While filtering URLs from emails gathered with an email honeypot, we came across mails containing URLs pointing to a file named “video.exe”. We took that as a fairly obvious hint of possible malicious activity, so we decided to get our hands dirty and do some digging. Here’s a screenshot of the sample mail:

The URL behind the Watch hyperlink is a redirect served by doubleclick.net, an advertising service. It appears that the file was moved from its original server, so the advertising service now redirects to other Web sites that also host VIDEO.EXE. The file is detected by Trend Micro as TROJ_NUWAR.ZJ.
So far we have seen two Web sites that appear to have been compromised to host the malicious file: hxxp://infopointitalia.it and hxxp://escortsmurcia.com. Note that merely visiting either site won’t trigger an infection; appending the filename VIDEO.EXE to the end of the URL, however, fetches the malicious executable (users are warned that doing this may lead to a malware infection). The owners of both affected Web sites have been informed, and as of this writing the malicious file has been removed from hxxp://escortmurcia.com.
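As an added illustration, not code from the original post, the following Python script performs the kind of first-pass triage described above: it pulls URLs out of a mail body, unwraps a tracker-style redirect that carries its destination in a query parameter, and flags any final URL whose path ends in a Windows executable, all without touching the network. The sample mail, the tracker hostname and the `url=` destination-parameter convention are constructed assumptions for the example; real DoubleClick click URLs may look different.

```python
import html
import re
from email import message_from_string
from urllib.parse import parse_qs, urlparse

# Constructed sample for this example, not the honeypot mail from the post.
# The tracker host and the "url=" destination parameter are assumptions that
# mimic a click-tracking redirect; real ad-network URLs vary.
SAMPLE_MAIL = """\
From: sender@example.invalid
To: honeypot@example.invalid
Subject: funny clip
Content-Type: text/html

<html><body>
<p>You have to see this! <a href="http://ad.example-tracker.invalid/click?id=42&amp;url=http%3A%2F%2Fwww.example-compromised.invalid%2FVIDEO.EXE">Watch</a></p>
<p><a href="http://www.example.invalid/page.html">Home</a></p>
</body></html>
"""

EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
# Query parameters that redirectors commonly use to carry the destination
# (assumed list; extend it for the trackers you actually encounter).
REDIRECT_PARAMS = ("url", "adurl", "redirect", "target", "u")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def body_text(raw_mail: str) -> str:
    """Concatenate the decoded text of every text/* part of the message."""
    msg = message_from_string(raw_mail)
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is not None:
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, errors="replace"))
    return "\n".join(chunks)


def extract_urls(raw_mail: str) -> list:
    """Return unique http(s) URLs in order of appearance, HTML entities decoded."""
    text = html.unescape(body_text(raw_mail))
    seen, urls = set(), []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def unwrap_redirect(url: str, max_hops: int = 5) -> str:
    """Peel off tracker/redirector layers that embed their destination in a
    query parameter, without issuing any request. Stops after max_hops."""
    for _ in range(max_hops):
        params = parse_qs(urlparse(url).query)
        nested = next(
            (v for name in REDIRECT_PARAMS for v in params.get(name, [])
             if v.lower().startswith(("http://", "https://"))),
            None,
        )
        if nested is None:
            break
        url = nested
    return url


def is_executable_url(url: str) -> bool:
    """True when the URL path ends in a Windows executable extension."""
    return urlparse(url).path.lower().endswith(EXECUTABLE_EXTENSIONS)


def triage(raw_mail: str) -> list:
    """One record per URL: the raw link, where it finally points, and flags."""
    records = []
    for url in extract_urls(raw_mail):
        final = unwrap_redirect(url)
        records.append({
            "url": url,
            "final": final,
            "redirector": final != url,
            "suspicious": is_executable_url(final),
        })
    return records


if __name__ == "__main__":
    for rec in triage(SAMPLE_MAIL):
        flag = "SUSPICIOUS" if rec["suspicious"] else "ok"
        print(f"{flag:10} {rec['url']}\n{'':10} -> {rec['final']}")
```

The unwrapping is deliberately offline: a live redirect chain can change per request (as the doubleclick.net link did once the file moved), so what the mail itself encodes and what the server currently answers are two separate observations worth recording separately.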
TROJ_NUWAR.ZJ installs itself as a service on the affected system and hooks the browser with a malicious BHO (Browser Helper Object). Through the BHO it downloads a text file containing several URLs of porn and advertising Web sites. It also writes words related to adult, pharmacy and finance content into text files found on the affected system.
The trouble does not end there. Once the user restarts the browser or the affected system, several annoying “spyware warning” symptoms start to appear:



Additionally, the initial redirection by the advertising server also seems to connect to another URL, hxxp://{BLOCKED}front.net/l.php?id=119. That URL serves a Windows executable that is runtime-encrypted (packed). Varying the id value at the end of the URL yields several other files that differ byte-for-byte but have exactly the same size, and which trigger the heuristic detection TROJ_TIBS.JHT.
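Several downloads of identical size but different bytes, all high-entropy, is the pattern to check for before concluding that the server hands out a freshly re-encrypted copy per id. The script below is an added example, not part of the original research: it records size, SHA-256 and byte entropy for a set of samples and reports size clusters whose members are not byte-identical. The samples are constructed in code (an MZ header over seeded pseudo-random bytes, plus a low-entropy control) to stand in for the files fetched with different id values; the 7.0 bits/byte packing threshold is an assumption.

```python
import hashlib
import math
import random
from collections import defaultdict

# Assumed threshold: compressed or encrypted data sits close to 8 bits/byte,
# ordinary native code and text well below it.
PACKED_ENTROPY_THRESHOLD = 7.0


def make_packed_sample(seed: int, size: int = 4096) -> bytes:
    """Constructed stand-in for one runtime-encrypted download: an MZ header
    over seeded pseudo-random bytes, so each seed gives different content of
    exactly the same size (this is not the real TROJ_TIBS sample)."""
    rng = random.Random(seed)
    return b"MZ" + bytes(rng.getrandbits(8) for _ in range(size - 2))


# Constructed unpacked control: low-entropy, repetitive bytes.
PLAIN_SAMPLE = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n" * 40

# Keys name the id values that were varied in the download URL (constructed).
SAMPLES = {
    "id=119": make_packed_sample(119),
    "id=120": make_packed_sample(120),
    "id=121": make_packed_sample(121),
    "control": PLAIN_SAMPLE,
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum, reached by uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def describe(data: bytes) -> dict:
    """Per-sample record: size, hash, entropy, PE magic, packed verdict."""
    entropy = shannon_entropy(data)
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "entropy": round(entropy, 2),
        "has_mz": data[:2] == b"MZ",
        "packed": entropy >= PACKED_ENTROPY_THRESHOLD,
    }


def cluster_by_size(samples: dict) -> dict:
    """Map file size -> list of sample names with that size."""
    groups = defaultdict(list)
    for name, data in samples.items():
        groups[len(data)].append(name)
    return dict(groups)


def same_size_different_bytes(samples: dict) -> dict:
    """Size clusters with more than one member where every member hashes
    differently: the signature of per-id re-encrypted copies."""
    out = {}
    for size, names in cluster_by_size(samples).items():
        digests = {hashlib.sha256(samples[n]).hexdigest() for n in names}
        if len(names) > 1 and len(digests) == len(names):
            out[size] = sorted(names)
    return out


def analyze(samples: dict) -> dict:
    """Describe every sample; keyed by the sample name."""
    return {name: describe(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, info in analyze(SAMPLES).items():
        print(f"{name:8} size={info['size']:5} entropy={info['entropy']:.2f} "
              f"packed={info['packed']} sha256={info['sha256'][:16]}...")
    print("same size, different bytes:", same_size_different_bytes(SAMPLES))
```

Entropy alone does not distinguish a packed executable from a legitimately compressed one, so treat the packed flag as a reason to unpack and compare, not as a verdict; the size cluster with all-different hashes is the stronger signal that the server-side component, not the payload, is what changes between ids.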
All files involved have already been submitted to TrendLabs for detection.
This article is based on joint research with Alice Decker.