Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    Author Archive - Patrick Estavillo (Threats Analyst)

    As early as 2006, Trend Micro already recognized the fact that the BlackBerry technology could be exploited by cybercriminals. The smartphone may have remained spared from malware attacks over the years although there have been recent news of a ZeuS variant specifically targeting BlackBerry users. As we have said in a recent post, banking Trojans are evolving and more sophisticated attacks involving smartphones are among the most recent developments.

    The ZeuS malware specifically targeting the BlackBerry OS is currently detected by Trend Micro as BBOS_ZITMO.B. Just like its desktop counterpart, this ZeuS variant does not display any graphical user interface (GUI) that can prompt users about the infection. Instead, it removes itself from the list of applications in order to effectively stay under the radar.

    Upon successful installation, it sends a confirmation message to the administrator to signal that it is ready to receive commands. It specifically sends the message, “App Installed OK,” to the U.K. number +447{BLOCKED}, as shown in the screenshot below.

    Click for larger view

    Read the rest of this entry »


    A new bot family was found in the wild around April this year. This family was named “Avzhan.” Avzhan malware, detected by Trend Micro as Mal_Scar-1, mostly affected Asia where most of the affected users resided.

    Avzhan bots install themselves onto the Windows system directory using the file name  {six random lower-case letters}.exe.

    After installation, it deletes its original copy then executes the copy it installed. It registers itself as a service to run at every system startup, as shown by the service named Q MUSCIC below.

    This malware tries to connect to the following domains to receive instructions from botnet herders:

    • avzhan1.{BLOCKED}
    • ei0813.{BLOCKED}
    • wanmei8013.{BLOCKED}
    • xhsb.{BLOCKED}

    These domain names are registered on a well-known China-based dynamic DNS service. The IP addresses also lead to ISPs in China.

    As is typical of botnet zombies, Mal_Scar-1 can execute various commands received from its command-and-control (C&C) servers, including downloading and executing potentially malicious files. This also allows complete takeover of users’ systems.

    In addition, it also steals certain information about users’ systems. This stolen information is part of the data sent back to the botnet’s servers, which includes the following:

    • Computer name
    • CPU speed
    • Language used
    • Memory size
    • Windows version

    On their own, the behaviors of Azvhan bots do not differ too much from other older, more established malware families. However, its emergence highlights the continuing evolution of malware, as new threats continually present themselves over time.

    Though this malware is already proactively being detected by Trend Micro as Mal_Scar-1, some new variants are still being encountered though the number of new infections has significantly decreased.

    Hat tip to Arbor Networks for first writing about the discovery of this new bot here.


    Trend Micro received several reports of a spammed message containing a link that leads to the download of a malware detected as WORM_MEYLME.B. The spammed message bears the subject, “Here you have,” and informs users of a certain PDF document. When the users point to the URL, http://www.{BLOCKED} or http://www.{BLOCKED}, it indicates a different URL, http://{BLOCKED}, that consequently leads to the malware itself.

    Click for larger view

    When executed WORM_MEYLME.B terminates antivirus services and uses Messaging Application Protocol Interface (MAPI) to send out email messages with a link to a copy of itself. It also propagates via removable drives (e.g., USB drives). In addition, this malware forces affected systems to share several folders in the %Windows%System as {Computer Name}Updates. When executed, this malware connects to various malicious websites.

    Click for larger view Click for larger view

    Upon further investigation, we found that the malware used for this attack was just an unpacked version of a file that we already detected as WORM_AUTORUN.NAD. It is possible that the cybercriminals behind this attack got hold of the code for WORM_AUTORUN.NAD and modified it for their usage.

    We advise users to be wary of opening any unknown email and clicking any link. Trend Micro protects users from this attack via the Trend Micro™ Smart Protection Network™ that detects the malicious file and blocks all related malicious URLs.

    Analysis and screenshots provided by threat response engineer Jessa Dela Torre and threats analyst Edgardo Diaz, Jr.

    Update as of September 9, 2010 11:45 p.m. (UTC)

    According to threats analyst Edgardo Diaz, WORM_MEYLME.B creates several registries that disable security alerts and secure desktop prompting. Furthermore, it also downloads a backdoor detected by Trend Micro as BKDR_BIFROSE.SMU. Since the malware shares some System folders without the user’s knowledge, it will render the system vulnerable.

    Update as of September 10, 2010 1:26 a.m. (UTC)

    This attack also uses various spammed messages—one of which entices users with a free movie while another purports to be a job application letter. Both messages contain a link that when clicked leads to the download of the worm.

    The worm was also found trying to access users’ Yahoo! Messenger files. It is possible that WORM_MEYLME.B harvests Yahoo! Messenger IDs to send copies of itself.

    Click for larger view Click for larger view

    Update as of September 10, 2010 6:31 a.m. (UTC)

    Analysis reveals that WORM_MEYLME.B is capable of deleting security services but only after the services have been completely stopped from executing. It cannot, however, delete files associated with the services it attempts to delete.

    Update as of September 13, 2010 7:10 a.m. (UTC)

    WORM_MEYLME.B contains a Visual Basic script that performs its information theft routines. This script, which is embedded within the worm’s code, is now detected as VBS_MEYLME.B.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice