Threat Research & Response Blog
Well, after our last post, it certainly didn't take long to see some examples of festive malware from the wild. (You'd almost think that we've seen this kind of behavior before - again and again and again...) In the last couple of days, we (and other AV vendors) have observed the arrival of several new 'merry' malware on the scene.

First, we have Worm:Win32/Prolaco.A@mm. This is a worm that spreads via e-mail and peer-to-peer file sharing networks; it also appears to be able to spread via removable drives. When spreading via e-mail, it may use the attachment name 'postcard.zip'. The worm uses a very Christmassy icon (image omitted). For more details, have a look at our encyclopedia.

Then we have TrojanDropper:Win32/Autorun.GR. This nefarious application has been distributed inside a ZIP archive with the name 'christmas.zip'. The archive contains the dropper's executable, 'happy_christmas.jpg<150 spaces as such>.scr' (that is, the name 'happy_christmas.jpg' followed by 150 space characters and then the real '.scr' extension). When executed, TrojanDropper:Win32/Autorun.GR drops two files:
It then displays the jpeg and runs the worm.
The worm contains backdoor functionality and can be ordered to send particular URLs via Windows Live Messenger. This is likely to be the method used to distribute the dropper. Again, for more detail, have a look in our encyclopedia.
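A defender-side check for the padded-name trick seen in 'christmas.zip', as an added example that is not from the original post or from the MMPC: it builds a constructed ZIP in memory containing a name shaped like 'happy_christmas.jpg' + 150 spaces + '.scr' and flags archive members that hide an executable extension behind a decoy extension or a long run of whitespace. The extension lists and the whitespace threshold are assumptions, not values from the post.

```python
import io
import re
import zipfile

# Assumed: extensions Windows will execute even when the name looks like an image.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Assumed: harmless-looking extensions attackers place in front of the real one.
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".pdf", ".doc"}
PAD_THRESHOLD = 8  # assumed: this many trailing spaces/tabs/NBSPs before the real extension is suspicious

def analyze_member_name(name: str) -> list[str]:
    """Return review flags for one archive member name (empty list = nothing notable)."""
    reasons = []
    base = name.rsplit("/", 1)[-1]  # ignore any directory prefix inside the archive
    lowered = base.lower()
    m = re.search(r"\.([a-z0-9]+)$", lowered)
    true_ext = "." + m.group(1) if m else ""
    if true_ext in EXECUTABLE_EXTENSIONS:
        stem = lowered[: -len(true_ext)]
        # A run of whitespace that pushes the executable extension out of view in a file listing.
        pad = re.search(r"[\s\u00a0]{%d,}$" % PAD_THRESHOLD, stem)
        if pad:
            reasons.append(f"{len(pad.group(0))} whitespace characters before {true_ext}")
        # A decoy extension (e.g. .jpg) immediately before the real one, padding removed.
        stem_stripped = stem.rstrip(" \t\u00a0")
        decoy = re.search(r"\.([a-z0-9]+)$", stem_stripped)
        if decoy and "." + decoy.group(1) in DECOY_EXTENSIONS:
            reasons.append(f"decoy extension .{decoy.group(1)} before real {true_ext}")
        if not reasons:
            reasons.append(f"executable extension {true_ext} in archive")
    return reasons

def scan_zip_bytes(data: bytes) -> dict[str, list[str]]:
    """Map every member name in a ZIP (given as bytes) to its review flags."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: analyze_member_name(info.filename) for info in zf.infolist()}

def build_sample_zip() -> bytes:
    """Constructed sample archive: one padded-name member and one genuine-looking image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("happy_christmas.jpg" + " " * 150 + ".scr", b"MZ constructed stub, not a real binary")
        zf.writestr("card.jpg", b"\xff\xd8 constructed jpeg header only")
    return buf.getvalue()

if __name__ == "__main__":
    for member, flags in scan_zip_bytes(build_sample_zip()).items():
        print(repr(member[:24] + ("..." if len(member) > 24 else "")), "->", flags or "clean")
```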
More festive nefariousness ensues...
Heather and Hamish
MMPC Melbourne