TrendLabs Malware Blog - Trend Micro
TrendLabsSM received reports of a suspicious email claiming to be an IT notification. It informs users that their mailbox settings have been changed. This email has a .PDF attachment that supposedly contains instructions that the users need to read before updating their settings.

This attack is similar to many we have seen previously, purporting to come from a real sender and looking like a semi-legitimate company notification. Through this design, cybercriminals hope to make the malicious email more believable for recipients, enticing them to open the .PDF attachment. Here is a sample screenshot of one of the emails we received:


There are some simple safe computing practices that can always be used when opening emails and executing attachments.

• Always check who the email sender is.
• Look for errors in messages.
• Do not click embedded links.
• Check attachments’ real extension names and never click executable files.

The .PDF attachment is actually a malicious file Trend Micro detects as TROJ_PIDIEF.ZAC. When executed, this .PDF file calls on the embedded script batscript.vbs, which drops and executes a worm component named game.exe. The worm component also carries the rootkit file bp.sys to possibly hide its malicious routines and to prevent itself from being discovered by the user.

These components are detected as follows:

Ultimately, this threat tries to access an FTP server to possibly download other malicious files onto the affected system.
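The "check attachments' real extension names" advice above and the PDF-with-embedded-script chain just described can both be turned into a simple mail-gateway triage check. The following is an added example, not code from TrendLabs or Trend Micro: it compares an attachment's claimed extension with its magic bytes and flags PDF name objects that indicate active or embedded content (/Launch, /OpenAction, /EmbeddedFile, and so on). The sample PDF bytes and the file names inside it are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Magic bytes for a few common formats. An attachment named .pdf whose bytes
# do not start with %PDF is misrepresenting its type.
MAGIC = {b"%PDF": "pdf", b"MZ": "exe", b"PK\x03\x04": "zip"}

# PDF name objects that indicate scripting, launch actions or embedded files.
SUSPICIOUS_PDF_KEYS = [b"/JavaScript", b"/JS", b"/Launch",
                       b"/OpenAction", b"/AA", b"/EmbeddedFile"]

def sniff_type(data: bytes) -> str:
    """Return the content type implied by the file's leading bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def assess_attachment(filename: str, data: bytes) -> dict:
    """Triage one attachment: extension mismatch, executables, active PDF content."""
    claimed = PurePosixPath(filename).suffix.lower().lstrip(".")
    actual = sniff_type(data)
    findings = []
    if claimed != actual:
        findings.append(f"extension '{claimed}' does not match content type '{actual}'")
    if actual == "exe":
        findings.append("executable attachment")
    if actual == "pdf":
        # Plain substring search is deliberate: it is cheap gateway triage, not a
        # PDF parser, so hex-escaped names (e.g. /#4Aavascript) would need a real parser.
        for key in SUSPICIOUS_PDF_KEYS:
            if key in data:
                findings.append(f"PDF contains {key.decode()}")
        # File names referenced by /F (...) entries, e.g. a launched .vbs script.
        for m in re.finditer(rb"/F\s*\(([^)]+)\)", data):
            findings.append(f"referenced file: {m.group(1).decode(errors='replace')}")
    return {"filename": filename, "claimed": claimed, "actual": actual,
            "findings": findings, "suspicious": bool(findings)}

# Constructed sample: a PDF whose OpenAction launches an embedded script.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /Type /Action /S /Launch /F (batscript.vbs) >> endobj\n"
    b"5 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Constructed sample: an executable renamed to look like a PDF.
SAMPLE_EXE_AS_PDF = b"MZ\x90\x00" + b"\x00" * 60
```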

TrendLabs engineers are currently working to provide a more detailed analysis of this threat. Updates will be provided shortly.

Our in-the-cloud correlation engines quickly identified the multiple components of this attack to ensure the protection of Trend Micro customers. Trend Micro protects users from this attack via the Smart Protection Network™, which blocks user access to malicious URLs and blocks spammed messages through the Web and email reputation services. It also detects all malware related to this attack via the file reputation service.

If you think your system may have already been infected, scan and clean your system with HouseCall, Trend Micro’s free online malware scanner.

Update as of April 28, 2010, 5:30 p.m. (GMT +8:00):
Other spam messages using similar social engineering techniques have been spotted. These contain a malicious attachment detected as TROJ_KATUSHA.F.

Update as of April 30, 2010, 9:19 a.m. (GMT +8:00):
Upon further analysis of WORM_EMOTI.A there was no longer any indication that the URL http://{BLOCKED}ason.com/lde/ld.php is an FTP site that resolves to HTTP. However, it may still access two additional URLs: http://{BLOCKED}isa.com/lde/ld.php and http://{BLOCKED}nss.com/lde/ld.php.





    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice