Vivio Lure Spreading Crimeware

Websense Security Labs has discovered a new information-stealing malicious code attack. It appears to provide more evidence that Russian-based malicious code writers and Brazilians are either working together or sharing tools or information.

If users click on the link within the email, they are redirected to a page that is hosted in Russia. That page attempts to exploit the user with the "VML" vulnerability. If the user's PC has not been properly patched, the site downloads and runs an executable called "stylecss.exe". This file is packed with "Yoda's protector" and has an MD5 of b6b2ccb8d1b862fa92c71a17c1795af2. The file adds an entry to the Run key in the registry: (C:\Arquivos de programas\ExAlien.exe). Once running, the file is designed to steal information from end users when they visit banking websites.
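The Run key entry described above can be checked for on a suspect machine. The following is an added example, not part of the Websense alert: it scans the text output of `reg query` on a Run key for values that point at the ExAlien.exe path. The sample registry output, its value names, and the fallback match on file name alone are constructed assumptions.

```python
import re

# Indicator from the alert: the path written to the Run key.
# "Arquivos de programas" is the Portuguese-language Program Files folder.
IOC_RUN_PATH = r"C:\Arquivos de programas\ExAlien.exe"
IOC_BASENAME = IOC_RUN_PATH.rsplit("\\", 1)[1].lower()

# One value line of `reg query` output: 4 spaces, name, type, data.
VALUE_LINE = re.compile(r"^ {4}(.+?) {4}(REG_\w+) {4}(.*)$")

def command_path(data):
    """Return the executable path from Run-key data, without quotes or arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    # Unquoted: cut after the first ".exe" so paths containing spaces survive.
    m = re.match(r"(.+?\.exe)\b", data, re.IGNORECASE)
    return m.group(1) if m else data

def flag_run_entries(reg_query_output):
    """Return (key, value_name, data, reason) for Run values matching the indicator."""
    hits, key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or not key.lower().endswith(r"\currentversion\run"):
            continue
        name, _type, data = m.groups()
        path = command_path(data).lower()
        if path == IOC_RUN_PATH.lower():
            hits.append((key, name, data, "exact path"))
        elif path.rsplit("\\", 1)[-1] == IOC_BASENAME:
            # Assumption: same file name in another folder is worth a look.
            hits.append((key, name, data, "file name only"))
    return hits

# Constructed sample of `reg query` output; value names are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    updater    REG_SZ    "c:\arquivos de programas\exalien.exe" /s

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Style Helper    REG_SZ    C:\Documents and Settings\u\ExAlien.exe
"""
```

The alert does not say which registry hive holds the entry, so both the machine and per-user Run keys should be queried and passed to `flag_run_entries`.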

Linked by shanmuga Wednesday, 31st January 2007 11:42PM