NEWS FROM THE LAB - Friday, April 13, 2007

Zhelatin, Zipped, Zecurity? Posted by Ian @ 02:19 GMT

Earlier today, several e-mails with love-themed subjects were seen in the wild. Some of the subjects are a rehash of previously used ones, such as Sending You My Love, The Dance of Love, and When I'm With You, while others are new:

   A Dream is a Wish
   A Is For Attitude
   Eternal Love
   Eternity of Your Love
   Falling In Love with You
   Hugging My Pillow
   Inside My Heart
   Kisses Through E-mail
   Our Journey
   Sent with Love
   When Love Comes Knocking
   You're In My Thoughts
   You're the One


The e-mail messages themselves have no text; instead, they carry attached executables with romantic-sounding filenames. These include:

   Love Card.exe
   Love Postcard.exe
   Greeting Card.exe

All files are detected as Email-Worm.Win32.Zhelatin.ct.

A second run occurred after a few hours. This time, the subjects were security-related.

Subjects include:

   Spyware Alert!
   Virus Alert!
   Worm Alert!
   Worm Detected!

Furthermore, the message body is an image file that advises the receiver to patch their systems. The image also includes the password needed to extract the attachment.


Something new to the Zhelatin family is the use of a password-protected Zip archive as an attachment. The filenames vary, but they have the following format:

   patch-[4 to 5 random numerical characters].zip
   hotfix-[4 to 5 random numerical characters].zip

The executable contained within the Zip archive has the same name as that of the archive but with an EXE extension.

Executables are also detected as Email-Worm.Win32.Zhelatin.ct while the Zip archives are detected as Password-protected-EXE. Latest detections are included in update 2007-04-13_01.
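
A mail gateway cannot scan the encrypted payload, but with traditional Zip encryption the archive's file listing and per-entry flags stay readable without the password. The following is an added example, not F-Secure's detection logic and not code from the original post: it checks an attachment against the filename format described above using Python's standard `zipfile` module. The function names and the sample archive bytes are constructed for illustration.

```python
import io
import re
import zipfile

# Filename format from the post: patch-/hotfix- plus 4 to 5 digits, .zip
ARCHIVE_RE = re.compile(r"^(patch|hotfix)-\d{4,5}\.zip$", re.IGNORECASE)
ENCRYPTED_FLAG = 0x1  # bit 0 of the Zip general-purpose flags


def inspect_attachment(filename, data):
    """Return the reasons an attachment matches the lure described above."""
    reasons = []
    if ARCHIVE_RE.match(filename):
        reasons.append("name matches patch-/hotfix-NNNN(N).zip")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return reasons
    stem = filename.rsplit(".", 1)[0].lower()
    # Only the central directory is read here; no password is required.
    for info in zf.infolist():
        member = info.filename.rsplit("/", 1)[-1].lower()
        if not member.endswith(".exe"):
            continue
        if info.flag_bits & ENCRYPTED_FLAG:
            reasons.append("encrypted EXE member: " + info.filename)
        if member == stem + ".exe":
            reasons.append("EXE shares archive name")
    return reasons


def build_sample(name, encrypted):
    """Constructed input: a Zip holding <name>.exe made of harmless dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name + ".exe", b"MZ-not-a-real-binary")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # zipfile cannot write encrypted entries, so mark the entry by setting
        # the flag in its central directory header (flags live at offset 8).
        cd = raw.rfind(b"PK\x01\x02")
        raw[cd + 8] |= ENCRYPTED_FLAG
    return bytes(raw)


if __name__ == "__main__":
    print(inspect_attachment("patch-58214.zip", build_sample("patch-58214", True)))
```
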