    Author Archive - Rainer Link (Senior Threat Researcher)

    A new wave of spammed emails with malicious attachments can be seen on the Internet. An email that promises cigarettes at very low prices comes with a password-protected archive that contains TROJ_YABE.BJ.

    Normally a password on an archive ensures that the recipient gets exactly what the sender sent and that nobody else can read it. In this case every recipient receives the same password, so all of the security is gone, but it may still trick users into believing the attachment is safe. This form of social engineering bypasses security by faking security.

    The email is sent in the name of “Zigaretten GmbH”, and one of the subject lines used is “Rauchen ist jetzt billiger ab 1 Euro”. The text simply lies when it says something like “your personal archive password is: angebot”.

    If you run a security solution such as IMSS, we suggest temporarily blocking mails whose attachment is named, for example, “Angebot.rar”, “Ausverkauf.rar” or “Preis.rar” and whose From display name is “Zigaretten GmbH”. As usual, don’t open attachments from untrusted sources or from sources you simply don’t know.

    Posted in Bad Sites | Usage of security features to bypass security

    A new WORM_NUWAR.CQ variant (filename: postcard.exe, 50,648 bytes) has been spreading since last night; it has been detected since CPR 4.250.01. Once again, fake bills with the subject “KD Webshop Bestellung” are being seeded. The attached file “rechnung.exe” (file size: 8.522 bytes) is detected by IntelliTrap as PAK_Generic.001; detection as TROJ_YABE.BK will be available in the upcoming CPR. Fake “1&1” bills are being seeded, too. The attachment name is “” (file size: 7.016 bytes), and it will be detected as TROJ_YABE.BL. As usual, don’t click on .exe files and, if possible, block .exe files in general on your email server or gateway.

    Posted in Bad Sites | New WORM_NUWAR.CQ variant, new faked 1&1 bills, new faked “KD Webshop Bestellung”

    Since the late afternoon of 31/01, fake emails appearing to come from the BKA (Germany’s Federal Criminal Police Office) have been spammed within Germany. The subject of these emails is “Ermittlungsverfahren Nr. [number]”, where [number] is a random number. The attachment is an EXE file (e.g. 2981956.exe), which is detected as TROJ_DLOADER.KHZ. This trojan downloads a further piece of malware, which is detected as TSPY_BZUB.GK. If you receive such an email, just delete it. As general advice for corporate environments, block all .exe and .com attachments if possible. The BKA has issued a PR on this issue. If you suspect your computer is already infected, you are welcome to use our free online scanner, HouseCall.

    Posted in Bad Sites | Faked BKA eMails are being spammed
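A gateway-side filter that combines the rules suggested in the posts above (blocking by sender display name and by attachment name for the “Zigaretten GmbH” spam, and blocking .exe/.com attachments for the faked bills and the BKA emails), as an added Python example that is not from the original posts or from any Trend Micro product. The message template, the sender address, the body text and the sample attachments are constructed assumptions; the attachment check also looks at the file magic so that a renamed executable is still caught.

```python
import re
from email import message_from_bytes, policy, utils
# Constructed template modelled on the spam described above; the sender address,
# body text and every sample value below are assumptions, not captured messages.
MAIL_TEMPLATE = """From: "{name}" <sender@example.invalid>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

{body}
--b1
Content-Disposition: attachment; filename="{fname}"
Content-Transfer-Encoding: base64

{b64}
--b1--
"""

def make_mail(name, body, fname, b64):
    return MAIL_TEMPLATE.format(name=name, body=body, fname=fname, b64=b64).encode()

CIGARETTE_SPAM = make_mail("Zigaretten GmbH", "your personal archive password is: angebot",
                           "Angebot.rar", "UmFyIRoHAA==")  # base64 of the "Rar!" magic only
BLOCKED_DISPLAY_NAMES = {"zigaretten gmbh"}
BLOCKED_ATTACHMENT_NAMES = {"angebot.rar", "ausverkauf.rar", "preis.rar"}
BLOCKED_EXTENSIONS = (".exe", ".com")
PASSWORD_HINT = re.compile(r"passwor[dt]\s*(is|ist|lautet)?\s*:", re.I)

def classify(raw: bytes) -> list:
    # returns the names of the gateway rules a raw RFC 822 message matches ([] = clean)
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    display_name, _ = utils.parseaddr(msg.get("From", ""))
    if display_name.strip().lower() in BLOCKED_DISPLAY_NAMES:
        hits.append("from-display-name")
    body = msg.get_body(preferencelist=("plain",))
    password_in_body = bool(body and PASSWORD_HINT.search(body.get_content()))
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if fname in BLOCKED_ATTACHMENT_NAMES:
            hits.append("attachment-name")
        # check the PE "MZ" magic as well as the name, so a renamed .exe still matches
        if fname.endswith(BLOCKED_EXTENSIONS) or payload.startswith(b"MZ"):
            hits.append("executable-attachment")
        # a RAR archive plus a password stated in the body is the lure described above
        if payload.startswith(b"Rar!") and password_in_body:
            hits.append("password-protected-archive-lure")
    return hits
```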

    11:32 am (UTC-7)   |    by

    A new Yahoo phishing site has been spotted, located at . It spoofs the Yahoo! Photos site.
    Below is a snapshot of the site.

    The site has already been submitted to Web Blocking Team.
    Posted in Bad Sites | YM Phishing Site

    There are reports of zero-day exploit code in the wild for the client-side RealPlayer and Helix Player. A format string vulnerability in these media players can be exploited to execute malicious code on the affected system. A specially crafted media file in the .RP (RealPix) or .RT (RealText) format can trigger the vulnerability.

    The exploit code itself states that RealPlayer was informed about the vulnerability; however, the code was released to the public before RealPlayer came up with a patch for the problem. The author of the exploit apologized for the untimely release of the code, as quoted below.

    “Real have been duly informed about this issue and are fixing. Sadly though, it seems someone is trying to pinch my research, as such I have been forced to release this advisory sooner than hoped. Until Real get a new release out, do not play untrusted media with RealPlayer or HelixPlayer. Sorry!

    Moral of the story, don’t talk about personal research on IRC. Thank you plagiarizers”

    Posted in Bad Sites | UNIX Real Player – Possible Zero-Day Exploit


    © Copyright 2013 Trend Micro Inc. All rights reserved.