Archive for June 4th, 2009


Jun 4
by Alice Decker (Advanced Threats Researcher)

Stealth techniques are a core characteristic of malware, one that has been developed, improved, redesigned, and reused over time. Michael Tants, Threat Researcher at Regional TrendLabs in Europe, has notified us of a worm with a unique way of hiding: on infection, WORM_AUTORUN.JFZ writes a copy of itself into every ZIP-compressed file it finds on the system.


When WORM_AUTORUN.JFZ places a copy of itself in an archive, it uses a double extension, appending .GIF and .SCR to the file name.

The .GIF extension serves as the social engineering lure. Curious users who still have the default Windows Explorer configuration (which hides the extensions of known file types) see only the .GIF part and may have an unpleasant experience once they double-click the purported image file. The .SCR extension, on the other hand, is what makes the file executable.

Writing itself into data files is not the only way this worm ensures its presence on a system. It also uses traditional spreading methods, dropping a copy of itself (named kkk.exe) together with an autorun.inf file onto all available physical, removable, and shared drives.
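The archive-infection behaviour described above can be checked for from the defender's side by inspecting ZIP members rather than trusting their names. The following is an added example, not code from the original post or from Trend Micro: it flags members that carry an image-plus-executable double extension (the .GIF.SCR pattern) and members whose content starts with a PE "MZ" header under a non-executable extension, using a constructed sample archive.

```python
import io
import zipfile

# Extensions Windows runs as programs; the worm uses .SCR (screensaver).
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd"}
# Extensions a user expects to hold an image; these are the lure.
IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".bmp"}


def classify_entry(name: str, head: bytes) -> list:
    """Return the reasons an archive member looks like a disguised executable."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]          # strip any folder path
    exts = ["." + p for p in base.split(".")[1:]]   # e.g. ['.gif', '.scr']
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in IMAGE_EXTS:
        reasons.append("double extension %s%s" % (exts[-2], exts[-1]))
    # Content check: a PE image (MZ header) that is not declared as executable.
    if head.startswith(b"MZ") and exts and exts[-1] not in EXECUTABLE_EXTS:
        reasons.append("PE header under non-executable extension")
    return reasons


def scan_zip_bytes(data: bytes) -> dict:
    """Scan a ZIP held in memory; return {member name: reasons} for suspicious members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)               # only the magic bytes are needed
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive (hypothetical content): benign files plus two disguised PEs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "quarterly figures")
        zf.writestr("photos/holiday.gif", b"GIF89a" + b"\x00" * 16)
        # Mimics the worm's copy: PE bytes under an image name with .SCR appended.
        zf.writestr("photos/holiday.gif.scr", b"MZ" + b"\x90" * 32)
        # A PE hiding under a plain .gif name, caught by the content check.
        zf.writestr("photos/card.gif", b"MZ" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in scan_zip_bytes(build_sample_archive()).items():
        print(name, "->", "; ".join(why))
```

To use this on real files, pass the bytes of each archive found on disk to scan_zip_bytes and quarantine anything it reports.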

We strongly urge you to update your pattern files regularly and to scan your systems for malware and grayware. The Trend Micro Smart Protection Network already protects users from this kind of threat.


Jun 4
by JM Hipolito (Technical Communications)

Questions surrounding the crash of Air France Flight 447 have not been fully resolved as of now, but that did not need to be the case for cybercriminals; they are already taking advantage of this tragedy too.

Through SEO poisoning, searches for reports related to the plane crash yield links that, when opened, trigger multiple redirections through various sites and ultimately lead to the download of rogue antivirus software.


The URLs shown above (Figure 2) are detected as follows:

  • hxxp:// cnnnews2009.{BLOCKED}.com/french-airbus-crash.html – detected as HTML_REDIRECT.ED
  • hxxp:// cnnnews2009.{BLOCKED}.com/images/menu.js – detected as JS_CRYPTED.HW
  • hxxp:// {BLOCKED}ware-live-scanv3.com/1/?id=2022&smersh=8186a276d&back=%3DDQwxDDwNcQNMI%3DN/My computer Online Scan.htm – detected as JS_FAKEAV.BIM

As of this writing, the other URLs are inaccessible. The downloaded rogue antivirus installer, Install_2022.exe, is detected as TROJ_FAKEAV.BIM. Upon execution, it connects to a URL to download another file, which is now detected as TROJ_YEKTEL.AA.

Upon execution, TROJ_YEKTEL.AA displays an installation prompt for a supposed antivirus application called Personal Antivirus. Should a user proceed with the installation, he or she is greeted by a parade of malware detections supposedly found on the system. These detections are fake and are used to scare the user into getting the full version of the software, for a fee of course.


It is saddening to see cybercriminals trying to pull off one of these rogue antivirus schemes using the most recent tragedies, where so much mourning is involved.

Nonetheless, the Trend Micro Smart Protection Network already stops this threat from affecting users, as the malicious URLs are blocked and the files are detected.


© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice