Malware Sent via PDF Attachment
If you have IndigoGUARD you are protected.
Subject: setting for your mailbox are changed
SMTP and POP3 servers for mailbox are changed.
Please carefully read the attached instructions before updating settings.
When the attached document is opened, the recipient’s PDF viewer executes the /Launch action included in the document parameters. This in turn passes echo statements to cmd.exe to create a VBScript file called “script.vbs”, which extracts a second script called “batscript.vbs”, which finally creates and runs a Trojan executable called “game.exe”. Game.exe attaches itself to Windows Explorer and creates a new svchost.exe service in order to hide itself and to ensure that it is always running.
Three seconds after installation, the original script file cleans up the remaining evidence by deleting the scripts and executable files created during infection. The new svchost.exe process then periodically contacts three domains over HTTP: jademason.com, 1foxfiisa.com, and dolsgunss.com, in order to download new code or instructions, or to upload stolen data.
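As an added illustration (not code from the original post or from any vendor it names), the following Python checker looks for the trigger this attachment relies on: it decodes hex-escaped PDF names so that /Launch cannot be disguised as /#4Caunch, finds indirect objects whose action type is /Launch, notes whether the document's /OpenAction points at them, and lists suspicious tokens in the launch target and parameters. The PDF bytes are constructed for the example; the parameter string is a harmless placeholder, not the real dropper.

```python
import re

# Constructed sample: a minimal PDF whose /OpenAction is a /Launch action that
# hands a command line to cmd.exe, mirroring the structure described above.
# This is not the real attachment; the /P string is a placeholder.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /Action /S /Launch\n"
    b"   /Win << /F (cmd.exe) /P (/c echo placeholder > script.vbs) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Tokens that, inside a /Launch action, point at a script-dropping command line.
RISKY = (b"cmd.exe", b"echo ", b".vbs", b".bat", b".exe")

def _decode_names(data: bytes) -> bytes:
    # PDF allows #xx escapes in names (/#4Caunch == /Launch); undo them first.
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> list:
    """Return one finding per /Launch action found among the indirect objects."""
    data = _decode_names(data)
    # "/OpenAction N 0 R" means object N fires as soon as the document opens.
    open_action = re.search(rb"/OpenAction\s+(\d+)\s+\d+\s+R", data)
    auto_obj = int(open_action.group(1)) if open_action else None
    findings = []
    for m in re.finditer(rb"(\d+)\s+\d+\s+obj(.*?)endobj", data, re.DOTALL):
        num, body = int(m.group(1)), m.group(2)
        if not re.search(rb"/S\s*/Launch\b", body):
            continue
        target = re.search(rb"/F\s*\((.*?)\)", body, re.DOTALL)
        params = re.search(rb"/P\s*\((.*?)\)", body, re.DOTALL)
        findings.append({
            "object": num,
            "on_open": num == auto_obj,
            "target": target.group(1).decode("latin-1") if target else None,
            "params": params.group(1).decode("latin-1") if params else None,
            "indicators": [t.decode() for t in RISKY if t in body.lower()],
        })
    return findings

if __name__ == "__main__":
    for f in scan_pdf(SAMPLE_PDF):
        print(f)
```

A document with any /Launch action at all is worth quarantining at the mail gateway; one whose /OpenAction points at it is the pattern this campaign uses.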
According to NitroSecurity’s SIEM Blog, some of the major antivirus products from vendors such as Avast, AVG, Symantec, McAfee, eTrust, and Trend Micro currently have signatures available to detect the file attachment as malicious; however, few of the remaining top 40 antivirus products are able to detect any of the files associated with this attack. Gladiator recommends that users not open any emails or attachments like the ones described above, and that they always exercise caution regarding any suspicious or unsolicited email they receive.