    TrendLabs Security Intelligence Blog

    Archive for December 17th, 2012




    As the WORM_VOBFUS story unfolds, new variants are surfacing, including one that connects to a new site and uses the names of Google and MSN to label its dropped files.

    We recently reported on the wave of WORM_VOBFUS variants that emerged in the wild last November. We have been monitoring this threat and found that its latest variant (detected as WORM_VOBFUS.SMIS) accesses a new URL (http://{random number}.noip.at:443/{random string}) to drop a downloader file that leads to ZBOT and CINJECT malware.

    When executed, WORM_VOBFUS.SMIS drops any of these files (porn.exe, secret.exe, and sexy.exe), which in turn download the file msn.com (detected as WORM_VOBFUS.SMIT). Note that the filenames of the dropped files use enticing keywords or names of popular sites like Google and MSN to trick users into believing that these files are harmless.

    WORM_VOBFUS.SMIT is capable of downloading any of the following files, which lead to ZBOT and CINJECT malware:

    • 1pom.exe
    • 2pom.exe
    • 3pom.exe
    • 4pom.exe
    • 5pom.exe
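
As an added example (not part of the original post and not Trend Micro's code), the following Python scans web proxy log lines for the URL pattern and payload file names reported above. It assumes a whitespace-separated log with the URL in the fourth field and that "{random number}" is an all-digit host label; the sample lines and reason labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: "{random number}" in the reported URL is an all-digit host label.
NOIP_HOST = re.compile(r"^\d+\.noip\.at$", re.IGNORECASE)
# File names the post lists as downloaded by WORM_VOBFUS.SMIT.
PAYLOAD_NAMES = {"1pom.exe", "2pom.exe", "3pom.exe", "4pom.exe", "5pom.exe"}

# Constructed sample lines (hypothetical format: time, client, method, URL, status).
SAMPLE_LOG = """\
2012-12-17T10:02:11 10.0.0.5 GET http://48213.noip.at:443/qzxvbn 200
2012-12-17T10:02:14 10.0.0.5 GET http://files.example.net/3pom.exe 200
2012-12-17T10:03:40 10.0.0.9 GET https://www.example.com/index.html 200
2012-12-17T10:04:02 10.0.0.7 GET http://myhome.noip.at/cam 200
"""


def classify_url(url):
    """Return the reasons (possibly none) a URL matches the reported behaviour."""
    reasons = []
    try:
        parts = urlsplit(url)
        host, port = parts.hostname or "", parts.port
    except ValueError:  # malformed URL or port in the log
        return ["unparseable-url"]
    if NOIP_HOST.match(host):
        reasons.append("numeric-noip.at-host")
        # The reported URL uses the http scheme against port 443.
        if parts.scheme == "http" and port == 443:
            reasons.append("http-on-443")
    if parts.path.rsplit("/", 1)[-1].lower() in PAYLOAD_NAMES:
        reasons.append("pom-payload-name")
    return reasons


def scan(lines):
    """Return (line number, reasons) for every log line with at least one match."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 4:
            continue  # not in the assumed format
        reasons = classify_url(fields[3])
        if reasons:
            hits.append((number, reasons))
    return hits


if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG.splitlines()):
        print(number, ", ".join(reasons))
```

Ordinary dynamic-DNS hosts such as the `myhome.noip.at` sample line are not flagged, since only all-digit labels match.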
