    Author Archive - Nino Penoliar (Anti-spam Research Engineer)

    People say there is no such thing as a free lunch, and as we recently found out, there is no such thing as a free supper either.

    We recently came across a spam run that uses a nonexistent promotion from the popular fast-food chain McDonald’s that tries to convince users to execute a malicious file.

    The spammed messages have been fashioned as invitations to “The Free Supper Day,” which will supposedly take place on June 29.


    The message tells users to print the file found in a .ZIP file attachment, which is supposed to be the invitation they must show at the cash desk in order to avail of the free food.

    The festive holiday season is a consistent cybercrime favorite because of the sheer number of shoppers that flood online shops during this period. Every year, as the number of holiday shoppers increases, so do the number and sophistication of cybercrime attacks. Just recently, we saw a slew of spammed messages emerge, a tell-tale sign that cybercriminals have already started targeting users with their holiday-themed attacks.

    Black Friday Spam

    First off, we have spam related to the upcoming Black Friday—the first Friday after Thanksgiving Day that marks one of the biggest sale events in the United States. It is also known as the busiest shopping day of the year. As expected, spammers used this as the subject of their latest malicious schemes. In a particular spam run, malicious users tried to lure victims into visiting a site that offers cheap sex-enhancement products.


    Christmas Spam

    Christmas is fast approaching and already spammers are taking advantage of this occasion to “spamvertise” their products. In a particular spam run, malicious users tried to lure unsuspecting victims into visiting a site that offers replica watches, bags, and jewelry for very low discounted prices.


    If previous years are any indication of the attacks users can expect to encounter this holiday season, it is safe to say that these attacks are only the beginning. We expect to see more of these threats as the holiday season rolls in. As such, we urge users to be extra vigilant.


    Trend Micro threat analysts received samples of spammed messages purporting to come from the mobile phone companies Vodafone and Verizon Wireless. The email messages carry the subject “Your credit balance is over its limits” and inform users that their credit balance is due. To review the payments, users are told to use the balance checker tool attached to the email.


    When users open the attached .ZIP file, they will not find a balance checker tool but will instead get a malicious file (balancechecker.exe) detected by Trend Micro as TROJ_ZBOT.MYS. TROJ_ZBOT.MYS steals online banking credentials such as usernames and passwords. This stolen information may be used by cybercriminals for other fraudulent activities. It also disables the Windows Firewall and has rootkit capabilities that make detection and removal difficult.

    Users are strongly advised not to open any suspicious-looking email, even if it comes from a known source. It is also good practice to verify any email that appears to come from your mobile service provider to confirm whether it is legitimate. Trend Micro protects users from this attack via the Trend Micro Smart Protection Network™, which detects and blocks spammed emails and malicious files.


    With Christmas just right around the corner, spammers are already flooding users’ inboxes with unwanted email. No surprises there. Spammers are known to exploit the holidays to further their malicious causes.

    Just recently, Trend Micro threat analysts found another spammed message that claimed to come from a “replication specialist” and enticed users to buy replica products like watches, handbags, and jewelry at discounted prices.

    The email can bear any of the following subjects:

    • Better early than late
    • New models are here
    • Quantities are low
    • Reminder
    • Some supplies are low

    Moreover, the email also encourages users to place their orders before November 1 because of limited supplies. Clicking the URL in the email message leads users to a fraudulent site that sells expensive imitation products. The email messages used various URLs, though these all pointed to the same landing page. As early as September, Trend Micro had already alerted users to holiday-themed spam.

    As usual, users are advised not to buy any product from spammers. Trend Micro protects users from this attack through the Smart Protection Network. Users of non-Trend Micro products can use free tools like eMail ID to stay secure.


    As the controversy surrounding Italian Prime Minister Silvio Berlusconi grows, spammers are taking advantage of the news to lure victims into their malicious plots.

    The spammed mail claims to come from YouTube, but checking the domain of the sender reveals that it actually came from, and not from the real

    Figure 1. Notice the extra letters in the sender domain

    Below is the rough translation of the mail from Italian to English:

    Have you seen what combines our Chairman of the Silvio Berlusconi? You have followed your story on escort?
    Thanks to a journalist of LAW, we have the opportunity to see our premier while running along with the escort
    leaving little in the newspapers .. if you want to see them, and this link: http://you{BLOCKED}

    Below is the screenshot of the mail:

    Figure 2. Spam sample

    To view the said video, users must first download and install a video codec. Clicking the link downloads a malicious file named wmpcodec.exe. The spam mail is already detected in TMASE Full Pattern 6726, and all URLs are now blocked by Trend Micro. In addition, the malicious file is detected as WORM_KOLAB.DI.
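    As an added example (not code from the original posts), the following Python triage check covers the two patterns that recur across these spam runs: a sender whose address domain does not match the brand claimed in the display name (the “extra letters in the sender domain” above), and a .ZIP attachment that wraps an executable instead of the promised document. The sample message, the lookalike domain youtubee.example, and the file names are constructed for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# File types that should never arrive inside a "document" .ZIP attachment.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

def build_sample() -> bytes:
    # Constructed sample: display name claims YouTube, but the address uses a
    # hypothetical lookalike domain, and the .ZIP wraps an executable, not an invitation.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invitation.exe", b"MZ placeholder")  # not a real binary
    msg = EmailMessage()
    msg["From"] = "YouTube Service <service@youtubee.example>"
    msg["To"] = "user@example.net"
    msg["Subject"] = "The Free Supper Day"
    msg.set_content("Print the attached invitation and show it at the cash desk.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invitation.zip")
    return msg.as_bytes()

def sender_domain_mismatch(msg, claimed_domain: str) -> bool:
    # True when the From address is not on the claimed brand domain or a subdomain of it.
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    return domain != claimed_domain and not domain.endswith("." + claimed_domain)

def zipped_executables(msg) -> list:
    # Names of executable files found inside any .ZIP attachment.
    found = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                found += [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
        except zipfile.BadZipFile:
            found.append(name + " (unreadable zip)")
    return found

def triage(raw: bytes, claimed_domain: str) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {"sender_mismatch": sender_domain_mismatch(msg, claimed_domain),
            "zipped_executables": zipped_executables(msg)}
```

Running `triage(build_sample(), "youtube.com")` flags both the sender mismatch and the zipped invitation.exe; the same mail checked against its own lookalike domain reports no mismatch, which is why the brand domain must come from a trusted list rather than from the message.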


    © Copyright 2013 Trend Micro Inc. All rights reserved.