With the Swine Flu H1N1 pandemic ongoing, malware authors are continuing to play on the public’s fears. We’ve seen spam use Swine Flu to take you to fake Viagra sites, scam sites selling Tamiflu, FakeAV using Swine Flu SEO, and legitimate sites set up to help people that have themselves been infected with malware.
This week we’ve seen malware directly exploiting the current buzz. You’ll click on a file called “Novel H1N1 Flu Situation Update”, and you’ll open a Word document that looks like the following:
Unfortunately, at the same time as you read about the spread of this infection, an electronic one will be attacking your computer. The file you opened was in fact a self-extracting zip file, and as well as dropping this “Novel H1N1 Flu Situation Update.doc” to the temp folder, it will also have dropped doc.exe to the same place. Doc.exe in turn drops make.exe, which drops UsrClassEx.exe and UsrClassEx.exe.reg – and now you’re in trouble.
This second file, UsrClassEx.exe.reg, is just a registry file the malware runs to tell your computer to launch UsrClassEx.exe every time you start up the computer – and it wants to do that because UsrClassEx.exe is a password-stealing Trojan. As well as cracking open stored passwords (even ones that you thought were safe and encrypted) it is also a keylogger, monitoring every key you press and every mouse-click you make – all this information gets stored in a file called kklog, and gets uploaded to a malicious website periodically.
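Two things a responder would want to check on a box that has seen this lure are the ones the two paragraphs above describe: a file that presents itself as a Word document but is really a self-extracting executable, and a .reg file that registers a program in the temp folder to run at every start-up. The script below is an added example written for this post, not Sophos code and not taken from the malware; the sample file bytes and the sample .reg text are constructed, and the Run key it looks for is the standard Windows autorun key, assumed here because the post does not name the exact key the .reg file writes.

```python
"""Triage helpers for the H1N1 lure described above (added example, not Sophos code).

Check 1: does a file that claims to be a .doc actually start like a document, or like
         a Windows executable / zip (which is what a self-extracting archive is)?
Check 2: does a Regedit export (.reg) add an autorun entry that launches something
         from a user-writable location such as the temp folder?
"""
import re

# File signatures ("magic bytes") we recognise. These are the real on-disk headers.
SIGNATURES = {
    b"MZ": "pe_executable",                                   # Windows EXE, incl. SFX archives
    b"PK\x03\x04": "zip_archive",                             # plain zip
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole_compound_doc",  # legacy binary .doc
}


def identify_by_magic(data: bytes) -> str:
    """Return a label for the file type based on its leading bytes."""
    for magic, label in SIGNATURES.items():
        if data.startswith(magic):
            return label
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when a file named like a Word document carries an executable/archive header."""
    claimed = filename.lower().rsplit(".", 1)[-1]
    actual = identify_by_magic(data)
    return claimed in ("doc", "docx") and actual in ("pe_executable", "zip_archive")


# Standard autorun keys (assumption: the malware's .reg file targets one of these).
RUN_KEY_RE = re.compile(
    r"^\[(HKEY_(?:CURRENT_USER|LOCAL_MACHINE)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run(?:Once)?)\]$",
    re.IGNORECASE,
)
# A .reg string value line looks like:  "Name"="value"  (backslashes are doubled).
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Paths an ordinary user can write to; a start-up entry pointing here is a red flag.
USER_WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "%temp%")


def find_autorun_entries(reg_text: str) -> list:
    """Parse Regedit export text; return every value under a Run/RunOnce key,
    flagging those whose command lives in a user-writable directory."""
    findings = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # a new key section starts here
            m = RUN_KEY_RE.match(line)
            current_key = m.group(1) if m else None
            continue
        if current_key is None:             # not inside an autorun key, ignore
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name = m.group(1)
        command = m.group(2).replace("\\\\", "\\")   # undo .reg backslash escaping
        suspicious = any(h in command.lower() for h in USER_WRITABLE_HINTS)
        findings.append({"key": current_key, "name": name,
                         "command": command, "suspicious": suspicious})
    return findings


# Constructed sample input: what a .reg dropped by this kind of Trojan could look like.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"UsrClassEx"="C:\\DOCUME~1\\victim\\LOCALS~1\\Temp\\UsrClassEx.exe"

[HKEY_CURRENT_USER\Software\SomeVendor]
"Setting"="1"
'''

# Constructed sample bytes: a "document" whose header is really a PE executable.
SAMPLE_LURE_NAME = "Novel H1N1 Flu Situation Update.doc"
SAMPLE_LURE_BYTES = b"MZ\x90\x00" + b"\x00" * 60


if __name__ == "__main__":
    print("lure is disguised executable:",
          extension_mismatch(SAMPLE_LURE_NAME, SAMPLE_LURE_BYTES))
    for hit in find_autorun_entries(SAMPLE_REG):
        flag = "SUSPICIOUS" if hit["suspicious"] else "ok"
        print(f"[{flag}] {hit['key']} :: {hit['name']} -> {hit['command']}")
```

The magic-byte check is the cheap, decisive test here: a genuine binary .doc starts with the OLE compound-file header, never with `MZ`, so a document-named file beginning with `MZ` is an executable wearing a document's name regardless of what icon Explorer shows. The .reg parser is deliberately narrow (only Run/RunOnce sections, only string values) so that it can be pointed at a suspicious export without producing noise.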
If you do actually want to know more about the situation, you should visit the official CDC site from where the information in this Word doc seems to have been stolen.
We detect all these executable components as Troj/Agent-KPU and we’re blocking the call-home website too, so customers should consider themselves inoculated.