October 28, 2008

Doctor Web has registered an increased number of spam messages with an attached archive containing a malicious program detected as Trojan.Packed.1198 by Dr.Web anti-viruses.

A message with the catchy subject line reading “New anjelina jolie sex scandal” lures a user into opening an attached archive supposedly containing a short pornographic vide clip. The trick is often used by spammers, however, in this case it spread so widely (according to the stats server of Doctor Web it exceeded 50% of infected mail traffic in busy hours) that a lot of machines in Russia and other countries have been infected by Trojan.Packed.1198.

An attached archive contains the anjelina_video.exe file. The installer (file size is 44 032 bytes) creates a file detected as Trojan.MulDrop.17829. The malicious program checks if any fake anti-virus (a modification of Trojan.FakeAlert) is installed in a system. If there are any, the Trojan will stop operating and remove itself. If no fake anti-viruses are found, the Trojan will get to its malicious work.

First of all Trojan.MulDrop.17829 will decrypt one of its files and place it in the system directory as brastk.exe. The file will also be detected as Trojan.Packed.1198 because it features a packer similar to the one used for an original file. The Trojan will also save the Figaro.sys file in the system. The file temporary replaces the bep.sys driver file so the Trojan will hide launch of its drivers from many anti-rootkits. After that the Trojan will delete its original file and reboot the system.

Malicious activities of the Trojan consist in alteration of security zones configuration, disabling of warnings related to a disabled anti-virus, a firewall or automatic updates. The Windows firewall will be disabled as well. Next the Trojan will remove Internet Explorer extensions data from the registry and set Google as the default search engine and www.google.com as the start page. Eventually the Trojan will display an infection alert and offer a user to download anti-virus software. Mind that the Trojan downloads malicious files before it displays the infection alert.

The highest amount of spam messages containing Trojan.Packed.1198 was registered on October 20-22. Since October 25 Trojan.PWS.Panda.31 is spread in messages with ithe dentical subject and body text.

Doctor Web warns users against opening attachments that come with messages from unknown addresses and urges them to be more careful when examining what a strange message is offering. If one chooses to install a Dr.Web anti-virus in an infected system all threats related to Trojan.Packed.1198 will be neutralized promptly.