An email currently being spammed offers news about Hurricane Katrina. However, the link it provides leads to a site containing an exploit detected as JS_PHEL.K.
When the site is viewed, an HTA file named w.hta is downloaded to the system.
W.HTA then drops the file C:fh4uh.exe, which downloads and executes win32sbk.exe from http://zone.{blocked}/3/win32sbk.exe
The file win32sbk.exe drops itself as smss.exe and then downloads and executes http://{blocked}.org/u/upd_0002.exe, which is unavailable as of this writing.
The site also contains a link to an article about the ZOTOB worm, which contains a download link for a Zotob Worm Removal Tool. This Zotob Worm Removal Tool is actually a UPX-packed copy of win32sbk.exe.
All files have already been submitted to the service team. Hmmm… You get all that just from going to a website about a hurricane…
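The download chain described above (an HTA fetch followed shortly by executable downloads from the same client) can be looked for in web proxy logs. The following is an added example, not part of the original post: the log format, the `.example` hosts, and the five-minute window are assumptions, and only the file names come from the post.

```python
from datetime import datetime, timedelta

# Constructed proxy log lines: timestamp, client IP, URL (hosts are placeholders).
SAMPLE_LOG = """\
2005-09-01T10:00:01 10.0.0.5 http://news.example/katrina/index.html
2005-09-01T10:00:03 10.0.0.5 http://news.example/katrina/w.hta
2005-09-01T10:00:09 10.0.0.5 http://files.example/3/win32sbk.exe
2005-09-01T10:00:20 10.0.0.5 http://update.example/u/upd_0002.exe
2005-09-01T10:05:00 10.0.0.7 http://vendor.example/tools/setup.exe
2005-09-01T11:00:00 10.0.0.9 http://intranet.example/app/help.hta
2005-09-01T12:30:00 10.0.0.9 http://vendor.example/tools/setup.exe
"""

# File names taken from the post's description of the chain.
KNOWN_NAMES = {"w.hta", "win32sbk.exe", "upd_0002.exe"}
WINDOW = timedelta(minutes=5)  # assumed correlation window, tune per environment

def parse(log_text):
    """Yield (timestamp, client, url) from well-formed lines; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]

def basename(url):
    """Lower-cased last path segment of a URL, query string removed."""
    return url.split("?", 1)[0].rsplit("/", 1)[-1].lower()

def find_chains(log_text):
    """Return {client: [alerts]}; assumes log lines are in time order."""
    last_hta, alerts = {}, {}
    for ts, client, url in parse(log_text):
        name = basename(url)
        if name in KNOWN_NAMES:
            alerts.setdefault(client, []).append(f"known-name:{name}")
        if name.endswith(".hta"):
            last_hta[client] = ts  # remember the most recent HTA fetch
        elif name.endswith(".exe"):
            seen = last_hta.get(client)
            if seen is not None and ts - seen <= WINDOW:
                alerts.setdefault(client, []).append(f"hta-then-exe:{name}")
    return alerts

if __name__ == "__main__":
    for client, hits in find_chains(SAMPLE_LOG).items():
        print(client, hits)
```

The sequence rule still fires if the file names change, while a lone executable download or an HTA fetch with no executable inside the window is ignored.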

Here’s a snapshot of a sample “Katrina Hurricane spam.”
