Just an FYI, we are currently being spammed with emails containing a trojan as an attachment.
The attachment name is New_Folder_01NOV2006.rar, you can begin filtering this out on your systems for proactive protections.
I have to say, the social engineering tactics used by the malware author to fool users into executing the attachment are above the usual standard, so customers will have to be extra careful not to be fooled.
The contents of New_Folder_01NOV2006.rar are shown below.
As you can see, there are two objects:
- New Folder – an actual folder (nothing to it)
- New Folder_01NOV2006(215 SPACES).exe – an exe file with a folder icon; the 215 spaces are there to fool users into thinking that it is not an exe file. This is the same trick used by worms like WORM_MYTOB.
I can only guess that the folder “New Folder” is inside the archive for more social engineering. As the user extracts the files from the archive, he clicks on “New Folder”, which opens as a folder because it really is one, raising the chances that the user will also click New Folder_01NOV2006(215 SPACES).exe under the assumption that it is a folder too.
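The whitespace-padding trick above is easy to catch at the mail gateway or in an archive scanner, because no legitimate file name carries a long run of spaces immediately before an executable extension. The following is an added example (not code from the original post or from Trend Micro) that flags archive entries with padded or doubled extensions; it builds a ZIP in memory that mirrors the layout described above, since the standard library cannot read RAR, and the entry names and the 215-space padding are constructed to match the description.

```python
import io
import re
import zipfile

# Extensions that Windows will execute when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# A run of four or more whitespace characters immediately before the last extension.
PADDED_EXT_RE = re.compile(r"\s{4,}\.[A-Za-z0-9]+$")
# Two extensions back to back, e.g. "report.doc.exe".
DOUBLE_EXT_RE = re.compile(r"\.[A-Za-z0-9]{2,4}\s*\.[A-Za-z0-9]{2,4}$")


def base_name(entry):
    """Last path component of an archive entry; directory entries end in '/'."""
    return entry.rstrip("/").rsplit("/", 1)[-1]


def final_extension(entry):
    base = base_name(entry)
    dot = base.rfind(".")
    return base[dot:].lower() if dot >= 0 else ""


def deception_reasons(entry):
    """Why an entry name looks deceptive; empty list when it looks ordinary."""
    reasons = []
    if entry.endswith("/"):
        return reasons  # a real directory entry, like "New Folder/" in the post
    base = base_name(entry)
    if final_extension(entry) in EXECUTABLE_EXTS:
        if PADDED_EXT_RE.search(base):
            reasons.append("whitespace padding hides executable extension")
        if DOUBLE_EXT_RE.search(base):
            reasons.append("double extension ending in executable")
    return reasons


def flag_entries(entries):
    """Map each suspicious entry name to the reasons it was flagged."""
    flagged = {}
    for entry in entries:
        reasons = deception_reasons(entry)
        if reasons:
            flagged[entry] = reasons
    return flagged


def scan_zip_bytes(data):
    """Flag suspicious names in a ZIP held in memory (RAR needs a third-party reader)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return flag_entries(zf.namelist())


def build_sample_archive():
    """Constructed ZIP mirroring the layout described in the post:
    an empty folder next to an executable whose name carries 215 spaces."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("New Folder/", "")
        zf.writestr("New Folder_01NOV2006" + " " * 215 + ".exe", b"MZ\x90\x00")
        zf.writestr("notes.txt", "harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in scan_zip_bytes(build_sample_archive()).items():
        print(repr(name), "->", ", ".join(why))
```

The check works on names alone, so it can run on an archive listing before anything is extracted; a gateway rule that quarantines any attachment whose listing produces a non-empty result would have stopped this campaign without knowing the specific file name.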
The exe file has already been given to the service team for detection and has been given the name TROJ_DLOADER.HAP.
Again with good social engineering, TROJ_DLOADER.HAP downloads http://www.[blocked]nrg.org/tmp/about.html, making anyone watching the network think that the downloaded file is just an HTML file when it is actually an exe file, which is saved as iexplore.exe in the C: directory.
The great thing is that this is already detected by Trend as TROJ_DLOADER.FUO.
From TROJ_DLOADER.FUO begins a chain of downloads, ultimately ending in phishing attempts on several banks.
Here is the list of files downloaded, beginning with TROJ_DLOADER.FUO; all files come from a single IP address:
- http://[blocked]/ieschedule.exe (TROJ_DLOADER.FUX)
- http://[blocked]/ib14.dll (TSPY_VB.BRF)
- http://[blocked]/smss.exe (TROJ_DELF.DSJ)
- http://[blocked]/iexplore.exe (TROJ_DLOADER.FUO)
- http://[blocked]/ieserver.exe (TROJ_DELF.DSH)
- http://[blocked]/dsrss.exe (TROJ_DELF.DSF)
- http://[blocked]/preredir.exe (TROJ_DELF.DSI)
- http://[blocked]/ieredir.exe (TROJ_DELF.DSG)
All files except ib14.dll (TSPY_VB.BRF) have an Internet Explorer icon, another social engineering tactic that raises the chances of a user executing the file.
It is worth noting that all the malware used by TROJ_DLOADER.HAP had already been detected by Trend Micro. The URLs of the files have also been given to the URL blocking team.
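Two things in the download chain above are visible on the wire regardless of the file names: a Windows executable always starts with the DOS "MZ" header and a "PE" signature, so an .html URL delivering one is a mismatch, and a single host serving several executables named after Windows system binaries (iexplore.exe, smss.exe) stands out. The following is an added example (not code from the original post or from Trend Micro) that applies both checks to a set of fetched objects; the host names, Content-Type values and the PE-shaped bodies are constructed for the example, and the system-binary name list beyond iexplore.exe and smss.exe is an assumption added for breadth.

```python
import struct
from collections import defaultdict
from urllib.parse import urlsplit

# Names of Windows system binaries that the downloads in the post imitate
# (iexplore.exe, smss.exe); the remaining entries are assumptions for breadth.
SYSTEM_BINARY_NAMES = {"iexplore.exe", "smss.exe", "csrss.exe", "svchost.exe", "lsass.exe"}
EXECUTABLE_EXTS = {".exe", ".dll", ".scr"}
# Content types under which a PE image is at least honestly labelled.
PE_CONTENT_TYPES = ("application/octet-stream", "application/x-msdownload",
                    "application/vnd.microsoft.portable-executable")


def is_pe_image(data):
    """True when data has a DOS 'MZ' header whose e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def file_name_of(url):
    return urlsplit(url).path.rsplit("/", 1)[-1].lower()


def extension_of(name):
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def inspect_download(url, content_type, body):
    """Findings for one fetched object; empty when nothing looks odd."""
    findings = []
    name = file_name_of(url)
    if is_pe_image(body):
        if extension_of(name) not in EXECUTABLE_EXTS:
            findings.append("PE image served under non-executable name")
        if not content_type.lower().startswith(PE_CONTENT_TYPES):
            findings.append("PE image served as " + content_type)
    if name in SYSTEM_BINARY_NAMES:
        findings.append("file name imitates a Windows system binary")
    return findings


def pe_downloads_by_host(records, threshold=3):
    """Hosts that served at least `threshold` PE images across the records."""
    counts = defaultdict(int)
    for url, _content_type, body in records:
        if is_pe_image(body):
            counts[urlsplit(url).hostname] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


def fake_pe():
    """Constructed PE-shaped blob: 'MZ', e_lfanew at 0x3C pointing to the PE
    signature at 0x80. Not a runnable program, only enough header for the check."""
    blob = bytearray(0x90)
    blob[:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x80)
    blob[0x80:0x84] = b"PE\0\0"
    return bytes(blob)


# Constructed records modelled on the post: a PE behind an .html URL, several
# PE downloads from one host, and one genuine HTML page. Hosts are placeholders.
SAMPLE_RECORDS = [
    ("http://dropper.example.invalid/tmp/about.html", "text/html", fake_pe()),
    ("http://payload.example.invalid/iexplore.exe", "application/octet-stream", fake_pe()),
    ("http://payload.example.invalid/smss.exe", "application/octet-stream", fake_pe()),
    ("http://payload.example.invalid/ib14.dll", "application/octet-stream", fake_pe()),
    ("http://www.example.invalid/index.html", "text/html", b"<html><body>hi</body></html>"),
]


def run(records=SAMPLE_RECORDS):
    findings = {url: inspect_download(url, ct, body) for url, ct, body in records}
    return {url: f for url, f in findings.items() if f}, pe_downloads_by_host(records)


if __name__ == "__main__":
    flagged, busy_hosts = run()
    for url, why in flagged.items():
        print(url, "->", "; ".join(why))
    print("hosts serving 3+ PE images:", busy_hosts)
```

In a proxy or IDS, the same logic is applied to the first bytes of each response body rather than to a stored list; the MZ/PE check is cheap enough to run on every object, and the per-host count is what turns one odd download into evidence of a staging server.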
With all the social engineering tactics used by this malware, it is important for users to be more vigilant and to execute only files that are known to be good.
More and more of these cases are showing up: different malware working together for profit, just like the case of TROJ_LINKOPTIM. We continue to see this trend in malware: no more fast-spreading worms, but trojans downloading trojans, ultimately leading to profit for the malware author.