A legitimate Canadian website is hosting a Trojan:
www.getwiththeprogram.ca/IMG2713.zip
The zip archive contains a file with a .cpl extension.
Control Panel files (.cpl) are normally used by the Windows Control Panel, where each icon corresponds to a file such as Access.cpl or Appwiz.cpl.
What a lot of people don’t know is that such files can be run by double-clicking them, just like any other “.exe”.
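A defender-side check for this delivery trick, added here as an example and not taken from the original post: scan a zip archive for entries that carry a directly executable extension (.cpl among them) or that start with the PE “MZ” header whatever their name says. The extension list and the sample archive are constructed assumptions for the demonstration.

```python
import io
import zipfile

# Extensions Windows runs directly on double-click (assumed list for this example);
# .cpl is the one abused by the sample described in the post.
EXECUTABLE_EXTENSIONS = {".cpl", ".exe", ".scr", ".dll", ".com", ".pif"}


def scan_zip(data: bytes) -> list:
    """Return one finding per archive entry that has an executable extension
    or begins with a PE (MZ) header, regardless of its file name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            with zf.open(info) as fh:
                is_pe = fh.read(2) == b"MZ"
            if ext in EXECUTABLE_EXTENSIONS or is_pe:
                findings.append({"name": name, "ext": ext, "pe_header": is_pe})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: named like a photo collection, it holds a
    .cpl entry with a PE header stub (not real malware) and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IMG2713.cpl", b"MZ" + b"\x00" * 62)  # constructed stub
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_zip(build_sample_zip()):
        print("suspicious entry:", hit)
```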
This is what happens when you execute it:
This in turn triggers further malicious code:
More malware is downloaded from:
opt2011opt.epac.to (IP: 212.124.117.230)
File system modifications include the creation of a “programfiles” folder (not to be confused with the legit Program Files one):
One of the immediate payloads of this Trojan is spam, sent at a rate of several hundred emails per minute:
This particular spambot is targeting Brazilian users, as you may see during the infection process:
The bad guys left out a ‘counter’ page in the clear which you would have caught if you were running Fiddler:
It shows you other infected computers, with the vast majority located in Brazil:
I have contacted the Canadian website mentioned above so that they remove this piece of malware and prevent further infections.
Jerome Segura