We received reports of a malware url link being spammed via email. The content of the email looks like a legitimate Symantec web site which is offering a virus cleaner tool for w32.aplore@mm. However, the hyperlink found in the supposed to be cleaner tool points to a malicious software
(http://westkoast.{blocked}.fr/norton/freevirusfix.exe).
We have forwarded this to the Service Team for detection and analysis. Standby for updates and for the time being, provided is a snapshot of the spammed email. BTW, all other hyperlinks found in the spammed email are legitimate except for the said cleaner tool.
Click on the image for a larger view.
Update(JoneZ, 05 May 2006 10:00:25)
Initial analysis of the malware:
- adds entries to the host that routes several antivirus sites and updates to incorrect ip addresses
- has keylogger feature
- DDOS capability
- Remote Command prompt via IRC
- possible data destruction
- can propagate via instant messenger
- drops a text file in the root folder containing the text : “rBot owned you!”
- Displays a message box: “VMM32.VXD: Missing/Unable to Load
BTW, this will be detected as WORM_RBOT.AHS.
