For the week of 26 Oct 2009
Threat 1
Trojan exploits Internet Explorer vulnerability to download malware
Threat Name:
Trojan: Troj/Psyme-KS
Users at Risk:
Windows users
Also Known As:
- Avira: HTML/ADODB.Exploit.Gen
- Trend Micro: VBS_PSYME.DMB
- Microsoft: TrojanDownloader:VBS/Adodb
- Symantec: Downloader
About:
Troj/Psyme-KS is a downloader script embedded in an HTA file. HTA files are similar to HTML files, except that Internet Explorer sometimes uses different security settings when opening them.
This Trojan typically arrives in spam messages, often about an unreleased Michael Jackson song or a September 11 conspiracy theory. These messages contain links to web pages infected with Troj/Psyme-KS. When such a page is opened, the Trojan attempts to download software from compromised websites.
Threat 2
Fake server upgrade messages disguise malware
Threat Name:
Virus: Mal/EncPk-KP
Users at Risk:
Windows users
Also Known As:
- Avira: TR/Vilsel.iop
- Kaspersky: Trojan.Win32.Vilsel.iop
- McAfee: FakeAlert-XPSecCenter
- Microsoft: TrojanDownloader:Win32/FakeRean
- Trend Micro: TROJ_FAKEREAN.CF
About:
The Trojan arrives as an attachment in fake e-card messages, with text as follows:
Good day.
To view your ecard, open zip attached file.
Mal/EncPk-KP is a set of common code obfuscation techniques used by cybercriminals to disguise their malware. In the case of Mal/EncPk-KP, the techniques conceal fake anti-virus malware.
Once installed, this fake anti-virus software usually displays alert messages claiming the user's computer has been infected with various malware. The software then prompts the user to purchase an activation license to have this malware removed. It is also not uncommon for this fake anti-virus software to use the information harvested during the purchase to commit identity fraud.
The malware typically arrives as an attachment to an email claiming to be from IT support. A typical email sample looks like this:
Subject: A new settings file for the ___ has just been released
Dear user of the ___ mailing service!
We are informing you that because of the security upgrade of the mailing service
Best regards, ___ Technical Support.
Threat 3
Malicious zip file poses as free Conficker scanner
Threat Name:
Malware: Mal/ZipMal-C
Users at Risk:
Windows users
Also Known As:
- Avira: TR/Vilsel.ioa
- Kaspersky: Packed.Win32.Krap.ah
- McAfee: Generic FakeAlert
- Microsoft: TrojanDownloader:Win32/FakeRean
- Trend Micro: TROJ_FAKEAV.BLV
- Symantec: Trojan.Fakeavalert
About:
Mal/ZipMal-C is a malicious zip file, usually sent by spam, that contains malware from several different families. The spam campaigns use social engineering to trick the user into extracting the zip file. In one such campaign, the emails pretend to contain a free Microsoft scanner that finds Conficker infections.
The file attached to these fraudulent emails is usually named "install.zip". The content of the zip file varies with the criminals who sent it, but the files often include Mal/EncPk-KP or members of the Zbot (also known as Zeus) family of malware.
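A mail-gateway triage check in the spirit of threats 1 and 3, added here as an example; it is not code from the original bulletin or from any vendor named in it. It flags an HTA attachment carrying the ADODB.Stream script markers the vendor aliases above refer to, and a zip archive whose members are executables by extension or by PE header regardless of name. The marker list, the extension list and the install.zip name rule are assumptions, and the sample HTA and zip are constructed inline.

```python
import io
import zipfile

# Script markers the vendor aliases for this HTA downloader point at
# (HTML/ADODB.Exploit.Gen, TrojanDownloader:VBS/Adodb); assumed list.
HTA_MARKERS = (b"adodb.stream", b"savetofile", b"xmlhttp", b"wscript.shell")
# Member types that have no business inside an "e-card" or "scanner" zip.
EXEC_EXTS = (".exe", ".scr", ".hta", ".vbs", ".js", ".bat", ".cmd", ".pif", ".com")

def triage_attachment(filename, data):
    """Return the reasons to quarantine an e-mail attachment ([] if none)."""
    reasons = []
    name = filename.lower()
    if name.endswith((".hta", ".htm", ".html")):
        hits = sorted(m.decode() for m in HTA_MARKERS if m in data.lower())
        if name.endswith(".hta"):
            # mshta runs the embedded script with settings that differ from a web page's.
            reasons.append("%s: HTA attachment" % filename)
        if hits:
            reasons.append("%s: downloader markers %s" % (filename, hits))
    elif name.endswith(".zip"):
        if name == "install.zip":  # weak, name-only signal taken from the report
            reasons.append("%s: name used by the Conficker-scanner campaign" % filename)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    with zf.open(info) as fh:
                        head = fh.read(2)
                    # Executable by extension or by PE header ("MZ"), whatever the name.
                    if info.filename.lower().endswith(EXEC_EXTS) or head == b"MZ":
                        reasons.append("%s: executable member %s" % (filename, info.filename))
        except zipfile.BadZipFile:
            reasons.append("%s: corrupt or fake zip archive" % filename)
    return reasons

# Constructed samples so the check runs stand-alone (not the real malware).
SAMPLE_HTA = (b'<html><head><script language="VBScript">\r\n'
              b'Set s = CreateObject("ADODB.Stream")\r\n'
              b'Set x = CreateObject("Microsoft.XMLHTTP")\r\n'
              b'</script></head></html>')

def build_sample_zip():
    """install.zip whose only member is a PE-looking file posing as a scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Microsoft_Conficker_Scanner.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()
```

Calling `triage_attachment("ecard.hta", SAMPLE_HTA)` and `triage_attachment("install.zip", build_sample_zip())` returns the quarantine reasons for the two constructed samples; a clean PDF or plain HTML page returns an empty list.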