Yesterday, we blogged about WORM_MEYLME.B, which sent various spammed messages containing bogus PDF documents and/or CVs. In just a few hours, the worm infected many users worldwide, proving the effectiveness of its social engineering tactic.

Upon closer investigation, the spam campaign, which we believe started around July 17 or even earlier, initially targeted human resource or administration email addresses in various companies and the military. The spam bore the subject “MY CV” and the message “Hello, This is my CV. I hope I can Find a Job.” It also had a link pointing to the malware. From July 29 to August 3, it specifically targeted members of the African Union using the subject “to af.union” and the message “I have worked in Human Rights Community and would like to work with you. This is my CV including my personal picture.” The link in the email redirects users to the malicious URL http://{BLOCKED}s.lycos.co.uk/iqreporters/Alicia_CV_Document_PDF.scr.
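The two lures above share a recognisable shape: a short, generic job-application text and a link whose file name ends in a document-looking suffix followed by an executable extension (.scr). The following script is an added example written for this post, not Trend Micro's own detection logic; it parses a few constructed sample messages (the host name is a placeholder, not the real distribution site) and flags those that match either a known lure subject or a link to an executable disguised as a document.

```python
import os
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample messages modelled on the two lures described in the post.
# "free-hosting.invalid" is a placeholder; the real distribution URL is not used here.
SAMPLES = [
    "From: Alicia <alicia@sender.invalid>\n"
    "To: hr@company.invalid\n"
    "Subject: MY CV\n"
    "\n"
    "Hello, This is my CV. I hope I can Find a Job.\n"
    "http://free-hosting.invalid/iqreporters/Alicia_CV_Document_PDF.scr\n",

    "From: Alicia <alicia@sender.invalid>\n"
    "To: info@union.invalid\n"
    "Subject: to af.union\n"
    "\n"
    "I have worked in Human Rights Community and would like to work with you.\n"
    "This is my CV including my personal picture.\n"
    "http://free-hosting.invalid/iqreporters/Alicia_CV_Document_PDF.scr\n",

    # A benign message with a real document link, for contrast.
    "From: recruiter@company.invalid\n"
    "To: hr@company.invalid\n"
    "Subject: Interview schedule\n"
    "\n"
    "Please see the agenda at http://intranet.company.invalid/agenda/schedule.pdf\n",
]

KNOWN_LURE_SUBJECTS = {"my cv", "to af.union"}          # from the post, lowercased
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
DOCUMENT_WORDS = re.compile(r"pdf|doc|cv|resume|picture|photo|jpg")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def body_text(msg):
    """Return the plain-text body of a parsed message (multipart-aware)."""
    if not msg.is_multipart():
        payload = msg.get_payload(decode=True)
        return payload.decode("utf-8", "replace") if payload else ""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode("utf-8", "replace"))
    return "\n".join(parts)


def link_findings(url):
    """Reasons to distrust one link: executable file type, document-like name."""
    filename = urlparse(url).path.rsplit("/", 1)[-1].lower()
    stem, ext = os.path.splitext(filename)
    findings = []
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"link downloads an executable file type ({ext}): {filename}")
        # "Alicia_CV_Document_PDF.scr" style: a document word glued to an executable.
        if DOCUMENT_WORDS.search(stem):
            findings.append("executable is named to look like a document or picture")
    return findings


def analyze(raw_message):
    """Score one raw RFC 822 message; returns a verdict and the reasons behind it."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    reasons = []
    if subject.lower() in KNOWN_LURE_SUBJECTS:
        reasons.append(f"subject matches a known lure: {subject!r}")
    for url in URL_RE.findall(body_text(msg)):
        reasons.extend(link_findings(url))
    return {"subject": subject, "flagged": bool(reasons), "reasons": reasons}


def scan(messages):
    return [analyze(m) for m in messages]


if __name__ == "__main__":
    for result in scan(SAMPLES):
        mark = "FLAGGED" if result["flagged"] else "ok"
        print(f"{mark:8} {result['subject']!r}")
        for reason in result["reasons"]:
            print(f"         - {reason}")
```

The subject match is the brittle part (attackers change lure text easily); the executable-extension check on the link target is what catches the next campaign that reuses the same trick under a different subject.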

As of this writing, Trend Micro has contacted the African Union but we haven’t received any response yet. Another thing to note is that a copy of the spammed message has also been sent to a certain iraq_resistance@yahoo.com email address. We are still looking into this as of the current time. Fortunately, the email address with the name “Alicia,” which was used to send the spammed messages, has already been suspended.


There are also some other things regarding this malware campaign that piqued our interest. As indicated above, this attack may have been targeted initially and is not really the resurgence of mass mailers that some may be prone to believe. The intended attack may have gone haywire and infected others apart from the original intended victims because of its propagation routines (i.e., removable drives, network shares, email). Furthermore, unlike the typical mass mailers of bygone years, this worm carries more ominous criminal payloads: it installs a backdoor detected as BKDR_BIFROSE.SMU and steals passwords used for browsers, instant-messaging apps, wireless keys, and remote desktop access, among others. WORM_MEYLME.B also resembles TROJ_ILOMO in that it propagates across the domain using re.exe (which is actually psexec.exe). Moreover, aside from harvesting Yahoo! Messenger contacts, which it uses for further propagation, the worm also leaves infected systems exposed by sharing folders without the users’ consent.
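Shares created without the user's consent are easy to miss on a workstation but simple to audit. The script below is an added example for this post, not Trend Micro's tooling; it parses the output of the Windows `net share` command (on Windows it runs the command, elsewhere it falls back to a constructed sample modelled on that output), ignores the default administrative shares and an expected allowlist, and reports anything else, with extra weight on hidden shares, whole-drive shares, and shares exposing user profile data. The host, share names and allowlist in the sample are assumptions.

```python
import os
import re
import subprocess


def _row(name, resource, remark):
    # Reproduces the fixed-width columns of English `net share` output.
    return name.ljust(13) + resource.ljust(32) + remark


# Constructed sample of `net share` output from a hypothetical infected host.
# Only the default administrative shares plus "Public" are expected here.
SAMPLE_OUTPUT = "\n".join([
    "",
    _row("Share name", "Resource", "Remark"),
    "",
    "-" * 79,
    _row("C$", "C:\\", "Default share"),
    _row("IPC$", "", "Remote IPC"),
    _row("ADMIN$", "C:\\Windows", "Remote Admin"),
    _row("Public", "C:\\Users\\Public", ""),
    _row("Users", "C:\\Users", ""),
    _row("data$", "D:\\", ""),
    "The command completed successfully.",
    "",
])

EXPECTED_SHARES = frozenset({"Public"})   # assumed site allowlist


def parse_net_share(text):
    """Column-based parse of `net share` output into name/resource/remark dicts."""
    lines = text.splitlines()
    header_idx = None
    for i, line in enumerate(lines):
        if line.startswith("Share name"):
            header_idx = i
            break
    if header_idx is None:
        return []
    header = lines[header_idx]
    res_col, rem_col = header.index("Resource"), header.index("Remark")
    shares = []
    for line in lines[header_idx + 1:]:
        if not line.strip() or line.startswith("---"):
            continue
        if line.startswith("The command"):
            break
        shares.append({
            "name": line[:res_col].strip(),
            "resource": line[res_col:rem_col].strip(),
            "remark": line[rem_col:].strip(),
        })
    return shares


def is_default_admin_share(name):
    """C$, D$, ... plus ADMIN$ and IPC$ are created by Windows itself."""
    return bool(re.fullmatch(r"[A-Za-z]\$", name)) or name.upper() in {"ADMIN$", "IPC$"}


def audit_shares(shares, expected=EXPECTED_SHARES):
    """Return the shares that should not be there, each with its reasons."""
    findings = []
    for share in shares:
        name, resource = share["name"], share["resource"]
        if name in expected or is_default_admin_share(name):
            continue
        reasons = ["not a default administrative share and not on the expected list"]
        if name.endswith("$"):
            reasons.append("hidden share ($ suffix) outside the default set")
        if re.fullmatch(r"[A-Za-z]:\\?", resource):
            reasons.append("exposes an entire drive")
        if re.match(r"[a-z]:\\(users|documents and settings)(\\|$)", resource.lower()):
            reasons.append("exposes user profile data")
        findings.append({"name": name, "resource": resource, "reasons": reasons})
    return findings


def collect_shares():
    """On Windows, run `net share`; elsewhere fall back to the constructed sample."""
    if os.name == "nt":
        proc = subprocess.run(["net", "share"], capture_output=True, text=True, check=False)
        return proc.stdout
    return SAMPLE_OUTPUT


if __name__ == "__main__":
    for finding in audit_shares(parse_net_share(collect_shares())):
        print(f"{finding['name']:<12} {finding['resource']:<28} " + "; ".join(finding["reasons"]))
```

The parser reads column offsets from the header line rather than splitting on whitespace, because share paths and remarks can themselves contain spaces; it assumes the English-language output format, so a localized Windows build needs the header keywords adjusted.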


Trend Micro is able to break the infection chain early, since it detects the spammed messages and all related malware and malicious URLs via the Smart Protection Network™. Trend Micro customers are also advised to upgrade to Titanium, as the list of service names that the malware targets does not include the service names Titanium uses. Finally, above everything else, users are strongly advised to change the passwords they use for the applications mentioned above and to always be cautious when opening unsolicited email messages, attachments, and links.

Additional analysis provided by threats analyst Edgardo Diaz, Jr.

© Copyright 2013 Trend Micro Inc. All rights reserved.