Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    Author Archive - Mayee Corpin (Technical Communications)

    It has been almost four months since Valentine’s Day, but tell that to the Storm malware authors. TrendLabs Content Security has seen a new trickle of Storm-related spam, again hewing to themes of love and romance. Perhaps said authors believe this run will be a runaway success, since June is widely held as the most popular month for weddings?

    As samples of these email messages show above, email subjects read “Stand by my side,” “I want to be with you,” and “Lucky to have you”—simple statements dripping with sincerity, or so spammers hope, to get unsuspecting users hooked.

    The said subject lines differ from the one-liners that make up the message body, alongside malicious IP addresses that don’t bother to ask users to click on them. But if the curious do click on these, they are redirected to the following site:

    This is where they are then asked to “click here” and choose “Open” or “Run”—but not before they are made to read teasers hinting of secret admirers: “Who is loving you? Do you want to know?”

    And if they dare to find out, the “secret admirer” turns out to be a file named LOVEYOU.EXE, which Trend Micro detects as WORM_NUWAR.BC.

    Heart-related themes have been used time and again as spam baits. Because of its popularity, this is a theme that will probably last a lifetime, if users continue to fall for its schemes. The earliest such Storm variant, as written by Threats Analyst Robert McArdle, used a long list of girls’ names, perhaps to target men. Of course, Storm also made its presence felt around Valentine’s this year, with a spam run that led to a cutesy Web site where WORM_NUWAR.AR could be downloaded. In fact, as early as January, Storm was already spamming out some love.

    Posted in Spam | Comments Off on Storm Still Meddles in Matters of the Heart

    We’ve seen all sorts of stuff being advertised by spam, from the salacious to the more innocent. Falling into this latter category is a recent type of spammed email message that our spam traps have caught: those advertising free screensavers (as shown below).

    That may not sound harmful at all, but when one clicks on the link within the message, he/she is led to a Web site that entices him/her to download a free screensaver. Here’s a screenshot of the said site:

    Again, there’s no harm in that, right? Wrong.

    When a user chooses to download a screensaver from those offered by the legitimate-looking site, he/she is actually downloading a malicious file onto his/her system.

    The said file is detected by Trend Micro as WORM_SOCKS.D.

    Information and screenshots provided by Content Security Team

    Posted in Bad Sites, Malware, Spam | Comments Off on Screensaver Equals Worm

    TrendLabs has gotten word that the official Web site of Swedish rock band The Hives, hxxp://, got hacked. This attack coincides with the US leg of the band’s ongoing tour before they move on to the UK next month. The compromised site incidentally provides tour dates.

    An iFrame was found to be inserted into the page, pointing to another page that redirects to hxxp:// This URL hosts a malicious JavaScript detected as JS_PSYME.FE, which then tries to install TROJ_DROPPER.ALS.

    TrendLabs anti-malware engineers have downloaded the HTML file where the malicious iFrame was inserted. This HTML file with the malicious iFrame is now detected as HTML_IFRAME.JF.

    Trend Micro also now detects the file downloaded from the URL hxxp:// as TROJ_SMALL.AYR, which installs a host of other malware detected as TROJ_RENOS.LA, TROJ_AGENT.AEUM, and TROJ_WANTVI.E.

    As if those malicious scripts and Trojans were not enough, this malware also downloads an adware detected as ADW_REANIMATOR from the following site:

    • hxxp://

    By virtue of their popularity, music bands are almost a given as effective tools for social engineering. As has been seen last November, pianist and singer Alicia Keys’ MySpace Web page was compromised; a background image was injected into it and redirected to malicious sites supposedly located in China. Users were then prompted to download a fake video codec — actually a ZLOB Trojan.

    Trend Micro strongly encourages you to update your pattern files regularly. It will protect you from the latest as well as old malware threats.

    Image courtesy of

    Note from Paul Ferguson, Advanced Threats Research: We love The Hives. We just hate malware & cyber criminals.


    Looks can be deceiving, and the face of cyber crime is getting fresher and fresher. Young computer whizzes lured to the dark side are still very much active, as proven by news that a teen hacker—all of 18 years old—was nabbed in the worldwide effort to put botnet masters behind bars.

    Owen Thorn Walker of New Zealand, who used the handle “AKILL,” reportedly masterminded a group operating a botnet that has caused losses of $20 million, according to Techworld. Their botnet has allegedly compromised 1.3 million systems to collect credit card information and manipulate stock trades.

    Walker stands to face 10 years in jail if proven guilty. Local New Zeland police worked hand in hand with the FBI, US Secret Service and Dutch authorities in the investigation, according to The New Zealand Herald.

    Teen hackers are hogging the news of late, but the good news is, the international community is on to them. The most recent botnet gang that was caught and which police have dubbed the largest and most damaging in Canada even involved minors. If sound advice applies to this global effort to straighten out these juvenile delinquents, it’s to get them while they’re young. Because with their whole lives ahead of them, there’s at least hope that they can turn their life around, and side with the good someday. Perhaps they should even work in security because sometimes, as they say, it takes a thief to catch a thief.


    Hundreds of Phish Kits on the Loose header

    TrendLabs has received notice that hundreds of phishing kits designed to generate phishing sites are currently being actively used, including those used by the so-called Mr. Brain. To jiggle everyone’s memory, Mr. Brain is not an individual operating by his lonesome, but rather a group of phishers who are themselves targeting phishers.

    The newly discovered phishing kits — numbering over 400 — are targeting top Web 2.0 sites (social networking, video sharing and VoIP sites), free email service providers, banks, as well as the more popular e-commerce Web sites. Some of the major financial institutions are the following:

    • Barclays
    • BankOne
    • Charter
    • Chase
    • Citibank
    • HSBC

    Research Project Manager Ivan Macalintal is further investigating the matter. Updates will be provided as they come.

    Hat tip to MarkMonitor.

    Posted in Mobile | Comments Off on Hundreds of Phish Kits on the Loose


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice