We received a new sample of a trojan downloader attached to a spammed email. The spam used the pop star Kylie Minogue as its social-engineering lure, claiming that the singer had died of cancer. Below is an example of the spammed email.
We can see a hyperlink in the email body that points to http://xxx.xxx.xxx.133/sp/kylie.htm. Visiting that URL shows the following page:
Yeah, there’s another hyperlink, and this one points to a binary file. The binary is an exact copy of the trojan downloader attached to the spammed email. This is probably intended as a second way to get the malware executed if the user opted not to open the attachment in the spammed email. The story of this malware does not end here: the page also contains an iframe pointing to another page, which in turn contains obfuscated script.
The page made me curious whether it could be related to TROJ_LINKOPTIM, so I decided to de-obfuscate it. Here’s a snippet of the code after the first pass of de-obfuscation.
Then, to my surprise, it also used the “arguments.callee.toString()” function, the same trick used in the TROJ_LINKOPTIM obfuscated pages. So I continued, and after three more layers of de-obfuscation I arrived at yet another iframe which opens another page (whew!!!).
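To show why the “arguments.callee.toString()” trick gets in the way of manual de-obfuscation, here is an added example (not the malware’s code and not from the original post): a constructed decoder that keys its XOR stream on its own source text, plus an analyst harness that recovers the hidden string by shadowing eval instead of editing the function. The names captureEval, capturePatched and xorHex, and the benign sample payload, are all constructed for this illustration.

```javascript
// Constructed decoder in the style the post describes: the key is the
// function's OWN source text (plus a checksum of it), so editing even one
// character of the function changes the key and breaks the decoding.
const DECODER_SRC =
  'function d(p){var k=arguments.callee.toString(),s=0,o="",i;' +
  'for(i=0;i<k.length;i++)s+=k.charCodeAt(i);' +
  'for(i=0;i<p.length;i+=2){o+=String.fromCharCode(' +
  'parseInt(p.substr(i,2),16)^((k.charCodeAt((i/2)%k.length)+s)&255));}' +
  'eval(o);}';

// Mirror of the decoder's key stream, used only to build the constructed
// sample: XOR the (benign) hidden payload with the decoder text.
function xorHex(plain, key) {
  let s = 0;
  for (let i = 0; i < key.length; i++) s += key.charCodeAt(i);
  let hex = '';
  for (let i = 0; i < plain.length; i++) {
    const kb = (key.charCodeAt(i % key.length) + s) & 255;
    hex += (plain.charCodeAt(i) ^ kb).toString(16).padStart(2, '0');
  }
  return hex;
}
const HIDDEN = 'var stage2 = "constructed-second-stage";'; // constructed payload
const SAMPLE = DECODER_SRC + 'd("' + xorHex(HIDDEN, DECODER_SRC) + '");';

// Analyst harness: run the script UNCHANGED, but shadow `eval` with a sink
// that records what the decoder tried to execute instead of executing it.
// new Function() bodies are sloppy-mode, so arguments.callee still works and
// toString() returns the untouched source, which keeps the key intact.
function captureEval(script) {
  const captured = [];
  const sink = (s) => { captured.push(s); };
  new Function('eval', script)(sink);
  return captured;
}

// Naive approach: textually patch eval() into a sink inside the script.
// That edit changes arguments.callee.toString(), so the decoded output is
// garbage rather than the hidden payload.
function capturePatched(script) {
  const captured = [];
  const patched = script.replace('eval(o)', 'sink(o)');
  new Function('sink', patched)((s) => { captured.push(s); });
  return captured;
}
```

The same shadowing approach works for document.write or other sinks the decoded layer feeds, which is how each of the “three more layers” can be peeled without touching the decoder text.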
This new page again downloads and executes a copy of the trojan downloader; at this point, we can say that this cannot be related to the Link Optimizer thingie. Note that the downloader was designed with three ways of getting executed on an affected system: the email attachment, the download link on the landing page, and the script reached through the iframe chain.
The author used the “msxml2.XMLHTTP” and “adodb.stream” objects to download the binary file and execute it on the affected user’s system.
The trojan downloader is detected as TROJ_DLOADR.ANR and the downloaded component is detected as BKDR_AGENT.FBB. Disabling ActiveX in your web browser is recommended to protect against attacks that use ActiveX objects. You can also disable the “adodb.stream” object by following the procedures described here.