Feb 20, 12:47 pm (UTC-7) | by Jhoevine Capicio (Advanced Threats Researcher)
Since TROJ_YABE came around, it has targeted German customers of numerous companies/institutions like
The latest in its growing list of victims is IKEA Home Shopping, a company selling home furniture. The ammo and social engineering tactics used by this particular malware are the same as those of the other TROJ_YABE malware from Germany: it sends unsuspecting users an e-mail pretending to be a bill from IKEA.
Below is a sample of the e-mail used.
The attachment connects to different URLs but ultimately downloads a file from http:// {block}.uk/11.exe. The other sites
- http:// {block}xas.com/images/index2.txt
- http:// {block}sert.org/images/photo_page/index2.txt
- http:// {block}club.com/Images/index.txt
- http:// {block}epairs.co.uk/Clocks/index.txt
- http:// {block}service.com.au/images/index.txt
- http:// {block}mages/dvd/index.txt
- http:// {block}fe.com/images/index2.txt
contain the download URL of 11.exe as obfuscated text. This file can contain either an updated copy of the trojan or just another DOWNLOADER/AGENT/YABE; it depends on whatever the malicious person or persons behind this targeted trojan attack want. As of now, the latest CPR detects the e-mail attachment as TROJ_AGENT.IQN and the downloaded file (11.exe) as TROJ_AGENT.ISP. For customers, downloading the latest CPR can take away all your worries about this particular trojan; the URLs related to this malware have also already been blocked.
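The two-stage fetch described above (a text file holding the download URL, then the executable) can be hunted for in web proxy logs. The following is an added example, not part of the original post; the log format, the 60-second window and all hosts are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines: epoch seconds, client IP, requested URL.
# All hosts are placeholders, not indicators from the post.
SAMPLE_LOG = """\
1171997220 10.0.0.5 http://site-a.example/images/index2.txt
1171997224 10.0.0.5 http://site-b.example/11.exe
1171997300 10.0.0.9 http://news.example/index.html
1171997310 10.0.0.9 http://vendor.example/setup.exe
1171997400 10.0.0.7 http://site-c.example/Images/index.txt
1171999900 10.0.0.7 http://mirror.example/tool.exe
"""

POINTER_RE = re.compile(r"/index2?\.txt$", re.IGNORECASE)  # stage 1: text file holding the URL
PAYLOAD_RE = re.compile(r"\.exe$", re.IGNORECASE)          # stage 2: executable download
WINDOW_SECONDS = 60  # assumed correlation window; tune for your environment


def find_staged_downloads(log_text, window=WINDOW_SECONDS):
    """Return (client, pointer_url, payload_url) tuples where a client fetched
    an index.txt/index2.txt file and then an .exe within `window` seconds."""
    last_pointer = {}  # client -> (timestamp, url) of its most recent pointer fetch
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # skip malformed lines
        ts, client, url = int(parts[0]), parts[1], parts[2]
        path = urlsplit(url).path  # ignore any query string
        if POINTER_RE.search(path):
            last_pointer[client] = (ts, url)
        elif PAYLOAD_RE.search(path) and client in last_pointer:
            p_ts, p_url = last_pointer[client]
            if 0 <= ts - p_ts <= window:
                hits.append((client, p_url, url))
            del last_pointer[client]  # each pointer fetch is paired at most once
    return hits


if __name__ == "__main__":
    for client, pointer, payload in find_staged_downloads(SAMPLE_LOG):
        print(f"{client}: {pointer} -> {payload}")
```

This is a heuristic: it will also match benign software that reads a text manifest before downloading an installer, so treat hits as leads to review alongside the mail gateway logs.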
This entry was posted on Tuesday, February 20th, 2007 at 12:47 pm and is filed under Uncategorized.