German users today received a new sample of the YABE threat. The spammed email is sent in the name of Cleverbridge as an order confirmation for “Avira AntiVir PersonalEdition Premium”.
This new threat abuses the names of legitimate entities to aid its propagation. Avira is a local antivirus vendor (formerly HB-EDV); Cleverbridge is the e-commerce provider for Avira's AntiVir software. The threat arrives as a zip archive (595169.zip). Contained within the archive is the file HBEDV.Key.exe (2560 bytes), which is supposed to be the “license key” for the product but is actually the malware file itself.
On execution, HBEDV.Key.exe connects to the site souljah.com and downloads another Trojan. The downloaded Trojan has a 10-digit file name (117.976 bytes) and is placed in the root folder. This Trojan drops the file ipv6monl.dll into the %system32% directory; this file is the spyware component of the threat. Trend Micro products already detect this component as TSPY_BZUB.IH. Other files related to the threat have been sent through the proper channels so that an appropriate solution can be deployed.
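As an added example (not code from the original post), the two stages described above can be turned into simple triage checks: one inspects a mail attachment zip for a member that carries an executable (MZ) header despite being presented as a "key" file, and the other scans a list of host file paths for the drop locations named in the post. The sample zip is constructed in memory to mirror the attachment's name and size; the helper names are assumed.

```python
"""Triage checks for the YABE lure described above (added example)."""
import io
import re
import zipfile
from pathlib import PureWindowsPath

# Indicators taken from the post.
LURE_MEMBER = "HBEDV.Key.exe"
DROPPED_DLL = "ipv6monl.dll"
TEN_DIGIT_NAME = re.compile(r"^\d{10}$")


def suspicious_zip_members(zip_bytes: bytes) -> list[str]:
    """Return archive members that start with an MZ (PE) header while being
    presented as a license key or carrying an .exe name."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            is_pe = zf.open(info).read(2) == b"MZ"
            name = info.filename.lower()
            if is_pe and ("key" in name or name.endswith(".exe")):
                hits.append(info.filename)
    return hits


def host_indicators(paths: list[str]) -> list[str]:
    """Return paths matching the drop locations in the post: a 10-digit file
    name directly in the drive root, or ipv6monl.dll inside a System32 folder."""
    found = []
    for raw in paths:
        p = PureWindowsPath(raw)
        in_root = len(p.parts) == 2  # e.g. ('C:\\', '1234567890')
        if in_root and TEN_DIGIT_NAME.match(p.name):
            found.append(raw)
        elif p.name.lower() == DROPPED_DLL and p.parent.name.lower() == "system32":
            found.append(raw)
    return found


def build_sample_zip() -> bytes:
    """Constructed sample: a benign text file plus a 2560-byte MZ stub named
    like the lure (not the real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "Thank you for your order")
        zf.writestr(LURE_MEMBER, b"MZ" + b"\x00" * 2558)
    return buf.getvalue()


if __name__ == "__main__":
    print(suspicious_zip_members(build_sample_zip()))
    print(host_indicators([r"C:\1234567890", r"C:\Windows\System32\ipv6monl.dll"]))
```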