Posted on behalf of Tony Millington, Malware Operations Engineer, Symantec Hosted Services
MessageLabs Intelligence tracked a new targeted attack yesterday using emails pretending to be from the New York Times, offering its "Times Reader" software and hitting six different domains. One domain was a public sector domain, one was a law firm, three were chemical companies, and most interestingly the last one was an online gambling company. All are UK-based companies. The email attacks appear to have originated from Greece. We can't see this being used as a botnet.
When executed, "Times Reader Plugin.exe" uses iexplore.exe to send encrypted data to an IP address in Denmark that looks like a computer on a home network. It doesn't display anything when you run the exe, so the victim wouldn't know they have been infected. The only indication is an iexplore.exe process running when there is no IE browser session open. It drops two files in the C:\windows\system32 directory, named rundl32.exe and rundl32. This dropped virus is a keylogger; the rundl32 file holds a record of what you are typing. After a while, the virus shuts down and deletes itself.
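The host indicators above (an iexplore.exe process with no browser session open, and the lookalike files rundl32.exe and rundl32 in system32) are the kind of thing a responder would want to check on other machines that received the email. The following is an added triage example, not MessageLabs' or Symantec's own tooling: it runs over a constructed process snapshot and file listing rather than a live host, the `Proc` record and the "no visible window" test are assumptions standing in for whatever your process inventory exports, and the file check generalises the two names from the write-up to any system32 filename within one edit of the genuine rundll32.exe.

```python
"""Triage helpers for the indicators in the write-up (added example, not Symantec code)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# From the write-up: files dropped into C:\windows\system32 as "rundl32.exe" and
# "rundl32" (one 'l'). The genuine Windows binary is rundll32.exe (two 'l's).
DROPPED_NAMES = {"rundl32.exe", "rundl32"}
GENUINE_NAME = "rundll32.exe"
SYSTEM32 = PureWindowsPath(r"C:\windows\system32")


@dataclass
class Proc:
    """Assumed shape of a process-inventory record (constructed for this example)."""
    pid: int
    name: str
    parent_name: str
    has_visible_window: bool


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to catch lookalike filenames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_files(paths):
    """Return system32 paths whose filename is one of the dropped names from the
    write-up, or within one edit of rundll32.exe (with or without the .exe).
    The genuine rundll32.exe itself is never reported."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.parent != SYSTEM32:            # PureWindowsPath compares case-insensitively
            continue
        name = wp.name.lower()
        if name == GENUINE_NAME:
            continue
        candidates = {name, name if name.endswith(".exe") else name + ".exe"}
        if name in DROPPED_NAMES or any(levenshtein(c, GENUINE_NAME) <= 1 for c in candidates):
            hits.append(p)
    return hits


def headless_ie(procs):
    """Return PIDs of iexplore.exe processes that have no visible browser window,
    the 'IE running with no browser session open' indicator from the write-up."""
    return [p.pid for p in procs
            if p.name.lower() == "iexplore.exe" and not p.has_visible_window]


# Constructed sample data: one genuine IE session, one headless IE process
# spawned by the dropper, and the two dropped files beside the real rundll32.exe.
SAMPLE_PROCS = [
    Proc(1200, "explorer.exe", "winlogon.exe", True),
    Proc(2310, "iexplore.exe", "explorer.exe", True),
    Proc(2788, "iexplore.exe", "Times Reader Plugin.exe", False),
]
SAMPLE_FILES = [
    r"C:\windows\system32\rundll32.exe",
    r"C:\windows\system32\rundl32.exe",
    r"C:\windows\system32\rundl32",
    r"C:\windows\system32\notepad.exe",
    r"C:\temp\rundl32.exe",
]


def triage(procs, paths):
    """Combine both checks into one report."""
    return {"headless_ie_pids": headless_ie(procs),
            "suspicious_files": suspicious_files(paths)}


if __name__ == "__main__":
    print(triage(SAMPLE_PROCS, SAMPLE_FILES))
```

The directory restriction follows the write-up (the files land in system32); the edit-distance rule is there because a one-letter lookalike of a core Windows binary is worth flagging whatever exact spelling a later variant uses. Treat a hit as a reason to pull the host for closer examination, not as proof of infection on its own.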
The emails contain no text as such, just a picture:
The promo picture it displays is:
The "Times Reader 2.0" software was released in 2009 and yet is being used to try to coax the recipient into running the malicious executable.
Skeptic successfully blocked all copies of this attack using its unique and patented predictive analysis technology.