It looks like it’s a peaceful day for my shift. There isn’t much activity from the honeypot systems, so I decided to look for some activity via mIRC. After visiting a couple of weird channels I received a private message containing a link obscured by some extra characters.
Obviously the link cannot be opened just by double-clicking it, so I typed the complete link into my web browser, leaving out the unnecessary characters. Here’s what I found: the link is hosting a file named “video.exe”, and all of the referenced links point to this same file.
Something’s not right here, so I downloaded the file and did some “black box” testing. I found that the downloaded file drops its components into the %windows%fonts directory. Among them is a .sys file that hides the files dropped into the %windows%fonts folder. This sample is currently being processed; an update with the malware name will follow.
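An added example (not part of the original post) of how a responder could check a fonts directory for the two behaviours described above: a cross-view comparison of the live Win32 listing against a raw listing taken from a disk image, which surfaces whatever a file-hiding driver is concealing, plus a sweep for executables or drivers that do not belong among fonts. The listings and file names below are constructed for illustration.

```python
import os
from typing import Dict, Iterable, List

# File types that should never appear in a font directory. The sample described
# above dropped an executable payload plus a .sys driver into %windows%\fonts.
EXEC_EXTENSIONS = {".exe", ".sys", ".dll", ".scr", ".com"}
FONT_EXTENSIONS = {".ttf", ".ttc", ".otf", ".fon", ".pfb", ".pfm", ".fot"}

def cross_view_hidden(live_listing: Iterable[str], raw_listing: Iterable[str]) -> List[str]:
    """Entries present in a raw view of the directory (disk image, or the
    volume read offline) but absent from the live Win32 listing.
    A file-hiding driver filters only the live view, so the difference is
    exactly the set of names it is concealing."""
    live = {name.lower() for name in live_listing}
    return sorted(name for name in raw_listing if name.lower() not in live)

def non_font_entries(listing: Iterable[str]) -> Dict[str, List[str]]:
    """Split a font-directory listing into executables/drivers (high priority)
    and anything else that is not a known font format (review manually)."""
    result: Dict[str, List[str]] = {"executable": [], "unexpected": []}
    for name in listing:
        ext = os.path.splitext(name)[1].lower()
        if ext in EXEC_EXTENSIONS:
            result["executable"].append(name)
        elif ext not in FONT_EXTENSIONS:
            result["unexpected"].append(name)
    for key in result:
        result[key].sort()
    return result

def triage_fonts_dir(live_listing: Iterable[str], raw_listing: Iterable[str]) -> Dict[str, List[str]]:
    """Combine both checks: what is hidden from the live view, and what is out of place."""
    raw = list(raw_listing)
    hidden = cross_view_hidden(live_listing, raw)
    return {"hidden": hidden, **non_font_entries(raw)}

# Constructed sample listings (not taken from the analysed sample): the live view
# is what the Win32 API returned; the raw view is the same directory read from a
# disk image. The two extra names in the raw view are invented placeholders.
LIVE_LISTING = ["arial.ttf", "Tahoma.TTF", "cour.fon", "desktop.ini"]
RAW_LISTING = LIVE_LISTING + ["dropped_payload.exe", "hide_driver.sys"]

if __name__ == "__main__":
    for key, names in triage_fonts_dir(LIVE_LISTING, RAW_LISTING).items():
        print(f"{key:>10}: {names}")
```

On a live host the raw view would come from reading the volume directly or from a boot CD; if the live and raw views agree, the directory is not being filtered by a file-hiding driver.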
As a reminder, users should not trust unsolicited links, whether from known or unknown contacts. This will prevent attacks like the one mentioned above. Keep your pattern file updated to the latest version regularly.
Update (JoneZ, 19 March 2006 18:46:04)
Trend Micro will detect the sample as TROJ_MUDROP.GT. It drops several files, one of which is already detected as BKDR_KIRSUN.A.