Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Kathleen Notario (Threat Response Engineer)

    We encountered another LICAT variant that is spreading via fake Internal Revenue Service (IRS) spam to people from specific organizations, including Trend Micro. As you may recall, LICAT is known for using the dynamic domain generation algorithm (DGA) technique.

    The spammed message informs recipients about a certain issue with regard to their tax payments. It contains a link that supposedly leads to the recipients’ tax reviews. Once users click the link, they will be prompted to download an executable file, which, when executed, installs the malware now detected as TSPY_ZBOT.WHZ in their systems.

    Click for larger view

    Like any other LICAT variant, TSPY_ZBOT.WHZ generates URLs using a computation based on the current date. TSPY_ZBOT.WHZ connects to dynamically generated URLs in order to download its configuration file, which contains information on the sites that it will monitor as well as on the site to which it will send stolen information. This malware also appears to concentrate on the typical ZBOT routines that involve information theft and uses the DGA technique to evade blocking by antivirus products.

    Read the rest of this entry »


    The TDSS malware family in itself is already a big threat to users. Known for its rootkit capabilities, TDSS constantly evolves to include more sophisticated means in order to hide its presence in an affected system. The Mebroot malware family, on the other hand, is noted for inflicting master boot record (MBR) infections.

    TrendLabsSM engineers recently came across a Mebroot sample detected as TROJ_MEBROOT.SMC that installs itself in the following new but familiar way:

    1. The main executable drops a file in the %User Temp% directory.
    2. It executes regsvr32 /s using the timeSetEvent function.
    3. It copies the said file into the Print Processor directory as %System%spoolPRTPROCSW32X86{random number}.tmp.
    4. It then loads the file using API AddPrintProcessorA with the help of the
    5. It unloads the file using API DeletePrintProcessorA then deletes it.

    The routine is indeed familiar since this is how a TDSS malware installs other components onto users’ systems, the final payload of which is modifying the MBR by writing thousand of bytes of code and the malware’s image file. It then restarts the affected system by executing the command shutdown -r -f -t 0.

    By modifying the MBR, the malware automatically executes once the affected system is restarted. Its image file then sets off its other routines such as connecting and sending information to a randomly generated URL even if the user is not logged in to Windows.

    Upon restart, the malware will first connect to,, and Once successful, it then attempts to connect to servers as hard-coded domain names. Then it tries to connect to random-looking URLs generated using an algorithm based on the system’s time and date.

    It performs a couple of anti-detection techniques to hide its presence in the affected machine. One is by hooking onto the Windows file, atapi.sys, which is normally used as a driver for optical drives in order to hide on any disk-read function that may be done that can result in its detection. The other one is by hooking onto the network driver to hide itself from network sniffing tools, such as Wireshark and TCPView.

    The move to acquire other malware shows that Mebroot variants are becoming more creative in crafting techniques to infect users’ systems and to hide their routines. As such, it is possible for new variants and other malware families to team up in the future.

    Trend Micro product users need not worry, however, as Smart Protection Network™ already protects them from this threat by detecting and preventing the execution of TROJ_MEBROOT.SMC via the file reputation service.

    Additional text and in-depth analysis by Trend Micro advanced threat research engineer Ding Plazo


    Trend Micro came across a new FAKEAV variant that does not only perform the usual fake alert routine but also downloads an additional component—a .DLL file that is inserted into the Layered Service Provider (LSP) chain.

    By inserting itself into the LSP chain, the said .DLL file will be loaded whenever an application uses Windows Socket (Winsock). LSP technology is often exploited by malware. In this case, this FAKEAV’s purpose is to prevent Web browsers from accessing certain sites.

    The .DLL file’s code lists popularly accessed websites such as,, and, among others. When executed, it checks whether the application that loaded it was any of the following, after which it will start blocking sites:

    • iexplore.exe
    • firefox.exe
    • svchost.exe

    It replaces the HTML content of the accessed site with the one shown below.

    Click for larger view

    It will only allow the users access if the registry key, HKEY_CURRENT_USERSoftwareIS2010, exists in their systems. However, the said key will only exist if the FAKEAV application Internet Security 2010 (aka TROJ_FAKEAL.SMDO, TROJ_FAKEAL.SMDP, or TROJ_FAKEINIT.BC), is present on the affected system. Thus, this alert will continue to appear as long as the above FAKEAV variants have not been “installed” on the affected system.

    With this new technique, this malware tends to cause more panic for users, as accessing any of the mentioned sites will display a fake alert, making them believe that the site they are trying to access is indeed restricted. They will then be more likely to install any antivirus product and thus more inclined to ”install” and pay for the rogue antivirus.

    Trend Micro product users need not worry, however, as Smart Protection Network™ protects their systems from this threat by detecting and blocking the download of the malicious files onto their systems via the file reputation service. Non-Trend Micro product users can also stay protected via free tools like HouseCall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plug-ins, and other malware.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice