    An email currently being spammed offers news about Hurricane Katrina. However, the link it provides leads to a site containing an exploit detected as JS_PHEL.K.

    When the site is viewed, an HTA file named w.hta is downloaded to the system.

    W.HTA then drops the file C:fh4uh.exe, which downloads and executes win32sbk.exe from http://zone.{blocked}/3/win32sbk.exe

    The file win32sbk.exe drops itself as smss.exe and then downloads and executes http://{blocked}.org/u/upd_0002.exe, which is currently unavailable.

    The site also contains a link to an article about the ZOTOB WORM, which contains a download link for a Zotob Worm Removal Tool. This Zotob Worm Removal Tool is actually a UPX-packed copy of win32sbk.exe.

    All files have already been submitted to the service team. Hmmm… You get all that just from going to a website about a hurricane…

    Here’s a snapshot of a sample “Katrina Hurricane spam.”
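The chain described above leaves two behaviours a defender can hunt for in process-creation logs: the HTA host (mshta.exe, which runs .hta files) launching an executable, and a process named smss.exe running from somewhere other than the Windows System32 directory, where the genuine Session Manager lives. The following is an added example, not code from the original post; the event format, the sample paths, the rule names and the `C:\WINDOWS` system root are all assumptions made for illustration.

```python
import ntpath

# Constructed process-creation events (parent image -> child image).
# Paths are invented for illustration; they are not taken from the post.
SAMPLE_EVENTS = [
    {"parent": r"C:\WINDOWS\system32\mshta.exe", "image": r"C:\example\dropped.exe"},
    {"parent": r"C:\example\dropped.exe", "image": r"C:\example\smss.exe"},
    {"parent": r"C:\WINDOWS\system32\smss.exe", "image": r"C:\WINDOWS\system32\csrss.exe"},
    {"parent": r"C:\WINDOWS\explorer.exe", "image": r"C:\WINDOWS\system32\mshta.exe"},
]


def _norm(path):
    """Lower-case and normalise a Windows path so comparisons are stable."""
    return ntpath.normcase(ntpath.normpath(path))


def findings(event, system_root=r"C:\WINDOWS"):
    """Return the names of the (hypothetical) rules that one event triggers."""
    hits = []
    parent, image = _norm(event["parent"]), _norm(event["image"])

    # Rule 1: an HTA run by mshta.exe starts an executable (w.hta -> dropper).
    if ntpath.basename(parent) == "mshta.exe" and image.endswith(".exe"):
        hits.append("hta_spawned_executable")

    # Rule 2: smss.exe seen outside <system_root>\System32, either as the
    # new process or as the parent that launches a further download.
    expected_dir = _norm(ntpath.join(system_root, "System32"))
    for role, path in (("image", image), ("parent", parent)):
        if ntpath.basename(path) == "smss.exe" and ntpath.dirname(path) != expected_dir:
            hits.append("smss_masquerade_" + role)
    return hits


def scan(events, system_root=r"C:\WINDOWS"):
    """Return (index, rule names) for every event that triggers a rule."""
    results = []
    for index, event in enumerate(events):
        hits = findings(event, system_root)
        if hits:
            results.append((index, hits))
    return results


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["image"], hits)
```

On hosts where Windows is installed elsewhere (for example `C:\WINNT`), pass that directory as `system_root` so the genuine smss.exe is not flagged.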



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice