The Latest in IT Security

Win32/Gys.A Trojan

08 Apr 2013

I received an e-mail with the subject line “Your private photos are there for anyone to see. why??”.
The body read (quoted verbatim, misspellings included): “Sorry to disturb you. Someone sent me thee pictures they seem to be from you and your boyfriend I’m really troubled by this why do you send your private naked photos around?? this is beyound my understanding. It’s in attachment”.

The attachment was a ZIP archive named EPS00348.zip.
Inside the archive is an executable file named EPS00348.exe.
The file's icon is a pleasant nature scene (green grass and blue sky), most likely chosen so the file passes for a harmless picture and the user overlooks the .exe extension.
Be very careful: this file is malicious, and Total Defense AV detects and cures it as “Win32/Gys.A Trojan”.

The computer is compromised only if the recipient runs the executable from the ZIP archive (in some cases after extracting it first); merely receiving the e-mail does not infect the machine.

On first execution the file copies itself to C:\Documents and Settings\All Users\svchost.exe.
It then creates the following registry value under the Run key so that it is started on every Windows restart:
Key = “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched”
Value = “C:\Documents and Settings\All Users\svchost.exe”
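As an added example (not part of the original post), a small Python check that parses `reg query` output for the Run key and flags the persistence entry described above. The sample output below is constructed, and the second rule it applies, an svchost.exe image outside System32 or SysWOW64, generalizes beyond this one sample, since the genuine svchost.exe lives only in those directories.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the write-up above.
IOC_VALUE_NAME = "SunJavaUpdateSched"
IOC_PATH = PureWindowsPath(r"C:\Documents and Settings\All Users\svchost.exe")
LEGIT_SVCHOST_DIRS = {"system32", "syswow64"}

# Constructed sample of `reg query HKLM\...\Run` output (not a real capture).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    SunJavaUpdateSched    REG_SZ    C:\Documents and Settings\All Users\svchost.exe
    Updater    REG_SZ    C:\Users\Public\svchost.exe
    Legit    REG_SZ    C:\Windows\System32\svchost.exe -k netsvcs
"""

# A `reg query` value line: name, two+ spaces, REG_* type, two+ spaces, data.
LINE_RE = re.compile(r"^\s*(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text):
    """Return (value_name, data) pairs from `reg query` text output."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("name"), m.group("data").strip()))
    return entries


def image_path(data):
    """Strip quotes and trailing arguments to get the executable path."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    m = re.match(r"(.*?\.exe)", data, re.IGNORECASE)  # unquoted: cut at .exe
    return m.group(1) if m else data


def check_run_entries(entries):
    """Flag the exact Gys.A indicator and any svchost.exe outside its real home."""
    findings = []
    for name, data in entries:
        path = PureWindowsPath(image_path(data))  # PureWindowsPath compares case-insensitively
        parent_dirs = {p.lower() for p in path.parts[:-1]}
        if name == IOC_VALUE_NAME or path == IOC_PATH:
            findings.append((name, str(path), "exact Win32/Gys.A indicator"))
        elif path.name.lower() == "svchost.exe" and not (LEGIT_SVCHOST_DIRS & parent_dirs):
            findings.append((name, str(path), "svchost.exe outside System32/SysWOW64"))
    return findings
```

Feed it the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` (and the HKCU equivalent) to triage a machine that received this attachment.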

It then attempts to operate as a backdoor, meaning that full control of the compromised computer is handed to the attacker.
Full control means the remote attacker can do anything on the compromised computer, including reading the contents of every file on it.
For more information about the terms used in this blog, please review our site and especially the glossary:
http://www.totaldefense.com/support/security-advisor/glossary.aspx

This Trojan will also attempt to download and execute additional files from a remote location.
These files can be anything and do anything, so the initial infection is only the first stage.

If you receive such e-mails, please consider forwarding them to [email protected].
