Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    September 2014
    S M T W T F S
    « Aug    
     123456
    78910111213
    14151617181920
    21222324252627
    282930  
  • About Us

    Gmail downtime message
    The Gmail downtime experienced today may have caused a nasty ruckus by frustrated users, but unknown to these users is an issue bigger than not being able to access email messages.

    In the midst of the commotion brought about by the outage lasting only a few hours, cybercriminals managed to squeeze in an attempt to distribute malicious files to unknowing users.

    During the downtime, searches for the string “gmail down” yielded a Google Group page also named Gmail down as the top result. Trend Micro Researcher Loucif Kharouni reports that the said page was found displaying a banner with images related to pornography, which then pointed to a pornographic website. But what’s more dangerous is that links in the said webpage lead to malicious files.


    Figure 1. Google Group website set up to distribute malware


    Figure 2. Malicious links found on the Gmail down Googe Group webpage

    The link Really young good looking teenager-547b4.html redirects to two different URLs. First, the URL hxxp:// {BLOCKED}worldx.com/software/f352d5ac52/10410/1/Setup.exe prompts the download of a file detected as TROJ_PROXY.AEI. Kharouni reported that TROJ_PROXY.AEI drops two files—a BAT file and a DLL file. The BAT file is used to load the DLL file, which in turn modifies the registry entries related to proxy server settings. This causes the results to user queries to be redirected to remote sites mostly related to advertising.


    Figure 3. A sample query for Trend Micro


    Figure 4. The website displayed when clicking the first result

    The second URL, hxxp:// {BLOCKED}cktube.com/new/n/Exclusive+Free+porno/3913744, leads to the download of a malicious file detected as TROJ_AGENT.FAKZ. Our researchers are currently analyzing this file to determine its routines.

    On the other hand, the link The Dark Knight torrent.zip leads to the download of the BAT file main_movie_torrent.bat. The said file modifies the attributes of the following files:

  • c:autoexec.bat
  • c:boot.ini
  • c:ntldr
  • c:windowswin.ini

    It displays a popup message stating “Virus Activated,” then deletes the abovementioned files, which are all critical files related to loading Windows. After doing so, another pop-up message is displayed, this time stating “Computer Over. Virus=Very Yes.” The computer will then shut down after 10 seconds, and will no longer be able to boot into the operating system. This file is now being studied for detection. Please stand by for updates.

    The said Google Group was already deleted, and was reported up for about 25 minutes. Meanwhile, all malicious links are already blocked through the Smart Protection Network (in fact, one of the domains in this incident is already tagged as malicious even prior to today).

    This incident serves proof of how keen cybercriminals’ instincts can get in seeing opportunites to distribute their malicious files.

    Update as of February 26 2009, 2:00 AM PST
    Analysis by Trend Micro researchers reveal that TROJ_AGENT.FAKZ installs itself as s BHO on the affected system, and when executed connects to the Internet and displays the following website through Internet Explorer.

    website
    Figure 5. Displayed instance of Internet Explorer

    Clicking the Download Free Movie link displays the following message.

    rogue
    Figure 6. Displayed instance of Internet Explorer

    Clicking either Yes or No on the dialog box redirects the user to a URL to download a rogue AV detected as TROJ_FAKEAV.ANI.

    Furthermore, the BAT file contained in the The Dark Knight torrent.zip link is now detected as BAT_DELWIN.AA. Below are screenshots of the previously mentioned messages displayed after the execution of this malware.

    displayed
    Figure 7.First message box

    displayed
    Figure 8.Second message box





  • Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon






     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice