    Author Archive - Miray Lozada (Technical Communications)

    The last notable Sohanad variant, WORM_SOHANAD.U, was detected last February. It rode on the popularity of the Windows Vista release for its social engineering tactic. The current Sohanad spreading in the wild, however, is using a more “classic” Sohanad trick. Detected late last May as WORM_SOHANAD.BO, this particular variant is propagating via instant messages in Vietnamese.


    Late last year, when the shift in the threat landscape was only beginning to be accepted industry-wide, specialized threats like the WORM_SOHANAD variants, written in Vietnamese and carrying Vietnamese pop culture references, helped cement a distinguishing characteristic of this rising group of threats: they are more target-specific. While they execute regular worm routines such as propagation and backdoor capabilities, their social engineering tactics heralded the coming of more customized threats.

    This brings us back to WORM_SOHANAD.BO. It does the usual Sohanad tricks down to disabling Task Manager and Registry Editor. The appearance of another variant from this particular malware family seemingly promises to continue what previous variants have started, which makes sense for a family that figured considerably in the shaping of the current Web threat trend.

    Posted in Bad Sites | Comments Off on Sohanad’s Back to Its Old Tricks

    Hard-to-detect PE_VIRUT variants, with their entry point obscuring (EPO) techniques, created quite a buzz last April. Before PE_VIRUT stole the scene, however, there was another file infector that may not have made as much noise as PE_VIRUT but had an infection routine that could rival Virut’s in its complexity. Detected in the wild last February, PE_DARKSNOW employs enough old, new, and borrowed tactics to keep threat analysts on their toes. Read more about this file infector here.



    Pirates of the Caribbean spun a yarn with Admiral Becket always two steps behind the half-drunk swagger of Captain Jack Sparrow. This reel life is actually a very good metaphor for real-life software piracy, where pirates elude the authorities, prompting bigwigs like Microsoft to initiate efforts such as Windows Genuine Advantage (WGA) in Windows XP and Vista. The bad guys are turning the tables, though. A Trojan spyware detected by Trend Micro as TSPY_KARDPHISH.A is using WGA to phish for credit card information.

    Once installed on a system, it displays the following prompt to activate Windows:


    If the user clicks Yes, it then displays these fields to get the user to reveal credit card information:


    It gets nasty if the user doesn’t enter the required information: the spyware shuts down the computer.

    This technique is reminiscent of another spyware that hit systems early this month and also used a known Windows feature to steal personal finance-related information. It looks like malicious spyware has found a new window of opportunity in Windows.

    Spyware Ahoy!

    Posted in Bad Sites | Comments Off on Spyware Ahoy!

    Cellphones have evolved into the proverbial nerve centers of our social (and even work) lives. The information they hold is a virtual fingerprint of our interactions with other people, sensitive information that can be used against us if a malicious user gets hold of it. This scenario may not be too far off the mark.

    Trend Micro detects a spyware produced by Retina-X Studios as SPYW_RETRINAX.A (also known as WINCE_RETRINAX.A). This spyware is designed to run on Windows CE, the Microsoft OS for Pocket PC devices. It monitors calls and SMS/text messages sent and received by an affected user. The information it gathers is then sent to a server, where the data can be viewed later on. While this spyware is not a malicious application per se, it can be installed by someone with ill intent on a mobile device without the owner’s consent.

    This spyware is already included in the latest Trend Micro pattern files.



    A Spanish instant message travelling via MSN Messenger promises an animation of, presumably, US President George Bush once the recipient clicks the given link. Of course, clicking the link downloads a copy of a worm detected by Trend Micro as WORM_KELVIR.EL.


    A typical IM worm, this worm sends the same message to all the contacts in an affected user’s MSN Messenger account.

    View the Trend Micro solution here.

    Posted in Bad Sites | Comments Off on See Bush Dance

