NEWS FROM THE LAB - Wednesday, September 10, 2008

What's The Latest Buzz? Posted by Response @ 06:25 GMT

The 2008 US Presidential Election is well under way, and what news could be more enticing than an alleged sex scandal involving one of the candidates?

The latest e-mail spam run on the loose contains a link to a supposed pornographic video of Democratic candidate Senator Barack Obama.

In order to conceal the trojan's primary intent, a pornographic video will be opened once the file is downloaded and executed. Along with the video named 01.wmv, the trojan drops another malicious file onto the system called 809.exe. Next, it registers the file siemens32.dll as a Browser Helper Object (BHO).

As a result, the malicious BHO is referenced every time Internet Explorer is launched. As soon as the user connects to specific banking sites, especially those of well-known banks in Germany, the trojan collects the information from the bank transactions and then posts it to the "Medved Hotel", Finland.

Medved Hotel

Interestingly, there is no Medved Hotel in Finland. The website, however, looks real enough to fool unsuspecting users, and the layout was apparently borrowed from a real Finnish hotel, Bear Inn, in order to make a bogus site out of it.

Hotel Bear Inn

Can you spot the difference? The two websites are almost identical, except for a discrepancy on the right side of the page.

Currently, we have reported this to local authorities and they are working on getting the site shut down. All of the malicious files mentioned are detected as Trojan-Spy:W32/Banker.ISO.
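The BHO registration described above can be audited from a registry export. The following is an added example, not code from the original post: it parses `reg export` text, resolves each Browser Helper Object CLSID to its InprocServer32 DLL, and flags the file name siemens32.dll. The CLSIDs, DLL paths and function names are constructed for illustration.

```python
import re

# Standard location where Internet Explorer looks up BHO CLSIDs (lower-cased for matching).
BHO_KEY = r"\software\microsoft\windows\currentversion\explorer\browser helper objects" + "\\"

# Constructed sample in `reg export` text format; CLSIDs and paths are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99999999-0000-0000-0000-000000000000}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\system32\\siemens32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files\\Example Toolbar\\toolbar.dll"
'''

def parse_keys(text):
    """Return {lower-cased key path: {value name: string data}} from .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            # Only string values are handled; .reg escapes backslashes and quotes.
            if data.startswith('"') and data.endswith('"'):
                current[name.strip('"')] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return keys

def audit_bhos(text, watchlist=("siemens32.dll",)):
    """List (clsid, dll_path_or_None, flagged) for every registered BHO."""
    keys = parse_keys(text)
    results = []
    for path in keys:
        if BHO_KEY not in path:
            continue
        clsid = path.rsplit("\\", 1)[1]
        suffix = "\\clsid\\" + clsid + "\\inprocserver32"
        dll = next((v.get("@") for k, v in keys.items() if k.endswith(suffix)), None)
        # A file-name match is only a lead; names are trivial for malware to change.
        name = dll.rsplit("\\", 1)[-1].lower() if dll else ""
        results.append((clsid.upper(), dll, name in watchlist))
    return results
```

Files written by `reg export` are UTF-16 encoded, so decode them before passing the text to `audit_bhos`. An entry whose DLL resolves to `None` has no InprocServer32 key in the export and is worth a manual look.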

Response Team post by — Mark