Their worries just came true.
A newly discovered variant of Breplibot drops the file “$sys$drv.exe” in the Windows system directory. This means that on systems infected by the Sony rootkit, the dropped file is entirely invisible to the user: it will not appear in any process or file listing. Only rootkit scanners, such as the free utility RootkitRevealer, can unmask the culprit.
Aside from exploiting the Sony rootkit, this new malware also targets a specific audience: business people. It arrives as an email attachment, in a message that pretends to come from a reputable business magazine and asks the recipient to verify his/her “picture” to be used for the December issue. Of course, the supposed picture is in fact the attached malware.
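The following is an added illustration, not code from the original post, of why only a cross-view scanner like RootkitRevealer sees the dropped file. The Sony rootkit cloaks every name beginning with “$sys$” from the Windows API; a cross-view scanner compares that API listing with a raw parse of the volume and reports whatever is missing. The hooked listing, the directory contents and the file bytes here are constructed stand-ins (no real sample is reproduced); the MD5 table holds the two hashes published on this page.

```python
import hashlib

# The Sony/XCP rootkit cloaks any file name starting with this prefix.
CLOAK_PREFIX = "$sys$"

# MD5s published on this page; a hidden file matching one is the known backdoor.
KNOWN_MD5 = {
    "ebe94809b68675feddfe2a2fa889f243": "BKDR_REPLIBOT.C",
    "fdd2846919364301b7483c039a6a1ccd": "BKDR_REPLIBOT.C (new sample)",
}

def hooked_api_view(raw_listing):
    """Constructed model of the rootkit's hooked directory enumeration:
    every entry whose name starts with the cloak prefix is dropped, so
    Explorer, dir and ordinary file-based AV scans never see it."""
    return [n for n in raw_listing if not n.lower().startswith(CLOAK_PREFIX)]

def cross_view_diff(api_listing, raw_listing):
    """RootkitRevealer-style check: anything present in the raw on-disk
    listing but absent from the API listing is being hidden."""
    return sorted(set(raw_listing) - set(api_listing))

def triage_hidden(hidden_names, file_bytes):
    """For each hidden file, compute its MD5 and look it up against the
    published indicators. file_bytes maps name -> content (constructed)."""
    report = {}
    for name in hidden_names:
        digest = hashlib.md5(file_bytes[name]).hexdigest()
        report[name] = {
            "md5": digest,
            "cloaked_prefix": name.lower().startswith(CLOAK_PREFIX),
            "verdict": KNOWN_MD5.get(digest, "unknown: submit for analysis"),
        }
    return report

# Constructed sample: a system directory as parsed directly from the volume.
RAW_SYSTEM_DIR = ["kernel32.dll", "ntoskrnl.exe", "$sys$drv.exe"]
SAMPLE_BYTES = {"$sys$drv.exe": b"MZ\x90\x00 constructed stand-in, not the real sample"}

if __name__ == "__main__":
    api = hooked_api_view(RAW_SYSTEM_DIR)          # what the user's tools see
    hidden = cross_view_diff(api, RAW_SYSTEM_DIR)  # what the rootkit cloaked
    for name, info in triage_hidden(hidden, SAMPLE_BYTES).items():
        print(f"{name}: md5={info['md5']} verdict={info['verdict']}")
```

On a real host the raw listing comes from parsing the NTFS structures directly rather than from a list literal; the comparison logic is the same.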
Here are sample emails:
This will be detected as BKDR_REPLIBOT.C
Update (Zobel, 10 November 2005 19:29:55)
As usual, as a precautionary measure, scrutinize every email received, especially those that have attachments with them. Do not be carried away with whatever the email body is saying, no matter how good or flattering it may seem. And of course, keep that Antivirus Software (uhem… uhem, from Trend I assume) always updated.
Update (JJ, 10 November 2005 23:49:08)
BKDR_REPLIBOT.C’s MD5 = ebe94809b68675feddfe2a2fa889f243
New sample’s MD5 = fdd2846919364301b7483c039a6a1ccd