Today we found a piece of malware that uses so-called "social engineering" to persuade users to infect their own machines. In this case it uses a file that is supposed to be an animation of US president Bush doing something funny.

It all starts with an MSN Messenger message that arrives from one of our friends. These messages encourage you to visit a URL to download this file. Notice that the message is sent by the trojan itself, which has some predefined messages to fool users.

It uses "animaciones" as part of the URL in an attempt to confuse the user. Of course, if I saw any ***.exe file I shouldn't click, but just in case someone didn't know.

This page is hosted here:

IP address:                     64.XXX.XXX.XX
Country (per IP registrar):     US [United States]
City (per outside source):      New York, New York

Once the unsuspecting user clicks on the file, instead of the animation a popup error informs them that something has gone wrong. In the background the machine gets infected, and the trojan starts its duties.

First it kills some antivirus processes and prevents the use of the cmd command line, regedit.exe, and the Task Manager.

Then it copies itself under different names:
c:\WINDOWS\Avconsol.exe          Size: 49.152 bytes
c:\WINDOWS\Zap.exe               Size: 49.152 bytes
c:\WINDOWS\system32\Hide32.exe   Size: 49.152 bytes
c:\WINDOWS\system32\Ttt.exe      Size: 49.152 bytes
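As an added example (not code from the original write-up), a small Python host-triage script that checks a machine for the four dropped copies and their reported size, and for the registry policy values that block cmd.exe, regedit.exe and the Task Manager. The policy values are an assumption on my part, since the post says the tools are blocked but not how; the paths and size come from the post.

```python
import os
import platform

SAMPLE_SIZE = 49152  # the 49.152 bytes reported for every dropped copy
# Drop locations from the write-up, relative to the Windows directory.
DROPPED_FILES = ("Avconsol.exe", "Zap.exe", r"system32\Hide32.exe", r"system32\Ttt.exe")
# Assumption: the post says cmd, regedit and Task Manager are blocked but not how;
# these standard HKCU policy values are the usual mechanism and are checked here.
POLICY_VALUES = (
    (r"Software\Policies\Microsoft\Windows\System", "DisableCMD"),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"),
)

def triage(file_sizes, policies, windir=r"C:\WINDOWS"):
    """Match {lowercase path: size} and {(key, value name): data} against the indicators."""
    findings = []
    for name in DROPPED_FILES:
        path = f"{windir}\\{name}".lower()
        size = file_sizes.get(path)
        if size is None:
            continue
        note = "size matches" if size == SAMPLE_SIZE else f"size differs ({size})"
        findings.append(f"dropped file {path}: {note}")
    for key, value in POLICY_VALUES:
        if policies.get((key, value)) == 1:
            findings.append(f"{value} set under HKCU\\{key}")
    return findings

def collect_live():
    """Gather real inputs on a Windows host; returns empty inputs elsewhere."""
    if platform.system() != "Windows":
        return {}, {}
    import winreg  # Windows-only module, imported lazily
    windir = os.environ.get("SystemRoot", r"C:\WINDOWS")
    sizes, pols = {}, {}
    for name in DROPPED_FILES:
        path = f"{windir}\\{name}"
        if os.path.isfile(path):
            sizes[path.lower()] = os.path.getsize(path)
    for key, value in POLICY_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as k:
                pols[(key, value)] = winreg.QueryValueEx(k, value)[0]
        except OSError:
            pass  # key or value absent: nothing to report
    return sizes, pols

if __name__ == "__main__":
    print("\n".join(triage(*collect_live())))
```

The matching logic takes its inputs as plain dictionaries so it can be exercised with constructed data on any OS; `collect_live()` fills them from the file system and registry only on Windows.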

Then it gets interesting: the trojan stores the IP address of each infected host in an online database in Sweden.
IP address:
Country (per IP registrar):     SE [Sweden]
Country (per outside source):   SE [Sweden]

With access to the database you get a list of the hosts that are online.

We have extracted a geographical distribution of the infection. (Note that this represents only the hosts online at this moment.)

Country           Share of online hosts
Argentina         19,05%
Spain             10,71%
France             8,33%
Brazil             7,74%
United States      6,55%
Venezuela          5,95%
United Kingdom     5,36%
Peru               4,76%
Others            31,04%