Email Spam Trojan Changes Slightly

Posted on August 18, 2008
 

Last updated on November 20th, 2015

My recent post email-spam-trojans-hiding-on-websites-as-msnbc-breaking-news-items led with the effect and infection method for the Win32/Agent.ETH trojan.  Well now they’ve changed their attack a bit but the Trojan is the same… 😕

Now the emails have the following identifiers:

From:     Top News Agency

Subject:  Weekly top news

The sequence of events shown at the beginning of the original post  is the same. You can’t escape the dialogue box without crashing or killing your browser, or clicking OK which “apparently” tries to play a video but then says you need a security download to view it.    However, the infected file has a new name!

Previously it was called Adobe_flash.exe

Now it’s called install.exe

Also, the text of the email message is more readable, and thus more plausible, because it uses current news:

Iran test fires rocket, says state media

The launch of Iran’s two-stage rocket, called Safir or “messenger,” was successful on Saturday and “paved the way for placing the first Iranian satellite in orbit,” the official Islamic Republic News Agency reported.
Read All (27) breaking news
AND 44 shocking videos [links to bearofpa.com/index1.html]

The result is still the same though!

[Image: NOD32 ETH Trojan as it lies waiting on BEAR of Pennsylvania website]

In this case the website is a seller of children’s play equipment.  It was made in Dreamweaver 6.  Bizarrely, the website blocks right mouse clicks (probably to protect their pictures), although I can see the source by using a Firefox add-on.  This is the first line:

<html><!-- #BeginTemplate "/Templates/newwelcometemplate.dwt" --><!-- DW6 -->

It’s a shame for them because now they are hosting a trojan.  They should protect their root a bit more, rather than playpen pictures!  (This website has a wodge of good information on these email attacks with the interesting statistic that 1 in 3 spams point to malware – added 6 Sep 2009).

A second email had this content:

New Year’s baby’s death shatters family, relationships

Just 12 weeks later, he was bathed in warm water minutes after he quietly died in his mother’s arms, the victim of shaken baby syndrome. Camryn’s 9-year-old sister, Tabatha, asked why he needed a bath now.
Read All (34) breaking news
AND 38 shocking videos [links to bamtec.hu/index1.html]

I’ve checked this also, and it looks like https://www.bamtec.hu/ have spotted the intruder and deleted it, or else the spammer couldn’t drop their package into the target and sent the email anyway.  Either way, it’s not there now as I post this message! 😀
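The identifiers described in this post (sender name, subject line, the "breaking news / shocking videos" wording and a link ending in /index1.html) can be turned into a simple mail triage check. The following Python sketch is an added example, not part of the original post; the function names, the two-hit threshold and the sample messages with their .example domains are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators taken from the post; the scoring threshold below is an assumption.
FROM_NAMES = {"top news agency"}
SUBJECTS = {"weekly top news"}
LURE_URL = re.compile(r"https?://[^\s/\"'<>]+/index1\.html\b", re.I)
LURE_TEXT = re.compile(r"read all \(\d+\) breaking news|\d+ shocking videos", re.I)

def body_text(msg):
    """Concatenate every text/* part of the message, decoded to str."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            parts.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def score_message(raw):
    """Return the names of the campaign indicators found in a raw message."""
    msg = message_from_string(raw)
    name, _addr = parseaddr(msg.get("From", ""))
    body = body_text(msg)
    hits = []
    if name.strip().lower() in FROM_NAMES:
        hits.append("from_name")
    if msg.get("Subject", "").strip().lower() in SUBJECTS:
        hits.append("subject")
    if LURE_URL.search(body):
        hits.append("lure_url")
    if LURE_TEXT.search(body):
        hits.append("lure_text")
    return hits

def is_suspect(raw, threshold=2):
    # Headers change between spam runs, so any two indicators are enough.
    return len(score_message(raw)) >= threshold

# Constructed sample messages (not real captures).
SAMPLE_SPAM = ("From: Top News Agency <news@sender.example>\nSubject: Weekly top news\n\n"
               "Iran test fires rocket, says state media\nRead All (27) breaking news\n"
               "AND 44 shocking videos http://compromised-shop.example/index1.html\n")
SAMPLE_VARIANT = ("From: Daily Digest <d@sender.example>\nSubject: Headlines\n\n"
                  "Read All (34) breaking news\n"
                  "AND 38 shocking videos http://other-site.example/index1.html\n")
SAMPLE_HAM = ("From: Alice <alice@corp.example>\nSubject: Weekly team update\n\n"
              "Agenda is at http://intranet.example/index.html\n")

if __name__ == "__main__":
    for label, raw in [("spam", SAMPLE_SPAM), ("variant", SAMPLE_VARIANT), ("ham", SAMPLE_HAM)]:
        print(label, score_message(raw), is_suspect(raw))
```

Because the sender name and subject already changed once between the two posts, the body indicators carry most of the weight: the variant sample is still flagged with entirely different headers.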

STOP PRESS:

Just as I wrote the above, this news has surfaced about the MSNBC spam: Clipboards hijacked in web attack

This is virtually the same as my experiences.  I didn’t notice the clipboard being overtaken, but that’s because I detected the malware.

F-Secure have a description here.  They call the malware Trojan-Downloader.Win32.Exchanger.mn

I think it’s important that trends are spotted and people are informed.  Computers are powerful tools, easily abused.  This twat, Robert Matthew Bentley, got his comeuppance for making a botnet.  Sadly, there are many still out there making people’s already tedious lives more so from their activities.

© 1977, Strangely Perfect.