
Tuesday 21 October 2008

"Data request" trojan

Another EXE-in-ZIP-disguised-as-a-DOC trojan, similar to this one.

Subject: Data request
From: "Billy Roark"

Please find the document attached to this message. The report was issued today.
Requested account details have been altered successfully.

Thank you for contacting us.

The attachment in this case is called Statement_January-October.zip and contains an executable named Statement_January-October.doc[44 spaces].exe. The blank spaces are designed to push the .exe part of the filename down so that it is invisible.

It is a different binary from yesterday's, with better detection rates. But the best cure for this is avoidance, and blocking EXEs-in-ZIPs is the best way to achieve that.
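A minimal version of the EXE-in-ZIP check recommended above, as an added example (not code from the original post): it lists a ZIP's members without extracting them and flags executable extensions, whitespace padding and a decoy document extension. The extension lists, the three-space threshold and the function names are assumptions, and the sample archive is constructed with placeholder bytes.

```python
import io
import os
import re
import zipfile

# Executable and decoy (document-like) extensions: assumed lists, not taken from the post.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".doc", ".pdf", ".xls", ".txt", ".jpg"}
PADDING_RUN = re.compile(r"\s{3,}")  # run of whitespace used to hide the real extension


def inspect_member(name):
    """Return a list of reasons this archive member name looks suspicious."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    stem, ext = os.path.splitext(base.lower())
    if ext not in EXECUTABLE_EXTS:
        return []
    reasons = ["executable extension " + ext]
    if PADDING_RUN.search(stem):
        reasons.append("whitespace padding before extension")
    decoy = os.path.splitext(stem.rstrip())[1]
    if decoy in DECOY_EXTS:
        reasons.append("decoy extension " + decoy)
    return reasons


def scan_zip(data):
    """Map each suspicious member name in a ZIP (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():  # reads the directory only, extracts nothing
            reasons = inspect_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample: placeholder bytes under the naming pattern from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Statement_January-October.doc" + " " * 44 + ".exe", b"placeholder")
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(repr(member), "->", "; ".join(why))
```

A filter that blocks on the first reason alone implements the blanket EXE-in-ZIP rule; the other two reasons only add context for whoever reviews the quarantine.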
