A bit of weekend rabbit phishing…
Since earlier on today, we have been seeing an ongoing phishing attack against PayPal, and not the usual phishing email enticing the victim to click on a rogue site. Instead, the attackers have spammed out malware within a RAR attachment, using the filename rabbits.rar.

A variety of other subject lines and message bodies have been seen as well.
Anyone opening the attached archive will be greeted with malware (rabbits.exe) that once executed will:
- write adobe.vbs to the temporary folder
- run the script, using wscript.exe
The malicious VB script is a simple Trojan, overwriting the contents of the HOSTS file in order to redirect PayPal related domains to a specific IP address.

Attempting to access any of the domains subsequently will result in actually loading content from the phish site.
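A detection check for the HOSTS-file trick described above, added here as an example rather than code from the original post or from SophosLabs: it parses HOSTS text and flags any PayPal domain pinned to a routable (non-loopback) address. The sample HOSTS content, the watched-domain list and the 192.0.2.10 redirect address are all constructed for illustration.

```python
import ipaddress

# Constructed sample of a tampered HOSTS file (not from the original post).
# 192.0.2.10 is a TEST-NET-1 documentation address standing in for the phish host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.paypal.com paypal.com   # injected by the VB script
192.0.2.10      www.paypal.co.uk
10.0.0.5        intranet.example.local
"""

# Domains a defender would watch; a real list would cover more brands.
WATCHED_SUFFIXES = ("paypal.com", "paypal.co.uk")


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blank and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # not an address, so not a redirect
        for name in fields[1:]:
            yield str(ip), name.lower()


def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text):
    """Return (ip, hostname) for watched domains pointed at a routable address.

    Loopback pins (127.0.0.1 / ::1) are a common ad-blocking practice and
    cannot serve a phish page, so they are deliberately not reported."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if is_watched(name) and not ipaddress.ip_address(ip).is_loopback]


if __name__ == "__main__":
    for ip, name in find_hijacks(SAMPLE_HOSTS):
        print(f"HOSTS hijack: {name} -> {ip}")
```

On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts; feeding its contents to find_hijacks() gives the same check against a real machine.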
![Spoofed PayPal page](http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2009/02/rabbit-pp.jpg)
Detection for this malware (executable spammed out and the VB script) was included in the alert earlier on today as Troj/Agent-IYU.
To my mind, the social engineering behind this one seems rather obscure. Then again, perhaps there are more rabbit fanciers out there than I imagine…
Posted on February 21st, 2009 by Fraser Howard, SophosLabs UK. Filed under: General, Uncategorized