Threat Spotlight

For the week of 02 Jun 2011
Threat 1

Worm spreads itself with fake software updates

Threat Name:

Troj/Bckdr-RHJ

Users at Risk:

Windows users

Also Known As:

AVP Trojan-Dropper.Win32.TDSS.aojr
Microsoft VirTool:Win32/Obfuscator.PN
Symantec W32.SillyFDC.BDP

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

Troj/Bckdr-RHJ is a worm that spreads by infecting machines on the same local network and by copying itself into removable media.

The worm spreads over LANs by setting up a rogue DHCP server on the infected machine. When another machine on the same LAN sends a DHCP request, the worm tries to supersede the legitimate DHCP server by replying with an IP address of its own.

If successful, the infected machine then acts as the victim's gateway and serves a fake software update that pops up whenever the user tries to browse a website. The fake software update is simply another variant of the same family.
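The rogue-DHCP technique described above is visible on the wire: a DHCPOFFER whose server identifier (option 54) is not one of the network's authorised DHCP servers, or a single DHCPDISCOVER transaction answered by two different servers. The following is an added detection example, not code from Sophos or from the advisory; it parses raw DHCP payloads (the BOOTP header plus option list) and checks offers against an allowlist. The packets, MAC address and IP addresses are constructed sample data, and the allowlist `ALLOWED_DHCP_SERVERS` is an assumed local policy.

```python
import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that precedes the option list
OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 53, 54, 255
MSG_OFFER = 2


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the DHCP option list (TLV after the magic cookie)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = IPv4Address(payload[16:20])          # address being offered to the client
    chaddr = payload[28:28 + hlen]                # client hardware address
    opts, i = {}, 240
    while i < len(payload):
        tag = payload[i]
        if tag == OPT_END:
            break
        if tag == 0:                              # pad byte, no length field
            i += 1
            continue
        length = payload[i + 1]
        opts[tag] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr,
            "chaddr": chaddr.hex(":"), "options": opts}


def rogue_offers(packets, allowed_servers):
    """Alert on DHCPOFFERs whose server identifier is not an authorised DHCP server."""
    allowed = {IPv4Address(a) for a in allowed_servers}
    alerts = []
    for pkt in packets:
        msg = parse_dhcp(pkt)
        o = msg["options"]
        if o.get(OPT_MSG_TYPE) != bytes([MSG_OFFER]):
            continue
        server = IPv4Address(o[OPT_SERVER_ID]) if OPT_SERVER_ID in o else None
        if server not in allowed:
            router = IPv4Address(o[OPT_ROUTER][:4]) if OPT_ROUTER in o else None
            alerts.append({"xid": msg["xid"], "client": msg["chaddr"],
                           "server_id": str(server), "router": str(router),
                           "offered": str(msg["yiaddr"])})
    return alerts


def competing_offers(packets):
    """Transaction ids answered by more than one server: the race a rogue server must win."""
    by_xid = {}
    for pkt in packets:
        msg = parse_dhcp(pkt)
        o = msg["options"]
        if o.get(OPT_MSG_TYPE) == bytes([MSG_OFFER]) and OPT_SERVER_ID in o:
            by_xid.setdefault(msg["xid"], set()).add(str(IPv4Address(o[OPT_SERVER_ID])))
    return {xid: servers for xid, servers in by_xid.items() if len(servers) > 1}


def build_offer(xid, client_mac, yiaddr, server_id, router):
    """Build a minimal DHCPOFFER. Constructed sample traffic for this example, not a capture."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)   # op=BOOTREPLY, Ethernet, hlen 6
    hdr += bytes(4)                                        # ciaddr
    hdr += IPv4Address(yiaddr).packed                      # yiaddr
    hdr += IPv4Address(server_id).packed                   # siaddr
    hdr += bytes(4)                                        # giaddr
    hdr += client_mac + bytes(16 - len(client_mac))        # chaddr, padded to 16
    hdr += bytes(64) + bytes(128)                          # sname, file
    opts = (bytes([OPT_MSG_TYPE, 1, MSG_OFFER])
            + bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
            + bytes([OPT_ROUTER, 4]) + IPv4Address(router).packed
            + bytes([OPT_END]))
    return hdr + DHCP_MAGIC + opts


# Constructed sample: one legitimate offer and one from an unexpected host answering the same xid.
CLIENT_MAC = bytes.fromhex("001122334455")
ALLOWED_DHCP_SERVERS = ["192.168.1.1"]            # assumed local policy
SAMPLE_OFFERS = [
    build_offer(0x1001, CLIENT_MAC, "192.168.1.50", "192.168.1.1", "192.168.1.1"),
    build_offer(0x1001, CLIENT_MAC, "192.168.1.51", "192.168.1.77", "192.168.1.77"),
]

if __name__ == "__main__":
    for alert in rogue_offers(SAMPLE_OFFERS, ALLOWED_DHCP_SERVERS):
        print("rogue DHCP offer:", alert)
    print("transactions with competing offers:", competing_offers(SAMPLE_OFFERS))
```

The second check matters because an allowlist alone misses a rogue server that spoofs the legitimate server's identifier; two offers for one transaction id is the signature of the race itself, and the `router` field of the winning offer tells you where clients are being sent. In production the payloads would come from a span port or a DHCP-snooping switch log rather than the constructed list here.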

The other way the worm spreads is through removable media. In this variation, the worm drops several link files (myporno.avi.lnk, pornmovs.lnk, setup.lnk and autorun.inf) pointing to a copy of the worm.

Sophos detects the link files as Troj/Cplink-O and the autorun file as W32/Autoinf-CC. The malware infection is also detected in memory as W32/RorpiaMem-A.

Threat 2

Spam spreads malware with fake notifications

Threat Name:

Troj/Agent-RNY

Users at Risk:

Windows users

Removal Instructions:

Your options:

- Please send us a sample to assist in improving our technology
- Use the instructions for removing generically detected files to delete the file from your computer
- If problems persist, contact Sophos support for assistance with removal

About:

A spam campaign running since the middle of May is spreading malware using infected attachments. The spam comes from infected machines from Indonesia, Brazil, Vietnam, Russia, Denmark, India, and Turkey, to name just a few locations.

Many third-party block lists already filter the sending IPs. The spammers don't appear to have a specific target for the campaign, other than seeking to hit as many users as possible. This is apparent in the large number of feeds on which we have seen messages.

The spammers try to trick the recipient into clicking on the attachment, which will run the malware and infect the user's machine. These messages claim to be delivery notices from a postal service or courier, or a gift card notification, often claiming to be a referral from a friend. Here are some sample subject lines:

GIFT-CARD From Your Friend 136836
USPS Ticket id. 7148159
DHL Global notification #20267

The email attachments are similarly named, but they always use the .pif extension:

usps.pif
DHL71515.pif
gift-card.pif
e-card.pif

Sophos proactively blocks the spam campaign, and the attachments are detected as Troj/Agent-RNY and CXmal/Agent-RNY.
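The two indicators the campaign description gives, a delivery or gift-card themed subject and an executable `.pif` attachment, are enough for a mail-gateway triage rule. The block below is an added example written for this page, not Sophos's detection logic; it builds constructed sample messages with the subject lines and attachment names quoted above (the attachment bodies are placeholder bytes, not malware), parses them with Python's standard `email` package, and quarantines any message carrying an executable attachment, recording the lure subject as a second reason where it matches. The extension set and subject pattern are assumptions a deployment would tune.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Extensions Windows will execute directly when double-clicked (assumed policy list).
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}
# Lure themes from the campaign: courier/postal notices and gift cards (assumed pattern).
LURE_SUBJECT = re.compile(
    r"(gift[- ]?card|ticket id|notification #?\d+|delivery|parcel|shipment)", re.I)


def build_sample(subject: str, attachment_name: str) -> str:
    """Construct a raw RFC 5322 message with one attachment. Sample data, not a real email."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached notice.")
    msg.add_attachment(b"placeholder bytes, not malware",
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_string()


def triage(raw: str) -> dict:
    """Return a verdict for one raw message based on attachment type and subject lure."""
    msg = message_from_string(raw, policy=default)
    subject = str(msg["Subject"] or "")
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    reasons = []
    for name in names:
        # Use the final extension so double extensions such as notice.pdf.pif are still caught.
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable attachment {name}")
    if reasons and LURE_SUBJECT.search(subject):
        reasons.append(f"delivery/gift-card lure subject: {subject}")
    return {"subject": subject, "attachments": names,
            "verdict": "quarantine" if reasons else "deliver", "reasons": reasons}


# Constructed samples using the subjects and attachment names reported for the campaign,
# plus one benign message to show the rule does not fire on ordinary attachments.
SAMPLES = [
    build_sample("USPS Ticket id. 7148159", "usps.pif"),
    build_sample("DHL Global notification #20267", "DHL71515.pif"),
    build_sample("GIFT-CARD From Your Friend 136836", "gift-card.pif"),
    build_sample("Q2 budget", "budget.xlsx"),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        result = triage(raw)
        print(result["verdict"].upper(), result["subject"], result["reasons"])
```

The executable extension alone is sufficient to quarantine; the subject match is recorded as corroboration so an analyst reviewing the quarantine can see the campaign fingerprint at a glance. Subject-only matching is deliberately not a quarantine trigger, since legitimate courier notifications share the same wording.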

Threat 3

Dominique Strauss-Kahn video infects users on Facebook

Threat Name:

Troj/Mdrop-DMN

Users at Risk:

Windows users

Also Known As:

Avira TR/Spy.ZBot.34.48

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

Troj/Mdrop-DMN is a Trojan spread virally across Facebook, claiming to be a video of controversial IMF boss Dominique Strauss-Kahn.

Troj/Mdrop-DMN first appears in your timeline as a message apparently posted by one of your friends.
Message body:

oh shit, one more really freaky video O_O IMF boss Dominique Strauss-Kahn Exclusive Rape Video - Black lady under attack!

[LINK]

IMF chief Dominique Strauss-Kahn rape scandal. Mother of Alleged Rape Victim: Dominique Strauss-Kahn Did Not Want To Be President of France - ABC News

If you click on the link from a Windows computer, you may be taken to a webpage that attempts to infect you with the Troj/Mdrop-DMN Trojan horse.

This Trojan can access the Internet and communicate with a remote server via HTTP. When it does, it will try to access the following location:

ultrafastsearch DOT com