Do you think that Windows help file is safe? Think again.
Malware authors can create boobytrapped .HLP files, designed to infect your computer.
Take for instance, the strange .HLP file which was sent to SophosLabs by some of our customers at the end of August.
The file, Amministrazione.hlp (“Amministrazione” is Italian for “Administration”) was an example of how cybercriminals can use social engineering to trick unsuspecting users into infecting their computers.
If opened, the help file displays an error message:
Help could not read the current Help file.
Make sure there are no errors on the disk, or if the file is on a network drive, that the server is active. (163)
In the background, however, a file called Windows Security Center.exe is being dropped onto the computer, which in turn creates a file called RECYCLER.DLL.
Since SophosLabs first saw this malware attack we have been writing more generic detections which should help pick up new variants of the attack proactively:
|File name||Initial Detection||Generic Detection|
|Windows Security Center.exe||Troj/DarkDrp-A||Mal/DarkDrp-A|
The DLL part of the malware attack is the keylogger. It’s partof the DarkShell Trojan that has been tied to GhostNet.
The keylogger component is used to log keystrokes made by the user. These are stored in the following file:
\Documents and Settings\username\Local Settings\Application Data\UserData.dat
(where username is a specific username).
The malware attempts to send this data to images.zyns.com (a domain with a long association with malware).
Stay safe everyone – and remember not to click on .HLP files too readily. They could be harbouring a malware attack.