TrendLabs Malware Blog - Trend Micro

Author Archive - Eric Avena (Technical Communications)

    NUWAR is at it again. It has tweaked its technique one more time.

    Last week, WORM_NUWAR.AOP was found arriving as a file contained in a password-protected ZIP archive, an attempt to evade file scanning. The password to the archive is in an image used as message body, an attempt to evade anti-spam technology. While NUWAR is known for its distinct social engineering schemes — either by using sensational email messages about war or love, or by using incredibly timely email details — WORM_NUWAR.AOP had an interesting scheme itself. It used email messages posing as a notification from an antivirus company. “Worm Detected!” the email message declared.

    Apart from the specific detection for the file within the archive, Trend Micro also detects the malicious password-protected ZIP file as WORM_NUWAR.ZIP.

    Now, a new NUWAR variant is making its rounds contained in a password-protected RAR archive. Detected by Trend Micro as WORM_NUWAR.AOS, the worm was spammed using email messages that continue what WORM_NUWAR.AOP started, albeit with a wider scope: the email messages now also declare “Virus Detected!” and “Spyware Detected”, among others. As with WORM_NUWAR.AOP, the message body is an image file. Trend Micro detects the malicious password-protected RAR archive as WORM_NUWAR.RAR. WORM_NUWAR.AOS was clearly spammed rather than spread by its own propagation routine, because that routine uses the email messages NUWAR has long been associated with: messages of love, with subject lines such as “For You….My Love” and “I Love Thee”. Like several of its predecessors, on execution WORM_NUWAR.AOS drops NUWAR’s partner-in-crime, TROJ_SMALL.EDW, known for creating a P2P-based connection between all affected computers, forming a link that ultimately assists NUWAR in its own pump-and-dump spam attack.
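A defender-side check for the evasion described in the two NUWAR posts above (image-only message body plus a password-protected archive), added here as an illustration and not Trend Micro's code: it parses a constructed e-mail, reads the encryption bit of each ZIP entry's general-purpose flag, and flags messages that carry an image but no text body. Only ZIP is parsed; the RAR case would need a RAR reader.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ZIP_ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose bit flag

def make_encrypted_zip(name: str, payload: bytes) -> bytes:
    """Constructed sample: zipfile cannot write encrypted archives, so the
    flag bit is patched into the local header (+6) and central directory (+8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    data[data.find(b"PK\x03\x04") + 6] |= ZIP_ENCRYPTED_FLAG
    data[data.find(b"PK\x01\x02") + 8] |= ZIP_ENCRYPTED_FLAG
    return bytes(data)

def zip_is_encrypted(blob: bytes) -> bool:
    """True if any entry in the archive has the encryption flag set."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(zi.flag_bits & ZIP_ENCRYPTED_FLAG for zi in zf.infolist())
    except zipfile.BadZipFile:
        return False

def nuwar_style(raw: bytes) -> bool:
    """Image-only body plus encrypted ZIP: the password must be in the picture."""
    msg = message_from_bytes(raw, policy=policy.default)
    has_text = has_image = has_enc_zip = False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("text/") and part.get_content().strip():
            has_text = True
        elif ctype.startswith("image/"):
            has_image = True
        elif ctype in ("application/zip", "application/octet-stream"):
            has_enc_zip |= zip_is_encrypted(part.get_payload(decode=True))
    return has_image and has_enc_zip and not has_text

def build_sample_mail() -> bytes:
    """Constructed sample mimicking the 'Worm Detected!' lure (no text part)."""
    msg = EmailMessage()
    msg["Subject"] = "Worm Detected!"
    msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png",
                       filename="notice.png", disposition="inline")
    msg.add_attachment(make_encrypted_zip("patch.exe", b"MZ"),
                       maintype="application", subtype="zip", filename="patch.zip")
    return msg.as_bytes()
```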

    With the release of WORM_NUWAR.AOS, it doesn’t look like NUWAR is letting up any time soon. In just a few months, it has shown an interesting pattern of social engineering tactics. Its authors always seem to be watching for events to exploit or, when there is none, they come up with a new tactic altogether.

    NUWAR is clearly a social engineering attack. Users are the primary target. Users should therefore be extra vigilant.


    Fancy animated icons and cursors? Those cute little elements that often come with desktop themes? Be careful the next time you download and use them, because an .ANI file was recently found to be not cute at all: it downloads a TROJ_SMALL variant. Here’s another reason why it’s not cute: to download the said Trojan, the malicious .ANI file, detected by Trend Micro as TROJ_ANICMOO.AX, exploits an undetermined vulnerability in Windows. A Web threat in its own right, the malicious .ANI file may be downloaded from the Internet, or may arrive embedded in HTML email messages. Trend Micro continues to analyze the malware and the vulnerability.

    Posted in Bad Sites | ‘MOO alert: New undetermined Windows vulnerability arrives via .ANI files

    8:21 am (UTC-7)

    Like those animated cursors? You know, the ones that embellish the normal mouse arrow pointers and are available on the Internet? Be careful when downloading and installing these on your systems, as a new Web threat has recently been detected posing as one.

    TrendLabs has recently detected TROJ_ANICMOO.AX, a Trojan that arrives as a specially crafted .ANI file — yes, the same file format used by these “tricked out” cursors — and takes advantage of a newly discovered vulnerability in the way Windows handles animated cursors. Once it successfully exploits this vulnerability, TROJ_ANICMOO.AX downloads another Trojan from the URL http://220.71.{BLOCKED}.189/wincf.exe. The downloaded malware is detected as TROJ_SMALL.DRF.

    Note that this malicious .ANI file may arrive as a file downloaded by unknowing users from the Internet. It may also be downloaded by HTML code embedded in email messages. It only runs on Windows XP.

    As of this writing, Microsoft has yet to release a security patch for this vulnerability. Trend Micro thus advises users to regularly check the Microsoft Web site for the latest patches and updates, and avoid downloading or installing files — even if they do promise cute icons and cursors — from untrusted sources.

    Posted in Bad Sites | The .ANImated Trojan

    Barely three weeks into the new year, as the storm “Kyrill” ravaged central Europe, another “storm” brewed. The new storm was a deluge of spam email messages that promised to bring information about Europe’s most severe winter storm since 1999, with subject lines such as “230 dead as storm batters Europe”, among others. That is how TROJ_SMALL.EDW, arriving as an attachment to the said email messages, came to be dubbed the “Storm” malware.

    But this Trojan is more than just a malware with a clever social engineering technique. Teaming up with WORM_NUWAR.CQ, it created a partnership that staged a complex attack. To read a comprehensive article about the routines and ultimate goals of the TROJ_SMALL.EDW-WORM_NUWAR.CQ tandem, click here: TROJ_SMALL.EDW Storms into Inboxes, Teams Up with NUWAR to Create Unique Network.

    Posted in Bad Sites | FIRST HUGE ATTACK OF THE YEAR: The TROJ_SMALL.EDW-WORM_NUWAR.CQ Tandem

    While most threats limit file size (not only to evade easy detection, but to avoid possible problems in transmission), one Trojan spyware family has become (in)famous for arriving as big files. TSPY_DENUTARO’s use of big files is not a programming mistake. On the contrary, it has become a distinct technique, aiding DENUTARO’s pretense of being a media file.

    To complete the scam, most early variants use the Windows Media Player icon. They can be found in peer-to-peer networks and, with their attractive file names (notably in Japanese), are downloaded by unsuspecting users. DENUTARO is thus one of the growing number of threats that ride on the rising popularity of digital media and file sharing over the Internet, joining TROJ_ZLOB, among others.

    However, TSPY_DENUTARO, like any other persistent threat today, is changing. New variants discovered over the last few days now pretend to be screensaver files. One of these variants is TSPY_DENUTARO.DM. Notably, the file size is reduced considerably (though still much bigger than most threats), and they now use the WinZIP icon.

    Nevertheless, once executed on a system, these new variants perform the original family routine: they take a screenshot of the system and, along with the system’s hostname and IP address, upload it to a certain FTP site.

    New variants even continue a family tradition: they delete image, video, and archive files, and then, using the file names of the deleted files, drop screenshots of Japanese anime with subtitles that seem to attack the illegal use of P2P sites, no matter how ironic that sounds. Images dropped by older variants have said “Are you enjoying committing illegal activities through P2P? If you don’t stop that, I will kill you.” The new variants’ images now say “So, you are still using Winny even after {the creator} lost in his case. I hate you guys.”

    This is in reference to the recent conviction of the creator of Winny, the most popular P2P application in Japan, for allegedly conspiring to commit copyright violation (arising from the earlier arrest of two Winny users who allegedly shared copyrighted material). The creator got overwhelming support from the computing community in Japan when he was arrested, calling the arrest wrongful.

    Apparently, the authors of TSPY_DENUTARO share the same sentiment. Whether this supports the Winny creator’s plea for innocence or further incriminates him, is not clear.

    Posted in Bad Sites | Movie Files Then, Screensavers Now
