News
Contributed by: Aurelija
Date: October 27, 2008
Security researchers at Trend Micro have released a report warning all users against a new spam campaign that is being spread mainly in Germany. Even if you don't understand German but accidentally receive an email in German, don't open and click on anything called "Rechnung", because all you will receive is malware. Experts note that circulating emails have diverse subject lines (e.g. "Abbuchung", "Lastschrift", "Amtsgericht" etc.) and are also differently written. However, it's important to note that they all share the same topic. In other words, emails belonging to "Rechnung" campaign provide information that money has been debit directly from user's account. Below you can see a screenshot of a sample email:
Recipients of these emails are prompted to click on the provided attachment called "Rechnung.zip". After the extraction of "zertifikat.ssl" file, computers will get infected with the WORM_AUTORUN.PB malware. This worm makes the following registry entry modifications:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders] The archive also has a file "Rechnung.txt.lnk" which, as you can see, comes with double extensions. Trend Micro specialists emphasize that "due to the default Windows Explorer configuration the extensions of known files are kept hidden so that mostly this file Rechnung.txt.lnk is displayed as Rechnung.txt in the archive as after it is extracted on disk." The message of these emails informs recipients that they don't "have to care the ‘zertifikat.ssl' file since this is only the certificate for the invoice itself." In this case spammers are trying to trick recipients by claiming that all that really needs to be double checked is the file "Rechnung.txt.lnk". And, in fact, they can't be blamed for lying. zertifikat.ssl file doesn't execute after a simple double-click. It executes when It's also important to note that .lnk files execute automatically the path inside their code. In order to execute the .ssl file properly, "Rechnung.txt.lnk" file calls the system's command line c:\Windows\System32\cmd.exe to execute the zertifikat.ssl from the current directory. The execution through LNK files is one of the usual functionalities and features of Windows operating system. When experienced users try to open the .lnk file even with an editor, he or she will be confused by seeing the contents of the file zertifikat.ssl. Actually to view the original file, the user needs to rename it first by using the command line (cmd.exe). Users are advised to stay extremely alert and not to allow cyber criminals to trick them. As always, don't forget to keep your anti-virus software and anti-spam filters up-to-date. |
|||||
the Rechnung.txt.lnk file, connected to it, is opened.
Recommended Software
Latest Comments
July 2, 2009
User Comments
After trying out for all antispyware softwares available in market I finally switched on to search-and-destroy which helped me to remove dangerous Trojans stalling my computer for several days¦¦you too go for it ¦..It works.