• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Malware   »   ‘Classmates Reunion’ Used as Malware Ploy

‘Classmates Reunion’ Used as Malware Ploy

  • Posted on:January 1, 2009 at 11:42 am
  • Posted in:Malware
  • Author:
    Florabel Baetiong (Anti-spam Research Engineer)
1

Class reunion invitations (supposedly from classmates.com) are being seen in  spam recently — recipients of these messages are asked to click on a link found in the message to get the details of the “reunion” and also see a related video.

Looking at the IP origins of sample spam messages, it appears that these have been sent out by spam bots using dynamic IPs from different dialup and broadband ISPs.

Sample bogus message supposedly from classmates.com
Figure 1. Sample spammed message.

Clicking on the link would actually direct users to a malicious webpage. In this page, a message prompts users to update their Adobe player to be able to view the reunion video, thus tricking them into executing a malicious file.

Trend Micro detects the file as TROJ_AGENT.ADB.

Snapshot of the malicious website
Figure 2. Malicious website.

The Trojan connects to a remote URL to download TSPY_AGENT.AHCN. This spyware gathers information, MS IE FTP Passwords, and WinInetCacheCredentials, which are Protected Storage items. It uses HTTP post to send the information it has gathered to certain URLs.

This information-stealing routine risks the exposure of victim’s sensitive information, which may then be used by cybercriminals for malicious purposes. TSPY_AGENT.AHCN also has rootkit capabilities that enable it to hide its files and processes from a user.

The Trend Micro Smart Protection Network already blocks these spammed messages and detects the Trojan and the spyware, keeping users PCs safe from infection. Non-Trend Micro users are always cautioned against trusting unsolicited email messages. Clicking links and downloading files from unknown locations almost always lead to malware.

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: classmates.com spamMalwaremalware blogsmart protection networktrend micro blogtroj_agent.adbtroj_agent.ahcn

Featured Stories

  • systemd Vulnerability Leads to Denial of Service on Linux
  • qkG Filecoder: Self-Replicating, Document-Encrypting Ransomware
  • Mitigating CVE-2017-5689, an Intel Management Engine Vulnerability
  • A Closer Look at North Korea’s Internet
  • From Cybercrime to Cyberpropaganda

Security Predictions for 2019

  • Our security predictions for 2019 are based on our experts’ analysis of the progress of current and emerging technologies, user behavior, and market trends, and their impact on the threat landscape. We have categorized them according to the main areas that are likely to be affected, given the sprawling nature of the technological and sociopolitical changes under consideration.
    Read our security predictions for 2019.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting
  • (Almost) Hollow and Innocent: Monero Miner Remains Undetected via Process Hollowing
  • Waterbear is Back, Uses API Hooking to Evade Security Product Detection
  • December Patch Tuesday: Vulnerabilities in Windows components, RDP, and PowerPoint Get Fixes
  • Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign

Popular Posts

  • More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting
  • Mac Backdoor Linked to Lazarus Targets Korean Users
  • New Magecart Attack Delivered Through Compromised Advertising Supply Chain
  • September Patch Tuesday Bears More Remote Desktop Vulnerability Fixes and Two Zero-Days
  • Banking Trojan DRIDEX Uses Macros for Infection

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.