TrendLabs Malware Blog - Trend Micro
We are all familiar with IM worms and the different techniques they use to get downloaded and executed on a target machine. One of them is WORM_SOHANAD (a.k.a. worm_sohanat, worm_imaut, worm_autoit), which leverages the MS06-014 MDAC vulnerability. There is a previous blog entry about this malware here.

Today I would like to show another twist on the social engineering used by this malware. This time it uses a fake Google page (shown below) in which every hyperlink points back to the same page, and the page also contains a link to the malware itself.

[Figure: sohanad.JPG, the fake Google page]

As we can see, the web page tells the visitor to download an add-on, which is actually the malware. Checking the page source, we find three obfuscated scripts.

[Figure: ob1.JPG, obfuscated script]

[Figure: ob2.JPG, obfuscated script]

When deobfuscated, they result in:

[Figure: d1.JPG, deobfuscated script]

[Figure: d2.JPG, deobfuscated script]

[Figure: d3.JPG, deobfuscated script]

The files “home.exe” and “zun.exe” are the same; Trend Micro already detects them as WORM_SOHANAT.CO, while the other binary, “zin.exe”, is detected as WORM_VB.EIQ.

Another thing to note is that it appends entries to the target user’s “hosts” file. As a result, accessing any of the web sites listed there redirects the user to the malware web page.
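The fake page described above has two traits an analyst can check for mechanically: every ordinary hyperlink resolves back to the page itself, and at least one link points at a Windows executable. The script below is an added example (not Trend Micro's code, and not the worm's page) that triages a fetched HTML page for exactly those traits. The sample HTML, the `example.invalid` host and the file name `home.exe` used in it are constructed placeholders, and the heuristic is a constructed one, not a detection signature from the original post.

```python
"""Heuristic triage of a downloaded HTML page: flag it when all regular links
point back to the page itself and at least one link targets an executable.
Added example with constructed sample input; not code from the original post."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# File extensions a social-engineering page would push as a "download".
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif")


class LinkCollector(HTMLParser):
    """Collect href targets of <a> tags, resolved against the page URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.links.append(urljoin(self.base_url, value.strip()))


def _normalize(url):
    """Drop fragment and query so 'index.html#top' compares equal to 'index.html'."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}{p.path or '/'}"


def triage_page(html, page_url):
    """Return findings for one page: link count, executable links, and whether
    every non-executable link points back to the page itself."""
    parser = LinkCollector(page_url)
    parser.feed(html)
    parser.close()
    links = parser.links
    exe_links = [u for u in links
                 if urlparse(u).path.lower().endswith(EXECUTABLE_SUFFIXES)]
    non_exe = [_normalize(u) for u in links if u not in exe_links]
    self_ref = _normalize(page_url)
    all_self = bool(non_exe) and all(u == self_ref for u in non_exe)
    return {
        "link_count": len(links),
        "executable_links": exe_links,
        "all_links_point_to_self": all_self,
        # Both traits together are the pattern described in the post.
        "suspicious": all_self and bool(exe_links),
    }


# Constructed sample standing in for the fake search page (placeholder names).
SAMPLE_PAGE_URL = "http://example.invalid/search/index.html"
SAMPLE_HTML = """
<html><body>
<a href="index.html">Web</a> <a href="index.html#images">Images</a>
<a href="/search/index.html">News</a>
<p>Please download the add-on to continue</p>
<a href="home.exe">Download add-on</a>
</body></html>
"""

if __name__ == "__main__":
    print(triage_page(SAMPLE_HTML, SAMPLE_PAGE_URL))
```

On the constructed sample the result is `suspicious: True` with one executable link; a page whose links lead to several distinct destinations, or with no executable download, is not flagged. Fragments and query strings are normalized away so that menu links such as `index.html#images` still count as pointing at the page itself.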

[Figure: host.bmp, entries appended to the hosts file]
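Hosts-file hijacking of the kind just described is easy to audit: any active entry that maps a watched domain (or one of its subdomains) to something other than a loopback or unspecified address deserves a look. The following is an added example (not Trend Micro's code) that parses a Windows-style hosts file and reports such entries. The sample hosts content, the `example.com`/`example.net`/`example.org` watchlist and the `192.0.2.10` address are constructed placeholders (192.0.2.0/24 is reserved for documentation); the real entries the worm writes are only shown in the figure above.

```python
"""Audit a hosts file for entries that redirect watched domains.
Added example with constructed sample input; not code from the original post."""
import ipaddress


def _is_benign_target(ip_text):
    """Loopback (127.0.0.1, ::1) and unspecified (0.0.0.0) targets are the
    normal contents of a hosts file; anything else is worth reporting."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text):
    """Return (line_no, ip, [hostnames]) for each active entry.
    Comments (from '#' to end of line) and blank lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.append((line_no, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def find_hijacks(text, watchlist):
    """Report entries mapping a watched domain or any of its subdomains to a
    non-loopback address, the redirection technique described in the post."""
    watch = {d.lower().lstrip(".") for d in watchlist}
    findings = []
    for line_no, ip, hosts in parse_hosts(text):
        if _is_benign_target(ip):
            continue
        for h in hosts:
            if h in watch or any(h.endswith("." + d) for d in watch):
                findings.append({"line": line_no, "ip": ip, "host": h})
    return findings


# Constructed sample hosts file; the domains and address are placeholders.
SAMPLE_HOSTS = """\
# constructed sample hosts file (not a real capture)
127.0.0.1       localhost
::1             localhost
# entries standing in for what the worm appends:
192.0.2.10      www.example.com
192.0.2.10      search.example.net   # trailing comment
0.0.0.0         ads.example.org
"""
WATCHLIST = ["example.com", "example.net", "example.org"]

if __name__ == "__main__":
    for finding in find_hijacks(SAMPLE_HOSTS, WATCHLIST):
        print(f"line {finding['line']}: {finding['host']} -> {finding['ip']}")
```

On a live machine the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; the `0.0.0.0` entry in the sample is deliberately left unreported because sinkholing a domain to an unspecified address is what ad-blocking hosts lists legitimately do, whereas a routable address for a watched domain is the redirection this worm relies on.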

Malware authors constantly modify or add techniques to get their malware executed on vulnerable users’ machines. However, users can secure themselves from threats like this by applying security patches and updating their anti-virus signatures.
