
Archive for May 23rd, 2007


May23
by Miray Lozada (Technical Communications)

Cellphones have evolved into the proverbial nerve centers of our social (and even work) lives. The information they hold is a virtual fingerprint of our interactions with other people: sensitive data that can be used against us if a malicious user gets hold of it. This scenario may not be too far off the mark.

Trend Micro detects spyware produced by Retina-X Studios as SPYW_RETRINAX.A (also known as WINCE_RETRINAX.A). This spyware is designed to run on Windows CE, the Microsoft OS for Pocket PC devices. It monitors calls and SMS/text messages sent and received on the affected device. The information it gathers is then sent to a server, where it can be viewed later. While this spyware is not a malicious application per se, it can be installed on a mobile device by someone with ill intent, without the owner’s consent.

This spyware is already included in the latest Trend Micro pattern files.


May23
by Jasper Pimentel (Advanced Threats Researcher)

Just last March, TROJ_ANICMOO.AX made a name for itself by exploiting a vulnerability in the way Windows handles animated cursors. Delivered as a malicious .ANI file, this Trojan is known to download other malware from certain URLs. Now, two months after its discovery, TROJ_ANICMOO.AX is still around, hosted by malicious websites such as this one.

[Screenshot: anicmoo-site.jpg, search result for the site hosting TROJ_ANICMOO.AX]

This particular site has since been disabled by its hosting company because of the malware it hosted, TROJ_ANICMOO.AX among them. Two more Trojans could be downloaded from the same site: TSPY_LDPINCH.AHY (reported to be a password stealer) and TROJ_AGENT.RZR.

Sites with malware content are proliferating and are becoming the mainstream vector for malware distribution. Users are advised not to visit untrusted sites. As an additional precaution, users can search for a URL in Google before accessing it directly: the search result (like the one illustrated above) will often carry a warning if the site is known to host malicious content.


May23
by Ryan Flores (Advanced Threats Researcher)

At around 11 PM (GMT+8) yesterday, our e-mail honeypots started to capture a moderate volume of FEEBS malware e-mails. Below are two examples of what these FEEBS e-mails look like.

[Screenshot: eml1.JPG, first sample FEEBS e-mail]

[Screenshot: eml2.JPG, second sample FEEBS e-mail]

The e-mails use the phrases “Your help is necessary” and “I have found a page about you” as base subjects. The spammer then scrambles the spelling of each subject, probably in an attempt to make e-mail blocking more difficult, so the subjects arrive as variants such as “Your help is nceessary” or “I have found ap age about oyu” instead.

All e-mail attachments arrive in .ZIP format, commonly with the filename document.zip, mail.zip, message.zip, setup.zip, information.zip or data.zip. The archived FEEBS executable inside, however, has varying filenames that appear to be composed of random letters of random length.
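The subject scrambling described above (letters transposed within a word, spaces shifted between words) leaves the multiset of letters in the subject unchanged, so a filter that compares that multiset rather than the exact string catches every variant the spammer generates from a given base phrase. The following is an added example of such a filter, written for this page and not Trend Micro’s own detection logic; it also checks for the lure .ZIP filenames listed above and for a link to the qu-a.nm.ru site mentioned later in the post. The sample messages it builds are constructed for the example, and the indicator weighting (two or more indicators means FEEBS-like) is an assumption.

```python
"""Flag FEEBS-style spam: scrambled lure subjects, lure .ZIP names, lure link.

Added example for this page; not Trend Micro's detection code. Sample e-mails
are constructed inline, and the two-indicator threshold is an assumption.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Base subjects and attachment names reported in the post.
BASE_SUBJECTS = ["Your help is necessary", "I have found a page about you"]
LURE_ZIP_NAMES = {"document.zip", "mail.zip", "message.zip",
                  "setup.zip", "information.zip", "data.zip"}
LURE_DOMAIN = "qu-a.nm.ru"


def signature(text):
    """Sorted lowercase letters only: invariant under transposed letters
    and shifted spaces, which is exactly how the spammer mutates subjects."""
    return "".join(sorted(re.sub(r"[^a-z]", "", text.lower())))


BASE_SIGNATURES = {signature(s): s for s in BASE_SUBJECTS}


def match_subject(subject):
    """Return the base lure phrase a (possibly scrambled) subject maps to, or None."""
    return BASE_SIGNATURES.get(signature(subject))


def zip_attachments(msg):
    """Lowercased filenames of all .zip attachments in the message."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and name.lower().endswith(".zip"):
            names.append(name.lower())
    return names


def classify(raw):
    """Parse a raw RFC 822 message and score it on the three FEEBS indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    lure = match_subject(msg["Subject"] or "")
    lure_zips = [n for n in zip_attachments(msg) if n in LURE_ZIP_NAMES]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    has_link = LURE_DOMAIN in text
    hits = int(lure is not None) + int(bool(lure_zips)) + int(has_link)
    verdict = "FEEBS-like" if hits >= 2 else ("suspicious" if hits == 1 else "clean")
    return {"lure": lure, "lure_zips": lure_zips, "link": has_link, "verdict": verdict}


def build_sample(subject, zip_name=None, link=None):
    """Construct a test e-mail (not a real captured sample) as a raw string."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attachment." + (f"\n{link}\n" if link else ""))
    if zip_name:
        # Payload bytes are a placeholder, not a real archive.
        msg.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                           subtype="zip", filename=zip_name)
    return msg.as_string()


if __name__ == "__main__":
    samples = [
        build_sample("I have found ap age about oyu", "message.zip", "http://qu-a.nm.ru"),
        build_sample("Your help is nceessary"),
        build_sample("Meeting notes", "notes.zip"),
    ]
    for raw in samples:
        print(classify(raw))
```

The letter-multiset signature is deliberately coarse: it will not distinguish genuine anagrams, so it is only suitable for long phrases like these, and it should be one indicator among several rather than a block rule on its own, which is why the example also looks at the attachment name and the link.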

Aside from the attachment, the spammed e-mail also contains a link to http://qu-a.nm.ru, which at first glance looks like a pump-and-dump site.

[Screenshot: page1.JPG, the qu-a.nm.ru landing page]

However, clicking the Download GEO System link downloads the file setup.zip, which contains setup.exe.

Setup.exe pretends to be an installer for the bogus company QU-A Trading Systems and offers the “option” of installing in one of several languages.

[Screenshot: page2.JPG, the fake QU-A Trading Systems installer]

To complete the guise, setup.exe displays an Installation Completed message box; but instead of installing any “Trading Systems” software, it drops copies of WORM_FEEBS and JS_FEEBS.

[Screenshot: page3.JPG, the fake Installation Completed message box]

As usual, we advise our beloved readers to NOT execute files or click on links coming from unsolicited e-mail.



© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice