NEWS FROM THE LAB - Tuesday, July 21, 2009

Real-world Viruses vs Computer Viruses
Posted by Mikko @ 08:13 GMT

We recently saw this malicious file being spread in e-mails. The name of the file was Novel H1N1 Flu Situation Update.exe, and its icon made it look like a Word document file.

When the file was opened, it created several new files on the hard drive:

  •  %windir%\Temp\Novel H1N1 Flu Situation Update.doc
  •  %windir%\Temp\doc.exe
  •  %windir%\Temp\make.exe
  •  %windir%\system32\UsrClassEx.exe
  •  %windir%\system32\UsrClassEx.exe.reg

The executables contain backdoor functionality, including an elaborate keylogger.

The malware automatically opens the dropped document file, causing the user to think he really opened a Word file. This is what the document looks like.

[Image: Novel H1N1 Flu Situation Update]

We detect this file (MD5 d8a9fb16318130ccd7924e03b33070c1) as Agent.avzq.
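For triage, the dropped-file list and the MD5 above can be swept for on a live host or a mounted disk image. The following is an added example, not code from the original post; the function names and the idea of passing extra directories to hash are assumptions of this sketch.

```python
import hashlib
import os
from pathlib import Path

# Indicators copied from the post; paths are relative to %windir%.
DROPPED_FILES = [
    r"Temp\Novel H1N1 Flu Situation Update.doc",
    r"Temp\doc.exe",
    r"Temp\make.exe",
    r"system32\UsrClassEx.exe",
    r"system32\UsrClassEx.exe.reg",
]
SAMPLE_MD5 = "d8a9fb16318130ccd7924e03b33070c1"

def find_ci(root, rel):
    """Resolve rel under root ignoring case, so a Windows image mounted on Linux works."""
    cur = Path(root)
    for part in rel.split("\\"):
        try:
            cur = next(p for p in cur.iterdir() if p.name.lower() == part.lower())
        except (StopIteration, OSError):
            return None  # component missing, or parent is not a readable directory
    return cur

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def sweep(windir, scan_dirs=(), md5=SAMPLE_MD5):
    """Return (listed dropped files present under windir, .exe files in scan_dirs matching md5)."""
    present = [rel for rel in DROPPED_FILES if find_ci(windir, rel) is not None]
    hash_hits = []
    for d in scan_dirs:
        for p in Path(d).rglob("*"):
            try:
                if p.is_file() and p.suffix.lower() == ".exe" and md5_of(p) == md5:
                    hash_hits.append(str(p))
            except OSError:
                continue  # locked or unreadable file: skip it, keep sweeping
    return present, hash_hits

if __name__ == "__main__":
    found, hits = sweep(os.environ.get("windir", r"C:\Windows"))
    print("dropped files present:", found)
    print("MD5 matches:", hits)
```

A path match alone is a lead rather than a verdict, since names such as doc.exe are generic; the MD5 only matches the exact sample described in the post.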