    A spammed email currently in circulation gives news about Hurricane Katrina. However, the link it provides leads to a site containing an exploit detected as JS_PHEL.K.



    When the site is viewed, an HTA file named w.hta is downloaded to the system.

    w.hta then drops the file C:\fh4uh.exe, which downloads and executes win32sbk.exe from http://zone.{blocked}/3/win32sbk.exe

    The file win32sbk.exe drops a copy of itself as smss.exe and then downloads and executes http://{blocked}.org/u/upd_0002.exe, which is currently unavailable.

    The site also contains a link to an article about the ZOTOB WORM, which offers a download link for a Zotob Worm Removal Tool. This Zotob Worm Removal Tool is actually a UPX-packed copy of win32sbk.exe.

    All files have already been submitted to the service team. Hmmm…You get all that just from going to a website about a hurricane…
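For defenders, the download chain described above (an .hta fetch followed shortly by .exe fetches from the same client) is visible in web proxy logs. The following detection sketch is an added example, not Trend Micro code; the log format, the host names, the timestamps and the five-minute window are assumptions, and only the file names come from the post.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log lines: timestamp, client IP, method, URL.
# Hosts and times are placeholders; file names are the ones named in the post.
SAMPLE_LOG = """\
2005-09-01T10:00:02 10.0.0.5 GET http://news.example/katrina/index.html
2005-09-01T10:00:03 10.0.0.5 GET http://news.example/katrina/w.hta
2005-09-01T10:00:09 10.0.0.5 GET http://zone.example/3/win32sbk.exe
2005-09-01T10:00:20 10.0.0.5 GET http://files.example/u/upd_0002.exe
2005-09-01T10:05:00 10.0.0.7 GET http://vendor.example/tools/setup.exe
2005-09-01T11:00:00 10.0.0.9 GET http://intranet.example/app.hta
2005-09-01T13:30:00 10.0.0.9 GET http://vendor.example/tools/setup.exe
"""

WINDOW = timedelta(minutes=5)  # assumed correlation window


def parse(line):
    """Split one log line into (time, client, url, lower-cased URL path)."""
    ts, client, _method, url = line.split(None, 3)
    url = url.strip()
    return datetime.fromisoformat(ts), client, url, urlsplit(url).path.lower()


def find_hta_then_exe(log_text, window=WINDOW):
    """Return {client: [exe URLs]} for .exe fetches that follow an .hta fetch."""
    last_stage = {}  # client -> time of the most recent stage in the chain
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url, path = parse(line)
        if path.endswith(".hta"):
            last_stage[client] = ts
        elif path.endswith(".exe"):
            seen = last_stage.get(client)
            if seen is not None and timedelta(0) <= ts - seen <= window:
                hits.setdefault(client, []).append(url)
                last_stage[client] = ts  # a later stage chains from this download
    return hits


if __name__ == "__main__":
    for client, urls in find_hta_then_exe(SAMPLE_LOG).items():
        print(client, "fetched executables after an .hta:", ", ".join(urls))
```

A lone .exe download and an .exe fetched hours after an unrelated .hta are not flagged; only the client that follows the w.hta fetch with executable downloads inside the window is reported.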




    Here’s a snapshot of a sample “Katrina Hurricane spam.”














     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice