Archive for November 15th, 2006


Nov15
by Ryan Flores (Advanced Threats Researcher)

In an investigation conducted by TMIRT regarding WORM_NUWAR.BQ – the worm responsible for mailing copies of itself with e-mail subjects about a "Nuclear War" or "President Bush is dead" – we discovered that this malware also serves as a seeding point for turning infected machines into spam zombies.


Aside from its mass-mailing capabilities, this worm also connects to 81.177.3.85 and downloads four files from it. The downloaded files are component files used to download other files and updates, gather e-mail addresses, pack the worm into RAR archives, and act as a Trojan proxy, plus an updated copy of the worm.


The most interesting of the downloaded files are the component that gathers e-mail addresses and the Trojan proxy.


The component that gathers e-mail addresses not only collects addresses from the files most likely to contain them (WAB, MSG, etc.), but also sends the gathered addresses to 81.177.3.85! Now we're talking about malware harvesting valid e-mail addresses!


The Trojan proxy component, on the other hand, acts as an SMTP relay server, and guess what? This component is responsible for turning the infected machine into a spam zombie! After it left port 25 open for incoming connections, we suddenly found our test system flooded with activity and sending out pump-and-dump spam, as seen below!
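A spam zombie of the kind described above gives itself away on the network: a workstation that normally never talks SMTP suddenly opens outbound TCP/25 connections to many different mail servers in a short time. The following detector is an added example written for this post, not code from TrendLabs or from the worm analysis. It assumes a hypothetical connection-log format (`<epoch> <src_ip> <dst_ip> <dst_port> <proto>`) and a constructed sample log; the organisation's real mail servers are passed in as an allowlist so that legitimate MTAs are not flagged.

```python
import re
from collections import defaultdict

# Constructed sample connection log (hypothetical format, not from the post).
# 10.0.0.5 behaves like a spam zombie: six distinct SMTP peers in six seconds.
# 10.0.0.2 is the organisation's own MTA (allowlisted below).
SAMPLE_LOG = """\
1163592000 10.0.0.5 198.51.100.10 25 tcp
1163592001 10.0.0.5 198.51.100.11 25 tcp
1163592002 10.0.0.5 198.51.100.12 25 tcp
1163592003 10.0.0.5 198.51.100.13 25 tcp
1163592004 10.0.0.5 198.51.100.14 25 tcp
1163592005 10.0.0.5 198.51.100.15 25 tcp
1163592006 10.0.0.7 198.51.100.10 80 tcp
1163592007 10.0.0.2 198.51.100.20 25 tcp
1163592008 10.0.0.2 198.51.100.21 25 tcp
1163592009 10.0.0.9 198.51.100.30 25 tcp
1163600000 10.0.0.5 198.51.100.40 25 tcp
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\w+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto = m.groups()
    return {"ts": int(ts), "src": src, "dst": dst, "port": int(port), "proto": proto}


def find_smtp_zombies(log_text, mail_servers, window=300, min_distinct_dst=5):
    """Return {src_ip: peak_distinct_destinations} for every source host that,
    within any `window` seconds, opened outbound TCP/25 to at least
    `min_distinct_dst` distinct hosts.  Hosts in `mail_servers` are ignored,
    since a real MTA is expected to talk to many peers."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["port"] != 25 or rec["proto"] != "tcp":
            continue
        if rec["src"] in mail_servers:
            continue
        per_src[rec["src"]].append((rec["ts"], rec["dst"]))

    flagged = {}
    for src, events in per_src.items():
        events.sort()  # sliding window over time-ordered (ts, dst) pairs
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            best = max(best, distinct)
        if best >= min_distinct_dst:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for host, peers in find_smtp_zombies(SAMPLE_LOG, {"10.0.0.2"}).items():
        print(f"possible spam zombie: {host} reached {peers} SMTP peers in 5 minutes")
```

The sliding window matters: the same host's single SMTP connection two hours later (the last sample line) is not counted toward the burst, so an occasional legitimate mail submission from a workstation does not trip the rule. Blocking outbound TCP/25 from everything except the allowlisted MTAs at the perimeter removes the problem class entirely, and this detector is then a check that the block is actually in place.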


Ever wondered who sends out all that nasty spam? Well, your officemate, cousin, brother, or sister may be doing it for the spammers – for free!


*TrendLabs is conducting a more thorough investigation for this malware incident. A complete report will be posted online by our threat reporters.


Nov15
by Jhoevine Capicio (Advanced Threats Researcher)

A new TROJ_YABE variant is currently making the rounds on the net. We managed to get a copy of the sample email. Please see below.


The email is in German, and since I don't read German, a Babel Fish translation of the email body is found below.

———————————————-

eBay reference to changed E-Mail address
Dear eBay member,

Thank you for your request for change of your E-Mail address. The instruction guide how for account changing were sent to your new E-Mail address.

If the change of your email address wasn’t made by you then execute immediately the instruction described in the attached PDF document!

As soon as the procedure is finished, your emails from eBay will not be passed to this emails address anymore.

If you did not make this change, ask please first family members and other persons, evtl. Entrance to your member account have. If you believe you that an unauthorized person changed your email address then follow the instruction described in the attached PDF file.

Thank you,
eBay
———————————————-


As you may already have guessed, this malware disguises itself as a PDF document in order to fool users into executing the attachment.


The email attachment is Ebay.pdf.exe, with a PDF icon as shown below.


As part of its social engineering techniques, Ebay.pdf.exe pops up a message box saying that an error has occurred in Acrobat 6, making the user believe that the attachment is just a corrupted PDF file and not a Trojan.
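The "Ebay.pdf.exe" trick relies on the final extension being hidden or overlooked while the ".pdf" in the middle and the icon carry the message. A mail gateway or endpoint filter can catch the double-extension pattern before a user ever sees the icon. The check below is an added example written for this post, not TrendLabs code; the extension lists are illustrative, and the attachment names it is run against are constructed.

```python
import os

# Extensions Windows will execute directly (illustrative list, not exhaustive).
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a user reads as "just a document or picture".
DOCUMENT_EXT = {".pdf", ".doc", ".xls", ".txt", ".jpg", ".gif", ".zip"}


def split_extensions(name):
    """Return all extensions of a filename, lower-cased, outermost last:
    'Ebay.pdf.exe' -> ['.pdf', '.exe'].  Whitespace padding such as
    'Ebay.pdf      .exe' (used to push '.exe' out of view) is stripped."""
    stem = name.strip()
    exts = []
    while True:
        stem, ext = os.path.splitext(stem)
        stem = stem.strip()
        if not ext or not stem:
            break
        exts.insert(0, ext.lower())
    return exts


def classify_attachment(name):
    """'executable-disguised-as-document' for Ebay.pdf.exe-style names,
    'executable' for a plainly executable attachment, otherwise 'ok'."""
    exts = split_extensions(name)
    if not exts or exts[-1] not in EXECUTABLE_EXT:
        return "ok"
    if any(e in DOCUMENT_EXT for e in exts[:-1]):
        return "executable-disguised-as-document"
    return "executable"


def flag_attachments(names):
    """Return {name: verdict} for every attachment that is not 'ok'."""
    return {n: v for n in names if (v := classify_attachment(n)) != "ok"}


# Constructed sample attachment names, including the one from the post.
SAMPLE_ATTACHMENTS = [
    "Ebay.pdf.exe",
    "Ebay.PDF      .Exe",
    "invoice.pdf",
    "photos.tar.gz",
    "setup.exe",
]

if __name__ == "__main__":
    for name, verdict in flag_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name!r}: {verdict}")
```

Matching on the filename alone is cheap but only a first layer: the same executable renamed to "Ebay.pdf" would pass this check and still run if the user is tricked into opening it with the right program, so content-type sniffing (an MZ header inside a supposed PDF) belongs alongside it.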


Unknown to the user, the file Ebay.pdf.exe has already connected to the internet and downloaded a txt file from one of these locations:



  • http://[BLOCKED].com/language/lang_english/lan.txt
  • http://[BLOCKED]/more.txt
  • http://[BLOCKED]ges/sidebar/f02.txt
  • http://[BLOCKED]ix/Picture.txt
  • http://[BLOCKED]b.com.pl/stat.txt

These txt files contain an encrypted copy of the URL of another Trojan, named 6.exe, which Ebay.pdf.exe then downloads. This in turn drops a BHO spyware.


All files included in this blog post have already been given to the service team for processing.


© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice