Today we found a piece of malware that uses so-called "social engineering" to persuade users to infect their own machines. In this case it uses a file that is supposed to be an animation of US president Bush doing something funny.
It all starts with an MSN Messenger message that arrives from one of our contacts. These messages encourage you to visit a URL and download this file:
http://animaciones.xxx.xxxxxxpages.com/Bush-gracioso.exe
Notice that the message is sent by the trojan itself, which carries some predefined messages to confuse users.
It uses "animaciones" as part of the URL in an attempt to confuse the user. Of course, if I saw any ***.exe file I shouldn't click, but just in case someone didn't know.
This page is hosted here:
IP address: 64.XXX.XXX.XX
Country (per IP registrar): US [United States]
City (per outside source): New York, New York
Once the unsuspecting user clicks on the file, instead of the animation a popup error informs them that something has gone wrong. In the background the machine gets infected, and this trojan starts its duties.
First it kills some antivirus processes, and prevents the use of the cmd command line, regedit.exe, and the Task Manager.
Then it copies itself under different names:
c:\WINDOWS\Avconsol.exe Size: 49.152 bytes
c:\WINDOWS\Zap.exe Size: 49.152 bytes
c:\WINDOWS\system32\Hide32.exe Size: 49.152 bytes
c:\WINDOWS\system32\Ttt.exe Size: 49.152 bytes
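A host triage check for the indicators above, added here as an example and not part of the original post. It assumes the dropped copies sit under %SystemRoot% and that the tool lockout is done through the usual Explorer/System policy values; the post only states that the tools are blocked, not how.

```powershell
# Added triage check (not from the original post): looks for the dropped
# copies named in the writeup and for policy values that disable regedit,
# Task Manager and cmd. The registry locations are an assumption about how
# the tools are blocked.
$expectedSize = 49152   # "49.152 bytes" in the post (European thousands separator)
$droppedFiles = @(
    "$env:SystemRoot\Avconsol.exe",
    "$env:SystemRoot\Zap.exe",
    "$env:SystemRoot\system32\Hide32.exe",
    "$env:SystemRoot\system32\Ttt.exe"
)

$findings = @()
foreach ($path in $droppedFiles) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        # Hash is recorded so the sample can be matched later; the post gives no hash.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Indicator = $path
            Detail    = "exists, $($item.Length) bytes, SHA256 $hash"
            SizeMatch = ($item.Length -eq $expectedSize)
        }
    }
}

# Assumed mechanism: the standard per-user policy values that block these tools.
$policyChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Windows\System';                Name = 'DisableCMD' }
)
foreach ($check in $policyChecks) {
    $value = Get-ItemProperty -Path $check.Key -Name $check.Name -ErrorAction SilentlyContinue
    if ($value -and $value.($check.Name) -ne 0) {
        $findings += [pscustomobject]@{
            Indicator = "$($check.Key)\$($check.Name)"
            Detail    = "set to $($value.($check.Name))"
            SizeMatch = $null
        }
    }
}

if ($findings.Count -eq 0) { "No indicators from the writeup found on this host." }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell on the suspect host; a file that exists but whose SizeMatch is False is still worth keeping for comparison, since a repacked sample would differ in size.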
Then it becomes interesting, as it saves the IP of each infected host in an online database at:
IP address: 212.xxx.xxx.XXX
Country (per IP registrar): SE [Sweden]
Country (per outside source): SE [Sweden]
If you get access to the database, you get a list of online hosts.
We have extracted a geographical distribution of the infection. (Note that this only represents the hosts online at this moment.)