    Security analysts mark a secret social events calendar in their heads for good reason. Malware writers have been known to launch offensives using timely celebratory-themed email messages to get users to click on links or open files. Nifty social engineering tricks like these also effectively distract users from the real action: Trojans getting a foot in the door (of target PCs). Independence Day, which is a day of fireworks, floats, and picnics for the United States, is no different.

    On the Storm-chasing front we were able to capture spam leveraging the Independence Day festivities, a few of which are shown below:

      Subject: Spectacular fireworks show
      Body: The best firework you’ve ever seen
      Subject: Independence Day firework broke all records
      Body: Fabulous Independence Day firework
      Subject: Long Live America
      Body: Celebrate with Pride

    Links contained in messages connect users to the following IP addresses:

    1. hxtp:// 66.{BLOCKED}.{BLOCKED}.222/
    2. hxtp:// 24.{BLOCKED}.{BLOCKED}.159/
    3. hxtp:// 67.{BLOCKED}.{BLOCKED}.202/
    4. hxtp:// 68.{BLOCKED}.{BLOCKED}.252/
    5. hxtp:// 24.{BLOCKED}.{BLOCKED}.92/
    6. hxtp:// 68.{BLOCKED}.{BLOCKED}.164/

    All except the last two of the listed IP addresses are unavailable as of this writing. Investigations by our threat researchers reveal that clicking on the links triggers the download of the files fireworks.exe-1 and fireworks.exe-2, both detected by Trend Micro as WORM_NUWAR.VQ.

    However, it seems Storm is not the only one keen on leveraging the July 4 celebrations. Our threat researchers have also seen a spammed email message that reads as follows:

      From: E Greetings
      Subject: You just received an E-Greetings for the 4′th of july

      Body:
      Greeting

      Hello ,
      A Greeting Card for the 4′th of july is waiting for you at our virtual post office! You can
      pick up your postcard at the following web address:

      ptth:\www.{BLOCKED}ngs.com/u/view.php¿id=a0190313376667

      visit E-Greetings at ptth:\www.{BLOCKED}ngs.com//
      and enter your pickup code, which is: a0190313376e667

      (Your postcard will be available for 60 days.)

    Compulsive clickers will find themselves downloading an 800+ KB Trojan named july.exe from the malicious domain l-g.ro instead of an e-greeting. We detect this file as TROJ_DROPPER.OAC. When this file is opened, it drops and extracts a temporary CAB file in the temp folder. The CAB contains dr.mrc and mirc.ini, which are likewise malicious (detected as IRC_ZAPCHAST.BI and Mal_Zap, respectively). It also dumps several non-malicious files in the same location. IRC_ZAPCHAST variants are scripts that execute within an mIRC environment, through which a remote malicious user can issue commands on the affected PC, thereby compromising it.

    Users in the United States are advised to be wary of similarly-themed email messages they receive in their inboxes within and around the week of Independence Day celebrations. Trend Micro users are already protected from this threat because of the Smart Protection Network.

    Please stand by. We’ll give you updates on the final agenda of these malware. So far, we already block the malicious URLs and detect both the dropper and the IRC malware. Mal_Zap is a heuristic detection that flags files behaviorally and characteristically similar to IRC_ZAPCHAST variants. This is a proactive detection that protects Trend Micro customers even before we receive an actual sample of the file. Our threat engineers are also currently investigating the routines of WORM_NUWAR.VQ.

    UPDATED on 17 July 2008: TROJ_DROPPER.OAC drops IRC_ZAPCHAST.BI along with a spoofed mIRC v. 6.0.3.0, a list of servers, and a configuration file. The dropper executes the spoofed mIRC, which loads the malicious script. The spoofed mIRC opens ports 6664 to 6667 to connect to a server. Since TROJ_DROPPER.OAC creates an autostart entry for the spoofed mIRC, the user does not need to have an IRC client installed on the system or to be an IRC user for this malware to execute on the affected PC.
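As an added illustration of the detection logic this chain invites (not code from Trend Micro or from the post), the following Python correlates constructed endpoint events into a finding for the behaviour described above: an mIRC-like binary executing from the temp folder, registered as an autostart entry, and connecting out on ports 6664 to 6667. Event types, field names and the sample paths are assumptions; a legitimate mIRC install is included to show that IRC traffic alone is not enough to flag a host.

```python
"""Correlate constructed endpoint telemetry into a TROJ_DROPPER.OAC / IRC_ZAPCHAST
style finding: temp-folder execution + autostart persistence + IRC-port egress.
Event schema and sample data are assumptions, not Trend Micro telemetry."""
from collections import defaultdict

IRC_PORTS = range(6664, 6668)            # 6664-6667, the range named in the post
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")   # dropped payloads land in the temp folder


def analyze(events):
    """Return {host: [suspect image paths]} for hosts matching all three traits."""
    per_host = defaultdict(lambda: {"temp_exec": set(), "autorun": set(), "irc": set()})
    for ev in events:
        h = per_host[ev["host"]]
        path = ev.get("image", "").lower()
        in_temp = any(m in path for m in TEMP_MARKERS)
        if ev["type"] == "process_start" and in_temp:
            h["temp_exec"].add(path)
        elif ev["type"] == "autorun_added" and in_temp:
            h["autorun"].add(path)
        elif ev["type"] == "net_connect" and ev.get("dport") in IRC_PORTS:
            h["irc"].add(path)
    findings = {}
    for host, h in per_host.items():
        # the same binary must run from temp, persist via autorun and talk IRC
        suspects = h["temp_exec"] & h["irc"] & h["autorun"]
        if suspects:
            findings[host] = sorted(suspects)
    return findings


# Constructed sample telemetry: ws01 mirrors the dropper chain, ws02 is a real mIRC user.
TMP = "C:\\Users\\a\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process_start", "image": TMP + "july.exe"},
    {"host": "ws01", "type": "process_start", "image": TMP + "mirc.exe"},
    {"host": "ws01", "type": "autorun_added", "image": TMP + "mirc.exe"},
    {"host": "ws01", "type": "net_connect", "image": TMP + "mirc.exe", "dport": 6667},
    {"host": "ws02", "type": "process_start", "image": "C:\\Program Files\\mIRC\\mirc.exe"},
    {"host": "ws02", "type": "net_connect", "image": "C:\\Program Files\\mIRC\\mirc.exe", "dport": 6667},
]

if __name__ == "__main__":
    for host, paths in analyze(SAMPLE_EVENTS).items():
        print(f"{host}: suspected spoofed mIRC chain -> {paths}")
```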

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice