Life Isn’t So Beautiful

SophosLabs today encountered a newly spammed-out Trojan that is making its way to email servers around the world.

The email has the following characteristics:

The subject lines can be any of the following:

“Life is beautiful”
“Life will be better”
“Good summer”
“help you”

The message body is typically one of the following:

“Good morning/evening, man!

Realy cool screensaver in your attachment!

Wanna more? Welcome to our site – <URL>

Good Bye.”

or

“Hello, old chap!

Cool screensaver in your attachment!

Wanna more? Welcome to our site – <URL>

Thanks.”

A sample screenshot of the spammed-out Trojan looks like this:

[Image: Troj/Agent-FZB]

The file attachment uses the filename bsaver.zip. Naturally, opening the attachment and running the archived file within, bsaver.exe, will not give you any screensaver. In fact, running the archived file results in another two pieces of malware being dropped.

The main file, bsaver.exe (detected as Troj/Agent-FZB), drops two kernel driver rootkits (detected as Troj/NTRootK-BY and Troj/Agent-FVT respectively), both of which are used to hide the Troj/Agent-FZB Trojan.
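The email characteristics listed above can be turned into a mail-gateway check. The following is an added example, not SophosLabs code: it matches the subject lines and the bsaver.zip filename from this post and, going slightly beyond them, flags any ZIP attachment that contains an executable. The function names, the extension list and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the post.
SUBJECTS = {"life is beautiful", "life will be better", "good summer", "help you"}
ATTACHMENT_NAME = "bsaver.zip"
# Assumption: generic list of executable extensions, not from the post.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")


def zip_executables(data: bytes) -> list:
    """List executable members of a ZIP by name only; nothing is extracted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
    except zipfile.BadZipFile:
        return []  # corrupt or non-ZIP data: nothing to report here


def score_message(raw: bytes) -> list:
    """Return the reasons a raw RFC 5322 message matches the campaign."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").strip().strip('"“”').lower()
    if subject in SUBJECTS:
        reasons.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT_NAME:
            reasons.append("attachment-name")
        if name.endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            reasons += [f"zip-contains:{m}" for m in zip_executables(payload)]
    return reasons


def build_sample(subject: str, zip_name: str, member: str) -> bytes:
    """Constructed test message; the archive member is harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"not a real executable")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, "a@example.com", "b@example.com"
    msg.set_content("Cool screensaver in your attachment!")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

A message that matches on subject alone is weak evidence, since the subject lines are ordinary phrases; the attachment checks carry most of the weight.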