Several Trojan downloaders are being spammed across email inboxes once again. These Trojans pose as picture file attachments and use a double extension and trailing characters to trick unsuspecting users into clicking the file. As of this writing, we have received 3 different samples of this malware:
Kodak_foto04.JPG….exe (MD5 Hash: 768c94b93fbdabde9480b022e1a56669)
Kodak_foto02.JPG….exe (MD5 Hash: 6b10fe30d303a91f133edb459f05609f)
Kodak_foto01.JPG….exe (MD5 Hash: 800ffd6c25a62ed694bf4410e35539f1)
Though they may have different MD5 hashes, these samples exhibit the same behavior. Initial analysis has shown that upon execution, the malware drops its components in the Windows system folder. It downloads a disguised SWF file that is known to exhibit rootkit behavior when installed in the affected system.
A solution has already been deployed for these threats. Trend is detecting all mentioned files as
TROJ_DLOADER.DSW using OPR 3.745.00.