random characters].exe
HKEY_CURRENT_USER\SOFTWARE\WinRAR = “[random characters]”
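The entries above are exactly what an incident responder checks first on a suspect machine. The following is an added example (not Total Defense code) that parses a `.reg` export of those keys and flags the patterns the post describes: a Winlogon Shell or Userinit value that no longer holds the stock Windows default, a Run/RunOnce entry pointing into a Temp directory, and an autostart entry named after a Windows system process such as “csrss”. The stock defaults, the Temp and system-name heuristics, and the sample export (with the made-up names “xk3p9q.exe”, “qz71.exe” and user “alice”) are assumptions constructed for the example; the “Microsoft PnD” and “csrss” value names follow the post.

```python
import re

KEY_LINE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]\s*$")
VALUE_LINE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<val>.*)$')

# Assumed stock values on a clean Windows install (Userinit keeps its trailing comma).
EXPECTED_WINLOGON = {"shell": "explorer.exe", "userinit": r"c:\windows\system32\userinit.exe,"}
AUTOSTART_KEY = re.compile(r"\\(Run|RunOnce|Policies\\Explorer\\Run)$", re.IGNORECASE)
WINLOGON_KEY = re.compile(r"\\Winlogon$", re.IGNORECASE)
TEMP_DIRS = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# Names legitimate software never uses for a Run value (heuristic, assumed list).
SYSTEM_NAMES = {"csrss", "svchost", "lsass", "winlogon", "smss", "services", "explorer"}


def _unescape(s):
    # .reg files write a backslash as \\ and a quote as \"
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: string}}.

    Only string ("...") values are kept; hex:/dword: values are ignored, on the
    assumption that autostart entries are REG_SZ/REG_EXPAND_SZ strings.
    """
    out, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group("key")
            out.setdefault(key, {})
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            val = m.group("val")
            if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
                name = m.group("name") if m.group("name") is not None else "@"
                out[key][_unescape(name)] = _unescape(val[1:-1])
    return out


def audit_autostarts(reg):
    """Return (key, value_name, value, reason) for entries matching the post's patterns."""
    findings = []
    for key, values in reg.items():
        if WINLOGON_KEY.search(key):
            for name, val in values.items():
                expected = EXPECTED_WINLOGON.get(name.lower())
                if expected is not None and val.lower() != expected:
                    findings.append((key, name, val, "Winlogon value differs from the stock default"))
        elif AUTOSTART_KEY.search(key):
            for name, val in values.items():
                if TEMP_DIRS.search(val):
                    findings.append((key, name, val, "autostart points into a Temp directory"))
                elif name.lower() in SYSTEM_NAMES:
                    findings.append((key, name, val, "autostart named after a Windows system process"))
    return findings


# Constructed sample export: one hijacked Shell value, one legitimate per-user
# program (OneDrive, which must NOT be flagged), one Temp dropper, one fake "csrss".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\alice\\AppData\\Local\\Temp\\xk3p9q.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Microsoft PnD"="C:\\Users\\alice\\AppData\\Local\\Temp\\xk3p9q.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"csrss"="C:\\Users\\alice\\AppData\\Roaming\\qz71.exe"
"""

if __name__ == "__main__":
    for key, name, val, reason in audit_autostarts(parse_reg_export(SAMPLE_REG)):
        print(f"{reason}: {key}\\{name} = {val}")
```

On a live machine the input comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` (and likewise for the Run keys); `reg export` writes UTF-16, so open the file with `encoding="utf-16"` before passing it to `parse_reg_export`. The AppData check is deliberately limited to Temp directories: plenty of legitimate per-user software lives under AppData, as the OneDrive entry in the sample shows.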

The main difficulty in cleaning a system after infection is that these Trojans (in most cases) download and execute arbitrary files from various locations: files with randomized names are downloaded into the Windows %TEMP% folder and run.
These executables may belong to entirely different malware families, so it is never clear what else has been done to the system.

The best thing you can do is not to open “Payment advice” emails at all, but to forward them to us for investigation.
In any case, if you receive suspicious emails or suspicious files, please consider forwarding them to “[email protected]” for full analysis by Total Defense.