We have been seeing a recent wave of Trojan.Shylock variants with a lot more functionality than the older versions we are used to.
Initially, many of these variants are detected generically as Backdoor.Trojan or Trojan Horse, but our new Shylock heuristic signatures (Trojan.Shylock!gen6 and Trojan.Shylock!gen7) should be changing this to a more accurate naming convention, and should be picking up a much wider spread of these threats.
Additionally, we are hearing about some behavior that we have not been able to reproduce. Reports say that legitimate documents are being hidden and that shortcuts with the same names as the documents are being added in their place. These shortcuts actually launch a thumbs.db(x) file, which is the Shylock Trojan, and they are meant to trick the user into running the threat. This is common behavior for threats, as noted in this blog article from May 2012, A “LNK” to the Past. It’s also a common W32.SillyFDC tactic, so it is possible that the Trojan is being dropped from an email or a website, or that another threat is responsible for both the shortcuts and the dropping of Trojan.Shylock. We are not currently able to confirm this behavior.
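As an added example (not Symantec's code or tooling), a small Python check for the decoy pattern described above: a .lnk file whose name matches a hidden document in the same folder and whose bytes reference thumbs.db or thumbs.dbx. The sample folder contents and shortcut bytes are constructed, and treating dot-prefixed names as hidden on non-Windows hosts is an assumption.

```python
import os

# ShellLinkHeader every Windows .lnk starts with: HeaderSize 0x4C, then CLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
FILE_ATTRIBUTE_HIDDEN = 0x2

def references_thumbs_db(lnk_bytes):
    """True if the shortcut mentions thumbs.db/thumbs.dbx; LNK stores paths as ANSI
    or UTF-16LE depending on the structure, so both encodings are checked."""
    low = lnk_bytes.lower()
    return b"thumbs.db" in low or "thumbs.db".encode("utf-16-le") in low

def find_decoy_shortcuts(entries):
    """entries: {filename: (is_hidden, bytes)}; returns [(shortcut, hidden_document)] for each decoy."""
    hits = []
    for name, (_, data) in entries.items():
        stem, ext = os.path.splitext(name)
        if ext.lower() != ".lnk" or not data.startswith(LNK_MAGIC):
            continue
        if not references_thumbs_db(data):
            continue
        for other, (hidden, _) in entries.items():
            # Explorer hides the .lnk extension, so "report.docx.lnk" displays as
            # "report.docx"; also accept "report.lnk" standing in for "report.docx".
            twins = (other.lower(), os.path.splitext(other)[0].lower())
            if hidden and other != name and stem.lower() in twins:
                hits.append((name, other))
    return hits

def scan_directory(path):
    """Build the entries map from a real folder. Hidden = NTFS hidden attribute on
    Windows; dot-prefix elsewhere (assumption, for running on non-Windows hosts)."""
    entries = {}
    with os.scandir(path) as it:
        for e in it:
            if e.is_file():
                attrs = getattr(e.stat(), "st_file_attributes", 0)
                hidden = e.name.startswith(".") or bool(attrs & FILE_ATTRIBUTE_HIDDEN)
                with open(e.path, "rb") as fh:
                    entries[e.name] = (hidden, fh.read(65536))  # header and path strings sit early
    return entries

# Constructed sample folder: hidden document, its look-alike shortcut pointing at thumbs.dbx,
# a benign shortcut with no hidden twin, and a thumbs.db shortcut with no document twin.
SAMPLE_FOLDER = {
    "Q3 report.docx": (True, b"PK\x03\x04 constructed document bytes"),
    "Q3 report.docx.lnk": (False, LNK_MAGIC + b"\x00" * 40 + "C:\\Users\\u\\thumbs.dbx".encode("utf-16-le")),
    "notes.txt.lnk": (False, LNK_MAGIC + b"\x00" * 40 + b"C:\\Users\\u\\notes.txt"),
    "thumbs.lnk": (False, LNK_MAGIC + b"thumbs.db"),
}
```

`scan_directory(path)` feeds a real folder into `find_decoy_shortcuts`; a hit is a reason to pull the machine for analysis, not proof of infection on its own.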
The current wave of Trojan.Shylock is communicating with the following domains:
These domains should be flagged by your perimeter firewalls and any machines talking to them pulled for analysis. Any files suspected of talking to these domains and not currently detected as Trojan.Shylock should be submitted to Symantec Security Response for analysis.
Reference and additional reading: