Current Events Spark Round of Malware

Attackers are busy monitoring current events so they can distribute malware that appears relevant, for example by sending spam messages containing links to malware with contextual references to the 2008 Olympics in Beijing or to other current events.

We recently began receiving reports of a new spam run with an attached malicious password-protected .ZIP file. The message text below is a sample of the message that was sent. Note that this is an example of social engineering: the content of the message is crafted to provoke the reader into taking the steps needed to infect their own machine (opening the archive with the supplied password and running the file inside). The content need not be truthful and often is not.

The message may be in the following format:

Date: 8/20/2008 10:57:02 AM
Subject: Journalists shot in Georgia

Turkish television has released video of four journalists on assignment in Georgia being shot at.
The crew from NTV were in an area of Georgian-Russian fighting between the Georgian town of Gori and South Ossetia.

Real photo in the attachment
attach password: 123

The password-protected .ZIP archive contains an executable that's identified as "TrojanDropper:Win32/Twores.gen" by current signatures for Microsoft antivirus products. The trojan attempts to download a binary from a predefined Web site - this binary is also identified by current signatures as "TrojanDownloader:Win32/Renos.gen!AQ":

Screenshot of Detection

Renos.gen!AQ is a generic detection for malware that's known to download and install rogue security applications that display false alert messages with claims of the system being infected.
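The lure above pairs a password-protected .ZIP (which a gateway scanner cannot open) with the archive password quoted in the message body. As an added example that is not part of the original post, the following Python flags that combination on the mail-filter side by reading only the archive's central directory (file names and the encryption flag), so no password is needed. The message, file names and the detection rule are constructed for illustration; since the standard library cannot write encrypted archives, the sample ZIP's headers are patched to set the encryption flag.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions a lure would disguise as a "photo"; list is an assumption for the example.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")
PASSWORD_RE = re.compile(r"\bpass(?:word)?\s*[:=]\s*(\S+)", re.IGNORECASE)


def inspect_zip(blob):
    """Return (encrypted, executable_names) using only central-directory metadata."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
        encrypted = any(i.flag_bits & 0x1 for i in infos)  # bit 0 = PKWARE encryption
        execs = [i.filename for i in infos if i.filename.lower().endswith(EXEC_EXT)]
    return encrypted, execs


def score_message(raw):
    """Flag a mail whose encrypted ZIP holds an executable and whose body quotes a password."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    pw = PASSWORD_RE.search(body.get_content() if body else "")
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        try:
            encrypted, execs = inspect_zip(part.get_payload(decode=True))
        except zipfile.BadZipFile:
            hits.append({"attachment": name, "reason": "unparseable zip"})
            continue
        if encrypted and execs:
            hits.append({"attachment": name, "executables": execs,
                         "password_in_body": pw.group(1) if pw else None})
    return hits


def build_sample():
    """Constructed sample mail: one-entry ZIP with the encryption flag patched in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg.exe", b"MZ" + b"\x00" * 64)  # placeholder, not a real binary
    data = bytearray(buf.getvalue())
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):  # local header, central dir
        data[data.find(sig) + off] |= 0x1  # general-purpose flag bit 0 = encrypted
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "Journalists shot in Georgia", "a@example.invalid", "b@example.invalid"
    msg.set_content("Real photo in the attachment\nattach password: 123\n")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip", filename="photo.zip")
    return msg.as_bytes()
```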

-- Patrick Nolan
