The Miss World 2006 beauty pageant will be held in Poland on September 30. Unlike other popular international beauty pageants, the Miss World beauty pageant has an interactive way of selecting the winner. Using SMS, people from around the world can vote for the contestant whom they consider to be the one worthy of the beauty title.
A new threat has taken advantage of the event’s unique way of choosing the winner. In another bout of social engineering, it employs the use of instant messaging applications as a distribution vector for the malware. Instant messenger users who are often online may have received the following message recently:
Let’s vote for Miss Vietnam – Mai Phuong Thuy – for the upcoming Miss World championship…
The message is followed by a URL that the unsuspecting user may expect to lead him to a site or webpage where he can vote for the candidate. Obviously, this does not happen at all. When the URL is accessed, the user is redirected to another website offering credit card debt consolidation, which has absolutely nothing to do with voting for the next Miss World. Here’s what the user didn’t know: when the link was accessed, it redirected to another site that downloaded a Trojan into the system. To cover-up the download, it redirected to another site that featured the credit card scheme. In that way, the user wouldn’t notice anything.
Unless he tried to open the task manager or the registry editor.
Initial analysis shows that this Trojan disables the task manager and the registry editor. Furthermore, Internet Explorer’s startup page is modified so instead of the user’s default web page being loaded when the browser is opened, the site where the malware originates is accessed instead.
Disabling these system applications are a common technique of most malware to hide themselves from computer-savvy users. Moreover, it prevents knowledgeable users from verifying if a malware is present in the system. Modifying the startup page in IE ensures that even if the malware is deleted or cleaned from the system, it still has a chance of reinstalling itself.
Fortunately, a solution is currently in the works for this threat. Trend will be detecting this malware as TROJ_AGENT.EVJ. We’ll update you once the detection pattern for this Trojan has been released.
Update (Jasper, Wed, 20 Sep 2006 09:55:05 AM)The detection pattern for this threat has already been deployed in CPR 3.764.01