Today, out of boredom, I decided to check the kind of spam I receive in my Gmail inbox. Since all the spam emails had the same kind of spammy-attractive titles, I decided to check the first one, succulently titled “Video Paris Hilton Nude !”. The email had a conspicuous hyperlink with an H1 anchor text to a file “video-paris-hilton.avi.exe”. (Notice the .exe at the end.)
Like an unsuspecting average Joe, I decided to download the file and see what it had in store for me. I scanned the downloaded file with Kaspersky Antivirus and it failed to detect any rogue code in it. So, I decided to run it and see what it does. Its actions seemed innocuous at first. Double-clicking it generated an error:
Feeling kind of dissatisfied, I continued with my work. After a few minutes, suddenly, my wallpaper changed to this:
And I got a warning from KIS that the malware was trying to access the internet. I promptly blocked it.
Now, my first action was to try and change the wallpaper. But I found the ‘Desktop’ and ‘Screensaver’ tabs missing from the Display properties window.
But I’m not one to easily give up. I did some research and found out that the malware had disabled the Desktop and Screensaver tabs by modifying some registry entries, namely ‘NoDispBackgroundPage’ and ‘NoDispScrSavPage’ under ‘HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System’. It had changed their values from 0 to 1, which had disabled them.
I re-modified the entries to their default values and got back the Desktop and Screensaver tabs in the Display properties window. Then I changed my wallpaper to the previous one.
On the next reboot, I found that the malware copies itself to ‘C:\Windows\System32’ as lphcvtmj0ejdn.exe, and creates an autoloading entry in the registry which will run the malware on every reboot. I removed the entry from ‘HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache’ and deleted the file from the ‘system32’ folder.
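The manual clean-up above, as an added PowerShell example (not part of the original post): it audits the two policy values the malware flipped, resets any that are set to 1, and reports the dropped file and any MUICache entry referencing it. The file name and registry paths are the ones reported in the post; treating them as fixed is an assumption, since a different sample would use different names.

```powershell
# Added example, not from the original post. Run as the affected user on the
# affected machine; the names below are assumed from the post, not derived here.
$policyKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policyValues = @('NoDispBackgroundPage', 'NoDispScrSavPage')
$muiCache     = 'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache'
$droppedName  = 'lphcvtmj0ejdn.exe'
$droppedPath  = Join-Path $env:SystemRoot "System32\$droppedName"

function Get-DisplayLockdown {
    # One object per policy value: current data and whether it hides the tab (1 = hidden).
    foreach ($name in $policyValues) {
        $item  = Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.$name } else { $null }
        [pscustomobject]@{ Name = $name; Value = $value; Locked = ($value -eq 1) }
    }
}

function Repair-DisplayLockdown {
    # Put locked values back to 0, the default, which restores the Desktop/Screensaver tabs.
    foreach ($entry in (Get-DisplayLockdown | Where-Object { $_.Locked })) {
        Set-ItemProperty -Path $policyKey -Name $entry.Name -Value 0 -Type DWord
        Write-Output "Reset $($entry.Name) from 1 to 0"
    }
}

function Find-PersistedCopy {
    # Report the dropped binary (with a hash for the AV submission) and any
    # MUICache value that names it; removal is left as a deliberate manual step.
    if (Test-Path -LiteralPath $droppedPath) {
        $hash = (Get-FileHash -LiteralPath $droppedPath -Algorithm SHA256).Hash
        Write-Output "Dropped file present: $droppedPath (SHA256 $hash)"
    }
    if (Test-Path $muiCache) {
        (Get-ItemProperty -Path $muiCache).PSObject.Properties |
            Where-Object { $_.Name -like "*$droppedName*" } |
            ForEach-Object { Write-Output "MUICache entry: $($_.Name) = $($_.Value)" }
    }
}

Get-DisplayLockdown | Format-Table -AutoSize
Repair-DisplayLockdown
Find-PersistedCopy
```

Re-run Get-DisplayLockdown after the next reboot: if either value flips back to 1, the persistence has not actually been removed.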
I’ve already sent the malware to Kaspersky Labs for analysis. I’ll update this post when I hear from them.
Update: Response from Kaspersky Labs:
Hello,
video-paris-hilton.avi.exe_ – Trojan-Downloader.Win32.Small.aboa
New malicious software was found in this file. Its detection will be included in the next update. Thank you for your help.
Please quote all when answering.
—
Best regards, Vyacheslav Zakorzhevsky
Virus analyst, Kaspersky Lab.
e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/
All’s well that ends well!