We recently received reports of a .doc file that have a very nasty macro inside, is being spammed in Russia.

The doc file once opened will install another trojan. This trojan is a downloader that then downloads and installs a Ransomware. We are currently looking into this and the appropriate solutions is being done.

Rest assure that Trend Micro is doing everything possible to speed up the process for our Russian friends and as usual.

I will update you on any developments regarding this matter.

Update(Obet, 07 June 2006 18:01:35)

Upon downloading and executing the ransomware, it encrypts files with certain extensions and will render these files unreadable. The ransomware will then drop the file readme.txt in the folder of the hijacked files as its ransom note. The note reads;

Some files are coded by RSA method.
To buy decoder mail: dfk82356@mail.ru
with subject: REPLY

Trend Micro detects the .doc file that arrives with the spammed email as W2KM_TORED.A and other trojan that is dropped by the Doc file is detected as TROJ_SMALL.AIT while the ransomware that is being downloaded by this trojan is detected as TROJ_PGPCODER.D.

The aforementioned malwares are detected using Control Pattern 3.484.02. To be protected from these malwares, you can now update your Trend products with the said pattern file version. Especially our russian friends who are targeted by this attack.