May29
10:29 am (UTC-7)   |   by Sheryll Tiauzon (Advanced Threats Researcher)

Over the weekend, we intercepted one particularly typical sample via our honeypots. The file we received was a Rich Text Format (RTF) document. Nothing new you might think and upon initial inspection nothing seemed out of the ordinary. However, further analysis of the file revealed that it actually contained a malicious executable file embedded within the document itslef.


Trend Micro already detects this as TROJ_ARTIEF.A


Upon execution of the said file, it drops an HTML component in the Windows TEMP folder. The HTML file is then injected into the process IEXPLORE.EXE so that it is opened in a hidden Internet Explorer window each time the user runs IE.


It also downloads a file from:

http://66.116.{BLOCKED}.202/cp/scripts/scripts/updater.exe

and saves it to your Windows TEMP folder using the filename UPDATE.EXE. As is uses the Adobe PDF icon, it tricks the user into thinking it is a non-malicious file. It even displays the following error message as part of its ploy.

errormsg.JPG

Below is a screenshot of the email containing the said attachment:

screenshot1.JPG

If you're new here, you may want to subscribe to our RSS feed. Thanks for visiting!



This entry was posted on Tuesday, May 29th, 2007 at 10:29 am and is filed under Uncategorized . Responses are closed, but you can trackback from your own site.



2 Responses to “Docs and more…”

Trackbacks

  1. Docs and more… | Talk Utopia
  2. » Docs and more… - Online computer & internet network security

Scammerâ??s Fund: Leaving No Stone Unturned Either
Getting Hitched with PE_DARKSNOW


 
TrendWatch Hijack This Web Protection Add-On
Free Online Virus Scan Rootkit Buster Submit Suspicious Files
Global Malware Map RUBotted? Trend Micro
 



    		 
© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice