New Malware Seeded in the Wild

We received a sample of a new malware being seeded in the wild (ITW). It
uses a Microsoft Word icon and looks like a normal document file. However,
the file begins with the two bytes "MZ" instead of the "D0 CF" that opens
a genuine OLE2 compound document (the real .doc format), which marks it as
a Portable Executable file rather than a Word document. Notably, when the
original file is executed it drops two files, hacker.asf and hacker.exe,
into the %system% directory, and the original file is then replaced by a
normal Microsoft Word document that serves as a decoy. That document
contains the text found in the seeded e-mail shown below.
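The two tells in this sample, a PE "MZ" header behind a document extension and a double extension such as .doc.exe, can be checked mechanically at the mail gateway or during triage. The following script is an added example written for this page, not code from the original post or from the vendor; the file samples it inspects are constructed inline (a minimal MZ/PE stub and an OLE2 header followed by padding) and the extension table is an assumption limited to the formats discussed here.

```python
import struct
from pathlib import PurePosixPath

# Leading bytes of the two formats this post contrasts.
MZ_MAGIC = b"MZ"                                   # DOS/PE executable stub
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")     # OLE2 compound document (.doc/.xls/.ppt)

# Assumed mapping from extension to the header it should carry (example table).
EXPECTED_MAGIC = {
    ".doc": "ole2", ".xls": "ole2", ".ppt": "ole2",
    ".exe": "pe", ".dll": "pe", ".scr": "pe",
}
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".cmd"}


def identify(data: bytes) -> str:
    """Classify a file from its leading bytes: 'pe', 'mz-dos', 'ole2' or 'unknown'."""
    if data[:2] == MZ_MAGIC:
        # A PE image keeps a pointer to the "PE\0\0" signature at offset 0x3C.
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe"
        return "mz-dos"
    if data[:8] == OLE2_MAGIC:
        return "ole2"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    last = suffixes[-1] if suffixes else ""

    # 1. Double extension ending in an executable type, e.g. EnvQual.doc.exe.
    if len(suffixes) >= 2 and last in EXECUTABLE_EXTS:
        findings.append(f"double extension: '{''.join(suffixes)}' hides an executable")

    # 2. Declared type does not match the header, e.g. a .doc that starts with MZ.
    actual = identify(data)
    expected = EXPECTED_MAGIC.get(last)
    if expected and actual != expected:
        findings.append(f"extension {last} claims {expected}, header says {actual}")

    # 3. Executable header behind an extension we have no expectation for.
    if expected is None and actual in ("pe", "mz-dos") and last not in EXECUTABLE_EXTS:
        findings.append(f"executable header behind non-executable extension '{last}'")
    return findings


def build_fake_pe() -> bytes:
    """Constructed sample: a minimal MZ header whose e_lfanew points at a PE signature."""
    hdr = bytearray(0x40)
    hdr[0:2] = MZ_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def build_fake_doc() -> bytes:
    """Constructed sample: OLE2 magic followed by padding, enough to classify as a document."""
    return OLE2_MAGIC + b"\x00" * 504


SAMPLE_PE = build_fake_pe()
SAMPLE_DOC = build_fake_doc()

if __name__ == "__main__":
    for name, blob in [("EnvQual.doc.exe", SAMPLE_PE),
                       ("report.doc", SAMPLE_DOC),
                       ("report.doc", SAMPLE_PE)]:
        print(name, identify(blob), check_attachment(name, blob))
```

The first case reproduces the attachment name from the e-mail below: the header is consistent with .exe, so only the double extension fires. The third case, an "MZ" file renamed to .doc, is caught by the header check alone, which is why a gateway should never trust the extension or the icon.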


Below is a sample e-mail taken from the reports we received:

Subject: RVT Environmental Qualification Testing

Attachment: EnvQual.doc.exe

E-mail Body:


Mr. Mark Dellape

Purchasing

AAI Corporation

P.O. Box 153

Hunt Valley, MD 21030


Subject: RVT Environmental Qualification Testing


Dear Mark:


As DRS proceeds with RVT Environmental Qualification testing,
several issues have arisen and we wish to notify you of DRS actions
relative to those issues.


Solar load test. The RVT will be operational; however, the PCI
video option cards (611 and 616) will be non-operational because of
the CDL driver thermal issue which has been brought to AAI’s
attention in Art Lowe’s letter, APL:04-0008:3711.


Transit drop and loose cargo tests. Both of these tests require a
transit case for the RVT unit. Mark Sullivan, DRS Engineer, has
requested a transit case from Bob Storke. At this time AAI has not
provided a transit case for testing. Therefore, DRS will use a
suitable transit case available here for the tests.


All of these actions are being taken in order to avoid schedule
impacts.


If you have any questions or comments, please contact Art Lowe,
Contracts Manager, at 321-727-3672, x3073.


Sincerely,



Lisa M. Farrall

Contracts Administrator

lfarrall@drs-ts.com



Update (JoneZ, 08 December 2005 10:12:52)
The attachment will be detected as
TROJ_AGENT.AKR while the dropped components, hacker.exe and
hacker.asf, will be detected as TROJ_PCCLIENT.CY.