Malware authors don’t miss any major event in their attempts to spread malware. Evidently, they see the upcoming New Year as yet another opportunity to get their creations into unsuspecting users' computers. We have already seen signs of malware misusing this happy event. In most cases, these are spammed emails that look like legitimate “Happy New Year” messages or “New Year”-themed greetings.
Here is a recent example:
As you can see, the video can’t be played without, you guessed it, a fake version of Adobe’s Flash Player. As you probably realized, this is just a trick to download something malicious, which in this case is a variant of the well-known password stealer Win32/Zbot (SHA1: 6C5B80A73B4B728D7DF8BFBB142E10A6A29A0950). Once executed, it injects itself into the address space of explorer.exe in an attempt to evade security software. When it connects to the Internet, an alert similar to the one below may be triggered:
Another example of malware using the New Year is related to a blog post from earlier this week. One of the samples of Exploit:Win32/CVE-2010-3333 (00d9af54c5465c28b8c7a917c9a1b1c797b284ab) drops malware detected as TrojanDropper:Win32/Meciv.A and Backdoor:Win32/Meciv.A. To hide its malicious dropping activities, it also drops a clean DOC file with the following New Year's message:
The message is in Russian and means: "Dear colleagues and friends! Happy New Year!"
While the techniques are not new, the social engineering employed may actually dupe users into running these malicious programs, because the turn of the year is regarded as a happy event and people tend to see the good rather than the bad.
As usual, we suggest that you stay sharp and carefully check all links and e-mail messages containing greetings and holiday-themed e-cards, especially those from strangers or entities you haven’t been in contact with.
Many thanks to our colleague Kai Yu from the Antispam team for providing us with the sample.
We warmly wish you a “Happy New Year!” and may it be malware-free!
Andrei Saygo && Patrik Vicol && Rodel Finones