The spam email associated with this attack is spoofed to appear as a message from a Japanese government agency and entices the user to open the attached .zip file to check recent organizational changes. The attached .zip file contains two files: 0414.xls and 0414.exe. 0414.xls is a legitimate file containing a list of names, addresses, and personnel positions that may or may not really exist. There is no evidence to suggest that any exploit attempts are made through this file.
However, the other file, 0414.exe, is a variant of Backdoor.Darkmoon, which has keylogging capabilities. At the time of writing, we have seen several variants of Backdoor.Darkmoon associated with this spam attack. One variant saves stolen information under the filename msvidctl, sends it to the remote attacker, and awaits further commands from cyhk.3322.org. Another variant sends information under the filename taskame to hi222.3322.org and opens a back door to the same site.
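The indicators above (the two command-and-control hostnames and the document-plus-executable attachment layout) are enough to build a simple defensive check. The following is an added example, not code from the original post or from Symantec; it assumes a constructed "timestamp client host" proxy/DNS log format and builds a placeholder zip archive in memory that mirrors the described attachment, so it runs offline with no real samples.

```python
import io
import re
import zipfile

# Indicators taken from the advisory text: the two C2 hostnames.
# Everything else in this script is constructed for illustration.
C2_HOSTS = {"cyhk.3322.org", "hi222.3322.org"}

# Extensions treated as executable when found inside a mail attachment archive.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

# Constructed proxy/DNS log lines in an assumed "timestamp client host" format.
SAMPLE_LOG = """\
2008-04-15T09:12:01 10.0.0.12 www.example.com
2008-04-15T09:13:44 10.0.0.12 cyhk.3322.org
2008-04-15T09:14:02 10.0.0.27 updates.example.org
2008-04-15T09:15:19 10.0.0.33 hi222.3322.org
2008-04-15T09:16:05 10.0.0.12 CYHK.3322.ORG
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def find_c2_contacts(log_text):
    """Return (timestamp, client, host) for every log line whose host is a known C2 hostname.

    Hostnames are lower-cased and a trailing dot is stripped so that
    case or FQDN formatting differences in the log do not evade the match."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing
        ts, client, host = m.groups()
        host = host.lower().rstrip(".")
        if host in C2_HOSTS:
            hits.append((ts, client, host))
    return hits


def suspicious_zip_members(zip_bytes):
    """Return the names of executable members inside a zip attachment.

    The lure described above pairs a benign spreadsheet with an .exe in one
    archive; any executable member is reported so the archive can be quarantined."""
    names = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                names.append(info.filename)
    return names


def build_sample_zip():
    """Construct an in-memory archive with the attachment layout from the advisory.

    The member contents are placeholder bytes, not the real files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("0414.xls", b"placeholder spreadsheet bytes")
        zf.writestr("0414.exe", b"placeholder executable bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for ts, client, host in find_c2_contacts(SAMPLE_LOG):
        print(f"{ts} {client} contacted known C2 host {host}")
    print("executables in attachment:", suspicious_zip_members(build_sample_zip()))
```

Matching on hostnames is only a first-pass check: the 3322.org dynamic DNS service means the resolved addresses change, so alerting on the hostname in DNS or proxy logs is more durable than alerting on an IP, and the attachment check catches the lure before any network contact happens.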
In the past, similar attacks have occurred many times. We urge you to take extra caution and not to open attachments unless they are expected and come from a known and trusted source.
Message Edited by SR Blog Moderator on 04-16-2008 01:14 PM