NEWS FROM THE LAB - Thursday, November 24, 2005

Gold, now

Posted by Mikko @ 09:11 GMT

Well, it's not all just Bagle that we're seeing lately.

Here's an interesting way to distribute a new trojan.

Somebody has been sending out a significant number of fake emails claiming to be from "GOLDNOW SHOP Billing Team". No such company exists. The credit card merchant CCBill is also mentioned, but they are not related to this case in any way.

The mail warns that your ring order of $277.50 has been denied and instructs you to get details from the attachment. The attachment (surprise, surprise) contains an executable called GSBILL.EXE.

When scanning the file you'll find out that:

 gsbill.exe Infection: Trojan-Proxy.Win32.Agent.hx

This trojan doesn't replicate by itself, so the email has simply been spammed out by the attackers, who hope that people will be fooled by the fake bill and launch the trojan while looking for more info.