Sep 20, 10:24 am (UTC-7)   |   by Carolyn Guevarra (Technical Communications)

TrendLabs received reports of malicious files being distributed via email to a target audience, particularly a small Chinese Internet community. According to SANS Internet Storm Center, the email message is written in Chinese.


“Clicking on the attachment does not actually do anything; while it contains some dropper code, it appears to have been corrupted, or does not load correctly on our UK English test systems.”

Read more about the article here.

The attached file, content.html, opens and immediately closes a script tag. Within the HTML body it opens a Microsoft Spreadsheet object; the rest of the file is a Microsoft Word document in XML format. The following string also appears just in front of the Office document:


%u7468%u7074%u2F3A%u372F%u2E30%u3538%u322E%u2E35%u3731%u3A34%u3733%u3132%u312F%u652E%u6578

This translates into http://70.{BLOCKED}.174:3721/1.exe when decoded. Trend Micro detects the said HTML file as JS_AGENT.AAAA.
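The string above is the %uXXXX form produced by JavaScript's escape(); each token is a 16-bit value that lands in memory as UTF-16LE, so the low byte comes first and the text reads correctly only after swapping the bytes of every token. The following decoder is an added example (not Trend Micro's or SANS's code) that scans an HTML file for such runs and reports any that decode to a URL; the sample HTML and the 192.0.2.10 download host in it are constructed placeholders, not the address from this incident.

```python
import re

# A run of two or more %uXXXX tokens, as emitted by JavaScript's escape().
UNICODE_ESCAPE_RUN = re.compile(r"(?:%u[0-9A-Fa-f]{4}){2,}")


def decode_u_escape(run: str) -> bytes:
    """Decode a %uXXXX run the way it is laid out in memory.

    Each 16-bit value is a UTF-16LE code unit, so the low byte is
    emitted before the high byte (0x7468 -> b"ht").
    """
    out = bytearray()
    for word in re.findall(r"%u([0-9A-Fa-f]{4})", run):
        value = int(word, 16)
        out.append(value & 0xFF)   # low byte first
        out.append(value >> 8)     # then high byte
    return bytes(out)


def encode_u_escape(data: bytes) -> str:
    """Inverse of decode_u_escape; used here only to build the constructed sample."""
    if len(data) % 2:
        data += b"\x00"  # pad to a whole 16-bit word
    return "".join(f"%u{data[i + 1]:02X}{data[i]:02X}" for i in range(0, len(data), 2))


def find_hidden_urls(html: str) -> list:
    """Return every %u run in `html` that decodes to printable ASCII containing a URL scheme."""
    hits = []
    for match in UNICODE_ESCAPE_RUN.finditer(html):
        raw = decode_u_escape(match.group(0)).rstrip(b"\x00")
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # binary payload rather than text; not a URL
        if text.isprintable() and "://" in text:
            hits.append(text)
    return hits


# Constructed sample: script tag, spreadsheet object, encoded URL, then the XML document.
SAMPLE_URL = "http://192.0.2.10:3721/1.exe"  # placeholder host, not the real one
SAMPLE_HTML = (
    "<html><script></script><body><object classid=\"clsid:PLACEHOLDER\"></object>"
    + encode_u_escape(SAMPLE_URL.encode("ascii"))
    + "<?xml version=\"1.0\"?><w:wordDocument></w:wordDocument>"
)

if __name__ == "__main__":
    print(find_hidden_urls(SAMPLE_HTML))
```

The first two tokens of the string quoted above, %u7468%u7074, decode to "http" with this byte order, which confirms the convention the page's decoding relies on.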

The executable file 1.exe, which is downloaded into the system as GALAI.EXE, is packed using BeRo. Trend Micro detects this as TROJ_DLOADER.UAM. Once executed, it opens an Internet browser window and plays the following YouTube video:

    http://www.youtube.com/{BLOCKED}?v=3h_kU7-B2vI

This video apparently shows clips related to the Chinese New Year. While the video is playing, the malware issues a DNS query for thechina.512j.com in the background. This currently resolves to an IP address hosted at a certain Chinese Internet cafe. From there it attempts to retrieve a file named msss.exe; however, this file is no longer available from the download site.

Although this malware is targeted at a select community, users are warned of the said email and are advised not to click on links or attachments within email messages, even if they seem to have come from a trusted source.

Data provided by Maarten Van Horenbeeck of SANS Internet Storm Center. Additional information provided by Trend Senior Threat Researcher Ivan Macalintal.





One Response to “YouTube Chinese New Year Video – With a Malware Twist”


© Copyright 2010 Trend Micro Inc. All rights reserved. Legal Notice