
As we can see, the mail claims to provide details about NFL football games. And, when we visit the link given in mail, we are presented with a fake webpage that shows schedules of NFL games. Here's a screenshot of one such webpage:

Surprisingly, there's no drive-by download this time! But ALL hyperlinks present in that page point to a file named tracker.exe. The file tracker.exe seems to be slightly different from the old variants (ecard.exe, video.exe etc.) and detections are poor at the time of this writing. Only 9 out of 32 AVs at VirusTotal managed to detect this malware:

File tracker.exe received on 09.08.2007 22:46:16 (CET)
CAT-QuickHeal --- (Suspicious) - DNAScan
eSafe --- Suspicious Trojan/Worm
eTrust-Vet --- Win32/Sintun.AF
F-Secure --- Tibs.gen134
Microsoft --- TrojanDropper:Win32/Nuwar.gen!avkill
Norman --- Tibs.gen134
Sophos --- Mal/Dorf-D
Sunbelt --- VIPRE.Suspicious
Webwasher-Gateway --- Win32.Malware.gen (suspicious)
Additional information
File size: 140521 bytes
MD5: 814fe2cdd86e01a5369def9cd9a13458
SHA1: 4cb7ad77d79286911b1c82c548d7f9e0dcda88d1
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
Tracker.exe, on execution, drops spooldr.exe, spooldr.sys and also patches tcpip.sys in a similar way as mentioned in a previous post here.
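As an added example (not code from the original post), here is a small Python heuristic for the lure pattern described above: every hyperlink on the fake schedule page resolves to one executable download. It also checks a file's hashes against the tracker.exe values listed in the post. The sample HTML and the base URL example.invalid are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Suffixes a schedule link should never resolve to.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")
# Hashes of tracker.exe as listed in the post above.
KNOWN_MD5 = "814fe2cdd86e01a5369def9cd9a13458"
KNOWN_SHA1 = "4cb7ad77d79286911b1c82c548d7f9e0dcda88d1"

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag, in document order."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

def assess_lure_page(html, base_url):
    """Resolve every link against base_url and report whether all of them
    land on one executable file, the pattern seen on the fake NFL page."""
    collector = LinkCollector()
    collector.feed(html)
    links = [urljoin(base_url, h) for h in collector.hrefs]
    exe_targets = {l for l in links
                   if urlparse(l).path.lower().endswith(EXECUTABLE_SUFFIXES)}
    return {
        "links": len(links),
        "executable_targets": sorted(exe_targets),
        # at least one link, and every distinct link is that one executable
        "single_dropper": bool(links) and len(exe_targets) == 1
        and len(exe_targets) == len(set(links)),
    }

def matches_known_sample(data):
    """True if data hashes to the tracker.exe sample listed above."""
    return (hashlib.md5(data).hexdigest() == KNOWN_MD5
            and hashlib.sha1(data).hexdigest() == KNOWN_SHA1)

# Constructed sample pages, not captured from the real campaign.
BASE_URL = "http://example.invalid/nfl/"
LURE_HTML = """<h1>NFL Game Tracker</h1><a href="tracker.exe">Week 1</a>
<a href="./tracker.exe">Week 2</a> <a href="/nfl/tracker.exe">Week 3</a>
<a href="http://example.invalid/nfl/tracker.exe">Download tracker</a>"""
BENIGN_HTML = """<a href="week1.html">Week 1</a> <a href="week2.html">Week 2</a>
<a href="schedule.pdf">Full schedule</a>"""
```

Relative, root-relative and absolute hrefs are resolved before comparison, so the four differently written links in the sample all collapse to the single tracker.exe target.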