

May 29
by Sheryll Tiauzon (Advanced Threats Researcher)

Over the weekend, we intercepted one particularly typical sample via our honeypots. The file we received was a Rich Text Format (RTF) document. Nothing new, you might think, and upon initial inspection nothing seemed out of the ordinary. However, further analysis of the file revealed that it actually contained a malicious executable file embedded within the document itself.


Trend Micro already detects this as TROJ_ARTIEF.A.
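The post describes an RTF document that carries an executable inside it. In RTF, embedded OLE objects are stored as hex text under the `\objdata` control word, so a triage script can decode those hex runs and look for a PE image (an `MZ` header whose `e_lfanew` field points at a `PE\0\0` signature). The following is an added example written for this post, not Trend Micro's detection logic and not the sample itself; the RTF it builds, the OLE1-style stub bytes and the fake PE header are all constructed here. It also includes a small magic-byte sniffer, since the post's second-stage file hides behind a PDF icon and the content type should be decided from bytes, not from icons or extensions.

```python
import binascii
import re
from typing import Dict, List, Optional

# Constructed stand-in for an OLE1 object stream header (NOT the real sample).
OLE1_STUB = bytes.fromhex("0105000002000000")

# Constructed minimal PE-looking blob: "MZ", a padded DOS header,
# e_lfanew = 0x40 at offset 0x3C, and "PE\0\0" at offset 0x40.
FAKE_PE = b"MZ" + b"\x90" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20

# \objdata is followed by hex digits, often broken across lines by the RTF writer.
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")


def build_rtf(payload: bytes) -> str:
    """Build a constructed RTF with one embedded object wrapping `payload`."""
    hexdata = binascii.hexlify(OLE1_STUB + payload).decode()
    # Wrap every 64 hex chars to mimic how real RTF writers format \objdata.
    wrapped = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (r"{\rtf1\ansi{\object\objemb{\*\objclass Package}"
            r"{\*\objdata " + wrapped + "}}}")


def extract_objdata(rtf_text: str) -> List[bytes]:
    """Decode every \\objdata hex run in the RTF into raw bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf_text):
        hexstr = re.sub(r"\s+", "", m.group(1))
        if len(hexstr) % 2:          # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        blobs.append(binascii.unhexlify(hexstr))
    return blobs


def find_embedded_pe(blob: bytes) -> Optional[int]:
    """Return the offset of a PE image inside `blob`, or None if there is none."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = int.from_bytes(blob[pos + 0x3C:pos + 0x40], "little")
            sig = pos + e_lfanew
            # Sanity-bound e_lfanew so random "MZ" bytes do not trigger a hit.
            if 0 < e_lfanew < 0x1000 and blob[sig:sig + 4] == b"PE\x00\x00":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return None


def scan_rtf(rtf_text: str) -> Dict[str, object]:
    """Report how many objects the RTF embeds and where a PE image was found."""
    blobs = extract_objdata(rtf_text)
    hits = [off for off in (find_embedded_pe(b) for b in blobs) if off is not None]
    return {"objects": len(blobs), "embedded_pe": hits}


def sniff_type(data: bytes) -> str:
    """Decide a file's real type from its leading bytes, ignoring name and icon."""
    head = data[:32]
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(b"%PDF"):
        return "pdf"
    if head.startswith(b"{\\rtf"):
        return "rtf"
    lowered = head.lstrip().lower()
    if lowered.startswith(b"<!doctype html") or lowered.startswith(b"<html"):
        return "html"
    return "unknown"


if __name__ == "__main__":
    print(scan_rtf(build_rtf(FAKE_PE)))   # constructed RTF with a fake PE inside
    print(sniff_type(FAKE_PE), sniff_type(b"%PDF-1.4\n"))
```

`scan_rtf` is a heuristic, not a parser for the full OLE1/OLE2 layout: it catches the common case where the executable sits in plain form inside `\objdata`, but it will miss payloads that are compressed or further encoded, so treat a clean result as "nothing obvious" rather than "safe".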


Upon execution of the said file, it drops an HTML component in the Windows TEMP folder. The HTML file is then injected into the process IEXPLORE.EXE so that it is opened in a hidden Internet Explorer window each time the user runs IE.


It also downloads a file from:

http://66.116.{BLOCKED}.202/cp/scripts/scripts/updater.exe

and saves it to your Windows TEMP folder using the filename UPDATE.EXE. As it uses the Adobe PDF icon, it tricks the user into thinking it is a non-malicious file. It even displays the following error message as part of its ploy.

[Image: errormsg.JPG, the fake error message displayed by the downloaded file]

Below is a screenshot of the email containing the said attachment:

[Image: screenshot1.JPG, screenshot of the email carrying the RTF attachment]







© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice