Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    March 2015
    S M T W T F S
    « Feb    
  • Email Subscription

  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Maydalene Salvador (Anti-spam Research Engineer)

    The Trend Micro Content Security team discovered spoofed email messages that pretend to be from Delta Airlines. The fake email message contains a confirmation numbers of supposed ticket purchase and a ZIP file. Recipients are told that this said file contains details on the travel itinerary.

    Here’s a screenshot of a spammed message:

    Figure 1. Sample spam.

    The ZIP file is, of course, a malicious file detected by Trend Micro as TROJ_DELF.PSZ.

    Figure 2. Malicious file.

    The Trojan automatically runs at every system startup by modifying a registry entry. It has rootkit routines which enable the binary to hide its processes, files, or registry entries. The file also connects to a website to download files. This exposes an infected system to more threats.

    This would not be the first time cybercriminals used airline tickets as bait. A fake American Airlines website was used for phishing late last year. The fact that airline tickets are relatively inexpensive now could also be a factor in the proliferation of these types of threats. Users may think they’re having a free vacation but in fact their PCs are already being infected with malware.

    The Trend Micro Smart Protection Network already blocks TROJ_DELF.PSZ and provides solutions for its cleanup and removal.

    Posted in Malware | 1 TrackBack »

    This is probably the type of support one wouldn’t want to have.

    Spammed email messages were found pretending to come from Microsoft Windows Support and claiming that Microsoft Service Pack 1 and Service Pack 2 have been discovered to have an error that can damage the computer’s software or even the hardware.
    Fake Windows Support spam
    Figure 1. Spammed messages purporting to come from Windows Support

    These messages encourage users to download and install a file in order to fix the problem. When users click the download button they are redirected to a site and are asked to download a file which Trend Micro detects as TROJ_DLOADER.CUT.

    Downloaded malware
    Figure 2. User is prompted to download a malicious file

    TROJ_DLOADER.CUT connects to a certain URL to download another malicious file, which in turn is detected by Trend Micro as TSPY_BANKER.MCL. TSPY_BANKER.MCL monitors the affected user’s online transactions and steals banking related information.

    Not too many TSPY_BANKER variants have been reported to be related to notable attacks recently, and this incident may pretty much mark the end of the hiatus. Users are advised to ignore spammed messages and, more importantly, to never click links embedded in these messages.

    Trend Micro users are protected from this attack by the Smart Protection Network, as the related files, spam, and URL are already detected and blocked.


    Orkut is a Google-owned social networking service with most users located in Brazil and India. It recently ranked 21st in’s top 25 social networking sites, with more than 5 million monthly visits in January of 2009.

    Now, much like the other social networking sites in the said list, Orkut is now also being used by cyber criminals to carry a malware that can compromise a victim’s computer.

    Spoofed emails which claim to be from Orkut inform the recipient that their account has been found fake and is doing illegal activities such as sending out spam to other Orkut members.

    Figure 1. Sample spammed message posing to be from Orkut

    Figure 2. A fake warning for Orkut users

    The first email translates to:

    Problems with your profile.

    Dear user,

    Your profile was reported to be containing illegal information, and will be blocked in the next 48 hours.

    You are probably using non-authorized or copyrighted information.

    To see all the information and instructions required to normalize your account, click here.

    This will be the last notification sent from our system, and in case you do not perform any required action, your profile will be blocked definitely.

    ATTENTION: your request will be analyzed by our team and will be subject for approval.

    To get more details about your profile, download the software below:

    The second:

    Problems with your account

    Dear user,

    We are receiving daily inquiries showing that your profile is fake, and is sending spam to other Orkut members.

    If you really do exist and would want to keep using Orkut, we require you to change your password and do a personal confirmation of your profile.

    Enable your profile:

    IMPORTANT: Your reactivation is due in the next 48 hours.


    Recipients are given 48 hours to and activate of their profile by clicking the given link. Upon clicking the link they will be redirected to a website where they are prompted to download a file which is found to be a malware detected as TROJ_DLOADER.WKV.

    Figure 3. Prompt to download the malicious file.

    TROJ_DLOADER.WKV terminates antivirus applications found present on the affected system. This routine is possibly done to prevent antivirus software from detecting files that this Trojan downloads from malicious URLs, which are inaccessible as of this writing.

    Either way, spammed messages such as the one shown above are already blocked, while malicious files are already detected, all through the Trend Micro Smart Protection Network.

    Here are a couple of past reports involving Orkut:

    Posted in Malware | 1 TrackBack »

    The conclusion of the recent holiday season didn’t stop cybercriminals from creating new spoofed promos to distribute malware, of course.

    Very much similar to the social-engineering campaign that used McDonald’s and Coca-Cola, yet another spam run that distributes malware was recently found by Trend Micro researchers.

    Popular brands such as IKEA, Jack Daniel’s, and British Airways were all used for this recent campaign. Spam emails are sent, promoting a coupon and instructing the recipient to open the attached coupon to cash in on savings. But instead of a coupon, the attachment actually contains malware that compromises the victim’s computer.

    Below are screenshots of sample spam emails with their corresponding attachments:

    Figure 1. The attachment for this spam is named ikea.exe.

    Figure 2. The attachment for this spam is named jackdaniels-coupon.exe.

    Figure 3. The attachment for this spam is named product-extention.exe.

    Figure 4. The attachment for this spam is namedbritishairways-coupon.exe.

    The Trend Micro Smart Protection Network provides users complete protection from this threat, with spam mails already blocked, and the malicious coupons detected as TROJ_DROPPER.FYU.


    Seems like McDonald’s and Coca-Cola are cybercriminals’ promoters of choice this season–two spoofed emails that claim to be from both of the highly popular brands were recently found by the Trend Micro Content Security Team.

    Each message trumpets a Christmas promotion, and instructs the recipient to open the attached coupon contained in a .ZIP file.

    Below are some sample screenshots:

    Figure 1. Spammed message purported to come from Coca Cola

    Figure 2. Attached file which supposedly contains information in the promo

    Figure 3. Another spammed message, this time purported to be from McDonald’s

    Figure 4. Attached file which poses as a coupon

    Trend Micro already blocks such messages, and detects both attached files through the Smart Protection Network as WORM_MYDOOM.CG. This worm gathers email addresses from the affected system’s Windows Address Book and then sends copies of itself via email, using its own SMTP engine. It also drops copies of itself in folders shared in peer-to-peer networks, as well as in all physical removable drives. Furthermore, it drops a file detected as BKDR_SDBOT.QB.

    This new twist in the way victims are lured into this scheme, which was initially seen just last week, strongly suggests that cber criminals are really getting their creative juices flowing, especially now that the holiday season is in full swing. On that note, users are advised to keep an eye out for these malicious schemes, and to not open unsolicited mails, as tempting as their offerings may be.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice