Never a DuLL Day

Filed Under: Malware, SophosLabs

It was a busy morning, for a weekend, but nothing out of the ordinary. In the afternoon a new variant of the Dlena family of proxy Trojans came in. It seems the author thought he would try a new trick.

Troj/Dlena-B has much in common with Troj/Dlena-A, but instead of copying itself to <System>\rpcc.exe, it installs itself as <System>\rpcc.dll, modifying just one bit of one byte in the file: the IMAGE_FILE_DLL flag in the Characteristics field of the PE header, which tells Windows "this is a DLL."

Given that the <System> folder contains mostly DLLs, perhaps the author thought this would be less conspicuous and help evade detection. It is true that anti-virus products sometimes use contextual information, and sometimes process DLL files and EXE files differently, but in this case the author shot himself in the foot: in our internal lab analysis three extra Genotype characteristics were triggered automatically, each saying "This DLL file looks more like an EXE than a Dynamic Link Library."
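As an added example (not code from this post or from SophosLabs), the script below builds a constructed, header-only PE32 image with the linker defaults typical of an EXE, flips the IMAGE_FILE_DLL bit in the COFF Characteristics field the way the post describes, confirms that exactly one bit of one byte changed, and then applies three assumed heuristics of the kind the Genotype result hints at. The three checks (no export directory, the EXE default ImageBase of 0x400000, and IMAGE_FILE_RELOCS_STRIPPED on a file that claims to be a DLL) are the author-of-this-example's own choices, not Sophos's actual rules.

```python
"""PE Characteristics, the IMAGE_FILE_DLL bit, and a few 'DLL that looks like
an EXE' heuristics.  The sample image is constructed here; it is not Dlena."""
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000            # the single bit flipped to turn an EXE into a "DLL"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def build_sample_exe() -> bytes:
    """Constructed header-only PE32 image with defaults an EXE linker would emit."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224,  # i386, 1 section, 224-byte opt hdr
                       IMAGE_FILE_RELOCS_STRIPPED | IMAGE_FILE_EXECUTABLE_IMAGE
                       | IMAGE_FILE_32BIT_MACHINE)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)             # ImageBase: the EXE default
    struct.pack_into("<H", opt, 68, 2)                      # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    # Data directories (opt+96 onward) stay zero: no export table, as in an EXE.
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def parse_headers(data: bytes) -> dict:
    """Pull the handful of DOS/COFF/optional-header fields the checks need."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = pe + 4
    characteristics_off = coff + 18                          # last field of IMAGE_FILE_HEADER
    characteristics = struct.unpack_from("<H", data, characteristics_off)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dirs = opt + 96
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]    # NumberOfRvaAndSizes
    export_rva, export_size = struct.unpack_from("<II", data, dirs) if n_dirs else (0, 0)
    return {
        "characteristics_off": characteristics_off,
        "characteristics": characteristics,
        "entry_point": struct.unpack_from("<I", data, opt + 16)[0],
        "image_base": image_base,
        "subsystem": struct.unpack_from("<H", data, opt + 68)[0],
        "export_rva": export_rva,
        "export_size": export_size,
    }


def set_dll_flag(data: bytes, on: bool = True) -> bytes:
    """Copy of the image with IMAGE_FILE_DLL set or cleared: one bit in the
    high byte of the 16-bit little-endian Characteristics field."""
    off = parse_headers(data)["characteristics_off"]
    buf = bytearray(data)
    value = struct.unpack_from("<H", buf, off)[0]
    value = (value | IMAGE_FILE_DLL) if on else (value & ~IMAGE_FILE_DLL & 0xFFFF)
    struct.pack_into("<H", buf, off, value)
    return bytes(buf)


def changed_bits(a: bytes, b: bytes) -> tuple:
    """(differing bytes, differing bits) between two equal-length images."""
    if len(a) != len(b):
        raise ValueError("images differ in length")
    diffs = [x ^ y for x, y in zip(a, b) if x != y]
    return len(diffs), sum(bin(d).count("1") for d in diffs)


def exe_like_dll_indicators(data: bytes) -> list:
    """Assumed heuristics (not Sophos's rules) for a file whose DLL flag is set
    but whose other header fields are what an EXE linker would produce."""
    h = parse_headers(data)
    if not h["characteristics"] & IMAGE_FILE_DLL:
        return []                                            # not claiming to be a DLL
    hits = []
    if h["export_rva"] == 0 and h["export_size"] == 0:
        hits.append("DLL flag set but no export directory")
    if h["image_base"] == 0x00400000:
        hits.append("ImageBase is the EXE linker default 0x400000, not a DLL base")
    if h["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED:
        hits.append("relocations stripped: a real DLL must be relocatable to load at any base")
    return hits


if __name__ == "__main__":
    exe = build_sample_exe()
    dll = set_dll_flag(exe)
    print("bytes/bits changed:", changed_bits(exe, dll))
    for hit in exe_like_dll_indicators(dll):
        print("indicator:", hit)
```

Run against a real file, the same parser works unchanged on anything that starts with an MZ header; the point the output makes is that the flag flip is a single-bit edit, while every other header field still describes an EXE, which is exactly what a contextual heuristic is there to notice.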

Did he really think we would be so easily fooled?
