We’re receiving quite a number of attachments from IMSS with the following names:
- DanceFoto34.zip
- Foto_Dance1.zip
- Foto3(DANCE).zip
Yep, FYI. This will be detected as TROJ_DLOADER.CSX.
Yes, I just have to come up with a witty title every time.
So anyway, in my previous post, we’ve had Chinese, Portuguese, and bad English emails with malicious attachments. Here’s one with a Russian text:
However, we are still in the process of verifying if the text is a form of social engineering, or if it’s just some user asking about a file. I’m pretty sure this is a maliciously spammed email though, given the results of the wacky babelfish translation (although if anyone can translate this right away, do tell):
“Regards, 4 I today you await in guests, ring me before to go… By the way, in the archive of 4 zapokovala the necessary for you documents… There all itself you will understand, thus far. I await!”.
And the fact that the attachment is not password-protected and IS malicious.
And oh, CAB files are just another form of archive, and I believe this is the first time I’ve seen a (malicious) CAB archive being spammed, rather than the usual ZIP (or RAR, although that is a bit uncommon; CAB files are rarer, I believe).
Update(JJ, 07 April 2006 22:38:43)
Subject: “Will you come to me today?”

Today, complex rootkits are being utilized by malware authors. This will make their malware harder for AV scanners to detect. A programmer called tibbar claims that he has developed a kernel mode IRC bot using the kernel mode socket library recently released by Valerino.
I have used this library to create what I believe is the world’s first kernel mode ircbot. It’s extremely basic in its current form and will just join a channel plus responding to its name. But it is a framework that can be built upon and you could in theory write an extremely complex ircbot in this fashion.
This is a heads up and we may see this kind of malware in the near future. Recently, we have had the authors of Bagle incorporating a rootkit in their malware, and now we may see IRC bots going kernel mode. The team will be on the lookout for possible malware using the above mentioned technology. For now, just keep your pattern files up to date. =)
For the past weeks, we’ve had LOTS of little-ly (yes, there is such a word in my vocabulary) spammed trojans. No massive email spamming, just email messages in small doses, and with small targets.
Take for example these hand-picked advisories from the Email Honeypot:
TSPY_PERFLOG.L
Short and sweet. And with a typo. And of course, an executable attachment.
TROJ_DLOADER.CLE
This one is in… Portuguese?
“Talk for free with anyone you want, netphnoe, this service came to stay! Open the attached file and install now our product the first 500 minutes are for free!”
TROJ_SMALL.SY
Now this one attempts to make the target believe that the original email is from the user. Confused? Hmm… Let me try again. This one tries to make the target think that the email is a reply to an original email… Wait, here’s an email sample:
There, see what I mean? The “you wrote” part? Yes?
April 1 has come and gone, and we still haven’t seen an April Fool’s malware. Possibly because malware writers have grown tired of the subject already? And perhaps users are more aware (hopefully) this time around? And yes (on a totally different topic), April 3 is Nyxem/Grew/CME-24 time!
And here’s the latest stats from the Virus map
We’ve received an inquiry regarding an email message circulating the net about a worm that targets Hotmail, “which would cause heavy losses to company users when they log on to their Hotmail accounts to receive e-mails.”
The email quotes the Tianjin-based National Computer Virus Emergency Response Center as the source of this information, which, btw, we’ve already contacted. But for now, it’s sleeping-time in China, so updates tomorrow on this alleged Hotmail worm.
P.S. I’m not sure if they are referring to WORM_ATOMICKS.A
Update(JJ, 30 March 2006 14:32:23)
And quite surprisingly (or not), they were in fact referring to WORM_ATOMICKS.A.
The latest OPR 297 can detect them as WORM_ATOMICKS.A.

As soon as I got back to my desk from a coffee break, I noticed a number of samples in the email honeypot with the same MD5 hashes.
The email has the subject “Acts of terror in Washington” and pretends to be from CNN World News. The email claims to be based on the FBI’s findings about new acts of terrorism in Washington and convinces the recipient to download and execute the attachment.
The attachment is in zip format, has the name Washington.zip, and contains a malicious executable file named Washington.exe.
After mails about the “Bird Flu” and Milosevic’s death, now the people behind them came up with another idea… “Falling Dollar”. Yes, they are now busying themselves with a “Falling dollar” Trojan run. Please be careful with the spam mails that have these subjects.
A .CGI link is seen there that will point to the recent IE 0-day exploit.
We are still advising users to be very cautious when clicking links. You wouldn’t really know just where it might take you.
We have just intercepted a number of spammed emails with the subject “Attention! New acts of terrorism in New York, Chicago and Las Vegas” and the attachment name “Information.zip”. The current email contents and those of a previous incident (TSPY_FLECSIP.N) are the same except for the alleged new place of terrorism.
The malicious attachment with the MD5 hash of 3CA014361158C167AA1406840DA4CFFF has been given the detection name TROJ_SMALL.BOA.
Below is the actual email:
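As an added example (not code from the original posts), a small Python triage script for the honeypot workflow described above: dedupe samples by MD5 as in the Washington.zip post, then match each unique sample against the hash given for TROJ_SMALL.BOA, the attachment names quoted here, and the Foto/Dance naming pattern from the first post. The sample batch and its bytes are constructed placeholders, not real malware.

```python
import hashlib
import re
from collections import defaultdict

# Indicators quoted in the posts above; the hash is the one given for TROJ_SMALL.BOA.
KNOWN_MD5 = {"3ca014361158c167aa1406840da4cfff": "TROJ_SMALL.BOA"}
KNOWN_NAMES = {
    "washington.zip": "'Acts of terror in Washington' run",
    "information.zip": "'New acts of terrorism' run (TROJ_SMALL.BOA)",
}
# DanceFoto34.zip, Foto_Dance1.zip, Foto3(DANCE).zip: both words, any order, any case.
FOTO_DANCE_RE = re.compile(r"(?i)^(?=.*foto)(?=.*dance).*\.zip$")

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def dedupe_by_md5(samples):
    """samples: iterable of (attachment_name, raw_bytes) pulled from the honeypot.
    Returns {md5: [names]} so one binary spammed under many names counts once."""
    groups = defaultdict(list)
    for name, data in samples:
        groups[md5_hex(data)].append(name)
    return dict(groups)

def classify(name: str, md5: str) -> str:
    """Verdict for one sample, checked in order of confidence:
    exact hash match, then known attachment name, then the Foto/Dance naming pattern."""
    if md5.lower() in KNOWN_MD5:
        return "detected: " + KNOWN_MD5[md5.lower()]
    if name.lower() in KNOWN_NAMES:
        return "suspect: " + KNOWN_NAMES[name.lower()]
    if FOTO_DANCE_RE.match(name):
        return "suspect: Foto/Dance zip run (TROJ_DLOADER.CSX)"
    return "unknown"

def triage(samples):
    """Dedupe first, then give each unique hash the strongest verdict any of its names earns."""
    out = {}
    for h, names in dedupe_by_md5(samples).items():
        verdicts = [classify(n, h) for n in names]
        out[h] = (names, next((v for v in verdicts if v != "unknown"), "unknown"))
    return out

# Constructed sample batch (placeholder bytes, not real malware).
SAMPLE_BATCH = [
    ("Washington.zip", b"PK\x03\x04 placeholder A"),
    ("Washington.zip", b"PK\x03\x04 placeholder A"),   # same binary re-spammed
    ("DanceFoto34.zip", b"PK\x03\x04 placeholder B"),
    ("invoice.pdf", b"%PDF placeholder C"),
]

if __name__ == "__main__":
    for h, (names, verdict) in triage(SAMPLE_BATCH).items():
        print(h, len(names), "copies", verdict)
```

Name and hash matches only catch the exact runs quoted here; a renamed or repacked attachment drops through to "unknown", so this is a first-pass triage for the honeypot queue, not a substitute for the pattern file.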
We are currently capturing lots of Mytob and Mydoom worms in our Email Honeypots.
The Mytob worm sample is damaged but is still being spammed; it has now been added to the detection WORM_MYTOB.DAM.
The Mydoom worm has already been passed to the service team and I have just received word that it will be detected as WORM_MYDOOM.BK.